Awx: Cannot clone GIT repo over HTTPS (self-signed server cert issue)

Created on 24 Oct 2017  路  8Comments  路  Source: ansible/awx
ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • API
  • UI
SUMMARY

I am trying to clone a repository from our internal Bitbucket server. The server runs with a self signed certificate. The clone operation breaks due to Peer's Certificate issuer is not recognized.

As a workaround, I tried to disabled SSL verification via the .gitconfig for the root user on the awx-task container, but with no luck. The process forked by AWX seems to ignore that. Second problem would be that this is just a transient solution.

The following Stackoverflow post describes another issue related to this:
https://serverfault.com/questions/877530/git-called-by-awx-ignores-manually-installed-root-ca

This is essentially a showstopper for us, as we cannot clone Ansible provisioning code without pain.

ENVIRONMENT
  • AWX version: 1.0.1.81
  • AWX install method: docker on CentOS 7
  • Ansible version: 2.4.0.0
  • Web Browser: Chrome 62.0.3202.62
STEPS TO REPRODUCE
  • Create new credential entity for your repo via UI
  • Create new Project via the UI

    • Use afore created credentials

    • Use HTTPS protocol, use Git repo secured by self signed certificate

EXPECTED RESULTS
  • Add a checkbox to the Project creation page that disables SSL verification for the given project
  • The forked git clone task command needs to leverage that setting
  • In result, the repo with the self-signed cert can be cloned
ACTUAL RESULTS
  • Repo cannot be cloned due to certificate trust error
ADDITIONAL INFORMATION

awx-git-clone-error

api ui duplicate bug
Source
picture holgerstolzenberg
👍5

Most helpful comment

To turn off certificate verification completely add AWX_TASK_ENV['GIT_SSL_NO_VERIFY'] = 'True' to /etc/tower/settings.py within the awx_task container and restart it.
A nicer solution is to copy the self-signed certificate (not the key) to /etc/pki/ca-trust/source/anchors/ on awx_task container and run update-ca-trust extract within. Make sure to configure AWX with the correct hostname of the git server, matching the certificate subject.

picture kuklis on 26 Dec 2017
👍3

All 8 comments

closing as duplicate of #416

wenottingham picture wenottingham on 24 Oct 2017

To turn off certificate verification completely add AWX_TASK_ENV['GIT_SSL_NO_VERIFY'] = 'True' to /etc/tower/settings.py within the awx_task container and restart it.
A nicer solution is to copy the self-signed certificate (not the key) to /etc/pki/ca-trust/source/anchors/ on awx_task container and run update-ca-trust extract within. Make sure to configure AWX with the correct hostname of the git server, matching the certificate subject.

kuklis picture kuklis on 26 Dec 2017
👍3

This is not working.. Any ideas?

PATCH /api/v1/settings/jobs/

{
    "AWX_TASK_ENV": {
        "GIT_SSL_NO_VERIFY": "True"
    }
}

EDIT: AWX_TASK_ENV has "defined_in_file": true, is possible to override it somehow?

lukasmrtvy picture lukasmrtvy on 20 Feb 2018

@muhahacz after running a job, can you visit:

GET /api/v2/project_updates/N/

...and confirm that GIT_SSL_NO_VERIFY is properly set under the job_env key?

ryanpetrello picture ryanpetrello on 20 Feb 2018

@ryanpetrello
GIT_SSL_NO_VERIFY is not set ..

In fact I guess that I cannot set any AWX_TASK_ENV variable, if this option has "defined_in_file": true set.

I can not event set it in web gui ( http://awx/#/configuration/jobs )
Extra environment variables: (This setting has been manually in a setting file and is now disabled)

lukasmrtvy picture lukasmrtvy on 21 Feb 2018

@muhahacz you've defined AWX_TASK_ENV in a .py setting file somewhere on the file system, which makes it read-only (and not editable from the API).

ryanpetrello picture ryanpetrello on 21 Feb 2018

This is not working.. Any ideas?

PATCH /api/v1/settings/jobs/

{
    "AWX_TASK_ENV": {
        "GIT_SSL_NO_VERIFY": "True"
    }
}

EDIT: AWX_TASK_ENV has "defined_in_file": true, is possible to override it somehow?

@lukasmrtvy The following response above you from @kuklis helped me in the workaround.

To turn off certificate verification completely add AWX_TASK_ENV['GIT_SSL_NO_VERIFY'] = 'True' to /etc/tower/settings.py within the awx_task container and restart it.

zakstar picture zakstar on 28 Sep 2018

@ryanpetrello
GIT_SSL_NO_VERIFY is not set ..

In fact I guess that I cannot set any AWX_TASK_ENV variable, if this option has "defined_in_file": true set.

I can not event set it in web gui ( http://awx/#/configuration/jobs )
Extra environment variables: (This setting has been manually in a setting file and is now disabled)

I know it's been a while for that issue, but hope it will assist others.

You can add this extra variable in the Jobs Settings via the AWX web interface (http://awx/#/settings/jobs) under "EXTRA ENVIRONMENT VARIABLES"
Additional information in the documentation: https://docs.ansible.com/ansible-tower/latest/html/administration/configure_tower_in_tower.html#jobs

{
"GIT_SSL_NO_VERIFY": "True"
}

ylebi picture ylebi on 4 Nov 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

agaffney picture agaffney  路  3Comments
mwiora picture mwiora  路  3Comments
gamuniz picture gamuniz  路  3Comments
IshwarKanse picture IshwarKanse  路  3Comments
astraios picture astraios  路  3Comments