Internal CA trust for project playbooks


Thibaut Perrin

Sep 23, 2021, 3:29:13 AM
to AWX Project
Hello everyone,

I have a simple yet problematic situation.

I have an AWX 19.3 setup in an openshift cluster, and I have a gitlab repo that is hosting my playbooks and another for my collections.

When I try and import my collections, I have an error "fatal: unable to access 'https://gitlab/blabla/repo/': SSL certificate problem: self signed certificate in certificate chain".

The IRC channel has advised me to build my own EE, but : 

1/ I'm not sure on how to do that
2/ I'm not sure on how to do that while including my CA

If someone has a detailed view on how to build EE properly and sustainably, or on how to achieve my goal here, I'd be very glad.

Thanks a lot and happy automating !

Cnu k

Sep 23, 2021, 9:27:22 AM
to AWX Project
I haven't tested with our internal github yet as I just finished setting up the operator and a test AWX instance in the OpenShift 4.7 cluster.
As per one of the posts, I created following secrets with our internal CA that's used by LDAP, git and others for HTTPS communication.

oc create secret generic org-ca-cert -n awx-test-ns --from-file=ldap-ca.crt=myorg-CA.pem --from-file=bundle-ca.crt=myorg-CA.pem

I have not customized the EE docker image yet, but I do see that the EE container now has the following mount with the certificate data:
/etc/pki/ca-trust/source/anchors/bundle-ca.crt

I have these entries in the AWX instance YAML

ldap_cacert_secret: org-ca-cert
bundle_cacert_secret: org-ca-cert
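
A preflight check for the CA file before it goes into the bundle-ca.crt secret, as an added example that is not part of the original posts: it reproduces the "self signed certificate in certificate chain" failure with an unrelated bundle and shows the chain verifying once the bundle holds the issuing root. All certificates are throwaway ones generated on the spot; the function names and the host name gitlab.example.internal are assumptions.

```shell
#!/bin/sh
# Added example. Every certificate here is constructed, throwaway test data.

# make_test_pki DIR: create a root CA (stand-in for myorg-CA.pem), an unrelated
# CA, and a server certificate for a hypothetical GitLab host signed by the root.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Org CA" \
    -keyout "$1/ca.key" -out "$1/myorg-CA.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$1/other.key" -out "$1/other-CA.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gitlab.example.internal" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/myorg-CA.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# chain_verifies BUNDLE LEAF [SENT_CHAIN]: exit 0 only if LEAF chains to a CA in
# BUNDLE. SENT_CHAIN holds extra certificates the server presents; they are
# used for chain building but never trusted.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi
}

demo() {
  d=$(mktemp -d) || return 1
  make_test_pki "$d" || { rm -rf "$d"; return 1; }
  # Bundle contains the issuing root: this is the file to put in the secret.
  chain_verifies "$d/myorg-CA.pem" "$d/leaf.pem" && echo "org CA bundle: OK"
  # Server sends its root, but the bundle does not contain it: openssl reports
  # a self-signed certificate in the chain, the same failure git showed.
  chain_verifies "$d/other-CA.pem" "$d/leaf.pem" "$d/myorg-CA.pem" ||
    echo "unrelated bundle: rejected"
  rm -rf "$d"
}
demo
```

With real files, pass the PEM intended for bundle-ca.crt as BUNDLE and the certificates exported from the Git server as LEAF and SENT_CHAIN.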

Wei-Yen Tan

Sep 23, 2021, 9:38:43 AM
to Cnu k, AWX Project
Here is the documentation on how to write an EE.


I also wrote something about it a while back 


Some things you may need to increment the versions for. 

I hope it helps 

From: awx-p...@googlegroups.com <awx-p...@googlegroups.com> on behalf of Cnu k <cnuk...@gmail.com>
Sent: Friday, September 24, 2021 1:27:22 AM
To: AWX Project <awx-p...@googlegroups.com>
Subject: [awx-project] Re: Internal CA trust for project playbooks
 

Wei-Yen Tan

Sep 23, 2021, 9:49:40 AM
to Cnu k, AWX Project
The git ssl verification can be turned off in awx if you are so inclined. I'll dig it up if you want to go down that path.


Thibaut Perrin

Sep 23, 2021, 11:49:04 AM
to AWX Project
That is EXACTLY what I've been looking for. Thank you so much.

I've added the bundle-ca.crt generic secret, and now my git SSL certs do not throw any errors.

Thanks again ! :)