Certificate validation with ansible's maven_artifact

I'm trying to pull a jar from a Nexus that is using a self-signed certificate.

ansible -m maven_artifact -a "repository_url=https://<nexus_host>/repository/maven-snampshots group_id=<group_id> artifact_id=<artifact_id> dest=/tmp/jars validate_certs=yes username=admin password=admin123" -i inventory.ini env_dev

I'm getting the following error:

"msg": "Failed to validate the SSL certificate for XXXXXX. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine (the python executable used (/usr/bin/python) is version: 2.6 (r26:66714, May 6 2011, 15:10:21) [GCC 4.3.4 [gcc-4_3-branch revision 152973]]) or you can install the urllib3, pyOpenSSL, ndg-httpsclient, and pyasn1 python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [Errno 1] _ssl.c:482: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed."

Chrome let me download the certificate (.cer) from the Nexus server, but I don't know where I need to install it, or how.

Nexus : OSS 3.14.0-04
Server Ansible : CentOS Linux release 7.6.1810
Client Ansible : SUSE Linux Enterprise Server 11 (x86_64)
alucas Avatar asked Jan 27 '26 21:01


1 Answer

The way we get certs is by using openssl and pointing it at the site in question, downloading it as .pem, then installing that .pem onto the server making the calls or being called.

Get Cert:

openssl s_client -connect  site.com:636 </dev/null 2>/dev/null  | openssl x509 -outform PEM > site.pem

Import cert into CAcerts:

sudo keytool -importcert -noprompt -alias site-`date "+%Y%m%d%H%M%S"` -file ./site.pem -keystore /usr/java/latest/lib/security/cacerts -storepass changeit
Thomas W Avatar answered Feb 03 '26 09:02
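
An added example, not part of the original question or answer: a certificate pulled with `openssl s_client` or exported from a browser is only trust-on-first-use, so this sketch compares its SHA-256 fingerprint with a value obtained out-of-band before installing it as PEM. The function names, the file name `nexus-selfsigned.pem` and the default destination `/etc/ansible` (taken from the "Paths checked" list in the error message above) are illustrative, and it is an assumption that Ansible loads `*.pem` files from that directory on the managed host.

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh + openssl CLI.

# Detect encoding: PEM files carry a BEGIN marker, a browser-exported .cer is often DER.
cert_form() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Normalise a fingerprint: drop colons/spaces, upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Print the normalised SHA-256 fingerprint of a PEM or DER certificate file.
cert_fingerprint() {
    fp_line=$(openssl x509 -in "$1" -inform "$(cert_form "$1")" \
        -noout -fingerprint -sha256) || return 2
    norm_fp "${fp_line#*=}"
}

# install_pinned_cert <cert-file> <expected-sha256> [dest-dir]
# Copies the certificate as PEM into dest-dir only if the fingerprint matches
# the value obtained out-of-band (for example from the Nexus administrator).
install_pinned_cert() {
    ipc_dest=${3:-/etc/ansible}   # assumption: a directory Ansible scans for *.pem
    ipc_actual=$(cert_fingerprint "$1") || return 2
    if [ "$ipc_actual" != "$(norm_fp "$2")" ]; then
        echo "fingerprint mismatch, not installing: $ipc_actual" >&2
        return 1
    fi
    mkdir -p "$ipc_dest" &&
        openssl x509 -in "$1" -inform "$(cert_form "$1")" \
            -outform PEM -out "$ipc_dest/nexus-selfsigned.pem" &&
        chmod 0644 "$ipc_dest/nexus-selfsigned.pem"
}

# Usage: sh install_pinned_cert.sh nexus.cer 'AB:CD:...' [/etc/ansible]
if [ "$#" -ge 2 ]; then install_pinned_cert "$@"; fi
```

With the certificate in place, `validate_certs=yes` can stay enabled instead of falling back to `validate_certs=False`.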