Unable to open shell error: take 2
Have you seen this error?
unable to open shell. Please see: https://docs.ansible.com/ansible/network_debug_troubleshooting.html#unable-to-open-shell
We’ve written previously about a few ways to handle the situation when MetroÆ hits a problem connecting to the VSC using the Ansible sros_command and sros_config modules. The other topic focuses on making sure that you have the correct versions of paramiko (2.2.1 or 2.4.1) and Ansible (2.4.0 as of this writing…) and on managing the socket files on disk. We are starting to see another manifestation of this error that has a different root cause and solution.
When we saw this instance of the ‘unable to open shell’ error, we first looked at the paramiko and Ansible versions. We messed with the socket files. Everything was fine. We then followed the instructions on the troubleshooting page, which basically amount to setting ANSIBLE_DEBUG=true in the environment, then re-running MetroÆ. The result is an incredibly verbose ansible.log file. Carefully parsing that file just above the error yielded the following:
2018-12-13 11:57:41,783 paramiko.transport Unknown exception: cannot import name certificate_transparency
2018-12-13 11:57:41,785 paramiko.transport Traceback (most recent call last):
2018-12-13 11:57:41,785 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1925, in run
2018-12-13 11:57:41,785 paramiko.transport self.kex_engine.parse_next(ptype, m)
2018-12-13 11:57:41,785 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/kex_gex.py", line 91, in parse_next
2018-12-13 11:57:41,785 paramiko.transport return self._parse_kexdh_gex_reply(m)
2018-12-13 11:57:41,785 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/kex_gex.py", line 263, in _parse_kexdh_gex_reply
2018-12-13 11:57:41,785 paramiko.transport self.transport._verify_key(host_key, sig)
2018-12-13 11:57:41,785 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1747, in _verify_key
2018-12-13 11:57:41,785 paramiko.transport key = self._key_info[self.host_key_type](Message(host_key))
2018-12-13 11:57:41,786 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/rsakey.py", line 62, in __init__
2018-12-13 11:57:41,786 paramiko.transport ).public_key(default_backend())
2018-12-13 11:57:41,786 paramiko.transport File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
2018-12-13 11:57:41,786 paramiko.transport from cryptography.hazmat.backends.openssl.backend import backend
2018-12-13 11:57:41,786 paramiko.transport File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in
2018-12-13 11:57:41,786 paramiko.transport from cryptography.hazmat.backends.openssl.backend import backend
2018-12-13 11:57:41,786 paramiko.transport File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 16, in
2018-12-13 11:57:41,786 paramiko.transport from cryptography import utils, x509
2018-12-13 11:57:41,786 paramiko.transport File "/usr/lib64/python2.7/site-packages/cryptography/x509/__init__.py", line 7, in
2018-12-13 11:57:41,786 paramiko.transport from cryptography.x509 import certificate_transparency
2018-12-13 11:57:41,786 paramiko.transport ImportError: cannot import name certificate_transparency
2018-12-13 11:57:41,786 paramiko.transport
2018-12-13 11:57:41,788 p=9657 u=root | connecting to host 10.10.62.117 returned an error
2018-12-13 11:57:41,788 p=9657 u=root | cannot import name certificate_transparency
It’s pretty clear that this is a paramiko error. And all that text boils down to this error:
cannot import name certificate_transparency
A quick search of the Internet for that error shows that, when this particular error is encountered, the Python cryptography library is often out of date. The recommended fix is to update the package:
sudo pip install --upgrade cryptography
What is outlined here is a specific fix for a specific occurrence, but it illustrates a general rule: paramiko errors are not handled well by paramiko and Ansible. When the generic “unable to open shell” appears, it seems the problem could be caused by a missing or out-of-date Python package that paramiko relies on. In such a case, enable ANSIBLE_DEBUG and parse the ansible.log.
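The log-parsing step can be scripted. The following is an added example, not part of the original post or of MetroÆ: it pulls each paramiko.transport traceback out of ansible.log text and reports the final exception plus the package that owns the deepest frame. The function names are hypothetical, and the embedded sample is constructed by abridging the excerpt above.

```python
import re

# Constructed sample: abridged from the ansible.log excerpt above.
SAMPLE_LOG = """\
2018-12-13 11:57:41,783 paramiko.transport Unknown exception: cannot import name certificate_transparency
2018-12-13 11:57:41,785 paramiko.transport Traceback (most recent call last):
2018-12-13 11:57:41,785 paramiko.transport   File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1925, in run
2018-12-13 11:57:41,785 paramiko.transport     self.kex_engine.parse_next(ptype, m)
2018-12-13 11:57:41,786 paramiko.transport   File "/usr/lib64/python2.7/site-packages/cryptography/x509/__init__.py", line 7, in <module>
2018-12-13 11:57:41,786 paramiko.transport     from cryptography.x509 import certificate_transparency
2018-12-13 11:57:41,786 paramiko.transport ImportError: cannot import name certificate_transparency
2018-12-13 11:57:41,786 paramiko.transport
2018-12-13 11:57:41,788 p=9657 u=root | connecting to host 10.10.62.117 returned an error
2018-12-13 11:57:41,788 p=9657 u=root | cannot import name certificate_transparency
"""

ENTRY = re.compile(r"^\S+ \S+ paramiko\.transport ?(.*)$")  # timestamp, logger, message
FRAME = re.compile(r'File "([^"]+)", line \d+')
PKG = re.compile(r"site-packages/([^/]+)")

def _summarise(block):
    """The last traceback line is the exception; the last frame is where it was raised."""
    frames = [f.group(1) for f in map(FRAME.search, block) if f]
    exc_type, _, detail = block[-1].partition(": ")
    pkg = PKG.search(frames[-1]) if frames else None
    return {"exception": exc_type, "detail": detail,
            "deepest_file": frames[-1] if frames else None,
            "package": pkg.group(1) if pkg else None}

def paramiko_root_causes(log_text):
    """Hypothetical helper: one dict per paramiko.transport traceback in the log text."""
    causes, block = [], None
    for line in log_text.splitlines() + [""]:  # sentinel flushes a trailing block
        m = ENTRY.match(line)
        msg = m.group(1).strip() if m else None  # None: not a paramiko.transport entry
        starts = msg is not None and msg.startswith("Traceback (most recent call last)")
        if block and (msg is None or starts):    # traceback ended or a new one begins
            causes.append(_summarise(block))
        if starts:
            block = []
        elif msg is None:
            block = None
        elif msg and block is not None:          # skip the empty trailing entry
            block.append(msg)
    return causes

if __name__ == "__main__":
    for cause in paramiko_root_causes(SAMPLE_LOG):
        print(cause)
```

The reported package is the one to inspect with pip when the exception is an ImportError, as in the cryptography case above.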