How to fix following ansible galaxy SSL error?

Maciej picture Maciej · Aug 22, 2020 · Viewed 12.1k times · Source

Started learning Ansible and want to facilitate ansible-galaxy search nginx command, but I'm getting:

ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)> 

Had try to use ansible-galaxy --ignore-certs search nginx and ansible-galaxy -c search nginx but now getting ansible-galaxy: error: unrecognized arguments: --ignore-certs for booth.

OS :

Distributor ID: Ubuntu Description: Ubuntu 18.04.5 LTS Release: 18.04 Codename: bionic

Ansible version:

ansible 2.9.5
  config file = /home/maciej/projects/priv/ansible_nauka/packt_course/ansible.cfg
  configured module search path = ['/home/maciej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/maciej/.local/lib/python3.6/site-packages/ansible
  executable location = /home/maciej/.local/bin/ansible
  python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]

Answer

nehtor.t picture nehtor.t · Nov 5, 2020

I had the same issue, but on Mac OS X.

The underlying problem is that your Python environment is not finding/making use of the default root certificates that are installed on your OS. These root certs are required to connect securely (via TLS) with Ansible Galaxy.

For Mac OS X I was able to solve this based on this answer: How to make Python use CA certificates from Mac OS TrustStore?

i.e. by running the script to install the certs, shipped with the installation:

cd /Applications/Python\ 3.7/
./Install\ Certificates.command

For Ubuntu / Debian:

Update: As pointed out by Maciej in the accepted answer, certs can be regenerated and added to the environment:

sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs

P.S.: I would not suggest to use --ignore-certs, this will skip verification of the certificate in the TLS connection, making the connection insecure (allowing Man-in-the-middle attacks)