From f7c40fb71668c5cd0715220e7f95acbd798b66ca Mon Sep 17 00:00:00 2001 From: Zach Huntington-Meath Date: Wed, 8 Jul 2026 15:21:13 -0400 Subject: [PATCH] Use dnf module with allow_downgrade for openssl EL9 workaround Swap the task order: downgrade first using ansible.builtin.dnf with allow_downgrade, then set excludepkgs to prevent update_os_packages from pulling 3.5.7-1 back in. The previous order failed because the excludes blocked depsolve during the downgrade. Tested on a CentOS 9 Stream box with openssl 3.5.7-1 installed. Co-Authored-By: Claude Opus 4.6 --- roles/vagrant_workarounds/tasks/main.yml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/roles/vagrant_workarounds/tasks/main.yml b/roles/vagrant_workarounds/tasks/main.yml index bcbfd13b9..c14bc6751 100644 --- a/roles/vagrant_workarounds/tasks/main.yml +++ b/roles/vagrant_workarounds/tasks/main.yml @@ -15,6 +15,15 @@ - ansible_facts['os_family'] == 'Debian' # workaround for https://issues.redhat.com/browse/RHEL-192424 +- name: force downgrade to openssl-3.5.5-3.el9 + ansible.builtin.dnf: + name: openssl-3.5.5-3.el9 + state: present + allow_downgrade: true + when: + - ansible_facts['os_family'] == 'RedHat' + - ansible_facts['distribution_major_version'] == '9' + - name: don't install broken openssl on EL9 community.general.ini_file: path: /etc/dnf/dnf.conf @@ -24,14 +33,3 @@ when: - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] == '9' - -- name: force downgrade to openssl-3.5.5-3.el9 - ansible.builtin.package: - name: - - openssl-3.5.5-3.el9 - - openssl-libs-3.5.5-3.el9 - - openssl-fips-provider-3.5.5-3.el9 - state: present - when: - - ansible_facts['os_family'] == 'RedHat' - - ansible_facts['distribution_major_version'] == '9'