How to fix following ansible galaxy SSL error?
Started learning Ansible and want to facilitate ansible-galaxy search nginx command, but I'm getting:
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
Had try to use ansible-galaxy --ignore-certs search nginx and ansible-galaxy -c search nginx but now getting ansible-galaxy: error: unrecognized arguments: --ignore-certs for booth.
OS :
Distributor ID: Ubuntu Description: Ubuntu 18.04.5 LTS Release: 18.04 Codename: bionic
Ansible version:
ansible 2.9.5
config file = /home/maciej/projects/priv/ansible_nauka/packt_course/ansible.cfg
configured module search path = ['/home/maciej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/maciej/.local/lib/python3.6/site-packages/ansible
executable location = /home/maciej/.local/bin/ansible
python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
Answer
I had the same issue, but on Mac OS X.
The underlying problem is that your Python environment is not finding/making use of the default root certificates that are installed on your OS. These root certs are required to connect securely (via TLS) with Ansible Galaxy.
For Mac OS X I was able to solve this based on this answer: How to make Python use CA certificates from Mac OS TrustStore?
i.e. by running the script to install the certs, shipped with the installation:
cd /Applications/Python\ 3.7/
./Install\ Certificates.command
For Ubuntu / Debian:
Update: As pointed out by Maciej in the accepted answer, certs can be regenerated and added to the environment:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
P.S.: I would not suggest to use --ignore-certs, this will skip verification of the certificate in the TLS connection, making the connection insecure (allowing Man-in-the-middle attacks)