
I am setting up a web service that is reachable over HTTPS and it uses an internal CA. I want Ansible to verify the certificate so I need to make it trust this CA. I am running Ansible on both macOS and CentOS, so I need to make it trust my custom CA on both these types of operating systems.

I have tried to put my CA certificate inside /etc/ssl/certs/ and appended it to /usr/local/etc/openssl/cert.pem using blockinfile, but none of those have worked. I would prefer a way that is easy to clean up, like adding the CA file to a directory instead of appending it to a file.

I am running Ansible 2.8 and have figured out that it uses urllib to make the HTTP requests. But I cannot find any information on where it looks for CA certs on different operating systems.

Any ideas? Thanks!

2 Answers


  1. Partial answer for CentOS (other distros use different paths/binaries and I have no clue how this is managed on Macintosh).

    • Add your CA certificate file with a .pem extension to the /etc/pki/ca-trust/source/anchors/ folder
    • Run as root the command update-ca-certificates

    The cert should now be recognized by Ansible (and all other environments/software using OpenSSL, e.g. curl).

    If you still get validation errors, you can check what the default path used by OpenSSL is:

     openssl version -a | grep -i openssldir

    In this directory, there should be a symbolic link cert.pem pointing to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (i.e. the CA Bundle file updated by update-ca-certificates). If this is missing, try to create it.

  2. Usually there are no fewer than 3 environment variables that you need to set with the path to the custom CA. Look at https://github.com/tox-dev/tox/pull/1439 for their exact names. Also be sure they are set on the machine that runs the HTTP requests!

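Since Ansible goes through urllib, the CA locations it honours are those of Python's ssl module: the compiled-in OpenSSL file/directory plus the environment variables that override them. The following script is an added example (not from either answer above) that reports those locations on whichever controller you run it on and checks that a candidate CA bundle actually loads; the /constructed/... paths in the comments are placeholders.

```python
import os
import ssl


def ca_lookup_report(env=None):
    """Where the Python ssl module (used by urllib, hence by Ansible) looks for CA certs.

    `env` is the mapping to read overrides from (defaults to os.environ).
    ssl.get_default_verify_paths() consults os.environ itself, so the effective
    values are recomputed here from `env` to make the override logic explicit.
    """
    env = os.environ if env is None else env
    paths = ssl.get_default_verify_paths()
    file_env, dir_env = paths.openssl_cafile_env, paths.openssl_capath_env
    # Compiled-in defaults (typically OPENSSLDIR/cert.pem and OPENSSLDIR/certs)
    compiled_file, compiled_dir = paths.openssl_cafile, paths.openssl_capath
    # The environment variables, when set, take precedence over the compiled-in paths
    effective_file = env.get(file_env) or compiled_file
    effective_dir = env.get(dir_env) or compiled_dir
    return {
        "file_env_var": file_env,            # e.g. "SSL_CERT_FILE"
        "dir_env_var": dir_env,              # e.g. "SSL_CERT_DIR"
        "compiled_cafile": compiled_file,
        "compiled_capath": compiled_dir,
        "effective_cafile": effective_file,
        "effective_capath": effective_dir,
        "cafile_exists": os.path.isfile(effective_file),
        "capath_exists": os.path.isdir(effective_dir),
    }


def ca_file_loads(cafile):
    """True only if `cafile` exists and OpenSSL accepts it as a PEM CA bundle.

    A bundle that silently fails to load is the usual reason a custom CA
    'does not work' even though the file is in the expected place.
    """
    try:
        ssl.create_default_context(cafile=cafile)
        return True
    except (FileNotFoundError, ssl.SSLError):
        return False


if __name__ == "__main__":
    # Run on the macOS and CentOS controllers to see which file/dir Ansible will use
    for key, value in ca_lookup_report().items():
        print(f"{key:18} {value}")
```

If `effective_cafile` points at a file that does not exist (common on macOS where OPENSSLDIR is often empty), set the reported environment variable to your bundle or symlink it as the first answer describes.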