Adding Internal CA SSL chains to Ansible AWX

I’m currently in the process of integrating my HobbitCloud machines into Ansible AWX. After creating an inventory, establishing my groups and adding my hosts, I began to create an SCM-based project that connects to my internal GitLab server. Unfortunately, I ran straight into an error.

[Screenshot of the project sync error, captioned: Not what I had in mind]

It’s pretty clear it doesn’t like the SSL certificate I’ve chosen to secure my GitLab server with. Whilst it was issued from the same certificate authority as my AWX server certificate, the full chain has not been applied to the Ansible AWX installation.

However, copying the full chain onto the AWX server itself is not enough, because AWX runs as a set of Docker containers and the project sync happens inside one of them. The fix is to push the chain directly into the awx_task container's trust store.

To do this, list the Docker containers on your AWX server using:

docker ps

Note the container ID of the awx_task container; in the commands that follow it is 6fe4edceb452, so substitute your own.

Next, copy your full SSL chain to the container:

docker cp chain.pem 6fe4edceb452:/chain.pem

Open a Bash shell inside the container:

docker exec -it 6fe4edceb452 /bin/bash

Move the chain into the trust anchors folder (docker cp placed it at /chain.pem, so use the absolute path in case the container's working directory is elsewhere):

mv /chain.pem /etc/pki/ca-trust/source/anchors/

Finally, update the SSL trust anchors:

update-ca-trust extract

That’s it!

Update: one of my readers has commented it would be better to make this solution persistent, to which I fully agree.

To do this, edit the installer's inventory file and uncomment the following line (the directory is on the AWX host and must contain your chain file; the installer mounts it into the containers' trust anchors folder):

ca_trust_dir=/etc/pki/ca-trust/source/anchors

Re-run the installer using the following to make the changes persistent:

ansible-playbook -i inventory install.yml

5 thoughts on “Adding Internal CA SSL chains to Ansible AWX”

  1. Nice one. However, it might be better to do this persistently? Perhaps create a Docker volume that would be mounted into /etc/pki/ca-trust/source/anchors/ in the container, and add it to the docker-compose file. Makes it easier to maintain containers. Should you need to take them down for any reason and restart later, the change would persist.

  2. Cheers, this helped me with a problem, but just let the inventory build import the files into the web container rather than go into the Docker container manually.
