SSL #3751

Closed
bvandermeersch opened this issue Apr 22, 2019 · 5 comments

Comments

@bvandermeersch

commented Apr 22, 2019

ISSUE TYPE
  • Bug Report
SUMMARY

Can get SSL working on AWX

Went into the inventory file and changed host_port to 443 and set ssl_certificate to /home/ec2-user/ssl/servername.pem

Then I run the Ansible install.

Doesn't seem to create a volume in the docker-compose or add an entry in the container nginx file.

Am I doing something wrong?

@devops-42


commented Apr 24, 2019

Same here. It seems that the parameter ssl_certificate doesn't mount host paths into the awx_web container (at least there's no placeholder in the docker-compose template for it).

/edit
PR seems to be pending: https://github.com/ansible/awx/pull/3604/files#submit-review

So there should be a solution (hopefully) soon :)

@ssaammoo


commented May 27, 2019

Was this bug fixed, please?

@ryanpetrello

Contributor

commented May 28, 2019

Should be resolved by #3604

@Ernst-LRZ


commented Aug 8, 2019

Hello,
I am new to GitHub, Docker and AWX, but anyway, I have a similar problem. I installed AWX on a Debian 10 machine, which worked very well. However, switching from http to https is much more difficult than expected. I got myself an official certificate and built a certificate bundle with the certificate, the chain and the private key in .pem (or .crt) format, and configured the following in the file /root/awx/installer/inventory:

ssl_certificate=/etc/ssl/bvbawx1_bundle_key.crt

Then I installed the Docker containers with the command

ansible-playbook install.yml -i inventory

docker container ls shows me the following:


c0845791bb95 ansible/awx_web:6.1.0 "/tini -- /bin/sh -c…" 4 hours ago Up 25 minutes 0.0.0.0:80->8052/tcp, 0.0.0.0:443->8053/tcp awx_web

https is being directed into the awx_web container port 8053. Inside the container there is a file /etc/nginx/awxweb.pem which contains the certificate, the chain and the private key. So this part seems OK, too.
However, the configuration file nginx.conf knows nothing about ssl:

    server {
        listen 8052 default_server;

I separated the private key out of the bundle and changed the configuration manually to

    server {
        listen 8053 ssl;
        server_name bvbawx1,bib-bvb.de;
        keepalive_timeout 65;
        ssl_certificate     /etc/nginx/awxweb.pem;
        ssl_certificate_key /etc/nginx/key.pem;
        ssl_protocols       TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

With this, https works. But to my understanding, this is supposed to configure itself automatically. Did I do something wrong or is it a bug?

@fxfitz


commented Aug 27, 2019

@Ernst-LRZ The problem you're having is because you're using the official Ansible-built images. For example, in the generated docker-compose.yml file, you can see it's pulling the image from ansible/awx_web. The nginx conf is set during the build phase, and the official images were simply built without the ssl_certificate option.

The quick fix for you would be to simply run the installer playbook again and ensure the dockerhub_base is not defined in the inventory file (or anywhere else a variable might be defined in your set up). If that variable isn't defined, it forces the images to be built from scratch and it will contain the TLS settings that you would expect.
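
The symptom discussed in this thread (host port 443 published to container port 8053 while the image's nginx.conf only has a plain listener on 8052) can be checked mechanically after an install. The following is an added example, not part of the thread or of the AWX project; the function names are hypothetical and the sample inputs are constructed from the values quoted in the comments above.

```python
import re

# Constructed samples modelled on the values quoted in the thread.
DOCKER_PORTS = "0.0.0.0:80->8052/tcp, 0.0.0.0:443->8053/tcp"
NGINX_STOCK = "server {\n    listen 8052 default_server;\n}\n"
NGINX_FIXED = (
    "server {\n"
    "    listen 8053 ssl;\n"
    "    ssl_certificate     /etc/nginx/awxweb.pem;\n"
    "    ssl_certificate_key /etc/nginx/key.pem;\n"
    "}\n"
)

def published_ports(ports_column):
    """Map host port -> container port from the PORTS column of `docker container ls`."""
    pairs = re.findall(r":(\d+)->(\d+)/tcp", ports_column)
    return {int(host): int(cont) for host, cont in pairs}

def nginx_listeners(conf):
    """Return {port: uses_tls} for every `listen` directive, ignoring comments."""
    listeners = {}
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].strip().rstrip(";").split()
        if len(tokens) > 1 and tokens[0] == "listen":
            port = tokens[1].rsplit(":", 1)[-1]  # accepts "8053" and "[::]:8053"
            if port.isdigit():
                listeners[int(port)] = "ssl" in tokens[2:]
    return listeners

def tls_gaps(ports_column, conf, tls_host_ports=(443,)):
    """List host ports expected to serve TLS that nginx does not terminate."""
    mapping = published_ports(ports_column)
    listeners = nginx_listeners(conf)
    gaps = []
    for host in tls_host_ports:
        target = mapping.get(host)
        if target is None:
            gaps.append((host, None, "not published"))
        elif target not in listeners:
            gaps.append((host, target, "no nginx listener"))
        elif not listeners[target]:
            gaps.append((host, target, "listener without ssl"))
    return gaps

if __name__ == "__main__":
    print("stock image:", tls_gaps(DOCKER_PORTS, NGINX_STOCK))
    print("after fix:  ", tls_gaps(DOCKER_PORTS, NGINX_FIXED))
```

On a real host, the two inputs would come from the PORTS column of `docker container ls` and from the nginx.conf inside the awx_web container.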
