I have a .crt file for an internal CA that I can call against an internal resource, using curl --cafile ca.crt ldaps://xyz:636, and that works in terms of verifying the certificate. However, adding it as a secret and referencing it in the manifest continues to show errors. Running this in k3s.
Creating the secret
kubectl -n awx create secret generic awx-custom-certs --from-file=ldap-ca.crt=./ca.crt --from-file=bundle-ca.crt=./ca.crt
secret/awx-custom-certs created
Basic deploy
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
  namespace: awx
spec:
  service_type: nodeport
  ldap_cacert_secret: awx-custom-certs
  bundle_cacert_secret: awx-custom-certs
  hostname: xxx
  web_resource_requirements: {}
  ee_resource_requirements: {}
  task_resource_requirements: {}
After deploy I see this in the manager logs, no errors:
kubectl -n awx logs deployments/awx-operator-controller-manager -c manager
PLAY RECAP *********************************************************************
localhost : ok=58 changed=0 unreachable=0 failed=0 skipped=37 rescued=0 ignored=0
awx-custom-certs is in the same namespace, again expected since I didn’t get any errors from the operator.
kubectl -n awx get awx,all,ingress,secrets,persistentvolume
NAME                      AGE
awx.awx.ansible.com/awx   5m55s

NAME                                                   READY   STATUS    RESTARTS   AGE
pod/awx-operator-controller-manager-68d787cfbd-fnv9c   2/2     Running   0          7m5s
pod/awx-postgres-0                                     1/1     Running   0          5m36s
pod/awx-559fcd895-tfxl9                                4/4     Running   0          5m27s

NAME                                                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
service/awx-operator-controller-manager-metrics-service   ClusterIP   10.43.6.215     <none>        8443/TCP       7m5s
service/awx-postgres                                      ClusterIP   None            <none>        5432/TCP       5m36s
service/awx-service                                       NodePort    10.43.230.186   <none>        80:30098/TCP   5m29s

NAME                                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/awx-operator-controller-manager   1/1     1            1           7m5s
deployment.apps/awx                               1/1     1            1           5m27s

NAME                                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/awx-operator-controller-manager-68d787cfbd   1         1         1       7m5s
replicaset.apps/awx-559fcd895                                1         1         1       5m27s

NAME                           READY   AGE
statefulset.apps/awx-postgres   1/1     5m36s

NAME                                                 TYPE                                  DATA   AGE
secret/default-token-bdtcs                           kubernetes.io/service-account-token   3      7m5s
secret/awx-operator-controller-manager-token-t4bcn   kubernetes.io/service-account-token   3      7m5s
secret/awx-custom-certs                              Opaque                                2      6m26s
secret/awx-app-credentials                           Opaque                                3      5m32s
secret/awx-token-qtdrv                               kubernetes.io/service-account-token   3      5m31s
secret/awx-admin-password                            Opaque                                1      5m45s
secret/awx-secret-key                                Opaque                                1      5m49s
secret/awx-postgres-configuration                    Opaque                                6      5m38s
secret/awx-broadcast-websocket                       Opaque                                1      5m42s

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                         STORAGECLASS   REASON   AGE
persistentvolume/pvc-a88f849b-93e3-4014-8a6b-1b4e63762bc0   8Gi        RWO            Delete           Bound    awx/postgres-awx-postgres-0   local-path              5m34s
Yet LDAPS still doesn’t function
kubectl -n awx logs awx-559fcd895-tfxl9 -c awx-web
2021-11-11 13:34:12,888 WARNING [e1a9950bf56e4dac94410d3c1a42a4aa] django_auth_ldap Caught LDAPError while authenticating xxxx: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)'})
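Before looking at the LDAP server side, it is worth confirming that the secret really carries the same PEM file that curl accepted, under the two key names the AWX resource above refers to. The script below is an added example, not code from the report or from the awx-operator project: it reads the JSON printed by `kubectl -n awx get secret awx-custom-certs -o json` together with the local ca.crt and flags the usual ways such a secret goes wrong (missing key, CRLF line endings, DER instead of PEM, stray characters inside a block, or content that does not match the file that worked). The key names `ldap-ca.crt` and `bundle-ca.crt` are taken from the `kubectl create secret` command in the report; the sample secret and PEM body inside the script are constructed placeholders, not a real certificate.

```python
"""Structural check of a CA secret: does it hold the PEM file that curl trusted?

Usage: python check_ca_secret.py secret.json ca.crt
  secret.json  output of: kubectl -n awx get secret awx-custom-certs -o json
  ca.crt       the local file that worked with curl --cafile
"""
import base64
import hashlib
import json
import re
import sys

# Key names used in the `kubectl create secret generic` command in the report.
EXPECTED_KEYS = ("ldap-ca.crt", "bundle-ca.crt")

# One PEM certificate block; \r?\n lets us detect CRLF separately below.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample PEM body (placeholder bytes, not a real certificate).
SAMPLE_CA_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBAgMBAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g\n"
    b"-----END CERTIFICATE-----\n"
)


def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text.

    Raises ValueError when a block contains characters that are not base64,
    which is also what makes OpenSSL stop reading a bundle early.
    """
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def check_secret(secret, local_ca_pem):
    """Return a list of problems found; an empty list means the secret looks right."""
    problems = []
    data = secret.get("data", {})
    local_digest = hashlib.sha256(local_ca_pem).hexdigest()
    for key in EXPECTED_KEYS:
        if key not in data:
            problems.append(f"key {key!r} missing from secret data")
            continue
        raw = base64.b64decode(data[key])          # kubectl base64-encodes every value
        text = raw.decode("utf-8", errors="replace")
        if "\r\n" in text:
            problems.append(f"{key}: CRLF line endings (file saved on Windows?)")
        if text.count("BEGIN CERTIFICATE") != text.count("END CERTIFICATE"):
            problems.append(f"{key}: unbalanced BEGIN/END CERTIFICATE markers")
        try:
            certs = pem_certificates(text)
        except ValueError as exc:                   # binascii.Error is a ValueError
            problems.append(f"{key}: invalid base64 inside a PEM block ({exc})")
            certs = []
        if not certs:
            problems.append(f"{key}: no CERTIFICATE block found (DER file instead of PEM?)")
        if hashlib.sha256(raw).hexdigest() != local_digest:
            problems.append(f"{key}: content differs from the local ca.crt that curl accepted")
    return problems


def sample_secret(pem):
    """Build the JSON shape kubectl prints for a generic secret (constructed sample)."""
    encoded = base64.b64encode(pem).decode()
    return {
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": "awx-custom-certs", "namespace": "awx"},
        "data": {key: encoded for key in EXPECTED_KEYS},
    }


def main(argv):
    if len(argv) != 3:
        print(__doc__, file=sys.stderr)
        return 2
    with open(argv[1]) as fh:
        secret = json.load(fh)
    with open(argv[2], "rb") as fh:
        local_ca = fh.read()
    problems = check_secret(secret, local_ca)
    for problem in problems:
        print("PROBLEM:", problem)
    print("ok" if not problems else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the check passes, the file content is not what separates the curl test from the pod, and the next thing to compare is the trust file the awx-web container actually loads at runtime; the report does not state the operator version, so that path is not assumed here. OpenSSL's "unable to get issuer certificate" means the verifier met a certificate whose issuer is in neither the presented chain nor the trust store it was given, so a passing check narrows the question to which store the container is using.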