Cannot pull bespoke EE: x509: certificate signed by unknown authority


Running awx-operator 2.5.0 in minikube

PEM files have been added to awx-task and awx-web pods and have been verified as working.
I have an EE stored on a server that uses our in-house certificate authority. When “automation-job-xxxx” attempts to pull this image it fails with x509: certificate signed by unknown authority.
So it looks like the automation-job pod needs the certificate defining (or the awx-bundle-cacert needs mounting)
Any ideas how I can configure this?

While there are parts of AWX where you need to provide it with your internal root CA, the image pulls are executed at the hypervisor level (the kubernetes platform, or the host if you have execution nodes). This means your minikube cluster doesn’t trust your internal CA.

Certificates | minikube (

Once your minikube trusts the internal CA, you will also want to make sure AWX trusts the CA as well.

Trusting a custom certificate authority - Ansible AWX Operator Documentation

And for jobs specifically, @kurokobo has a few methods covered here:
awx-on-k3s/tips/ at main · kurokobo/awx-on-k3s (
Personally, I use Method 3 since I’m using a base image to build EE that already contains our internal CA, so I just need to worry about the ENV step.

1 Like

You are absolutely correct - thank you. I just applied the fix 5 minutes ago.
I had to put the PRM file under ~/.minikube/certs and restart minikube using:
minikube start --embed-certs

I tried to apply it in the minikube container directly then apply update-ca-certificates but I couldn’t get it to work.

1 Like