Vagrant sites suddenly return 500 error / error running ansible-playbook

composer
trellis
ansible

#1

I’ve been struggling to get my development sites that use vagrant to run for a couple of weeks, and wanted to reach out to the roots community to see if anyone had any ideas. vagrant up does not output any errors, but vagrant provision shows the output below (I’ve included the full output - but the warnings below might be the most insightful).

Here’s some more info that could be applicable

ansible-galaxy --version

ansible-galaxy 2.4.3.0
  config file = /Users/XXX/YYY/trellis/ansible.cfg
  configured module search path = ['/Users/Jillian/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible-galaxy
  python version = 3.6.4 (default, Mar  5 2018, 15:14:52) [GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]

python --version
Python 3.6.4

python -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2n 7 Dec 2017

python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
(no output…)

vagrant provision

==> default: Running provisioner: ansible...
    default: Running ansible-galaxy...
- changing role composer from 1.5.0 to 1.5.0
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.5.0.tar.gz
- extracting composer to /Users/XXX/YYY/trellis/vendor/roles/composer
- composer (1.5.0) was installed successfully
- changing role ntp from 1.3.0 to 1.3.0
- downloading role 'ntp', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-ntp/archive/1.3.0.tar.gz
- extracting ntp to /Users/XXX/YYY/trellis/vendor/roles/ntp
- ntp (1.3.0) was installed successfully
- changing role logrotate from e7a498d to e7a498d
- downloading role 'logrotate', owned by nickhammond
- downloading role from https://github.com/nickhammond/ansible-logrotate/archive/e7a498d.tar.gz
- extracting logrotate to /Users/XXX/YYY/trellis/vendor/roles/logrotate
- logrotate (e7a498d) was installed successfully
- changing role swapfile from 0.4 to 0.4
- downloading role 'swapfile', owned by kamaln7
- downloading role from https://github.com/kamaln7/ansible-swapfile/archive/0.4.tar.gz
- extracting swapfile to /Users/XXX/YYY/trellis/vendor/roles/swapfile
- swapfile (0.4) was installed successfully
- changing role geerlingguy.daemonize from 1.1.1 to 1.1.1
- downloading role 'daemonize', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-daemonize/archive/1.1.1.tar.gz
- extracting geerlingguy.daemonize to /Users/XXX/YYY/trellis/vendor/roles/geerlingguy.daemonize
- geerlingguy.daemonize (1.1.1) was installed successfully
- changing role mailhog from 2.1.0 to 2.1.0
- downloading role 'mailhog', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-mailhog/archive/2.1.0.tar.gz
- extracting mailhog to /Users/XXX/YYY/trellis/vendor/roles/mailhog
- mailhog (2.1.0) was installed successfully
 [WARNING]: - dependency geerlingguy.daemonize from role mailhog differs from
already installed version (1.1.1), skipping

    default: Running ansible-playbook...
[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 
'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions.
 This feature will be removed in a future release. Deprecation warnings can be 
disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is
 discouraged. The module documentation details page may explain more about this
 rationale.. This feature will be removed in a future release. Deprecation 
warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
ERROR! Unexpected Exception, this is probably a bug: No module named 'ansible.compat.six'

pip list | grep six

DEPRECATION: The default format will switch to columns in the future. You can use     --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under   the [list] section) to disable this warning.
six (1.11.0)

Thanks! Any help on this would be greatly appreciated :slight_smile: Let me know if my question can be more clear.

Update:

vagrant provision now works… I was able to get it working with a combination of using Python 2.7.13 (and unlinking and linking it with brew unlink python && brew link python) and installing ansible 2.3.2, and relinking openssl 1.0.2n

My websites still don’t work though… now with no error messages :confused:


#2

Did you upgrade your Python version recently? You’ll need to go back to 2.7

I think this has come up a few times, see Ansible/Trellis Bug? Unexpected Exception


#3

Thanks for the reply! And yes - so python 2.7 should still be installed. How do I get ansible to point to an older version of python?


#4

Hm, I was able to re-link ansible to python 2.7.10, but am now receiving a different error:

==> default: Running provisioner: ansible...
    default: Running ansible-galaxy...
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.5.0.tar.gz
 [ERROR]: failed to download the file: Failed to validate the SSL certificate
for github.com:443. Make sure your managed systems have a valid CA certificate
installed. You can use validate_certs=False if you do not need to confirm the
servers identity but this is unsafe and not recommended. Paths checked for this
platform: /etc/ssl/certs, /etc/ansible, /usr/local/etc/openssl. The exception
msg was: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version
(_ssl.c:590).

 [WARNING]: - composer was NOT installed successfully.

ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

Sorry to bombard you with command-line errors as they come, just trying to resolve this as quickly as possible to get back to development :frowning:
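
The error quoted in the post above carries the OpenSSL reason code TLSV1_ALERT_PROTOCOL_VERSION, which is a rejection of the TLS version offered in the handshake rather than a certificate trust failure. As an added example (not part of the original thread; the function names and the abridged sample string are assumptions made here), this script separates the two causes and reports whether the interpreter it is run with can speak TLS 1.2; run it with the same python that ansible-galaxy --version reports.

```python
import re
import ssl
import sys

# Constructed sample: the ansible-galaxy error from the post above, abridged onto one line.
SAMPLE_ERROR = (
    "failed to download the file: Failed to validate the SSL certificate for "
    "github.com:443. The exception msg was: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] "
    "tlsv1 alert protocol version (_ssl.c:590)."
)

def classify_tls_error(message):
    """Return 'protocol', 'trust' or 'unknown' from the OpenSSL reason code in message."""
    match = re.search(r"\[SSL: ([A-Z0-9_]+)\]", message)
    reason = match.group(1) if match else ""
    if reason.endswith("ALERT_PROTOCOL_VERSION") or reason == "UNSUPPORTED_PROTOCOL":
        return "protocol"  # handshake version mismatch; the CA bundle is not the issue
    if reason == "CERTIFICATE_VERIFY_FAILED":
        return "trust"     # chain or hostname did not validate against the CA store
    return "unknown"

def supports_tls12(openssl_version):
    """TLS 1.2 arrived in OpenSSL 1.0.1; every LibreSSL release has it."""
    m = re.match(r"(OpenSSL|LibreSSL) (\d+)\.(\d+)\.(\d+)", openssl_version)
    if not m:
        raise ValueError("unrecognised version string: %r" % openssl_version)
    if m.group(1) == "LibreSSL":
        return True
    return tuple(int(part) for part in m.group(2, 3, 4)) >= (1, 0, 1)

def interpreter_report():
    """Describe the TLS stack of the interpreter this script is run with."""
    has_tls12 = getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2"))
    return {"executable": sys.executable, "openssl": ssl.OPENSSL_VERSION,
            "tls12": bool(has_tls12)}

def diagnose(message, openssl_version):
    # Combine the error's cause with the TLS capability of the given OpenSSL build.
    cause = classify_tls_error(message)
    if cause == "protocol" and not supports_tls12(openssl_version):
        return "OpenSSL too old for TLS 1.2: run ansible under a python linked to 1.0.1+"
    if cause == "protocol":
        return "protocol mismatch but TLS 1.2 is available: check which python ansible uses"
    if cause == "trust":
        return "certificate did not validate: fix the CA bundle, keep validation on"
    return "no OpenSSL reason code found"

if __name__ == "__main__":
    report = interpreter_report()
    print(report, diagnose(SAMPLE_ERROR, report["openssl"]))
```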


#5

I’m very sympathetic with the frustration of unexpected and unwelcome dev tool “detours” while just trying to get some work done. Remember that you’ll get the most positive response from the forum by spending time working on each error (and demonstrating as much) on your own before posting. Hope you got it resolved. :slight_smile:

Maybe you’ve already worked through the tips and discussion at these links related to the error in your output?
https://discourse.roots.io/search?q=failed%20to%20download%20the%20file%3A%20Failed%20to%20validate%20the%20SSL%20certificate%20for%20github.com%3A443


#6

Yes, I have - obviously I look to roots discourse before anything else :slight_smile:

I’ve actually resolved all the issues since my post, and now have a bunch of sites that still don’t work, but without error messages (I’ve written an ‘update’ accordingly).

Thank you for bearing with me - I’ve spent hours over a couple of weeks probably making things worse (it seems like once one issue is resolved, another crops up), so it’s nice to have a second pair of eyes…


#7

:trophy: Congrats! :dizzy:

People want to help but this isn’t much info to go on. What have you tried and discovered so far?

A few possibilities come to mind.

  • You could be sure to use .test instead of .dev for development domains (details at https://github.com/roots/trellis/pull/923).
  • You could vagrant reload and vagrant hostmanager to refresh many things that could affect functioning.
  • If you have many VMs running (check using vagrant global-status)
    • shut down any VMs that aren’t in use
    • use a different vagrant_ip per VM
  • You could check for helpful info in logs. Run vagrant ssh and check contents of
    • /srv/www/example.com/logs/error.log (for each affected site)
    • /var/log/nginx/error.log
    • /var/log/nginx/php7.2-fpm.log (or php7.1-fpm.log)
  • You could check for http status codes returned when you try to load example.test
    • use Chrome dev tools Network tab to see status code, if any (e.g., 502)
    • use command like this to get http status code and double-check what IP is associated with the domain:
      curl -ILk -w "%{http_code}\n%{remote_ip}\n" http://example.test
      (or https://)

:star: If you aren’t able to resolve it, please start a new thread given that this is a new topic.


#8

ok, thank you for your help.