Skip to content

Connecting Ansible Tower to Git Server with Self Signed Certificates


So many questioned me when I mention git server in an Ansible Tower environment; and later I realized that, most of them are keeping their projects inside Ansible Tower !!!

Okay, that is just an option in Ansible Tower and Highly NOT Recommended for production setup or for environment with multiple teams accessing the Ansible Tower.

Why Should Not ?

Creating a new Project in Ansible Tower
  • You need to give permission for each and every user to this Ansible Tower node and to this directory – /var/lib/awx/projects
  • It won’t be effective when you deploy Ansible Tower as multi-node cluster as you need to update the playbooks and project files in every node, under /var/lib/awx/projects
  • Less control on editing playbooks or files as you have to do everything from CLI (mostly Ansible Tower nodes installs on nodes without GUI)
  • Other users can easily access other projects and files if you didn’t configure your directory properly.
  • and many other reasons…

Also Read : How to Add Custom modules in Ansible

Ansible Tower supports most of the common SCM (Source Control Management) technologies as you can see below and yes, the easiest and simple one is using a Git server.

It can be GitHub, GitLab, BitBucket etc but most of the time, enterprise environments will be in a disconnected network – without internet access – and accessing those services will not work. So what, we have so many FREE/OpenSource/Enterprise git server alternatives like GiLab, BitBucket, Gogs etc and we can deploy this in our environment and keep our Ansible playbooks and project files there.

Read : How to install Git Server using Gogs

So, you have deployed a local git server using Gogs or GitLab CE/EE and connected project repos from there.

And you found the there is an error to connect to the git server from Ansible Tower !

{
    "stderr_lines": [
        "fatal: unable to access 'https://$encrypted$:[email protected]://git.lab.local/ansible/dev-proj.git/': Peer's certificate issuer has been marked as not trusted by the user."
    ],
    .
    .
    .
    <truncated...>
    .
    .
    "stderr": "fatal: unable to access 'https://$encrypted$:[email protected]://git.lab.local/ansible/dev-proj.git/': Peer's certificate issuer has been marked as not trusted by the user.\n",
    .
    .
    <truncated...>
    .
    .
    "msg": "fatal: unable to access 'https://$encrypted$:[email protected]://git.lab.local/ansible/dev-proj.git/': Peer's certificate issuer has been marked as not trusted by the user."
}

And yes, most of the organizations will not spend money for CA/SSL Certificates and use self-signed certificates instead; even for Ansible Tower. And sometimes, even with CA Certificate, Ansible tower may not able to validate the Certificate.

And in our case, Ansible Tower cannot verify the certificate authority and shows Peer's certificate issuer has been marked as not trusted by the user Error. So, what is next ?

The Solution

Actually this is very simple, you can easily configure the same in Ansible Tower as EXTRA ENVIRONMENT VARIABLES.

Option 1 – Ignore SSL Verification

You can tell Ansible Tower to ignore the SSL verification as below.

{
  "GIT_SSL_NO_VERIFY": "True"
}

Option 2 – Provide Root Bundle Certificate

You can mention the root bundle Certificate from Certificate Authority

{
 "GIT_SSL_CAINFO": "/etc/custom-ca/bundle-ca.crt",
}

Where Should I Do this ?

Inside Ansible Tower GUI, goto Settings -> Job, and find the EXTRA ENVIRONMENT VARIABLES. Add variable in JSON format and Save it.

Test your project by syncing again and that’s it.

Disclaimer: The views expressed and the content shared are those of the author and do not reflect the views of the author’s employer or techbeatly platform.

Gineesh Madapparambath is the author of the book - 𝗔𝗻𝘀𝗶𝗯𝗹𝗲 𝗳𝗼𝗿 𝗥𝗲𝗮𝗹-𝗟𝗶𝗳𝗲 𝗔𝘂𝘁𝗼𝗺𝗮𝘁𝗶𝗼𝗻. He has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform). (aka Gini Gangadharan - iamgini.com)

Comments

5 Responses

  1. Mike says:

    For defining the ca authority, where would that be uploaded or added for a local ca?

  2. If you are using custom CA or ICA, then you can add the CA certificate on the Ansible Tower machine.

    Read: How to install a CA certificate on Red Hat Enterprise Linux 7 and later (https://access.redhat.com/solutions/5868401)

  3. mahdi says:

    Hi Gineesh, Thanks a lot for your informative solution,
    In ansible automation platform everything runs by containers so we need an extra step for customizing the controller container image and adding the required CA-Bundle to the path in that image.
    Best Regards

  4. Ed McGuigan says:

    I am having a similar problem with an internal Automation Hub I deployed. When I try to sync a job and pull in the playbook requirements I get a failure because of a self-signed certificate in the chain. That certificate is an internal CA and I did install that CA on the system but is seems as though the system CA store is not checked.

    I guess I need to set a different environment variable for the Ansible Repository so I will do a search on what variables are available. Thanks for the article though – given me a path forward.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: