Alfresco/alfresco-ansible-deployment

ImageMagick download fails with SSLV3 Alert Handshake Failure

amberream opened this issue · 6 comments

Bug description

I'm trying to install Alfresco Community Edition on CentOS 7. I am using Python 3.10, Ansible 2.12.4, and OpenSSL 1.1.1. I get this error when it tries to download ImageMagick.

TASK [../roles/transformers : Download ImageMagick distribution] *************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'url'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>. Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>"}

Target OS

CentOS 7

Ansible error

TASK [../roles/transformers : Download ImageMagick distribution] ***************
task path: /home/qoppa/Downloads/alfresco-ansible-deployment-2.0.0/roles/transformers/tasks/main.yml:24
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/local/lib/python3.10/urllib/request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/local/lib/python3.10/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1037, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.10/http/client.py", line 975, in send
    self.connect()
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 545, in connect
    self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.10/ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.10/ssl.py", line 1070, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/ansible/plugins/lookup/url.py", line 196, in run
    response = open_url(term, validate_certs=self.get_option('validate_certs'),
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 1535, in open_url
    return Request().open(method, url, data=data, headers=headers, use_proxy=use_proxy,
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 1446, in open
    return urllib_request.urlopen(request, None, timeout)
  File "/usr/local/lib/python3.10/urllib/request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python3.10/urllib/request.py", line 519, in open
    response = self._open(req, data)
  File "/usr/local/lib/python3.10/urllib/request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/local/lib/python3.10/urllib/request.py", line 496, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 558, in https_open
    return self.do_open(
  File "/usr/local/lib/python3.10/urllib/request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/ansible/template/__init__.py", line 1032, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/ansible/plugins/lookup/url.py", line 213, in run
    raise AnsibleError("Failed lookup url for %s : %s" % (term, to_native(e)))
ansible.errors.AnsibleError: Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'url'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>. Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>"
}

Ansible context

Paste the output of the following commands:

ansible --version
ansible [core 2.12.4]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.2 (main, Aug 23 2022, 16:27:21) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.0.3
  libyaml = True
ansible-config dump --only-changed
ansible-inventory -i your_inventory_file --graph
@all:
  |--@activemq:
  |  |--@repository:
  |  |  |--localhost
  |--@adw:
  |  |--@repository:
  |  |  |--localhost
  |--@database:
  |  |--@repository:
  |  |  |--localhost
  |--@external:
  |  |--@external_activemq:
  |--@external_activemq:
  |--@nginx:
  |  |--@repository:
  |  |  |--localhost
  |--@repository:
  |  |--localhost
  |--@search:
  |  |--@repository:
  |  |  |--localhost
  |--@syncservice:
  |  |--@repository:
  |  |  |--localhost
  |--@transformers:
  |  |--@repository:
  |  |  |--localhost
  |--@ungrouped:

I just tried debugging the SSL cert on our artifact repository and it's definitely using TLSv1.2:

$ openssl s_client -servername artifacts.alfresco.com -connect artifacts.alfresco.com:443
--
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 2FBC7091E50FF1A804B0B1FF6B9B0F749CD021120ABF3FE150C2D790DD26FCF2
    Session-ID-ctx: 
    Master-Key: 1950189489D1E09E7B110446A55E8EF1CF3722455647E5FF3C8FC9CC4DACCD8F5D61FD6561B5DE51495C1F23C83B1C29
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 6b 0f 14 73 c1 3d f6 ff-eb 0f 0a 32 88 5a 8d c7   k..s.=.....2.Z..
    0010 - 4d fa 7b 4e 70 f6 e2 ee-35 42 d9 a6 7e 23 54 1b   M.{Np...5B..~#T.
    0020 - ba 33 47 a2 bf fd 00 ae-c4 08 e3 71 4f 79 99 15   .3G........qOy..
    0030 - 96 86 8c 71 33 4b 7e d3-3b 20 aa 42 cb 53 c4 f5   ...q3K~.; .B.S..
    0040 - fb 76 c6 ae aa 3b c6 94-90 06 1b e9 04 fe e1 36   .v...;.........6
    0050 - c2 6c 99 85 b3 ee 77 52-a0 7d 24 32 40 30 7d 94   .l....wR.}$2@0}.
    0060 - 35 0c a2 e4 8d 15 23 d2-f7 b2 f7 9e 98 f9 01 3f   5.....#........?
    0070 - 75 63 d7 02 03 e1 bb 2c-12 cc e5 c6 2e 97 8f 9e   uc.....,........
    0080 - 39 02 54 bd 50 4d bb 5c-af fc ce c7 9c de 36 ab   9.T.PM.\......6.
    0090 - 18 14 24 20 02 18 fd 6b-66 05 d9 ac 70 af 3f 38   ..$ ...kf...p.?8
    00a0 - 95 eb 92 fb d2 1e e3 b4-48 d7 d7 29 03 3c 7d da   ........H..).<}.
    00b0 - 89 51 0e b2 02 06 2c e7-d7 86 b8 2f a5 50 b4 d5   .Q....,..../.P..
    00c0 - 93 2a 29 d6 0e 56 d6 4e-45 56 69 75 30 03 e5 80   .*)..V.NEViu0...

    Start Time: 1661362377
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
read:errno=0

Not sure why the playbook complains about SSLv3. Are you sure you don't have a transparent proxy somewhere playing the man in the middle?
What if you try executing the same command from your target machine?

How would I figure out if I have a transparent proxy somewhere playing man in the middle?
Which command are you asking me to run on my target machine?

That first line in your output mentions SSL v3:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA

I do see the line in the output that shows the SSL-Session Protocol is TLS1.2, but I'm not clear on what that first line of the output is telling us.

I'm wondering if the error could be related to Python3.10, the docs say, "The deprecated protocols SSL 3.0, TLS 1.0, and TLS 1.1 are no longer officially supported. Python does not block them actively. However OpenSSL build options, distro configurations, vendor patches, and cipher suites may prevent a successful handshake."

Were you asking me to run the same openssl command you ran? This is the output:

openssl s_client -servername artifacts.alfresco.com -connect artifacts.alfresco.com:443
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Ohio, L = Westlake, O = Hyland Software, CN = *.alfresco.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Ohio, L = Westlake, O = Hyland Software, CN = *.alfresco.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGwzCCBaugAwIBAgIQFqz/XgVYoCgJ833B7UaQUjANBgkqhkiG9w0BAQsFADCB
ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT
H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy
MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG
A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y
MjA3MTMxODE1MDVaFw0yMzA4MTIxODE1MDRaMGIxCzAJBgNVBAYTAlVTMQ0wCwYD
VQQIEwRPaGlvMREwDwYDVQQHEwhXZXN0bGFrZTEYMBYGA1UEChMPSHlsYW5kIFNv
ZnR3YXJlMRcwFQYDVQQDDA4qLmFsZnJlc2NvLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKfx2KIybyyWEB4yWj5rkxsB9IMa9lrpWmmGEYKXbm7o
b49JGMi0sJfMAxpWwb8pjf3IoF+///z9C9D4yOIMP4nr8oUzc/Gr9EW0LzmT/ejs
9dH+CQ/0bthWMPQCkvfH2jpzMMoEDPtuAsfogwTz4jRQ5t/JxluQJ6yajIkZUVuy
Apq0StFQ114z9CRRayvTS9zof7an/3g/p9tVopEn73d7BakUAxv/YvAo3VeaSle7
wR7hwUnIRyozS7SvBE0A0p1WYCrlbKg8Iw+KmtrhQo08glS7s2cYxh1tGXgzUDeW
uNTpN5XvR3BlBRKaYd+OAKBGXk15xlNkA7wIZoGW3z8CAwEAAaOCAxowggMWMAwG
A1UdEwEB/wQCMAAwHQYDVR0OBBYEFEl56aHdU2iTDn7gLEFkNgwjh4YwMB8GA1Ud
IwQYMBaAFIKicHTdvFM/z3vU981/p2DGCky/MGgGCCsGAQUFBwEBBFwwWjAjBggr
BgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0
dHA6Ly9haWEuZW50cnVzdC5uZXQvbDFrLWNoYWluMjU2LmNlcjAzBgNVHR8ELDAq
MCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMCcGA1Ud
EQQgMB6CDiouYWxmcmVzY28uY29tggxhbGZyZXNjby5jb20wDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBMBgNVHSAERTBDMDcG
CmCGSAGG+mwKAQUwKTAnBggrBgEFBQcCARYbaHR0cHM6Ly93d3cuZW50cnVzdC5u
ZXQvcnBhMAgGBmeBDAECAjCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYAVYHU
whaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAGB+MWN4QAABAMARzBFAiAD
XOdj81CZnea4S6zf/XIpeOVopKzaNcTm01UbaWo7eAIhAMhhtm2n44AZI6zFV3FL
zV8j3TRSScD+zlc3caKRr5yVAHYAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PAD
Dnk2pZoAAAGB+MWN4AAABAMARzBFAiEA+vwUmERHC6uyE9N/cxVt3XL4YK9Juolq
EnYODHooTyYCID3PInFJZqMUhtyPkp0OM3zd6C/jp1CgWKJ1/1gwJajhAHcA6D7Q
2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4AAAGB+MWNuAAABAMASDBGAiEA
7GSAis6VzvX5JYSonwybim61ed770Jw5ODZSdNG4EuECIQCzFaRfMaCVVkWnTGrH
d52/r2N//XfIXD/9q9OpIXauXjANBgkqhkiG9w0BAQsFAAOCAQEA0TwjFcexdbDI
RzxmNa8F0jAWMbcFM0xhO2mfJew5pNsu1bTP4fMgOf2w7j9FjIR2NRjL3IFVV6fs
R1tJVm/pnwDOHhbnjiBe8EUB26VRT6MGQtQvB259dUhV4IYc5/DtXcPq3FDhi4fa
BEArvqPcu5wvpv/QnEKhIladmwqk8SlbFN+QWY4uwi9bS55P8n4gfyjnUI/qMeiG
GhMPEKoxb6zuGn6CZY+W1rLgwwuaf5l3rdexw2O9pOfnFEyjVGnZbi0mks0Kz9XO
7p6p1Hu2Kodes0Zl/L7Vc0iWFiDr7x/gQxItZLG4cszNX5YlCUnyMnfy0Q0/PBDt
ZBkmFZNcbA==
-----END CERTIFICATE-----
subject=C = US, ST = Ohio, L = Westlake, O = Hyland Software, CN = *.alfresco.com

issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3766 bytes and written 474 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: CE02BB6D7CEAE8D1A26C4A759DAA6F955B67A1E5FBCDC16D5BF97BC1561DE158
    Session-ID-ctx: 
    Master-Key: C2C3EF88647D70843884D8687199931BB089E4154BD3916E4715A626DC184A975390CEA8B3B6BC1E80E50DD2F8D03CB1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 6b 0f 14 73 c1 3d f6 ff-eb 0f 0a 32 88 5a 8d c7   k..s.=.....2.Z..
    0010 - 40 48 2c f3 49 84 5d 6a-90 4d 7d 6f df 41 7a 89   @H,.I.]j.M}o.Az.
    0020 - 9f 83 fe 45 fb 48 2c 2c-9e 70 c1 a8 e3 e0 40 87   ...E.H,,.p....@.
    0030 - 5a 24 02 10 a0 87 a8 0a-49 52 0d 6a 2e 03 29 41   Z$......IR.j..)A
    0040 - 59 08 17 83 b3 ad 8a 0f-d6 5d 18 1f c2 ad f9 44   Y........].....D
    0050 - 1f 93 e4 ca 19 18 3d 94-77 d3 31 26 34 f8 71 5f   ......=.w.1&4.q_
    0060 - e6 40 d0 00 15 98 47 21-ef 18 75 54 fa a7 87 a9   .@....G!..uT....
    0070 - 7e b3 5e 70 33 a9 c1 20-5f 85 27 32 10 ea 36 94   ~.^p3.. _.'2..6.
    0080 - 8b 29 ef f3 c0 82 4d cc-58 e7 8a e1 a9 48 98 29   .)....M.X....H.)
    0090 - f9 62 e2 d3 42 1c 22 4e-b9 e7 ac 1c 0d cf 1a 51   .b..B."N.......Q
    00a0 - 63 59 83 a6 ed 7a a9 38-8a f2 0e ed a2 1a 15 40   cY...z.8.......@
    00b0 - 13 cf b9 56 3d d8 7c 6b-2a 17 d3 f0 c7 88 28 e7   ...V=.|k*.....(.
    00c0 - 4c d3 69 7d 97 7f 3e 10-63 b1 ce 1e b0 b2 55 2a   L.i}..>.c.....U*

    Start Time: 1661362998
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
read:errno=0

I submitted this same issue to Ansible and they confirmed it is indeed Python 3.10 causing the problem.
ansible/ansible#78633 (comment)
To get this working I switched back to Python 3.8. It would be nice if it worked with a newer version of Python though.
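The following is an added diagnostic example for the two s_client transcripts above and the Python 3.10 finding; it is not code from this thread, from the alfresco-ansible-deployment playbook, from Ansible or from Alfresco. It relies on two documented facts about Python 3.10: the default SSLContext requires TLS 1.2 or newer, and its default cipher string contains "!SHA1", so suites with an HMAC-SHA1 record MAC (such as the ECDHE-RSA-AES256-SHA the server negotiated) are never offered, which is what produces the handshake-failure alert. The name-based classification in python310_default_accepts() is this example's own approximation of that policy; the sample s_client output is constructed from the lines posted above.

```python
"""Diagnose whether an openssl s_client session would be accepted by Python
3.10's default SSLContext.

Added example for this thread; not code from the alfresco-ansible-deployment
playbook, from Ansible, or from Alfresco.  Facts it relies on: Python 3.10's
default SSLContext requires TLS 1.2 or newer and its default cipher string
contains "!SHA1", so suites with an HMAC-SHA1 record MAC such as
ECDHE-RSA-AES256-SHA are never offered.  python310_default_accepts() is this
example's own name-based approximation of that policy;
local_default_cipher_names() asks the running interpreter for the real list.
"""
import re
import ssl

# Constructed sample: the relevant lines from the second s_client run in the
# thread, trimmed to what the parser needs.
SAMPLE_S_CLIENT_OUTPUT = """\
SSL handshake has read 3766 bytes and written 474 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 20 (unable to get local issuer certificate)
"""

_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)", re.M)


def parse_s_client(output):
    """Extract negotiated protocol, cipher and verify code from s_client output.

    The 'New, TLSv1.0, Cipher is ...' summary line is ignored on purpose: its
    version field comes from SSL_CIPHER_get_version(), i.e. the protocol that
    first defined the suite (older OpenSSL prints 'TLSv1/SSLv3' there), not
    the protocol negotiated for this session.  The 'Protocol :' line under
    SSL-Session is the one that reports the negotiated version.
    """
    proto = _PROTO_RE.search(output)
    cipher = _CIPHER_RE.search(output)
    verify = _VERIFY_RE.search(output)
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
        "verify_code": int(verify.group(1)) if verify else None,
    }


def python310_default_accepts(protocol, cipher):
    """Approximate Python 3.10's default policy from the OpenSSL suite name.

    Returns (accepted, reasons).  TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...)
    are all AEAD and are not subject to the SHA-1 MAC rule.
    """
    reasons = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append("protocol %s is below the TLS 1.2 minimum" % protocol)
    if cipher is None:
        reasons.append("no cipher negotiated")
    elif protocol != "TLSv1.3" and cipher.endswith("-SHA"):
        # A trailing "-SHA" (as opposed to -SHA256, -SHA384 or -GCM-...) means
        # the record MAC is HMAC-SHA1, which "!SHA1" removes from the defaults.
        reasons.append("%s uses a SHA-1 record MAC" % cipher)
    return not reasons, reasons


def local_default_cipher_names():
    """Cipher suites the running interpreter's default context would offer.

    Informational only: the answer depends on the Python and OpenSSL versions
    on this machine, which is exactly the variable this thread is about.
    """
    return sorted(c["name"] for c in ssl.create_default_context().get_ciphers())


def diagnose(output):
    """Parse s_client output and explain whether Python 3.10 would connect."""
    session = parse_s_client(output)
    accepted, reasons = python310_default_accepts(
        session["protocol"], session["cipher"])
    session["accepted_by_py310_defaults"] = accepted
    session["reasons"] = reasons
    # Verify code 20 is a client trust-store problem (the Entrust chain is not
    # in the local CA bundle).  It is independent of the cipher policy and
    # would surface as CERTIFICATE_VERIFY_FAILED, not as a handshake alert.
    session["chain_verified"] = session["verify_code"] == 0
    return session


if __name__ == "__main__":
    result = diagnose(SAMPLE_S_CLIENT_OUTPUT)
    for key, value in result.items():
        print("%-28s %s" % (key + ":", value))
    print("%-28s %s" % ("offered by this Python:",
                        result["cipher"] in local_default_cipher_names()))
```

Run against the pasted output it reports the negotiated protocol as TLSv1.2 (the "New, TLSv1.0" line names the cipher family, not the session version, which answers the question about that line), flags ECDHE-RSA-AES256-SHA as rejected by Python 3.10 defaults because of its SHA-1 MAC, and notes separately that the CentOS box also failed chain verification (verify code 20), a distinct trust-store issue that would show up as a certificate verification error rather than the handshake alert seen in the Ansible traceback.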

Thank you for your investigations.
We have confirmed this issue happens on our CI when switching to Python 3.10, and we're tracking it via an internal ticket which we hope to fix before the next release.

Hi @amberream ,
We believe the problem is fixed. Feel free to update this issue if you still experience the same error.