I cannot use SSL encrypted LDAP authentication because I see no way to provide my CA certificate to the containers or have an option in the installer to disable certificate verification.
When logging in, a certificate verification error comes up.
It would be awesome to have an additional_ca_certificate or skip_verify_ssl variable in the installer inventory.
Successful login
2017-10-12 10:06:12,414 DEBUG django_auth_ldap Initiating TLS
2017-10-12 10:06:12,426 WARNING django_auth_ldap Caught LDAPError while authenticating username: CONNECT_ERROR({'info': "TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", 'desc': 'Connect error'},)
It looks like we could expose this through the configuration interface or you could modify the settings file to change certificate checking: https://github.com/ansible/awx/blob/devel/awx/sso/backends.py#L89
We probably just need to do that.
I had a similar issue, don't know if this can help:
I copied my RootCa.pem to the host that hosts the containers.
Then
docker cp RootCa.pem 34ad2609f00f:/RootCa.pem
docker exec -it 34ad2609f00f /bin/bash
cp /RootCa.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
cheers
This is related to the issue I opened earlier today, #442.
My solution was to bind-mount the CA trust from the host into the awx_web container. This means that the container trust matches the host's. On CentOS 7, this is mounting /etc/pki/ca-trust to the same path on the container.
I'm just passing the following env var to the awxweb container:
env:
LDAPTLS_REQCERT: "never"
Hello,
Just to let you know that I'm installing version 1.0.6 and can see the option to bind-mount a certain directory through the installer named ca_trust_dir. Unfortunately though this does not seem to work and the container is launched without the mount.
I tried checking with some debug tasks, which turned out ok so it must be either a syntax issue or my ignorance.
I'm also unable to mount ca_trust_dir even though I specified it in the inventory.
I fixed it by myself but the pull request is still open... Look here: https://github.com/ansible/awx/pull/2156/commits/a294a6f06e85c630074ea337b2b9f6c4098a00fb
I tried this:
docker cp RootCa.pem 34ad2609f00f:/RootCa.pem
docker exec -it 34ad2609f00f /bin/bash
cp /RootCa.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
But I am unable to log in; I got this error message:
2019-02-06 07:37:02,403 WARNING django_auth_ldap Caught LDAPError while authenticating UserX: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)'},)
Unsecured LDAP is working.
I am also able to curl other SSL-trusted sites in our network from inside the container.
[root@awxweb source]# curl https://xxxxxxxxxxx.com
...........................
Where is my mistake?
Restarting the web container solved the problem.
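The docker cp / update-ca-trust steps from the earlier comment, put together with the container restart that turned out to be the missing piece, plus a check of the LDAP server's chain from inside the container. This is an added example, not code from the thread or from AWX; it assumes the docker CLI on the host, a CentOS 7 style ca-trust layout in the awx_web container, openssl inside the container, and placeholder container id / LDAP host values.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): install a private root CA into the awx_web
# container trust store and verify the LDAP server chain the way OpenLDAP will see it.
# Assumes docker on the host and a CentOS 7 style /etc/pki/ca-trust layout in the container.
set -eu

# Shape check only: the file must carry at least one PEM CERTIFICATE block.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Copy the CA into the anchors directory, rebuild the bundle, then restart the
# container: the processes read the trust store at start-up, which is why the
# attempt above only worked after a restart.
install_ca_into_container() {
  local pem="$1" container="$2"
  is_pem_cert "$pem" || { echo "not a PEM certificate: $pem" >&2; return 1; }
  docker cp "$pem" "$container:/etc/pki/ca-trust/source/anchors/$(basename "$pem")"
  docker exec "$container" update-ca-trust extract
  docker restart "$container"
}

# Verify the LDAPS endpoint from inside the container against the system bundle.
# Prints the openssl verify line; returns 0 only on "Verify return code: 0 (ok)".
verify_ldaps_from_container() {
  local container="$1" host="$2" port="${3:-636}" line
  line=$(docker exec "$container" sh -c \
    "echo | openssl s_client -connect $host:$port -CAfile /etc/pki/tls/certs/ca-bundle.crt 2>/dev/null" \
    | grep 'Verify return code' || true)
  echo "${line:-no verify line (connection failed?)}"
  case "$line" in
    *'Verify return code: 0 (ok)'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (container id and LDAP host are placeholders):
# install_ca_into_container ./RootCa.pem 34ad2609f00f
# verify_ldaps_from_container 34ad2609f00f ldap.example.com 636
```

A non-zero verify code here means the bind will fail with the same "unable to get local issuer certificate" error as in the log above, before any AWX setting is involved.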
AWX has an option _ca_trust_dir_ which injects a directory as PKI trust anchor. Unfortunately this doesn't help for LDAP, as the OpenLDAP version used in AWX is buggy, see: https://bugzilla.redhat.com/show_bug.cgi?id=1270678
The following patch helped to disable the certificate check:
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@@ -45,6 +45,7 @@ services:
dns: "{{ awx_alternate_dns_servers }}"
{% endif %}
environment:
+ LDAPTLS_REQCERT: "never"
http_proxy: {{ http_proxy | default('') }}
https_proxy: {{ https_proxy | default('') }}
no_proxy: {{ no_proxy | default('') }}
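Review bot: hard-coding `LDAPTLS_REQCERT: "never"` into the compose template disables server certificate verification for every deployment built from it, so the LDAP bind credentials would be accepted by any host answering on the LDAPS port; make it an inventory variable that defaults to the verifying setting ("demand"), and point the client at the CA instead (the ca_trust_dir mount, or LDAPTLS_CACERT) rather than turning verification off.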
Tested with
AWX version: 4.0.0
AWX install method: docker on linux
Another option is to add a config file with the specific options you want, e.g.:
[root@tower ~]# cat /etc/tower/conf.d/ldap.py
import ldap

AUTH_LDAP_GLOBAL_OPTIONS = {
    # ALLOW: request the server certificate but do not fail the bind if it cannot be verified
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_ALLOW,
}
This solved the cert verification error on a RH Tower 3.4 instance. Set ownership and permissions the same as other files in the same directory (root:awx, 640).