Ansible 'urlopen error' Fix: SSL, Proxy & Network Connection Issues

By Luca Berton · Published 2024-01-01 · Category: installation

Fix Ansible urlopen error for SSL certificate failures, proxy issues, DNS resolution, and network timeouts.

Introduction

Today we're going to talk about Ansible troubleshooting, specifically the urlopen error. I'm Luca Berton and welcome to today's episode of Ansible Pilot.

Playbook

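The best way to talk about Ansible troubleshooting is to jump into a live playbook that shows the urlopen error in practice and how to solve it. In the example below the server variable is mistyped as reqres.it, so name resolution fails; the fix corrects it to reqres.in.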

error code

• urlopen_error.yml
---
- name: uri module Playbook
  hosts: all
  become: false
  vars:
    server: "https://reqres.it"
    endpoint: "/api/users?page=2"
  tasks:
    - name: list users
      ansible.builtin.uri:
        url: "{{ server }}{{ endpoint }}"
        method: GET
        status_code: 200
        timeout: 30
      register: result

    - name: debug
      ansible.builtin.debug:
        var: result.json.data

error execution

$ ansible-playbook -i virtualmachines/demo/inventory troubleshooting/urlopen_error.yml
PLAY [uri module Playbook] *********************************************************
TASK [Gathering Facts] *********************************************************
ok: [demo.example.com]
TASK [list users] **************************************************************
fatal: [demo.example.com]: FAILED! => {"changed": false, "elapsed": 15, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno -2] Name or service not known>", "redirected": false, "status": -1, "url": "https://reqres.it/api/users?page=2"}
PLAY RECAP *********************************************************************
demo.example.com           : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

fix code

• urlopen_fix.yml
---
- name: uri module Playbook
  hosts: all
  become: false
  vars:
    server: "https://reqres.in"
    endpoint: "/api/users?page=2"
  tasks:
    - name: list users
      ansible.builtin.uri:
        url: "{{ server }}{{ endpoint }}"
        method: GET
        status_code: 200
        timeout: 30
      register: result

    - name: debug
      ansible.builtin.debug:
        var: result.json.data

fix execution

$ ansible-playbook -i virtualmachines/demo/inventory troubleshooting/urlopen_fix.yml
PLAY [uri module Playbook] ****************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [list users] *********************************************************************************
ok: [demo.example.com]
TASK [debug] **************************************************************************************
ok: [demo.example.com] => {
    "result.json.data": [
        {
            "avatar": "https://reqres.in/img/faces/7-image.jpg",
            "email": "michael.lawson@reqres.in",
            "first_name": "Michael",
            "id": 7,
            "last_name": "Lawson"
        },
        {
            "avatar": "https://reqres.in/img/faces/8-image.jpg",
            "email": "lindsay.ferguson@reqres.in",
            "first_name": "Lindsay",
            "id": 8,
            "last_name": "Ferguson"
        },
        {
            "avatar": "https://reqres.in/img/faces/9-image.jpg",
            "email": "tobias.funke@reqres.in",
            "first_name": "Tobias",
            "id": 9,
            "last_name": "Funke"
        },
        {
            "avatar": "https://reqres.in/img/faces/10-image.jpg",
            "email": "byron.fields@reqres.in",
            "first_name": "Byron",
            "id": 10,
            "last_name": "Fields"
        },
        {
            "avatar": "https://reqres.in/img/faces/11-image.jpg",
            "email": "george.edwards@reqres.in",
            "first_name": "George",
            "id": 11,
            "last_name": "Edwards"
        },
        {
            "avatar": "https://reqres.in/img/faces/12-image.jpg",
            "email": "rachel.howell@reqres.in",
            "first_name": "Rachel",
            "id": 12,
            "last_name": "Howell"
        }
    ]
}
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Conclusion

Now you know better how to troubleshoot the Ansible urlopen error and solve it!

Common urlopen Errors

Connection refused

- name: Test URL first
  ansible.builtin.uri:
    url: https://example.com
    method: HEAD
    timeout: 10
  register: url_check
  ignore_errors: true

- name: Download if reachable
  ansible.builtin.get_url:
    url: https://example.com/file.tar.gz
    dest: /tmp/file.tar.gz
  when: url_check is succeeded

SSL certificate verify failed

# Fix 1: Update CA certs
- ansible.builtin.package:
    name: ca-certificates
    state: latest
  become: true

# Fix 2: Skip validation (testing only)
- ansible.builtin.get_url:
    url: https://example.com/file.tar.gz
    dest: /tmp/file.tar.gz
    validate_certs: false

Timeout

- ansible.builtin.get_url:
    url: https://slow-server.com/large.iso
    dest: /tmp/file.iso
    timeout: 300
  retries: 3
  delay: 15
  register: download
  until: download is succeeded

DNS resolution failed

- ansible.builtin.command: nslookup example.com
  register: dns_check
  changed_when: false
  ignore_errors: true

Proxy Configuration

Per-task proxy

- ansible.builtin.get_url:
    url: https://example.com/file.tar.gz
    dest: /tmp/file.tar.gz
  environment:
    http_proxy: http://proxy.corp.com:3128
    https_proxy: http://proxy.corp.com:3128
    no_proxy: "localhost,127.0.0.1,.internal.com"

Play-level proxy

- hosts: all
  environment:
    http_proxy: "{{ corporate_proxy }}"
    https_proxy: "{{ corporate_proxy }}"
  tasks:
    - ansible.builtin.get_url:
        url: https://example.com/file.tar.gz
        dest: /tmp/

Affected Modules

| Module | Network Usage |
|--------|---------------|
| get_url | Download files |
| uri | HTTP requests |
| pip | PyPI packages |
| apt/yum | Package repos |
| git | Clone repos |

FAQ

Why does curl work but Ansible doesn't?

Ansible uses Python's urllib, which may have different SSL/proxy settings than system curl. Update ca-certificates and python3-certifi.

How do I debug network issues?

ansible-playbook site.yml -vvvv

Common urlopen Errors

| Error | Cause |
|-------|-------|
| urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] | SSL cert issue |
| urlopen error [Errno -2] Name does not resolve | DNS failure |
| urlopen error [Errno 110] Connection timed out | Network/firewall |
| urlopen error [Errno 111] Connection refused | Service not running |
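The table above maps urlopen messages to causes. The added example below (not part of the original article) applies that mapping to `fatal:` lines from ansible-playbook output, such as the one in the error execution section, and reports the host, URL and a first check. The `triage` function, the hosts other than demo.example.com and the wording of the checks are assumptions of this example.

```python
import json
import re

# Constructed sample of ansible-playbook output. The first fatal line is the one
# shown on this page; the other hosts and results are made up for the example.
SAMPLE = '''\
ok: [demo.example.com]
fatal: [demo.example.com]: FAILED! => {"changed": false, "elapsed": 15, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno -2] Name or service not known>", "redirected": false, "status": -1, "url": "https://reqres.it/api/users?page=2"}
fatal: [web02.example.com]: FAILED! => {"changed": false, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed>", "status": -1, "url": "https://internal-server.corp.com/api"}
fatal: [web03.example.com]: FAILED! => {"changed": false, "msg": "Status code was 404 and not [200]: HTTP Error 404: Not Found", "status": 404, "url": "https://example.com/missing"}
'''

# (pattern, cause, first check) for the errors in the table above. The wording
# of the checks is this example's, drawn from the fixes described on this page.
RULES = [
    (r"CERTIFICATE_VERIFY_FAILED", "tls", "install the issuing CA or set ca_path"),
    (r"\[Errno -2\]|Name (or service not known|does not resolve)", "dns",
     "check the hostname for typos, then the target's resolver"),
    (r"\[Errno 110\]|timed out", "timeout", "check firewall and proxy settings"),
    (r"\[Errno 111\]|Connection refused", "refused", "confirm the service is up"),
]
FATAL = re.compile(r"^fatal: \[(?P<host>[^\]]+)\]: FAILED! => (?P<body>\{.*\})\s*$")
URLOPEN = re.compile(r"<urlopen error (?P<detail>.*?)>")


def triage(output):
    """Return one finding per fatal line whose msg carries a urlopen error."""
    findings = []
    for line in output.splitlines():
        m = FATAL.match(line)
        if not m:
            continue
        try:
            result = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # multi-line or truncated result: skip rather than guess
        err = URLOPEN.search(str(result.get("msg", "")))
        if not err:
            continue  # failed for another reason, e.g. an HTTP 404
        detail = err.group("detail")
        cause, check = next(((c, k) for rx, c, k in RULES if re.search(rx, detail)),
                            ("unknown", "rerun with -vvvv"))
        findings.append({"host": m.group("host"), "url": result.get("url"),
                         "cause": cause, "detail": detail, "check": check})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["host"], f["cause"], f["url"], "->", f["check"])
```

Reporting the URL next to the cause makes a mistyped hostname like the one in the error playbook visible without rerunning the play.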

Fix SSL Certificate Errors

# Option 1: Disable SSL verification (dev only!)
- ansible.builtin.uri:
    url: https://internal-server.corp.com/api
    validate_certs: false

- ansible.builtin.get_url:
    url: https://releases.example.com/app.tar.gz
    dest: /tmp/app.tar.gz
    validate_certs: false

# Option 2: Provide custom CA certificate
- ansible.builtin.uri:
    url: https://internal-server.corp.com/api
    ca_path: /etc/ssl/certs/corporate-ca.crt

Fix Proxy Issues

# Set proxy per task
- ansible.builtin.get_url:
    url: https://releases.example.com/app.tar.gz
    dest: /tmp/
  environment:
    http_proxy: http://proxy.corp.com:3128
    https_proxy: http://proxy.corp.com:3128
    no_proxy: "localhost,127.0.0.1,.internal.com"

# Set proxy for entire play
- hosts: all
  environment:
    http_proxy: "{{ corporate_proxy }}"
    https_proxy: "{{ corporate_proxy }}"

Fix DNS Resolution

# Check DNS
- command: nslookup releases.example.com
  register: dns_check
  changed_when: false
  ignore_errors: true

# Add to /etc/hosts as workaround
- ansible.builtin.lineinfile:
    path: /etc/hosts
    line: "10.0.1.50 internal-repo.corp.com"
  become: true

Fix pip Module urlopen Errors

# pip with trusted hosts (skips SSL verification for those hosts)
- ansible.builtin.pip:
    name: flask
    extra_args: "--trusted-host pypi.org --trusted-host files.pythonhosted.org"

# pip with proxy
- ansible.builtin.pip:
    name: flask
    extra_args: "--proxy http://proxy.corp.com:3128"

# pip with custom index
- ansible.builtin.pip:
    name: flask
    extra_args: "-i https://internal-pypi.corp.com/simple/"

Fix ansible-galaxy urlopen Errors

# Ignore SSL certs
ansible-galaxy collection install community.general --ignore-certs

# Use proxy
export HTTPS_PROXY=http://proxy.corp.com:3128
ansible-galaxy collection install community.general

Fix Timeout Issues

- ansible.builtin.uri:
    url: https://slow-api.example.com/data
    timeout: 60  # Default is 30 seconds

- ansible.builtin.get_url:
    url: https://releases.example.com/big-file.tar.gz
    dest: /tmp/
    timeout: 300  # 5 minutes for large downloads

Debugging

# Test from remote host
ansible myhost -m command -a "curl -v https://releases.example.com/test"
ansible myhost -m command -a "python3 -c 'import urllib.request; urllib.request.urlopen(\"https://example.com\")'"

# Check SSL
ansible myhost -m command -a "openssl s_client -connect releases.example.com:443 -brief"

FAQ

Why does it work from controller but fail on remote?

The remote host may have different DNS, proxy settings, CA certificates, or firewall rules. Debug from the remote host directly.

How do I update CA certificates on remote?

- apt: name=ca-certificates state=latest
  become: true
- command: update-ca-certificates
  become: true

"CERTIFICATE_VERIFY_FAILED" with internal servers?

Install your organization's CA certificate:

- copy:
    src: corporate-ca.crt
    dest: /usr/local/share/ca-certificates/
  become: true
- command: update-ca-certificates
  become: true
