Install with SSL Certificate

Hi All,

I am attempting to install AWX and have it run with our own SSL certificate. I have a (PEM) certificate file and a private key. However, whilst I can see the line in the inventory file to specify the ssl_certificate, I do not see anywhere to specify the private key.

Please advise how to install the latest AWX with my own SSL certificate?

Many thanks.

1 Like

Hi Adam

I'll write it using google translation

If you can read Japanese or use google translation, please read this page.
https://qiita.com/nakacya/items/e17580fb0d94cd4ac6ed

Now, please try the following contents.
-Added the following to inventory
/ root / awx / installer / inventory
-------------------------------------------------- ------
ssl_certificate = / path / your.pem
ssl_certificate_key = / path / your.key
-------------------------------------------------- ------

-Fixed some sources
roles / local_docker / templates / docker-compose.yml.j2
-------------------------------------------------- ------
volumes:
-"{{docker_compose_dir}} / SECRET_KEY: / etc / tower / SECRET_KEY"
-"{{docker_compose_dir}} / environment.sh:/etc/tower/conf.d/environment.sh"
-"{{docker_compose_dir}} / credentials.py:/etc/tower/conf.d/credentials.py"
Add this ---->-"{{docker_compose_dir}} / nginx.conf: /etc/nginx/nginx.conf"

<snip>

 \{% if ssl\_certificate is defined%\}
   \-&quot;\{\{ssl\_certificate \+ &#39;: / etc / nginx / awxweb\.pem: ro&#39;\}\}&quot;

Add this ---->-"{{ssl_certificate_key + ': / etc / nginx / awxweb.key: ro'}}"
{% endif%}
-------------------------------------------------- ------

・ There is a bug that doesn't expand nginx.conf.j2, so add the following files
/tmp/awxcompose/nginx.conf
-------------------------------------------------- -------------------
#user awx;

worker_processes 1;

pid /tmp/nginx.pid;

events {
     worker_connections 1024;
}

http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;

     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';

     access_log /dev/stdout main;
#X# access_log /var/log/nginx/nginx_access.log main;
     error_log /var/log/nginx/nginx_error.log;

     map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;
     }

     sendfile on;
     #tcp_nopush on;
     #gzip on;

     upstream uwsgi {
         server 127.0.0.1:8050;
         }

     upstream daphne {
         server 127.0.0.1:8051;
     }

         server {
#X# listen 8052 default_server;
         listen 8052;
         server_name _;

         # Redirect all HTTP links to the matching HTTPS page
         return 301 https://$host$request_uri;
     }

     server {
         listen 8053 ssl default_server;

         ssl_certificate /etc/nginx/awxweb.pem;
         ssl_certificate_key /etc/nginx/awxweb.key;

         ssl_session_cache builtin:1000 shared:SSL:10m;
         ssl_prefer_server_ciphers on;
         ssl_protocols TLSv1.2;
         ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

         ssl_stapling on;
         ssl_stapling_verify on;
         ssl_session_timeout 20m;

         # If you have a domain name, this is where to add it
         server_name _;
         keepalive_timeout 65;

         # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
         add_header Strict-Transport-Security max-age=15768000;
         add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; img-src 'self' data:; report-uri /csp-violation/";
         add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; img-src 'self' data:; report-uri /csp-violation/";

         # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
         add_header X-Frame-Options "DENY";

         location /nginx_status {
           stub_status on;
           access_log off;
           allow 127.0.0.1;
           deny all;
         }

         location /static/ {
             alias /var/lib/awx/public/static/;
         }

         location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }

         location /websocket {
             # Pass request to the upstream alias
             proxy_pass http://daphne;
             # Require http version 1.1 to allow for upgrade requests
             proxy_http_version 1.1;
             # We want proxy_buffering off for proxying to websockets.
             proxy_buffering off;
             # http://en.wikipedia.org/wiki/X-Forwarded-For
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             # enable this if you use HTTPS:
             proxy_set_header X-Forwarded-Proto https;
             # pass the Host: header from the client for the sake of redirects
             proxy_set_header Host $http_host;
             # We've set the Host header, so we don't need Nginx to muddle
             # about with redirects
             proxy_redirect off;
             # Depending on the request value, set the Upgrade and
             # connection headers
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header Connection $connection_upgrade;
         }

         location / {
             # Add trailing / if missing
             rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
             uwsgi_read_timeout 120s;
             uwsgi_pass uwsgi;
             include /etc/nginx/uwsgi_params; proxy_set_header X-Forwarded-Port 443;
         }
     }
}
-------------------------------------------------- -------------------

-Reinstall AWX (container remake)
ansible-playbook -i inventory install.yml

You can specify the key using ssl_certificate_key in the inventory file, alongside ssl_certificate for the cert.

Thanks,

-Graham

My mistake. Looks like it’s expecting you to concatenate the certificate and key into a single .pem file and specify that in the inventory as ssl_certificate.

Thanks,

-Graham

Hello:

Right, you need to define path to a concatenated (cert + private key) file by using ssl_certificate directive, but also you need to comment out dockerhub_ansible, as this instructs awx installer to run a local build which configures your own certificate file as expected.