I am setting up a web service that is reachable over HTTPS and it uses an internal CA. I want Ansible to verify the certificate so I need to make it trust this CA. I am running Ansible on both macOS and CentOS, so I need to make it trust my custom CA on both these types of operating systems.
I have tried to put my CA certificate inside /etc/ssl/certs/ and added it to /usr/local/etc/openssl/cert.pem using blockinfile, but none of those have worked. I would prefer a way that is easy to clean up, like adding the CA file to a directory instead of appending it to a file.
I am running Ansible 2.8 and have figured out that it uses urllib to make the HTTP requests. But I cannot find any information on where it looks for CA certs on different operating systems.
Any ideas? Thanks!
2 Answers
Partial answer for CentOS (other distros use different paths/binaries and I have no clue how this is managed on a Macintosh).

- Put your CA certificate, with a .pem extension, in the /etc/pki/ca-trust/source/anchors/ folder
- Run update-ca-certificates

The cert should now be recognized by Ansible (and all other environments/software using OpenSSL, e.g. curl).

If you still get validation errors, you can check what the default path used by openssl is. In this directory, there should be a symbolic link cert.pem pointing to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (i.e. the CA bundle file updated by update-ca-certificates). If this is missing, try to create it.

Usually there are not less than 3 environment variables that you need to set with the path to the custom CA. Look at https://github.com/tox-dev/tox/pull/1439 for their exact names. Also be sure they are set on the machine that runs the HTTP requests!!
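Since Ansible's HTTP layer is Python's urllib, the trust store it consults is whatever the interpreter's ssl module (and so the OpenSSL it was built against) reports, plus the SSL_CERT_FILE / SSL_CERT_DIR overrides. The following is an added example, not code from either answer: it prints those locations for the interpreter it is run with (run it on the macOS and the CentOS control node to see the differing paths) and shows how a verifying context picks up a custom CA from a file or directory; the path names in comments are typical values, not facts from the page.

```python
import os
import ssl
from pathlib import Path
from typing import Dict, Optional, Union


def default_ca_locations() -> Dict[str, Optional[str]]:
    """Report where this Python/OpenSSL build looks for trusted CAs.

    Ansible's urllib-based modules inherit these locations, so when a
    custom CA is not picked up, this is the first thing to check per OS.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile_env": paths.openssl_cafile_env,  # override variable name, "SSL_CERT_FILE"
        "cafile": paths.openssl_cafile,          # build-time default bundle (e.g. /etc/pki/tls/cert.pem on CentOS)
        "capath_env": paths.openssl_capath_env,  # override variable name, "SSL_CERT_DIR"
        "capath": paths.openssl_capath,          # build-time default hashed directory (e.g. /etc/pki/tls/certs)
        "cafile_in_use": paths.cafile,           # after env override; None if the file does not exist
        "capath_in_use": paths.capath,           # after env override; None if the directory does not exist
        "env_override": os.environ.get(paths.openssl_cafile_env)
        or os.environ.get(paths.openssl_capath_env),
    }


def context_trusting(extra_ca: Optional[Union[str, Path]] = None) -> ssl.SSLContext:
    """Verifying TLS context: the system trust store plus an optional custom CA.

    extra_ca may be a PEM file or a directory of hashed certs (as produced by
    c_rehash). A directory is the easy-to-clean-up option the question asks
    for: removing the file removes the trust.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checking, system CAs loaded
    if extra_ca is not None:
        p = Path(extra_ca)
        if not p.exists():
            raise FileNotFoundError(f"custom CA not found: {p}")
        if p.is_dir():
            ctx.load_verify_locations(capath=str(p))
        else:
            ctx.load_verify_locations(cafile=str(p))
    return ctx


def verifies_peers(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects untrusted or misnamed server certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    for key, value in default_ca_locations().items():
        print(f"{key:>14}: {value}")
```

If `cafile_in_use` comes back None, the bundle the interpreter expects is missing at that path, which matches the symlink check in the first answer.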