elb_target_group does not fully respect validate_certs #554

Closed
brsolomon-deloitte opened this issue Apr 26, 2021 · 4 comments
Labels: bug, module, needs_triage, plugins, python3, traceback

brsolomon-deloitte commented Apr 26, 2021

SUMMARY

validate_certs: false for elb_target_group still results in

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

which is the very type of issue validate_certs: false is supposed to ignore.

validate_certs=False does work for other modules such as ec2.

Also does not respect AWS_CA_BUNDLE in Ansible environment.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

elb_target_group

ANSIBLE VERSION
$ ansible --version
ansible 2.9.20
  config file = xxx/playbooks/ansible.cfg
  configured module search path = ['/Users/brsolomon/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = xxx/venv/lib/python3.9/site-packages/ansible
  executable location = xxx/venv/bin/ansible
  python version = 3.9.4 (default, Apr  5 2021, 01:49:30) [Clang 12.0.0 (clang-1200.0.32.29)]
CONFIGURATION
ANSIBLE_NOCOWS(env: ANSIBLE_NOCOWS) = True
DEFAULT_LOG_PATH(xxx/playbooks/ansible.cfg) = ~/ansible_cloud_nsm.log
DEFAULT_REMOTE_USER(xxx/playbooks/ansible.cfg) = ubuntu
HOST_KEY_CHECKING(xxx/playbooks/ansible.cfg) = False
OS / ENVIRONMENT
$ sw_vers
ProductName:	Mac OS X
ProductVersion:	10.15.7
BuildVersion:	19H524
STEPS TO REPRODUCE
    - name: Create target group
      elb_target_group:
        name: xxxxxxxx
        protocol: TCP
        port: 6443
        vpc_id: vpc-xxxxxxxx
        region: us-east-2
        target_type: instance
        validate_certs: false
        wait: true
        state: present
        modify_targets: true
        profile: xxxxxxxx
EXPECTED RESULTS

Create target group successfully

ACTUAL RESULTS
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'SSLError' object has no attribute 'response'
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 428, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 472, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/httpsession.py", line 314, in send
    urllib_response = conn.urlopen(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/util/retry.py", line 507, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/packages/six.py", line 734, in reraise
    raise value.with_traceback(tb)
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 428, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/xxxx/venv/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 472, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/folders/28/rx5hw8hd3hl48jtj0c1vz9wr0000gn/T/ansible_elb_target_group_payload_shn9tiu7/ansible_elb_target_group_payload.zip/ansible/modules/cloud/amazon/elb_target_group.py", line 384, in get_target_group
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/paginate.py", line 449, in build_full_result
    for response in self:
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/paginate.py", line 255, in __iter__
    response = self._make_request(current_kwargs)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/paginate.py", line 332, in _make_request
    return self._method(**current_kwargs)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/client.py", line 662, in _make_api_call
    http, parsed_response = self._make_request(
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/client.py", line 682, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/endpoint.py", line 136, in _send_request
    while self._needs_retry(attempts, operation_model, request_dict,
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/endpoint.py", line 253, in _needs_retry
    responses = self._event_emitter.emit(
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/retryhandler.py", line 183, in __call__
    if self._checker(attempts, response, caught_exception):
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/retryhandler.py", line 250, in __call__
    should_retry = self._should_retry(attempt_number, response,
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/retryhandler.py", line 277, in _should_retry
    return self._checker(attempt_number, response, caught_exception)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/retryhandler.py", line 316, in __call__
    checker_response = checker(attempt_number, response,
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/retryhandler.py", line 222, in __call__
    return self._check_caught_exception(
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
    raise caught_exception
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/endpoint.py", line 200, in _do_get_response
    http_response = self._send(request)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/endpoint.py", line 269, in _send
    return self.http_session.send(request)
  File "/xxxx/venv/lib/python3.9/site-packages/botocore/httpsession.py", line 341, in send
    raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://elasticloadbalancing.us-east-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/brsolomon/.ansible/tmp/ansible-tmp-1619452568.050251-47151-187828669344023/AnsiballZ_elb_target_group.py", line 102, in <module>
    _ansiballz_main()
  File "/Users/brsolomon/.ansible/tmp/ansible-tmp-1619452568.050251-47151-187828669344023/AnsiballZ_elb_target_group.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/Users/brsolomon/.ansible/tmp/ansible-tmp-1619452568.050251-47151-187828669344023/AnsiballZ_elb_target_group.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible.modules.cloud.amazon.elb_target_group', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py", line 210, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/local/Cellar/python@3.9/3.9.4/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/var/folders/28/rx5hw8hd3hl48jtj0c1vz9wr0000gn/T/ansible_elb_target_group_payload_shn9tiu7/ansible_elb_target_group_payload.zip/ansible/modules/cloud/amazon/elb_target_group.py", line 828, in <module>
  File "/var/folders/28/rx5hw8hd3hl48jtj0c1vz9wr0000gn/T/ansible_elb_target_group_payload_shn9tiu7/ansible_elb_target_group_payload.zip/ansible/modules/cloud/amazon/elb_target_group.py", line 822, in main
  File "/var/folders/28/rx5hw8hd3hl48jtj0c1vz9wr0000gn/T/ansible_elb_target_group_payload_shn9tiu7/ansible_elb_target_group_payload.zip/ansible/modules/cloud/amazon/elb_target_group.py", line 479, in create_or_update_target_group
  File "/var/folders/28/rx5hw8hd3hl48jtj0c1vz9wr0000gn/T/ansible_elb_target_group_payload_shn9tiu7/ansible_elb_target_group_payload.zip/ansible/modules/cloud/amazon/elb_target_group.py", line 386, in get_target_group
AttributeError: 'SSLError' object has no attribute 'response'
", "module_stdout": "", "msg": "MODULE FAILURE
See stdout/stderr for the exact error", "rc": 1}
@ansibullbot

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

ansibullbot added the bug, module, needs_triage, plugins, python3, traceback labels Apr 26, 2021
@brsolomon-deloitte

Same issue with ec2_vol_info

tremble commented Apr 28, 2021

@brsolomon thank you for taking the time to open this issue.

Support for AWS_CA_BUNDLE was added in release 1.1.0 of the amazon.aws collection and is not expected to be available through Ansible 2.9 without explicitly downloading and using recent versions of these collections.

The main issue to which you're referring is a duplicate of ansible-collections/amazon.aws#129 and is related to your use of a profile (which, due to the bug, overrode the flag to ignore the SSL certs). A fix for this issue is available in release 1.2.0 of the amazon.aws collection, and as such I will be closing this issue.

With the recent release of Ansible 2.11, Ansible 2.9 is now in "security fixes only", and while SSL/TLS is related to security, I do not believe a backported fix for this would be accepted.

@tremble tremble closed this as completed Apr 28, 2021
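
The override described in the closing comment, sketched as an added example (not code from this thread or from the amazon.aws collection): a simplified model of how rebuilding connection parameters for a profile can drop the TLS `verify` setting, plus a check that every credential path keeps the requested setting. All function names, the CA path and the credential values are hypothetical or constructed.

```python
# Added illustration: a simplified model of turning module arguments into
# boto3-style connection parameters. Function names and values are
# hypothetical/constructed; this is not the amazon.aws collection's code.
CA = "/etc/ssl/example-corp-ca.pem"  # constructed placeholder path


def resolve_verify(validate_certs=True, ca_bundle=None):
    """False disables verification, a path selects a CA bundle, True uses the default store."""
    if not validate_certs:
        return False
    return ca_bundle or True


def build_params_buggy(profile=None, access_key=None, secret_key=None, **tls):
    params = {"aws_access_key_id": access_key,
              "aws_secret_access_key": secret_key,
              "verify": resolve_verify(**tls)}
    if profile:
        # Bug pattern: rebuilding the dict for the profile path drops "verify".
        params = {"profile_name": profile}
    return params


def build_params_fixed(profile=None, access_key=None, secret_key=None, **tls):
    if profile:
        params = {"profile_name": profile}
    else:
        params = {"aws_access_key_id": access_key,
                  "aws_secret_access_key": secret_key}
    # TLS settings are applied last, independent of the credential source.
    params["verify"] = resolve_verify(**tls)
    return params


def lost_tls_settings(builder):
    """Return (credential_source, requested_verify) pairs the builder failed to honour."""
    creds = {"keys": {"access_key": "EXAMPLEKEYID", "secret_key": "example-secret"},
             "profile": {"profile": "example-profile"}}
    requests = [{"validate_certs": False}, {"ca_bundle": CA}, {}]
    lost = []
    for source, cred in creds.items():
        for tls in requests:
            want = resolve_verify(**tls)
            # A missing "verify" key means the library default: verification on.
            got = builder(**cred, **tls).get("verify", True)
            if got != want:
                lost.append((source, want))
    return lost
```

In this model the buggy builder falls back to default verification on the profile path, which matches the reported symptom of `validate_certs: false` having no effect when `profile` is set.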