Custom Root CA Certificate issue for AWX LDAP connectivity

Hi,

We have deployed the latest AWX version (16.0.0) containers in a Kubernetes environment and used the API settings to configure the LDAP configuration, but we get the following error when we try to log in to AWX using LDAP credentials.

2021-01-20 17:33:37,328 WARNING django_auth_ldap Caught LDAPError while authenticating user1: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': , 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)

I have created a configmap with our internal Root CA and updated the volumes and volumeMounts sections for the awx-web and awx-task containers in deployment.yml.j2. I tried mounting it to /etc/pki/ca-trust/custom-ca-cert.perm and different options as below, but I am still getting the same error.

volumeMounts:
  - name: custom-root-ca-cert
    mountPath: "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"
    subPath: ca-bundle.trust.crt
    readOnly: true

volumes:
  - name: custom-root-ca-cert
    configMap:
      name: certs-cmap

Really appreciate any clues to resolve this issue.

Thanks

I added the following environment variable to the Kubernetes deployment.yml.j2 to temporarily fix the issue. I am still researching how to make it work with the internal Root CA certificate, as it's not picking up the certificate from the above-mentioned and other standard OS locations.

env:
  - name: LDAPTLS_REQCERT
    value: "never"

Following.

We are facing the same problem right now.

Hi Ankit and others,

I have solved this issue; see the details below for the AWX Kubernetes environment. I changed the configmap to use the host server's /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt file, which has our internal CA Root certificates as well.
</gre_replace>
<gr_replace lines="45" cat="clarify" orig="Then got some">
Then I got some insight from the post below (a little old, but it still works) that talks about the django LDAP setup. It doesn't match the path completely, but I poked around until I came across the following entry inside the awx-web container, in the /etc/openldap/ldap.conf file, that talks about the TLS_CACERT location.

kubectl -n awx create configmap certs-cmap --from-file=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

Then got some insight from below post(little old but still works) that talks about django LDAP set up. It doesn’t match the path completely but poked around until I came across following entry inside the awx-web container in /etc/openldap/ldap.conf file that talks about TLS_CACERT location.

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem

https://www.djm.org.uk/posts/using-django-auth-ldap-active-directory-ldaps/

Make the changes below to the Kubernetes deployment.yml.j2 file.

volumeMounts:
  - name: ca-certs
    mountPath: "/etc/pki/tls/cert.pem"
    subPath: cert.pem
    readOnly: true

volumes:
  - name: ca-certs
    configMap:
      name: certs-cmap

I had to go this route since we cannot build AWX images in our environment due to restrictions, so I created a custom image off of the AWX Docker Hub image and pushed it to our internal registry. Run the Ansible playbook steps after making the changes.

Just to clarify: the volumes part is common in deployment.yml.j2 for the awx-web and awx-task containers, but volumeMounts are per container, so I added the volumeMounts entry for both containers. I have tested LDAPS connectivity for the awx-web container and it's working fine.
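As an added example (not code from this thread or from the AWX project), a small POSIX shell script that builds the bundle the certs-cmap configmap should carry (system trust store plus an internal root CA) and lints a rendered deployment.yml.j2 for the two pitfalls raised above: the LDAPTLS_REQCERT=never workaround left in place, which turns off LDAPS certificate verification, and a cert.pem mount present on only one of the containers. The file names, the sample manifest and the PEM contents are constructed placeholders; the container count assumes one image: line per container.

```shell
#!/bin/sh
# Constructed inputs (placeholders, not real certificates or the thread's manifest).
WORK=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nSYSTEMCA\n-----END CERTIFICATE-----\n' > "$WORK/system-bundle.crt"
printf -- '-----BEGIN CERTIFICATE-----\nINTERNALROOT\n-----END CERTIFICATE-----\n' > "$WORK/internal-root-ca.pem"
cat > "$WORK/deployment.yml" <<'EOF'
      containers:
        - name: awx-web
          image: awx:16.0.0
          env:
            - name: LDAPTLS_REQCERT
              value: "never"
          volumeMounts:
            - name: ca-certs
              mountPath: "/etc/pki/tls/cert.pem"
              subPath: cert.pem
              readOnly: true
        - name: awx-task
          image: awx:16.0.0
          volumeMounts: []
EOF

# Merge the system bundle and the internal root CA into the file to load into the
# configmap (kubectl create configmap certs-cmap --from-file=cert.pem=OUTPUT).
# Prints the number of certificates in the result.
build_bundle() {  # usage: build_bundle SYSTEM_BUNDLE INTERNAL_CA OUTPUT
  cat "$1" "$2" > "$3" && grep -c 'BEGIN CERTIFICATE' "$3"
}

# Exit 0 if the manifest sets LDAPTLS_REQCERT to never (verification disabled).
reqcert_never_present() {  # usage: reqcert_never_present MANIFEST
  grep -A1 'name: LDAPTLS_REQCERT' "$1" | grep -q 'value: *"\{0,1\}never'
}

# Containers (one image: line each) versus cert.pem mounts; volumeMounts is per
# container while volumes is shared, so the two counts must match.
container_count() { grep -c '^ *image:' "$1" || true; }
cert_mount_count() { grep -c 'mountPath: *"\{0,1\}/etc/pki/tls/cert.pem' "$1" || true; }

# Combined check: prints findings, returns 1 if anything is wrong.
lint_manifest() {  # usage: lint_manifest MANIFEST
  rc=0
  if reqcert_never_present "$1"; then
    echo "FAIL: LDAPTLS_REQCERT=never disables LDAPS certificate verification"; rc=1
  fi
  c=$(container_count "$1"); m=$(cert_mount_count "$1")
  if [ "$c" -ne "$m" ]; then
    echo "FAIL: $c container(s) but $m mount(s) of /etc/pki/tls/cert.pem"; rc=1
  fi
  return $rc
}

build_bundle "$WORK/system-bundle.crt" "$WORK/internal-root-ca.pem" "$WORK/cert.pem"
lint_manifest "$WORK/deployment.yml" || echo "fix the manifest before relying on LDAPS"
```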