Failed to validate the SSL certificate for github.com

johnmathe · March 9, 2018, 1:52pm

I’m trying to run the command as root:
python /home/john/install.py --production --user frappe

The script exits with status 2 and the following error:

PLAY RECAP ***********************************************************************
localhost                  : ok=32   changed=5    unreachable=0    failed=1

Traceback (most recent call last):
  File "/home/john/install.py", line 387, in <module>
    install_bench(args)
  File "/home/john/install.py", line 109, in install_bench
    run_playbook('site.yml', sudo=True, extra_vars=extra_vars)
  File "/home/john/install.py", line 325, in run_playbook
    success = subprocess.check_call(args, cwd=os.path.join(cwd, 'playbooks'))
  File "/usr/lib/python2.7/subprocess.py", line 186, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['ansible-playbook', '-c', 'local', 'site.yml', '-e', '@/tmp/extra_vars.json', '--become', '--become-user=frappe']' returned non-zero exit status 2

The failure seems to be at this stage:

TASK [wkhtmltopdf : download wkthmltox linux] ************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for github.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: (\"bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert protocol version')],)\",)."}

Appreciate any help regarding this install

tomtom5152 · March 9, 2018, 2:43pm

Having just checked with GH Status and tried a local clone, it would appear to be a local issue. Sadly I’m too new to know the install process properly on how to suggest a fix, but until some better advice comes along might I suggest trying to run curl https://github.com/tcort/wkhtmltox to see if that gives the same error. If it does its likely to be a problem with the installed certificate authorities, and you need to look at your linux distro for info on how to fix that.

johnmathe · March 10, 2018, 8:27am

You are right. This is an issue outside erpnext. I think this has to do with anisible and the way it uses urllib3 package.
Also, I was trying with python 3. I realised that the migration to v3 has not yet happened for ERPNext

Thanks for your quick reply @tomtom5152

ppwicho · March 23, 2018, 7:58pm

Change on the installation script the ansible version to pip install ansible==2.5.0 and that fix the problem with the CA certificate.