
Cannot sync GitHub repo using HTTPS - certificate issue

Open Gibonnn opened this issue 1 year ago • 4 comments

Please confirm the following

  • [X] I agree to follow this project's code of conduct.
  • [X] I have checked the current issues for duplicates.
  • [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • [X] I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)

Bug Summary

AWX fails to sync a GitHub repo over HTTPS with the below error message about the certificate:

SSL: no alternative certificate subject name matches target host name 'github.com'

```
PLAY [Update source tree if necessary] *****************************************

TASK [Delete project directory before update] **********************************
ok: [localhost]

TASK [Update project using git] ************************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote https://github.com/Gibonnn/ansible.git -h refs/heads/HEAD", "msg": "fatal: unable to access 'https://github.com/Gibonnn/ansible.git/': SSL: no alternative certificate subject name matches target host name 'github.com'", "rc": 128, "stderr": "fatal: unable to access 'https://github.com/Gibonnn/ansible.git/': SSL: no alternative certificate subject name matches target host name 'github.com'\n", "stderr_lines": ["fatal: unable to access 'https://github.com/Gibonnn/ansible.git/': SSL: no alternative certificate subject name matches target host name 'github.com'"], "stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
```

Why is this happening? I would expect GitHub sync to work out of the box. Thanks.

AWX version

23.5.1

Select the relevant components

  • [X] UI
  • [ ] UI (tech preview)
  • [ ] API
  • [ ] Docs
  • [ ] Collection
  • [ ] CLI
  • [ ] Other

Installation method

kubernetes

Modifications

no

Ansible version

core 2.15.8

Operating system

Ubuntu

Web browser

Chrome

Steps to reproduce

Configure a Project to sync source control using HTTPS.

Expected results

Repo is synced.

Actual results

Connection to GitHub fails with:

SSL: no alternative certificate subject name matches target host name 'github.com'

Additional information

No response

Gibonnn, Jan 16 '24 15:01

Doesn't seem like an issue with AWX. More like TLS inspection.

Can you run the following command from the host where AWX is deployed?

openssl s_client -connect github.com:443

and paste the results here?

marek1712, Jan 16 '24 20:01

Here it is:

```
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Mar 14 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Apr 14 00:00:00 2021 GMT; NotAfter: Apr 13 23:59:59 2031 GMT
---
Server certificate
[PEM certificate block omitted]
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2806 bytes and written 376 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 8BB47855685183052DE6CAD36E8114852B7FA1FAEBB5964577EE520FBFACC36F
    Session-ID-ctx:
    Resumption PSK: 4504C0FC41724A0E6F8F8BD21233FC57F4DEF9BFD0EC959C65311EBE0BF8B2B7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - fd e9 e5 b3 3f 83 69 6d-dc 08 7b b0 ff 99 6f a6   ....?.im..{...o.
    0010 - 82 52 ea 7b d2 59 1b 4c-1e 07 1f 16 12 a8 53 09   .R.{.Y.L......S.

    Start Time: 1705518965
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 0A89BA2EEEA492BD099B7A346705E408ED72EFB5116803BB96623BDBD73AE183
    Session-ID-ctx:
    Resumption PSK: 7EA1C8DAD8B3880B6A6422E179BF070567D76CEF7A8D43A61C7FC5C5B1AC5845
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 1b 26 6c 39 18 d9 fc 86-d0 94 9e 7b a7 10 28 61   .&l9.......{..(a
    0010 - 05 fd 88 89 a1 67 fd 1b-13 df cd 90 a9 50 4b e7   .....g.......PK.

    Start Time: 1705518965
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
```

Gibonnn, Jan 17 '24 19:01

Sorry, the formatting gets broken even when using the code block.

Gibonnn, Jan 17 '24 19:01

Hi @Gibonnn,

You can use gist.github.com for pastes. With respect to the SSL issue, there are a number of system/network configurations that might produce this problem that are not directly related to AWX.

For example, using third-party DNS servers: https://stackoverflow.com/questions/23231788/ssl-error-certificate-subject-name-does-not-match-target-host-for-github-com

Proxy servers and caches: https://github.com/k3s-io/k3s/issues/7680

dmzoneill, Jan 25 '24 14:01
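As an added illustration of the check behind that error (not code from the AWX project or from either commenter): the subjectAltName matching that git/curl perform, run over constructed SAN lists, plus a helper that pulls the leaf certificate the AWX host actually receives so its names and issuer can be compared against the DigiCert chain in the openssl output above, which is the same evidence the DNS and proxy causes mentioned here would change. The sample lists and the name proxy.corp.example are constructed values.

```python
import socket
import ssl

# Constructed sample: the two DNS names carried by the github.com leaf
# certificate shown in the openssl output above.
GITHUB_SANS = [("DNS", "github.com"), ("DNS", "www.github.com")]
# Constructed sample: the kind of name a TLS-inspecting proxy or a hijacked
# DNS answer hands back instead (hypothetical host name).
INTERCEPT_SANS = [("DNS", "proxy.corp.example")]


def san_matches(hostname, sans):
    """Name check as curl/git apply it (RFC 6125 style): exact DNS match, or a
    leading '*' covering exactly one label, so '*.github.com' matches
    'api.github.com' but neither 'github.com' nor 'a.b.github.com'."""
    host = hostname.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.count(".") == pattern.count("."):
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def diagnose(hostname, sans, issuer):
    """Render the verdict git would reach for this leaf certificate."""
    if san_matches(hostname, sans):
        return f"OK: certificate is valid for {hostname} (issuer: {issuer})"
    names = ", ".join(v for k, v in sans if k == "DNS") or "<none>"
    return (f"MISMATCH: no alternative certificate subject name matches target "
            f"host name '{hostname}'; cert names: {names}; issuer: {issuer}")


def fetch_peer_cert(hostname, port=443):
    """Live check (needs network): (subjectAltName, issuer CN) of the leaf cert
    this host really receives. Hostname checking is off so a mismatching cert
    comes back for inspection; chain validation stays on (untrusted CA raises)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return list(cert.get("subjectAltName", ())), issuer.get("commonName", "?")
```

Run `diagnose("github.com", *fetch_peer_cert("github.com"))` from the AWX pod or node: an issuer that is not DigiCert, or a name list without github.com, points at interception or a wrong DNS answer rather than at AWX.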