12

I started learning Ansible and want to use the ansible-galaxy search nginx command, but I'm getting:

ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)> 

I tried ansible-galaxy --ignore-certs search nginx and ansible-galaxy -c search nginx, but now I'm getting ansible-galaxy: error: unrecognized arguments: --ignore-certs for both.

OS:

Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic

Ansible version:

ansible 2.9.5
  config file = /home/maciej/projects/priv/ansible_nauka/packt_course/ansible.cfg
  configured module search path = ['/home/maciej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/maciej/.local/lib/python3.6/site-packages/ansible
  executable location = /home/maciej/.local/bin/ansible
  python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
nehtor.t
Maciej

6 Answers

22

I had the same issue, but on Mac OS X.

The underlying problem is that your Python environment is not finding/making use of the default root certificates that are installed on your OS. These root certs are required to connect securely (via TLS) with Ansible Galaxy.

For Mac OS X I was able to solve this based on this answer: How to make Python use CA certificates from Mac OS TrustStore?

i.e. by running the script to install the certs, shipped with the installation:

cd /Applications/Python\ 3.7/
./Install\ Certificates.command

(your Python version might be different)

For Ubuntu / Debian:

Update: As pointed out by Maciej in the accepted answer, certs can be regenerated and added to the environment:

sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs

P.S.: I would not suggest using --ignore-certs; this will skip verification of the certificate in the TLS connection, making the connection insecure (allowing man-in-the-middle attacks).

nehtor.t
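
To see what the answer above describes, i.e. where the Python interpreter that runs ansible-galaxy looks for root certificates and whether anything usable is there, a small diagnostic follows. It is an added example, not part of the original answer; the names diagnose and current_trust_store are hypothetical, and the check is a presence check only (it does not validate the certificates themselves).

```python
import os
import re
import ssl

# OpenSSL only picks up CA-directory entries named <subject-hash>.<n>;
# update-ca-certificates (re)creates those links in /etc/ssl/certs.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def diagnose(cafile, capath):
    """Check whether a CA bundle file or a CA directory can supply trust roots."""
    cafile_usable = bool(cafile) and os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    hashed = []
    if capath and os.path.isdir(capath):
        hashed = [n for n in os.listdir(capath) if HASHED_NAME.match(n)]
    return {
        "cafile_usable": cafile_usable,
        "hashed_entries": len(hashed),
        "usable": cafile_usable or bool(hashed),
    }


def current_trust_store():
    """Report the trust store this interpreter uses for TLS verification."""
    paths = ssl.get_default_verify_paths()
    report = diagnose(paths.cafile, paths.capath)
    report["cafile"] = paths.cafile      # None if the bundle file does not exist
    report["capath"] = paths.capath      # None if the directory does not exist
    # SSL_CERT_FILE / SSL_CERT_DIR override the compiled-in defaults when set.
    report["env"] = {
        name: os.environ.get(name)
        for name in (paths.openssl_cafile_env, paths.openssl_capath_env)
    }
    # Counts roots loaded eagerly from the bundle file (and OS stores on
    # Windows); CA-directory entries are loaded lazily and are not counted.
    context = ssl.create_default_context()
    report["loaded_roots"] = context.cert_store_stats()["x509_ca"]
    return report


if __name__ == "__main__":
    for key, value in current_trust_store().items():
        print(f"{key}: {value}")
```

Run it with the interpreter shown under "python version" in ansible --version; if usable is False, the trust store rather than Galaxy is the cause of CERTIFICATE_VERIFY_FAILED.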
6

Worked for me:

ansible-galaxy search --ignore-certs postgresql
fcdt
6

I came back to this issue... life is the best motivator. What helped me is:

sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
Maciej
2

In case someone else is looking at this, the args are order dependent. On RHEL 8 with a cntlm proxy ....

declare -x https_proxy='127.0.0.1:3128'
declare -x http_proxy='127.0.0.1:3128'

# this works through a proxy
ansible-galaxy collection install ovirt.ovirt --ignore-certs

# this does not
ansible-galaxy --ignore-certs collection install ovirt.ovirt 

# and this does not
ansible-galaxy collection --ignore-certs install ovirt.ovirt
agrov8
0

For RHEL/CentOS:

You may want to check the crypto policy: if the policy is set to FUTURE, temporarily set it to DEFAULT.

sudo update-crypto-policies --set=DEFAULT

-1

bahrathkumaraju@Bahrathkumarajus-MacBook-Pro vault_ansible % ansible-galaxy collection install community.hashi_vault --ignore-certs
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/download/community-hashi_vault-3.0.0.tar.gz to /Users/bahrathkumaraju/.ansible/tmp/ansible-local-91443c5vh69v3/tmp76qmz32a/community-hashi_vault-3.0.0-635b3qde
Installing 'community.hashi_vault:3.0.0' to '/Users/bahrathkumaraju/.ansible/collections/ansible_collections/community/hashi_vault'
community.hashi_vault:3.0.0 was installed successfully
bahrathkumaraju@Bahrathkumarajus-MacBook-Pro vault_ansible %