Adding Internal CA SSL chains to Ansible AWX

I’m currently in the process of integrating my HobbitCloud machines into Ansible AWX. After creating an inventory, establishing my groups and adding my hosts, I began to create an SCM-based project that connects to my internal GitLab server. Unfortunately, I ran straight into an error.

Not what I had in mind

It’s pretty clear it doesn’t like the SSL certificate I’ve chosen to secure my GitLab server with. Whilst it was issued from the same certificate authority as my AWX server certificate, the full chain has not been applied to the Ansible AWX installation.

However, copying the full chain onto the AWX host is not enough, because AWX itself runs in Docker containers. The solution is to push it directly into the awx_task container.

To do this, list the Docker containers on your AWX server using:

docker ps

Note the container ID of the awx_task container:

Next, copy your full SSL chain to the container:

docker cp chain.pem 6fe4edceb452:/chain.pem

Move inside the container, bringing up a Bash terminal:

docker exec -it 6fe4edceb452 /bin/bash

Copy the chain to the correct folder:

mv chain.pem /etc/pki/ca-trust/source/anchors/

Finally, update the SSL trust anchors:

update-ca-trust extract

That’s it!

Update: one of my readers has commented it would be better to make this solution persistent, to which I fully agree.

To do this, edit your inventory file and uncomment the following line:

ca_trust_dir=/etc/pki/ca-trust/source/anchors

Re-run the installer using the following to make the changes persistent:

ansible-playbook -i inventory install.yml
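The manual steps above, wrapped into a script as an added example (not from the original post): it looks up the awx_task container by name instead of a hard-coded ID, refuses a "chain" that holds fewer than two certificates, installs it into the trust anchors, and then verifies from inside the container with the same git-over-HTTPS call an SCM sync makes. It assumes the container is named awx_task (the docker-compose default) and that the URL passed in is the GitLab repository the project points at.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of AWX itself.
# Assumes the awx_task container is named "awx_task" and that git is present
# in it (it is, since the SCM sync runs there).
set -euo pipefail

# Count the certificates in a PEM bundle. A full chain for a private CA
# should contain at least the intermediate and the root (>= 2 blocks).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Resolve the container ID by name rather than copying it from `docker ps`.
awx_task_id() {
    docker ps --filter "name=$1" --format '{{.ID}}' | head -n 1
}

# install_chain <chain.pem> <https repo url> [container name]
install_chain() {
    local chain="$1" repo_url="$2" cname="${3:-awx_task}"
    local n cid
    n=$(count_pem_certs "$chain")
    if [ "$n" -lt 2 ]; then
        echo "error: $chain holds $n certificate(s); expected the full chain" >&2
        return 1
    fi
    cid=$(awx_task_id "$cname")
    if [ -z "$cid" ]; then
        echo "error: no running container matching '$cname'" >&2
        return 1
    fi
    # Same as the post's docker cp + mv, but straight into the anchors dir.
    docker cp "$chain" "$cid:/etc/pki/ca-trust/source/anchors/$(basename "$chain")"
    docker exec "$cid" update-ca-trust extract
    # Verify the way AWX will use it: a git fetch over HTTPS from inside the container.
    docker exec "$cid" git ls-remote "$repo_url" HEAD >/dev/null
    echo "ok: $cid now trusts $repo_url"
    echo "note: this is lost when the container is recreated; set ca_trust_dir in the inventory to persist it" >&2
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    install_chain "$@"
fi
```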

8 thoughts on “Adding Internal CA SSL chains to Ansible AWX”

  1. Nice one. However, it might be better to do this persistently? Perhaps create docker volume that would be mounted into /etc/pki/ca-trust/source/anchors/ in the container, and add it to docker-compose file. Makes it easier to maintain containers. Should you need to get them down for any reason and restart later, the change would persist.

  2. Cheers, this helped me with a problem, but just let the inventory build import the files into the web container rather than go into the docker container manually

  3. I am having an issue with Ansible AWX not working with Secure LDAP (LDAPS), and now integration with OKTA, and it may have something to do with the NGINX that I am using in front of AWX. I made the front-end SSL secure and am then passing to port 9080 for the backend. I believe I need to make AWX secure via SSL, not a frontend. Can I add the lines to the install file with the variable file and re-run the install and all will be good? I plan to upgrade from 15.0.1 to 17.0.1, just do it then?

    • I would make the change and do the upgrade in two different parts. Otherwise, if it breaks, you won’t know which caused it.

      All you need to do is add your cert and key to the ssl_certificate and ssl_certificate_key lines and then re-run the installer (ansible-playbook -i inventory install.yml).

      If successful I would then plan the upgrade.

  4. Hi, thanks for the tutorial. However, we are using AWX with Kubernetes and Execution Environments. When I start a job template I get SSL error “certificate verify failed: self signed certificate in certificate chain” when connecting to the servers. The certificate is signed by a custom CA. Root and Custom CA chain are stored in the Execution Environments, but SSL does not work. Does anyone know if I need root and custom CA also in awx-task and awx-web container to use SSL in job templates?