Cannot clone GIT repo over HTTPS (self-signed server cert issue) #490

Closed
holgerstolzenberg opened this issue Oct 24, 2017 · 10 comments

@holgerstolzenberg

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • API
  • UI
SUMMARY

I am trying to clone a repository from our internal Bitbucket server. The server runs with a self-signed certificate. The clone operation breaks due to "Peer's Certificate issuer is not recognized".

As a workaround, I tried to disable SSL verification via the .gitconfig for the root user on the awx-task container, but with no luck. The process forked by AWX seems to ignore that. A second problem would be that this is just a transient solution.

The following Stackoverflow post describes another issue related to this:
https://serverfault.com/questions/877530/git-called-by-awx-ignores-manually-installed-root-ca

This is essentially a showstopper for us, as we cannot clone Ansible provisioning code without pain.

ENVIRONMENT
  • AWX version: 1.0.1.81
  • AWX install method: docker on CentOS 7
  • Ansible version: 2.4.0.0
  • Web Browser: Chrome 62.0.3202.62
STEPS TO REPRODUCE
  • Create new credential entity for your repo via UI
  • Create new Project via the UI
    • Use the afore-created credentials
    • Use HTTPS protocol, use Git repo secured by self-signed certificate
EXPECTED RESULTS
  • Add a checkbox to the Project creation page that disables SSL verification for the given project
  • The forked git clone task command needs to leverage that setting
  • In result, the repo with the self-signed cert can be cloned
ACTUAL RESULTS
  • Repo cannot be cloned due to certificate trust error
ADDITIONAL INFORMATION

awx-git-clone-error

@wenottingham
Contributor

closing as duplicate of #416

matburt pushed a commit to matburt/awx that referenced this issue Nov 16, 2017
[3.2.2] Delete all hosts or groups from inventory source
@kuklis

kuklis commented Dec 26, 2017

To turn off certificate verification completely, add AWX_TASK_ENV['GIT_SSL_NO_VERIFY'] = 'True' to /etc/tower/settings.py within the awx_task container and restart it.
A nicer solution is to copy the self-signed certificate (not the key) to /etc/pki/ca-trust/source/anchors/ on the awx_task container and run update-ca-trust extract within. Make sure to configure AWX with the correct hostname of the git server, matching the certificate subject.

@lukasmrtvy

lukasmrtvy commented Feb 20, 2018

This is not working.. Any ideas?

PATCH /api/v1/settings/jobs/

{
    "AWX_TASK_ENV": {
        "GIT_SSL_NO_VERIFY": "True"
    }
}

EDIT: AWX_TASK_ENV has "defined_in_file": true, is it possible to override it somehow?

@ryanpetrello
Contributor

ryanpetrello commented Feb 20, 2018

@muhahacz after running a job, can you visit:

GET /api/v2/project_updates/N/

...and confirm that GIT_SSL_NO_VERIFY is properly set under the job_env key?
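
A check that can be run over the bodies returned by the endpoints named in this thread, as an added example that is not part of the original comments or AWX's own code: it reports where GIT_SSL_NO_VERIFY is present in the AWX_TASK_ENV setting and in each project update's job_env. The sample bodies, the `id` and `scm_url` field names, and the function names are assumptions.

```python
import json

# Git's documentation says GIT_SSL_NO_VERIFY takes effect when set to any
# value, so "False", "0" or "" disable verification just as "True" does.
NO_VERIFY = "GIT_SSL_NO_VERIFY"
LOOKS_OFF = {"", "0", "false", "no", "off"}


def check_env(env, source):
    """Return a finding for one environment mapping, or None if it is clean."""
    if not isinstance(env, dict) or NO_VERIFY not in env:
        return None
    value = str(env[NO_VERIFY])
    return {
        "source": source,
        "value": value,
        # True when the value reads as "flag off" although git still honours it.
        "misleading_value": value.strip().lower() in LOOKS_OFF,
    }


def audit(settings_body, project_updates):
    """Check the AWX_TASK_ENV setting and each project update's job_env."""
    findings = []
    hit = check_env(settings_body.get("AWX_TASK_ENV"), "settings:AWX_TASK_ENV")
    if hit:
        findings.append(hit)
    for update in project_updates:
        # "id" and "scm_url" are assumed field names in the response body.
        hit = check_env(update.get("job_env"), f"project_update:{update.get('id')}")
        if hit:
            # The variable only affects remotes fetched over HTTPS.
            url = str(update.get("scm_url", "")).lower()
            hit["https_remote"] = url.startswith("https://")
            findings.append(hit)
    return findings


# Constructed sample data, shaped like the API bodies discussed in the thread.
SAMPLE_SETTINGS = json.loads(
    '{"AWX_TASK_ENV": {"HOME": "/var/lib/awx", "GIT_SSL_NO_VERIFY": "False"}}')
SAMPLE_UPDATES = json.loads("""[
  {"id": 11, "scm_url": "https://git.example.internal/ops/play.git",
   "job_env": {"GIT_SSL_NO_VERIFY": "True", "HOME": "/var/lib/awx"}},
  {"id": 12, "scm_url": "https://git.example.internal/ops/roles.git",
   "job_env": {"HOME": "/var/lib/awx"}},
  {"id": 13, "scm_url": "git@git.example.internal:ops/net.git",
   "job_env": {"GIT_SSL_NO_VERIFY": "False"}}
]""")
```

An empty result from `audit()` means neither the setting nor any inspected project update carried the variable.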

@lukasmrtvy

lukasmrtvy commented Feb 21, 2018

@ryanpetrello
GIT_SSL_NO_VERIFY is not set ..

In fact I guess that I cannot set any AWX_TASK_ENV variable, if this option has "defined_in_file": true set.

I cannot even set it in the web GUI ( http://awx/#/configuration/jobs )
Extra environment variables: (This setting has been manually in a setting file and is now disabled)

@ryanpetrello
Contributor

ryanpetrello commented Feb 21, 2018

@muhahacz you've defined AWX_TASK_ENV in a .py setting file somewhere on the file system, which makes it read-only (and not editable from the API).

@zakstar

zakstar commented Sep 28, 2018

This is not working.. Any ideas?

PATCH /api/v1/settings/jobs/

{
    "AWX_TASK_ENV": {
        "GIT_SSL_NO_VERIFY": "True"
    }
}

EDIT: AWX_TASK_ENV has "defined_in_file": true, is it possible to override it somehow?

@lukasmrtvy The following response from @kuklis above helped me with the workaround.

To turn off certificate verification completely, add AWX_TASK_ENV['GIT_SSL_NO_VERIFY'] = 'True' to /etc/tower/settings.py within the awx_task container and restart it.

@ylebi

ylebi commented Nov 4, 2020

@ryanpetrello
GIT_SSL_NO_VERIFY is not set ..

In fact I guess that I cannot set any AWX_TASK_ENV variable, if this option has "defined_in_file": true set.

I cannot even set it in the web GUI ( http://awx/#/configuration/jobs )
Extra environment variables: (This setting has been manually in a setting file and is now disabled)

I know it's been a while for that issue, but hope it will assist others.

You can add this extra variable in the Jobs Settings via the AWX web interface (http://awx/#/settings/jobs) under "EXTRA ENVIRONMENT VARIABLES"
Additional information in the documentation: https://docs.ansible.com/ansible-tower/latest/html/administration/configure_tower_in_tower.html#jobs

{
"GIT_SSL_NO_VERIFY": "True"
}

@4F2E4A2E

Thanks to this post, I was able to pass the config in the following way:

  • Install the awx cli
python3 -m pip install awxkit
awx -k settings modify AWX_TASK_ENV '{ "HOME": "/var/lib/awx", "GIT_SSL_NO_VERIFY": "True" }' --conf.token <xyz>

@martpp

martpp commented Mar 25, 2022

To turn off certificate verification completely, add AWX_TASK_ENV['GIT_SSL_NO_VERIFY'] = 'True' to /etc/tower/settings.py within the awx_task container and restart it. A nicer solution is to copy the self-signed certificate (not the key) to /etc/pki/ca-trust/source/anchors/ on the awx_task container and run update-ca-trust extract within. Make sure to configure AWX with the correct hostname of the git server, matching the certificate subject.

Addition: In the new AWX version (20.0.1), the awx_task container is now called tools_awx_1 and the settings file is under /etc/tower/conf.d/local_settings.py.

fosterseth added a commit to fosterseth/awx that referenced this issue Jun 25, 2024
Utilizes the `validate_role_assignment` callback
from dab (see dab PR ansible#490) to prevent granting credential
access to a user of another organization.

This logic will work for role_user_assignments
and role_team_assignments endpoints.

Signed-off-by: Seth Foster <[email protected]>