Custom Root CA Certificate issue for AWX LDAP connectivity


Cnu k

Jan 20, 2021, 12:54:25 PM
to AWX Project
Hi,

We have deployed the latest AWX version (16.0.0) containers in a Kubernetes environment and used the API settings to configure LDAP, but we get the following error when we try to log in to AWX using LDAP credentials.

2021-01-20 17:33:37,328 WARNING  django_auth_ldap Caught LDAPError while authenticating user1: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)

I have created a configmap with our internal Root CA and updated the volumes and volumeMounts sections for the awx-web and awx-task containers in deployment.yml.j2. I tried mounting it to /etc/pki/ca-trust/custom-ca-cert.perm and the other options below, but I still get the same error.

volumeMounts:
  - name: custom-root-ca-cert
    mountPath: "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"
    subPath: ca-bundle.trust.crt
    readOnly: true

volumes:
  - name: custom-root-ca-cert
    configMap:
      name: certs-cmap

I would really appreciate any clues to resolve this issue.

Thanks

Cnu k

Jan 20, 2021, 2:50:50 PM
to AWX Project
I added the following environment variable to the Kubernetes deployment.yml.j2 to temporarily fix the issue. I am still researching how to make it work with the internal Root CA certificate, as it's not picking up the certificate from the above-mentioned and other standard OS locations.

env:
  - name: LDAPTLS_REQCERT
    value: "never"

Ankit Vashistha

Jan 21, 2021, 3:07:37 AM
to Cnu k, AWX Project
Following.

We are facing the same problem right now.

Regards,
Ankit


--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/d39eff4b-77c1-445e-95e7-42eef97d48c9n%40googlegroups.com.

Cnu k

Jan 21, 2021, 10:49:40 AM
to AWX Project
Hi Ankit and others,

I have solved this issue; see the details below for the AWX Kubernetes environment. I changed the configmap to use the host server's /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt file, which has our internal CA Root certificates as well.

kubectl -n awx create configmap certs-cmap --from-file=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

Then I got some insight from the post below (a little old, but it still works) that talks about the django LDAP setup. It doesn't match the path completely, but I poked around until I came across the following entry in the /etc/openldap/ldap.conf file inside the awx-web container that talks about the TLS_CACERT location.

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem


Make the changes below to the Kubernetes deployment.yml.j2 file.

volumeMounts:
  - name: ca-certs
    mountPath: "/etc/pki/tls/cert.pem"
    subPath: cert.pem
    readOnly: true

volumes:
  - name: ca-certs
    configMap:
      name: certs-cmap

I had to go this route since we cannot build AWX images in our environment due to restrictions, so I created a custom image off of the AWX Docker Hub image and pushed it to our internal registry. Run the Ansible playbook steps after making the changes.

Cnu k

Jan 21, 2021, 11:40:11 AM
to AWX Project
Just to clarify: the volumes part is common in the deployment.yml.j2 for the awx-web and awx-task containers, but volumeMounts are per container, so I added the volumeMounts entry for both containers. I have tested LDAPS connectivity from the awx-web container and it's working fine.
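The two points the thread ends on (the volumes list is shared but every LDAP-using container needs its own volumeMount of the CA bundle at /etc/pki/tls/cert.pem, and LDAPTLS_REQCERT=never only hides the verification failure rather than fixing trust) can be checked mechanically against a rendered Deployment. The script below is an added example, not code from the AWX project or from the posters; it audits a Deployment already loaded as a Python dict (for instance from `kubectl get deploy -o json`), and the embedded manifest is constructed so that awx-web carries the fix while awx-task still has the temporary workaround. The container names, configmap name and mount path are taken from the thread; the finding labels are the example's own.

```python
"""Audit an AWX Deployment for the internal-CA LDAPS trust fix.

Added example, not AWX project code. Assumes the Deployment is available as a
dict (e.g. json.load of `kubectl get deploy awx -o json`); SAMPLE_DEPLOYMENT
below is constructed for illustration only.
"""

CA_MOUNT_PATH = "/etc/pki/tls/cert.pem"   # path OpenLDAP's TLS_CACERT comment points at (from the thread)
CA_CONFIGMAP = "certs-cmap"                # configmap holding the host CA bundle (from the thread)
LDAP_CONTAINERS = {"awx-web", "awx-task"}  # containers that talk to the LDAP server
# LDAPTLS_REQCERT values that skip or soften server certificate verification
WEAK_REQCERT = {"never", "allow", "try"}

# Constructed sample: awx-web has the read-only CA mount, awx-task relies on the
# LDAPTLS_REQCERT=never workaround and has no mount at all.
SAMPLE_DEPLOYMENT = {
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "ca-certs", "configMap": {"name": "certs-cmap"}},
        ],
        "containers": [
            {"name": "awx-web",
             "volumeMounts": [{"name": "ca-certs", "mountPath": "/etc/pki/tls/cert.pem",
                               "subPath": "cert.pem", "readOnly": True}],
             "env": []},
            {"name": "awx-task",
             "volumeMounts": [],
             "env": [{"name": "LDAPTLS_REQCERT", "value": "never"}]},
            {"name": "redis", "volumeMounts": [], "env": []},
        ],
    }}}
}


def _configmap_volumes(pod_spec):
    """Map volume name -> configMap name for every configMap-backed volume."""
    return {v["name"]: v["configMap"]["name"]
            for v in pod_spec.get("volumes", []) if "configMap" in v}


def audit_ca_trust(deployment, containers=LDAP_CONTAINERS,
                   mount_path=CA_MOUNT_PATH, configmap=CA_CONFIGMAP):
    """Return {container name: [findings]} for the LDAP-using containers.

    An empty list means the container is correctly configured. Findings:
      missing-ca-mount    - no volumeMount of the CA configmap at mount_path
      mount-not-readonly  - the CA bundle is mounted writable
      tls-verify-disabled - LDAPTLS_REQCERT weakens certificate verification
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    cm_volumes = _configmap_volumes(pod_spec)  # shared across all containers
    report = {}
    for c in pod_spec.get("containers", []):
        if c["name"] not in containers:
            continue
        findings = []
        # volumeMounts are per container: each one must reference the CA volume itself
        mounts = [m for m in c.get("volumeMounts", [])
                  if m.get("mountPath") == mount_path
                  and cm_volumes.get(m.get("name")) == configmap]
        if not mounts:
            findings.append("missing-ca-mount")
        elif not all(m.get("readOnly", False) for m in mounts):
            findings.append("mount-not-readonly")
        for e in c.get("env", []):
            if e.get("name") == "LDAPTLS_REQCERT" and e.get("value", "").lower() in WEAK_REQCERT:
                findings.append("tls-verify-disabled")
        report[c["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_ca_trust(SAMPLE_DEPLOYMENT).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Run against the sample, awx-web reports no findings while awx-task reports both `missing-ca-mount` and `tls-verify-disabled`; once the same volumeMount is added to awx-task and the LDAPTLS_REQCERT variable is dropped, both containers come back clean, which is the end state the last post describes.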