search

ansible / galaxy

Legacy Galaxy still available as read-only on https://old-galaxy.ansible.com - looking for the new galaxy -> https://github.com/ansible/galaxy_ng
Apache License 2.0
854 stars 328 forks source link

Failure to download modules #3375

Closed RomansKrjukovs closed 4 months ago

RomansKrjukovs commented 4 months ago

Bug Report

SUMMARY

AWX project sync start to fail on attempts to download modules from Galaxy with following error:

{
  "changed": false,
  "stdout": "Starting galaxy collection install process\nProcess install dependency map\nStarting collection install process\nDownloading https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz to /var/lib/awx/projects/.__awx_cache/_8__ec2_CHANGED/stage/tmp/ansible-local-1383k0_g54zr/tmp8hksrvlp/community-mysql-3.9.0-1fch55y6",
  "stderr": "ERROR! Failed to download collection tar from 'server0' due to the following unforeseen error: HTTP Error 403: Forbidden. HTTP Error 403: Forbidden",
  "rc": 1,
  "cmd": [
    "ansible-galaxy",
    "collection",
    "install",
    "-r",
    "/var/lib/awx/projects/_8__ec2_CHANGED/collections/requirements.yml",
    "--collections-path",
    "/var/lib/awx/projects/.__awx_cache/_8__ec2_CHANGED/stage/requirements_collections"
  ],
  "start": "2024-07-08 14:29:13.046147",
  "end": "2024-07-08 14:29:14.894268",
  "delta": "0:00:01.848121",
  "msg": "non-zero return code",
  "invocation": {
    "module_args": {
      "chdir": "/var/lib/awx/projects/_8__ec2_CHANGED",
      "_raw_params": "ansible-galaxy collection install -r /var/lib/awx/projects/_8__ec2_CHANGED/collections/requirements.yml --collections-path /var/lib/awx/projects/.__awx_cache/_8__ec2_CHANGED/stage/requirements_collections \n",
      "_uses_shell": false,
      "stdin_add_newline": true,
      "strip_empty_ends": true,
      "argv": null,
      "executable": null,
      "creates": null,
      "removes": null,
      "stdin": null
    }
  },
  "stdout_lines": [
    "Starting galaxy collection install process",
    "Process install dependency map",
    "Starting collection install process",
    "Downloading https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz to /var/lib/awx/projects/.__awx_cache/_8__ec2_CHANGED/stage/tmp/ansible-local-1383k0_g54zr/tmp8hksrvlp/community-mysql-3.9.0-1fch55y6"
  ],
  "stderr_lines": [
    "ERROR! Failed to download collection tar from 'server0' due to the following unforeseen error: HTTP Error 403: Forbidden. HTTP Error 403: Forbidden"
  ],
  "_ansible_no_log": false,
  "item": "/var/lib/awx/projects/_8__ec2_CHANGED/collections/requirements.yml",
  "ansible_loop_var": "item",
  "_ansible_item_label": "/var/lib/awx/projects/_8__ec2_CHANGED/collections/requirements.yml"
}
STEPS TO REPRODUCE

To reproduce try to install mysql module from galaxy:

 % ANSIBLE_GALAXY_IGNORE=True ansible-galaxy collection install community.mysql                                              
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz to /Users/romans.krjukovs/.ansible/tmp/ansible-local-55743okab3g3f/tmpl9zk1s90/community-mysql-3.9.0-xkxw0yiu
ERROR! Failed to download collection tar from 'default': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>
EXPECTED RESULTS

Comunity module is successfully downloaded.

ACTUAL RESULTS

Fails to download module with an AWS S3 error of:

<Error><Code>InvalidAccessKeyId</Code><Message>The AWS Access Key Id you provided does not exist in our records.</Message><AWSAccessKeyId>AKIA5DPYWLYOGHQ73CV2</AWSAccessKeyId><RequestId>M0K3YH1GT0N13E47</RequestId><HostId>Ux0uRzNbJC5pPUcMqh2bNEwNib6BZrtW+9lVWXSjqiSgFp27foBBfzEJf2cIfh6yc4OGji90HbM=</HostId></Error>

Log:

 % ANSIBLE_GALAXY_IGNORE=True ansible-galaxy collection install community.mysql                                              
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz to /Users/romans.krjukovs/.ansible/tmp/ansible-local-55743okab3g3f/tmpl9zk1s90/community-mysql-3.9.0-xkxw0yiu
ERROR! Failed to download collection tar from 'default': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>
romans.krjukovs@MacBook-Pro-14-inch-2021-Xentral-X65RWXQQN3 ~/Xentral
 % curl -vvv -L https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz
* Host galaxy.ansible.com:443 was resolved.
* IPv6: (none)
* IPv4: 172.67.68.251, 104.26.0.234, 104.26.1.234
*   Trying 172.67.68.251:443...
* Connected to galaxy.ansible.com (172.67.68.251) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=ansible.com
*  start date: May 12 22:58:40 2024 GMT
*  expire date: Aug 10 22:58:39 2024 GMT
*  subjectAltName: host "galaxy.ansible.com" matched cert's "*.ansible.com"
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://galaxy.ansible.com/api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: galaxy.ansible.com]
* [HTTP/2] [1] [:path: /api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET /api/v3/plugin/ansible/content/published/collections/artifacts/community-mysql-3.9.0.tar.gz HTTP/2
> Host: galaxy.ansible.com
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/2 302 
< date: Mon, 08 Jul 2024 14:56:03 GMT
< content-type: text/html; charset=utf-8
< location: https://galaxy.ansible.com/api/pulp/content/published/community-mysql-3.9.0.tar.gz?expires=1720454163&validate_token=9c7a14efeae3095cf730704523b45b7be4ab1ee730047f6a05decc526ed0f7b3:3b853bdbb85ab0a4a15e1bc97248a398181fa79da7327df612e35d5b7fd29d58
< vary: Accept, Accept-Language, Cookie
< allow: GET, HEAD, OPTIONS
< correlation-id: 17bf215ca182489b85963213aa3e318a
< access-control-expose-headers: Correlation-ID
< content-language: en-us
< x-frame-options: DENY
< x-content-type-options: nosniff
< referrer-policy: same-origin
< cross-origin-opener-policy: same-origin
< cf-cache-status: BYPASS
< set-cookie: 5ceea3ad3c3a60af203c126b07e8ab00=43ce49a450b05aec5a1a0eed6c74e7ba; path=/; HttpOnly; Secure; SameSite=None
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vZp69ytWAPdU7fFsi0RPX09H5FkecEIWmvQKibkTjHdDmeHLiXV%2BOvo35YQnlw4VC7F%2FdB6rBi5D3YKJbZ2%2FX1plyKrrvFnlRS7L3gXzixGSJ3OOJ3hVzLE2WZzcsOhXmL73NQ%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8a00eb33584fa8a2-RIX
< 
* Ignoring the response-body
* Connection #0 to host galaxy.ansible.com left intact
* Issue another request to this URL: 'https://galaxy.ansible.com/api/pulp/content/published/community-mysql-3.9.0.tar.gz?expires=1720454163&validate_token=9c7a14efeae3095cf730704523b45b7be4ab1ee730047f6a05decc526ed0f7b3:3b853bdbb85ab0a4a15e1bc97248a398181fa79da7327df612e35d5b7fd29d58'
* Found bundle for host: 0x600000c24960 [can multiplex]
* Re-using existing connection with host galaxy.ansible.com
* [HTTP/2] [3] OPENED stream for https://galaxy.ansible.com/api/pulp/content/published/community-mysql-3.9.0.tar.gz?expires=1720454163&validate_token=9c7a14efeae3095cf730704523b45b7be4ab1ee730047f6a05decc526ed0f7b3:3b853bdbb85ab0a4a15e1bc97248a398181fa79da7327df612e35d5b7fd29d58
* [HTTP/2] [3] [:method: GET]
* [HTTP/2] [3] [:scheme: https]
* [HTTP/2] [3] [:authority: galaxy.ansible.com]
* [HTTP/2] [3] [:path: /api/pulp/content/published/community-mysql-3.9.0.tar.gz?expires=1720454163&validate_token=9c7a14efeae3095cf730704523b45b7be4ab1ee730047f6a05decc526ed0f7b3:3b853bdbb85ab0a4a15e1bc97248a398181fa79da7327df612e35d5b7fd29d58]
* [HTTP/2] [3] [user-agent: curl/8.6.0]
* [HTTP/2] [3] [accept: */*]
> GET /api/pulp/content/published/community-mysql-3.9.0.tar.gz?expires=1720454163&validate_token=9c7a14efeae3095cf730704523b45b7be4ab1ee730047f6a05decc526ed0f7b3:3b853bdbb85ab0a4a15e1bc97248a398181fa79da7327df612e35d5b7fd29d58 HTTP/2
> Host: galaxy.ansible.com
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/2 302 
< date: Mon, 08 Jul 2024 14:56:03 GMT
< content-type: text/plain; charset=utf-8
< content-length: 10
< location: https://ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com/artifact/78/516b7245a627102da22c9935a16826995f7827feb2cd3afcf203eb96266257?response-content-disposition=attachment%3Bfilename%3Dcommunity-mysql-3.9.0.tar.gz&response-content-type=application%2Fgzip&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5DPYWLYOGHQ73CV2%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T145603Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=0f93e87101150f88cf49cdc7e743aa0ca15f53f7c0ee37c1f74fd1ecbb8f13ad
< cf-cache-status: BYPASS
< set-cookie: 5ceea3ad3c3a60af203c126b07e8ab00=43ce49a450b05aec5a1a0eed6c74e7ba; path=/; HttpOnly; Secure; SameSite=None
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JeXwhyU%2BjvxGglhvT4pCiVfOXzymZZRwNaZbG%2FPTe%2BFYtjYejWtS3e2sUTk7%2FKUo3DonF0UmhQQbPsZNZORcOao0IRDb3Pmzh2Mo9iVXEZtINgtX1f3YaXCJIo%2Bx0f9RKoFAxw%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8a00eb349a61a8a2-RIX
< 
* Ignoring the response-body
* Connection #0 to host galaxy.ansible.com left intact
* Issue another request to this URL: 'https://ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com/artifact/78/516b7245a627102da22c9935a16826995f7827feb2cd3afcf203eb96266257?response-content-disposition=attachment%3Bfilename%3Dcommunity-mysql-3.9.0.tar.gz&response-content-type=application%2Fgzip&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5DPYWLYOGHQ73CV2%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T145603Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=0f93e87101150f88cf49cdc7e743aa0ca15f53f7c0ee37c1f74fd1ecbb8f13ad'
* Host ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com:443 was resolved.
* IPv6: (none)
* IPv4: 52.216.152.136, 52.217.166.202, 52.216.249.96, 52.216.222.170, 54.231.198.186, 52.217.9.64, 52.217.235.122, 16.182.69.122
*   Trying 52.216.152.136:443...
* Connected to ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com (52.216.152.136) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=s3.amazonaws.com
*  start date: May 25 00:00:00 2024 GMT
*  expire date: May  2 23:59:59 2025 GMT
*  subjectAltName: host "ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com" matched cert's "*.s3.dualstack.us-east-1.amazonaws.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* using HTTP/1.x
> GET /artifact/78/516b7245a627102da22c9935a16826995f7827feb2cd3afcf203eb96266257?response-content-disposition=attachment%3Bfilename%3Dcommunity-mysql-3.9.0.tar.gz&response-content-type=application%2Fgzip&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5DPYWLYOGHQ73CV2%2F20240708%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240708T145603Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=0f93e87101150f88cf49cdc7e743aa0ca15f53f7c0ee37c1f74fd1ecbb8f13ad HTTP/1.1
> Host: ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< x-amz-request-id: M0K3YH1GT0N13E47
< x-amz-id-2: Ux0uRzNbJC5pPUcMqh2bNEwNib6BZrtW+9lVWXSjqiSgFp27foBBfzEJf2cIfh6yc4OGji90HbM=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Mon, 08 Jul 2024 14:56:03 GMT
< Server: AmazonS3
< 
<?xml version="1.0" encoding="UTF-8"?>
* Leftovers after chunking: 12 bytes
* Connection #1 to host ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com left intact
<Error><Code>InvalidAccessKeyId</Code><Message>The AWS Access Key Id you provided does not exist in our records.</Message><AWSAccessKeyId>AKIA5DPYWLYOGHQ73CV2</AWSAccessKeyId><RequestId>M0K3YH1GT0N13E47</RequestId><HostId>Ux0uRzNbJC5pPUcMqh2bNEwNib6BZrtW+9lVWXSjqiSgFp27foBBfzEJf2cIfh6yc4OGji90HbM=</HostId></Error>%
bbethell-1 commented 4 months ago

Clone of https://github.com/ansible/galaxy/issues/3374

RomansKrjukovs commented 4 months ago

Closing as clone.