ansible-galaxy collection install fails with error <urlopen error [SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)>
Environment
- Ansible Engine 2.9+
- RHEL 8.x
Issue
- Running the command ansible-galaxy collection install to install a collection from Ansible Galaxy fails with the error below:
    ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)>
Resolution
- Switch to the LEGACY policy by running the following commands as the root user, then reboot the system to apply the changes:
    # update-crypto-policies --show
    # update-crypto-policies --set LEGACY
    # reboot
- More information about the system-wide cryptographic policies can be found here
- Warning: Switching to the LEGACY policy level results in a less secure system and applications.
Root Cause
- The cause of the issue is most likely the FIPS policy being set to true due to internal compliance requirements.
- FIPS mode can be checked in the kernel (0 indicates disabled and 1 indicates enabled) by running the following commands:
    # cat /proc/sys/crypto/fips_enabled
    # sysctl crypto.fips_enabled
Diagnostic Steps
- Curl to galaxy.com returns the following error:
    curl: (35) error:141A3066:SSL routines:tls_process_ske_dhe:bad dh value
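The checks from Root Cause and Diagnostic Steps can be combined into one triage helper that confirms a host matches this article before its crypto policy is weakened. This is an added example, not part of the original solution; the function names and verdict labels are hypothetical, and the two sample strings are the error lines quoted in this article.

```shell
#!/bin/sh
# Added triage helper (not from the original article); names are hypothetical.

# Error lines quoted in this article, kept here for offline checks.
SAMPLE_GALAXY="<urlopen error [SSL: BAD_AUTHENTICATION_TYPE] bad dh value (_ssl.c:897)>"
SAMPLE_CURL="curl: (35) error:141A3066:SSL routines:tls_process_ske_dhe:bad dh value"

# Print the kernel FIPS flag (0 or 1), or "unknown" if it cannot be read.
# $1: flag file; defaults to the path the article checks.
fips_flag() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo unknown; fi
}

# Return 0 if captured client output carries the article's error signature.
# Covers both the ansible-galaxy (Python ssl) and the curl (OpenSSL) wording.
has_bad_dh() {
    printf '%s\n' "$1" |
        grep -Eq 'BAD_AUTHENTICATION_TYPE\] bad dh value|tls_process_ske_dhe:bad dh value'
}

# Combine both checks into a single verdict line.
# $1: captured client output  $2: FIPS flag file  $3: active policy name
triage() {
    fips=$(fips_flag "$2")
    policy="${3:-unknown}"
    if ! has_bad_dh "$1"; then
        echo "no-match fips=$fips policy=$policy"      # a different failure
    elif [ "$fips" = 1 ]; then
        echo "match-fips fips=$fips policy=$policy"    # the case this article describes
    else
        echo "match-other fips=$fips policy=$policy"   # same error, FIPS not enabled
    fi
}

# On a live host (needs network access and the RHEL crypto-policies tools):
#   triage "$(curl -sS https://galaxy.ansible.com/api/ 2>&1)" "" \
#          "$(update-crypto-policies --show)"
```

A `match-other` verdict means the error signature is present but the FIPS flag is 0, so the root cause given above is not confirmed for that host.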
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.