SSL #3751

Closed
bvandermeersch opened this issue Apr 22, 2019 · 7 comments

@bvandermeersch

ISSUE TYPE
  • Bug Report
SUMMARY

Can get SSL working on AWX

Went into the inventory file and changed host_port to 443 and set ssl_certificate to /home/ec2-user/ssl/servername.pem

Then I run the ansible install.

It doesn't seem to create a volume in the docker-compose or add an entry in the container nginx file.

Am I doing something wrong?

@devops-42

devops-42 commented Apr 24, 2019

Same here. It seems that the parameter ssl_certificate doesn't mount host paths into the awx_web container (at least there's no placeholder in the docker-compose template for it).

/edit
PR seems to be pending: https://github.com/ansible/awx/pull/3604/files#submit-review

So there should be a solution (hopefully) soon :)

@ssaammoo

Was this bug fixed, please?

@ryanpetrello
Contributor

Should be resolved by #3604

@Ernst-LRZ

Hello,
I am new to GitHub, Docker and AWX, but anyway, I have a similar problem. I installed AWX on a Debian 10 machine which worked very well. However, switching from http to https is much more difficult than expected. I got myself an official certificate and built a certificate bundle with the certificate, the chain and the private key in .pem (or .crt) format, and configured the following in the file /root/awx/installer/inventory:

    ssl_certificate=/etc/ssl/bvbawx1_bundle_key.crt

Then I installed the Docker containers with the command

    ansible-playbook install.yml -i inventory

docker container ls shows me the following:

    c0845791bb95 ansible/awx_web:6.1.0 "/tini -- /bin/sh -c…" 4 hours ago Up 25 minutes 0.0.0.0:80->8052/tcp, 0.0.0.0:443->8053/tcp awx_web

https is being directed into the awx_web container port 8053. Inside the container there is a file /etc/nginx/awxweb.pem which contains the certificate, the chain and the private key. So this part seems OK, too.
However, the configuration file nginx.conf knows nothing about ssl:

    server {
        listen 8052 default_server;

I separated the private key out of the bundle and changed the configuration manually to

    server {
        listen 8053 ssl;
        server_name bvbawx1,bib-bvb.de;
        keepalive_timeout 65;
        ssl_certificate     /etc/nginx/awxweb.pem;
        ssl_certificate_key /etc/nginx/key.pem;
        ssl_protocols       TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

With this, https works. But to my understanding, this is supposed to configure itself automatically. Did I do something wrong or is it a bug?

@fxfitz

fxfitz commented Aug 27, 2019

@Ernst-LRZ The problem you're having is because you're using the official Ansible-built images. For example, in the generated docker-compose.yml file, you can see it's pulling the image from ansible/awx_web. The nginx conf is set during the build phase, and the official images were simply built without the ssl_certificate option.

The quick fix for you would be to simply run the installer playbook again and ensure the dockerhub_base is not defined in the inventory file (or anywhere else a variable might be defined in your set up). If that variable isn't defined, it forces the images to be built from scratch and it will contain the TLS settings that you would expect.
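
The condition described in the comment above can be checked before running the installer. This Python script is an added example, not part of the thread and not AWX project code; the function names and the sample inventories are constructed for illustration, and it assumes the variables sit in the inventory's `[all:vars]` section rather than anywhere else they might be defined.

```python
# Added example (not AWX project code): pre-flight check of an installer inventory.
# Assumption: variables live in the [all:vars] section as key=value lines.

def parse_inventory_vars(text):
    """Collect key=value pairs from [all:vars], skipping comments and blanks."""
    variables, in_vars = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_vars = (line == "[all:vars]")
            continue
        if in_vars and "=" in line:
            key, _, value = line.partition("=")
            variables[key.strip()] = value.strip().strip("'\"")
    return variables


def check_tls_inventory(text):
    """Return findings that explain why HTTPS would not be configured."""
    variables = parse_inventory_vars(text)
    findings = []
    if not variables.get("ssl_certificate"):
        findings.append("ssl_certificate is unset: no certificate is handed to awx_web")
    elif "dockerhub_base" in variables:
        findings.append(
            "dockerhub_base=%s is defined: prebuilt images are pulled, and their "
            "nginx.conf was built without the ssl_certificate option"
            % variables["dockerhub_base"])
    return findings


# Constructed sample inventories (not taken from the thread).
PREBUILT = """\
localhost ansible_connection=local

[all:vars]
dockerhub_base=ansible
ssl_certificate=/etc/ssl/example_bundle.pem
"""
LOCAL_BUILD = PREBUILT.replace("dockerhub_base=", "# dockerhub_base=")

if __name__ == "__main__":
    for name, inv in (("prebuilt", PREBUILT), ("local build", LOCAL_BUILD)):
        print(name, "->", check_tls_inventory(inv) or "no TLS blockers found")
```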

@nickjmv

nickjmv commented Mar 18, 2020

@Ernst-LRZ, how did you modify the /etc/nginx/nginx.conf INSIDE the docker container? When I try to do this I get an unwritable file so I can't modify anything

@pisceno

pisceno commented May 15, 2020

Have to modify all in the inventory file and then run the playbook.
