sensu / sensu-ansible

An Ansible role to deploy a fully dynamic Sensu stack!
https://ansible-sensu.readthedocs.io
MIT License

Ubuntu 14.04 - Fails to fetch ssl tar w/ docs rewrite #150

Closed jaredledvina closed 6 years ago

jaredledvina commented 6 years ago

See https://travis-ci.org/sensu/sensu-ansible/jobs/352856869#L898


TASK [role_under_test : Untar the ssl_certs tarball from sensuapp.org] *********
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to validate the SSL certificate for docs.sensu.io:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine  (the python executable used (/usr/bin/python) is version: 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]) or you can install the `urllib3`, `pyOpenSSL`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error."}
jaredledvina commented 6 years ago

Yeah, it's because of the SAN:

❯ echo | openssl s_client -showcerts -servername docs.sensu.io -connect docs.sensu.io:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:88:f7:66:4d:b2:6a:f5:72:a1:da:14:29:cc:db:55:90:42
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Mar 16 18:37:07 2018 GMT
            Not After : Jun 14 18:37:07 2018 GMT
        Subject: CN=docs-preview.sensuapp.com
........
            X509v3 Subject Alternative Name:
                DNS:docs-preview.sensuapp.com, DNS:docs-preview.sensuapp.org, DNS:docs.sensu.io, DNS:docs.sensuapp.com, DNS:docs.sensuapp.org
........
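The failure in the first comment and the certificate in this one are two halves of the same problem: the server only hands out the right certificate when the client sends the hostname via SNI (which Python 2.7.6's ssl module does not), and even then the requested name appears only in the Subject Alternative Name list, not the CN. The following is an added example, not code from the sensu-ansible role or from this issue. It reimplements the SAN-first hostname matching a modern TLS client performs, run against a certificate dict constructed here to mirror the openssl output above (in the shape ssl.SSLSocket.getpeercert() returns), and includes a live, network-dependent helper that does a verified handshake with SNI set. The function names and the constructed DOCS_CERT dict are assumptions for illustration.

```python
"""SAN-based hostname matching plus a live SNI handshake check.

Added example, not part of the sensu-ansible role or this issue. DOCS_CERT is
constructed from the openssl x509 output quoted in the issue: the CN is
docs-preview.sensuapp.com and docs.sensu.io appears only in the SAN list.
"""
import socket
import ssl

# Constructed to mirror ssl.SSLSocket.getpeercert() for the cert in the issue.
DOCS_CERT = {
    "subject": ((("commonName", "docs-preview.sensuapp.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "subjectAltName": (
        ("DNS", "docs-preview.sensuapp.com"),
        ("DNS", "docs-preview.sensuapp.org"),
        ("DNS", "docs.sensu.io"),
        ("DNS", "docs.sensuapp.com"),
        ("DNS", "docs.sensuapp.org"),
    ),
}


def _dns_name_match(pattern, hostname):
    """Match one DNS name pattern against a hostname, case-insensitively.

    A wildcard may only stand in for the entire left-most label (RFC 6125
    section 6.4.3) and needs at least two labels after it, so '*.sensu.io'
    matches 'docs.sensu.io' but not 'sensu.io', 'a.b.sensu.io' or '*.io'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_names(cert, hostname):
    """Return the certificate names that cover `hostname`.

    Mirrors a SAN-aware client: when the certificate carries any DNS
    subjectAltName entries, only those are consulted and the subject CN is
    ignored. The CN is consulted only for legacy certificates with no DNS SANs.
    """
    san_dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return [n for n in san_dns if _dns_name_match(n, hostname)]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n for n in cns if _dns_name_match(n, hostname)]


def hostname_ok(cert, hostname):
    """True if the certificate is valid for `hostname` under the rules above."""
    return bool(matching_names(cert, hostname))


def fetch_cert_with_sni(host, port=443, timeout=10):
    """Live check (needs network): do a verified TLS handshake with SNI set,
    the piece Python 2.7.6's ssl module lacks, and return the peer cert dict.

    create_default_context() verifies the chain against the system CA store
    and checks the hostname against the SAN list, like the logic above.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("docs.sensu.io", "sensuapp.org", "DOCS.SENSUAPP.ORG"):
        print(name, "->", matching_names(DOCS_CERT, name))
```

Note that a certificate whose CN matched docs.sensu.io but whose SAN list did not would still be rejected: once DNS SANs are present, the CN carries no weight, which is why the issue filed against sensu-docs asks for a certificate issued for the name actually being fetched.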
jaredledvina commented 6 years ago
❯ curl -I http://sensuapp.org/docs/1.2/files/sensu_ssl_tool.tar
HTTP/1.1 301 Moved Permanently
Date: Tue, 20 Mar 2018 03:37:33 GMT
Connection: keep-alive
Content-Type: text/html
Location: https://sensuapp.org/docs/1.2/files/sensu_ssl_tool.tar
Content-Length: 120
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: thin
Via: 1.1 vegur
jaredledvina commented 6 years ago

So far, no luck here; I'm either missing some dependency or getting an old version of whichever package is supposed to actually figure out the SNI logic. Instead, I opened up https://github.com/sensu/sensu-docs/issues/298 to see if we can issue the Let's Encrypt certificate directly for docs.sensu.io instead of docs-preview.sensu.io and avoid doing any of this altogether.

jaredledvina commented 6 years ago

https://github.com/sensu/sensu-ansible/pull/151 fixes this, going to merge and cut a release to close out this bug.

jaredledvina commented 6 years ago

Released in 2.4.0: https://github.com/sensu/sensu-ansible/releases/tag/2.4.0