AWX is installed on a CentOS machine. A separate machine (gitlab.techraf) serves GitLab's web interface over HTTPS with a certificate signed by a private CA.

The storyline:

1. On a "fresh" system I issue the command:

       /usr/bin/git clone --origin origin https://gitlab.techraf/techraf/project.git /tmp/project

   and get (expected):

       fatal: unable to access 'https://gitlab.techraf/techraf/project.git/': Peer's Certificate issuer is not recognized.

2. I install the root CA certificate on the AWX machine:

       update-ca-trust force-enable
       curl https://certificate.source/certificates/techrafCA.pem > /etc/pki/ca-trust/source/anchors/techrafCA.pem
       update-ca-trust extract

3. I retry the above git clone, this time getting a correct response:

       Cloning into '/tmp/project'...
       remote: Counting objects: 3, done.
       remote: Total 3 (delta 0), reused 0 (delta 0)
       Unpacking objects: 100% (3/3), done.

4. As a sanity check I ran git clone using different user accounts - no problem after the root CA certificate installation in point 2 - the root CA seems to be installed system-wide. curl also accepts gitlab.techraf's certificate.

5. (problem) I define a project in the AWX interface and try to synchronise it from GitLab, however I get:

       TASK [update project using git] ************************************************
       fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/usr/bin/git clone --origin origin https://gitlab.techraf/techraf/project.git /var/lib/awx/projects/_6__project", "failed": true, "msg": "fatal: unable to access 'https://gitlab.techraf/techraf/project.git/': Peer's Certificate issuer is not recognized.", "rc": 128, "stderr": "fatal: unable to access 'https://gitlab.techraf/techraf/project.git/': Peer's Certificate issuer is not recognized.\n", "stderr_lines": ["fatal: unable to access 'https://gitlab.techraf/techraf/project.git/': Peer's Certificate issuer is not recognized."], "stdout": "Cloning into '/var/lib/awx/projects/_6__project'...\n", "stdout_lines": ["Cloning into '/var/lib/awx/projects/_6__project'..."]}

   As a sanity check I tried with a project from GitHub and AWX fetches it correctly.

6. As another sanity check I ran

       ansible localhost -m command -a "/usr/bin/git clone --origin origin https://gitlab.techraf/techraf/project.git /tmp/project2"

   as well as from a different machine to ensure non-interactive shell sessions work the same. In either case the certificate was accepted.

What can be the cause of git (called by AWX/Ansible) not using the installed techrafCA.pem certificate?

What is the next step I can take to troubleshoot the issue?
If you do the same inside the awx_task container then it works!

Verified with my AWX setup.

You need two files:

Add to docker-compose.yml in task:

Recreate the task container:

    docker-compose up -d
You can disable GIT certificate verification completely within AWX. Add

    AWX_TASK_ENV['GIT_SSL_NO_VERIFY'] = 'True'

to the awx_task container and restart it:
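Both answers turn on the same point: the project update is not run by the git on the CentOS host where techrafCA.pem was installed in point 2, but by the git inside the awx_task container, which has its own /etc/pki trust store and never saw that anchor. The following docker-compose override is an added example, not the files either answerer posted, showing the fix that keeps certificate validation intact: bind-mount the host's already-extracted trust bundle read-only into the task container. It assumes the docker-compose based AWX installer of that era (service name "task", container name "awx_task", compose file format version '2', a CentOS-based image with the standard /etc/pki/ca-trust layout) and that "update-ca-trust extract" has already been run on the host; all of these are assumptions, not facts from the page. Prefer this over AWX_TASK_ENV['GIT_SSL_NO_VERIFY'], which switches off certificate validation for every HTTPS repository the task container clones, not only the private GitLab, and leaves project syncs open to a man-in-the-middle serving a tampered playbook tree.

```yaml
# docker-compose.override.yml, placed next to the installer's docker-compose.yml.
# docker-compose merges this file automatically; the "volumes" list is appended
# to the task service's existing mounts rather than replacing them.
#
# Added example (not from the question or the answers above). Assumptions:
# service "task" / container "awx_task", compose format '2' matching the
# installer's file, a CentOS-based task image, and that techrafCA.pem was
# already installed on the host with "update-ca-trust extract" (point 2).
version: '2'

services:
  task:
    volumes:
      # The host directory holds the bundles produced by update-ca-trust,
      # including techrafCA.pem. Inside a CentOS image
      # /etc/pki/tls/certs/ca-bundle.crt is a relative symlink into this
      # directory, so git (via libcurl) in the container now trusts the
      # private CA without any change to the image or to AWX settings.
      # Read-only: the container must not be able to alter the host's trust.
      - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro

# Apply and verify from the host, before retrying the project sync in the UI:
#
#   docker-compose up -d
#   docker exec awx_task git ls-remote https://gitlab.techraf/techraf/project.git
#
# A listing of refs means the CA is trusted inside the container; the original
# "Peer's Certificate issuer is not recognized." error means the mount is not
# in place (check "docker inspect awx_task" for the bind mount) or the image
# is not CentOS-based and keeps its trust store under a different path.
```

Installing a new anchor on the host later only needs "update-ca-trust extract" on the host again; the container picks up the rewritten bundle through the mount without being recreated. If the task image is not CentOS-based, the right-hand path of the mount has to follow that distribution's trust-store layout instead.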