ca_path in play and EE container

Archives AWX Project
,
1

We’re making a GET call using uri module and passing CA certificate using ca_path value.
For some reason we’re randomly seeing following error for that play/job run in AWX 19.2.2.

“Status code was -1 and not [200]: Connection failure: [Errno 2] No such file or directory: b’/home/runner/ca-cert.pem’”

Any clues on what the issue could be since I added the ca-cert.pem to the custom EE docker image at above path and verified that it exists in the container.

Thanks

2

Here is the playbook YAML for the call. I don’t get why the calls are failing though the EE container image has the certificate at the given path.

  • name: “GET something”
    uri:
    url: “https://{{hostname }}/api/somecall”
    method: GET
    url_username: ‘{{ lookup(“env”, “ANSIBLE_NET_USERNAME”) }}’
    url_password: ‘{{ lookup(“env”, “ANSIBLE_NET_PASSWORD”) }}’
    status_code: 200
    ca_path: “'/home/runner/ca-cert.pem”
    register: results
    ignore_errors: yes
3

Any clues from Ansible or AWX gurus as we’re still having this issue though the ca-cert.pem exists in the EE container?
Does it have to done in a different way since AWX 19.x is now using Ansible Execution Environments for running the plays and jobs?
There is not much documentation for using ca_path other that referencing the path, so wondering why this wouldn’t work.

Thanks

4

There are multiple ways you can do this. One is through ee. Including it in a project. I wouldn’t recommend those ways because yoy are including the secret inside the artifact.

Another way is to create a custom credential. With A custom credential you can create a Credential object. One type of properties that you can create is Multiline object.
So yoy could for example create a custom credential for certificates say.

Then In that credential type you can create a Multiline property which is encrypted which houses your credential. Then in your playbook you can reference that object

https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_types.html

5

Thanks for the suggestions, will try that route if we run into this issue again.
It’s weird, but I noticed that restarting the AWX pod has resolved the issue. Same play that failed few minutes ago ran to success and it’s able to find ca_opath file from the same location. Not sure if there was something going on with the EE container as I don’t recall seeing any errors in the logs, but the job was failing earlier.

6

Getting the same error intermittently, not sure if it’s related to SELinux or some security components are blocking anything or other weird issues.
On a side note, if we place .pem file in the AWX project, what changes are required for the ‘ca_path’ entry to refer to that file?
Would it work if it’s referenced as ca_path: “ca-cert.pem” or some other way?

Thanks

7

Yoy would do a lookup plugin if you referenced the file in the project