Adding Internal CA SSL chains to Ansible AWX

I’m currently in the process of integrating my HobbitCloud machines into Ansible AWX. After creating an inventory, establishing my groups and adding my hosts, I began to create an SCM-based project that connects to my internal GitLab server. Unfortunately, I ran straight into an error.

Not what I had in mind

It’s pretty clear it doesn’t like the SSL certificate I’ve chosen to secure my GitLab server with. Whilst it was issued from the same certificate authority as my AWX server certificate, the full chain has not been applied to the Ansible AWX installation.

However, copying the full chain to the correct server is not enough, as Ansible uses Docker containers. The solution is to push it directly into the awx_task container.

To do this, list the Docker containers on your AWX server using:

docker ps

Note the container ID of the awx_task container:

Next, copy your full SSL chain to the container:

docker cp chain.pem 6fe4edceb452:/chain.pem

Move inside the container, bringing up a Bash terminal:

docker exec -it 6fe4edceb452 /bin/bash

Copy the chain to the correct folder:

mv chain.pem /etc/pki/ca-trust/source/anchors/

Finally, update the SSL trust anchors:

update-ca-trust extract

That’s it!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.