workaround failure of get_url on python 2.7.6 hosts

golang.org download URLs do not serve the correct TLS certificate unless TLS SNI is used. The TLS client in Python 2.7.6 doesn't support TLS SNI and so reports an certificate validation error. Fortunately, the golang.org URL is actually a redirect to a different URL which does export the correct certificate even without SNI. This change adjusts the specified download URL to take account of which version of python is installed on the host by fallowing the redirect with curl, defaulting to the original URL if this process does not work for some reason. Signed-off-by: Jon Seymour <[email protected]>
jlund · Mar 19, 2016 · 7a60870 · 7a60870
1 parent 3b47945
commit 7a60870
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/files/resolve-redirect.sh b/files/resolve-redirect.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+PYTHON_VERSION=$1
+URL=$2
+
+# golang URLs are behind a redirect that requires clients
+# that support TLS SNI which Python 2.7.6 found on
+# most Ubuntu 14.04 installations does not support.
+# get_url will fail if executed against the original URL
+# but will succeed with the final URL
+
+test "$PYTHON_VERSION" "<" "2.7.9" &&
+url=$(curl -s -I "$URL" | sed -n "s/Location: //p") &&
+test -n "$url" &&
+URL="$url"; echo "$URL"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,6 +1,10 @@
 ---
+- name: Resolve redirect early for Python < 2.7.9
+ script: files/resolve-redirect.sh {{ ansible_python_version }} {{ go_download_location }}
+ register: go_download_location_adjusted
+
 - name: Download the Go tarball
- get_url: url={{ go_download_location }}
+ get_url: url={{ go_download_location_adjusted.stdout }}
  dest=/usr/local/src/{{ go_tarball }}
  sha256sum={{ go_tarball_checksum }}
 

diff --git a/vars/main.yml b/vars/main.yml
@@ -1,2 +1,2 @@
 ---
-go_download_location: "https://storage.googleapis.com/golang/{{ go_tarball }}"
+go_download_location: "https://golang.org/dl/{{ go_tarball }}"