Adding Internal CA SSL chains to Ansible AWX

I’m currently in the process of integrating my HobbitCloud machines into Ansible AWX. After creating an inventory, establishing my groups and adding my hosts, I began to create an SCM-based project that connects to my internal GitLab server. Unfortunately, I ran straight into an error.

Not what I had in mind

It’s pretty clear it doesn’t like the SSL certificate I’ve chosen to secure my GitLab server with. Whilst it was issued from the same certificate authority as my AWX server certificate, the full chain has not been applied to the Ansible AWX installation.

However, copying the full chain to the correct server is not enough, as Ansible uses Docker containers. The solution is to push it directly into the awx_task container.

To do this, list the Docker containers on your AWX server using:

docker ps

Note the container ID of the awx_task container:

Next, copy your full SSL chain to the container:

docker cp chain.pem 6fe4edceb452:/chain.pem

Move inside the container, bringing up a Bash terminal:

docker exec -it 6fe4edceb452 /bin/bash

Copy the chain to the correct folder:

mv chain.pem /etc/pki/ca-trust/source/anchors/

Finally, update the SSL trust anchors:

update-ca-trust extract

That’s it!

Update: one of my readers has commented it would be better to make this solution persistent, to which I fully agree.

To do this, edit your inventory file and uncomment the following line:


Re-run the installer using the following to make the changes persistent:

ansible-playbook -i inventory install.yml

8 thoughts on “Adding Internal CA SSL chains to Ansible AWX

  1. Nice one. However, it might be better to do this persistently? Perhaps create docker volume that would be mounted into /etc/pki/ca-trust/source/anchors/ in the container, and add it to docker-compose file. Makes it easier to maintain containers. Should you need to get them down for any reason and restart later, the change would persist.


  2. cheers this helped me with a problem, but just let the inventory build import the files into the webcontainer rather then go into the docker container manually


  3. I am having an issue with Ansible AWX, not working with Secure LDAP (LDAPS) and now integration with OKTA, and it may have something to do with the NGINX, that I am using in front of AWX. I made the front-end SSL secure and then passing to port 9080 for the backend. I believe I need to make AWX Secure via SSL not a frontend, can I add the lines to the install file with the variable file and re-run the install and all will be good? I plan to upgrade from 15.0.1 to 17.0.1, just do it then?


    • I would make the change and do the upgrade in two different parts. Otherwise, if it breaks, you won’t know which caused it.

      All you need to do is add your cert and key to the following lines ssl_certificate and ssl_certificate_key lines and then re-run the installer again (ansible-playbook -i inventory install.yml).

      If successful I would then plan the upgrade.


  4. Hi, thanks for the tutorial. However, we are using AWX with Kubernetes and Execution Environments. When I start a job template I get SSL error “certificate verify failed: self signed certificate in certificate chain” when connecting to the servers. The certificate is signed by a custom CA. Root and Custom CA chain are stored in the Execution Environments, but SSL does not work. Does anyone know if I need root and custom CA also in awx-task and awx-web container to use SSL in job templates?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.