Roots Discourse

TASK: [wp-cli | Install WP-CLI tab completions]

I’ve followed the installation instructions for Trellis in a fresh directory and keep running into this error:

TASK: [wp-cli | Install WP-CLI tab completions] ******************************* 
failed: [default] => {"failed": true}
msg: Failed to validate the SSL certificate for raw.githubusercontent.com:443. Make sure your managed systems have a valid CA certificate installed.  If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine.  You can use validate_certs=False if you do not need to confirm the server\s identity but this is unsafe and not recommended Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible

The issue seems to be related to getting a script from raw.githubusercontent.com

I have submitted an issue as there may be an issue with the provisioning script.

Hi - I’m seeing the same issue. Have you found a way around?

thanks

Nathan

Having the same problem here:
TASK [wp-cli : Install WP-CLI tab completions] ********************************* fatal: [default]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for raw.githubusercontent.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine. You can use validate_certs=False if you do not need to confirm the server\\s identity but this is unsafe and not recommended Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible"}
Running the lastest version Python 2.7.11,

Any help/ a work around would be appreciated.

By commenting out the wp-cli completions in task > main.yml ansible will now compile. Not sure I understand what has been removed and if this will cause me errors in the future.

No, won’t cause any issues. This is a pretty minor thing which just auto completes WP-CLI command names.

1 Like

roots/trellis#593 should resolve this issue. If not, feel free to mention it here.

1 Like

@fullyint What should one do if there’s the same issue (Failed to validate the SSL certificate) but for [composer : Download Composer installer] task? I can see it’s a vendor task but since Trellis is packaged with python 2.7.6 I’m not sure on what further steps should be.

Now vagrant up fails for me with “Failed to validate the SSL certificate for getcomposer.org:443”. Both curl https://getcomposer.org/installer -o installer and wget https://getcomposer.org/installer work well if executed on VM.

@max I’m afraid I don’t have a good answer for you. My first suggestion would be to try again after waiting a bit. I tried creating a fresh vm and couldn’t reproduce the problem.

If you have the option of turning on a VPN for your control machine, doing so should change your IP and could get around any potential rate-limiting, if relevant. That may have worked for me once when I think GitHub was rate-limiting me after a few provision attempts, or maybe it was just a coincidence. However, I realize the relevant domain is getcomposer.org, not GitHub.

If you haven’t already, check that you’re using Ansible 2.0.2.0 and Vagrant 1.8.1 (1.8.4 is not working for everybody). You could then

  • vagrant box update (e.g., to use the latest ubuntu/trusty64 with provider virtualbox version 20160627.0.0)
  • back up mysql db on vm (if somehow you did anything with the db)
  • vagrant destroy -f && vagrant up to completely rebuild the vm

If that doesn’t fix it, we can consider the error message, which I understand to be Ansible offering suggestions of what to check in the event of ssl.SSLError or socket.error rather than exact diagnostics of the problem. You probably saw something like

msg: Failed to validate the SSL certificate for getcomposer.org:443.
Make sure your managed systems have a valid CA certificate installed. 
If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine. 
You can use validate_certs=False if you do not need to confirm the server\s identity but this is unsafe and not recommended.
Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible
  • I doubt the problem is a missing/obsolete CA certificate on the vm because your curl and wget succeed.
  • I doubt it is an SNI or python version problem because I get the same cert in response to these commands:
# not applying SNI
openssl s_client -connect getcomposer.org:443 | openssl x509 -noout -text

# applying SNI by specifying -servername
openssl s_client -connect getcomposer.org:443 -servername getcomposer.org | openssl x509 -noout -text

If trying later doesn’t work, and a VPN doesn’t work, you may have to do a little more digging, or try a temporary dirty hack and adjust the offending task in the vendor/roles directory, either setting the validate_certs option to false (docs), which is insecure, or change the task to use curl.

3 Likes

I hate this kind of “solution”, but it just worked after I tried again a few hours later.
Anyway thanks for detailed answer Phil! Hopefully it will help someone to debug future issues.

2 Likes