Skip to content

Commit 84a9caf

Browse files
lmicciniopenshift-cherrypick-robot
authored andcommitted
Workaround OpenSSL 3.5.x breaking Ansible url lookups
OpenSSL >= 3.5.6 introduced strict DER validation that rejects some real-world CA root certificates with non-standard encoding (openssl/openssl#25023). This causes Ansible 2.15's url lookup plugin to fail with "ASN1: NOT_ENOUGH_DATA" when load_verify_locations is called with DER-encoded cadata. Pin openssl to 3.5.5 until the issue is resolved upstream. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Luca Miccini <lmiccini@redhat.com>
1 parent 21dbd39 commit 84a9caf

1 file changed

Lines changed: 6 additions & 0 deletions

File tree

scripts/setup_molecule

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,12 @@ export PROJECT_DIR="$(dirname $(dirname $(readlink -f ${BASH_SOURCE[0]})))"
2525
# system ansible may be installed.
2626
export ANSIBLE_SKIP_CONFLICT_CHECK=1
2727

28+
# Workaround: OpenSSL >= 3.5.6 introduced strict DER validation that rejects
29+
# some real-world CA root certs (openssl/openssl#25023), breaking Ansible's
30+
# url lookup plugin. Pin to 3.5.5 until the issue is resolved upstream.
31+
# Remove this block once openssl/openssl#25023 is fixed.
32+
sudo dnf downgrade --allowerasing -y openssl-3.5.5 openssl-libs-3.5.5 2>/dev/null || true
33+
2834
PIP_INSTALL_ARGUMENTS="-U -r ${PROJECT_DIR}/test-requirements.txt"
2935
case ${USE_VENV-'yes'} in
3036
y|yes|true)

0 commit comments

Comments
 (0)