Chapter 6. Renewing and changing the SSL/TLS certificates


If your current SSL/TLS certificates have expired or will expire soon, you can either renew or replace the SSL/TLS certificates used by Ansible Automation Platform.

You must renew the SSL/TLS certificates if you need to regenerate them with new information such as new hosts.

You must replace the SSL/TLS certificates if you want to use certificates signed by an internal certificate authority.

6.1. Container-based installations

You can change the TLS certificates and keys for your container-based Ansible Automation Platform installation. This process involves a preparation step, either providing new custom certificates or deleting or moving the old certificates, followed by running the installation program.

The following procedure describes how to update the TLS certificates and keys by using the installation program.

Procedure

  1. To prepare the certificates and keys, choose one of the following methods:

    • To provide custom certificates - For each service that requires updated TLS certificates, copy the new certificates and keys to a path relative to the Ansible Automation Platform installer. Then update the inventory file variables with the absolute paths to the new files.

      # Platform gateway
      gateway_tls_cert=<path_to_tls_certificate>
      gateway_tls_key=<path_to_tls_key>
      gateway_pg_tls_cert=<path_to_tls_certificate>
      gateway_pg_tls_key=<path_to_tls_key>
      gateway_redis_tls_cert=<path_to_tls_certificate>
      gateway_redis_tls_key=<path_to_tls_key>
      
      # Automation controller
      controller_tls_cert=<path_to_tls_certificate>
      controller_tls_key=<path_to_tls_key>
      controller_pg_tls_cert=<path_to_tls_certificate>
      controller_pg_tls_key=<path_to_tls_key>
      
      # Automation hub
      hub_tls_cert=<path_to_tls_certificate>
      hub_tls_key=<path_to_tls_key>
      hub_pg_tls_cert=<path_to_tls_certificate>
      hub_pg_tls_key=<path_to_tls_key>
      
      # Event-Driven Ansible
      eda_tls_cert=<path_to_tls_certificate>
      eda_tls_key=<path_to_tls_key>
      eda_pg_tls_cert=<path_to_tls_certificate>
      eda_pg_tls_key=<path_to_tls_key>
      eda_redis_tls_cert=<path_to_tls_certificate>
      eda_redis_tls_key=<path_to_tls_key>
      
      # PostgreSQL
      postgresql_tls_cert=<path_to_tls_certificate>
      postgresql_tls_key=<path_to_tls_key>
      
      # Receptor
      receptor_tls_cert=<path_to_tls_certificate>
      receptor_tls_key=<path_to_tls_key>
    • To generate new certificates - If you want the installation program to generate a new certificate for a service, delete or move the existing certificates and keys.

      Table 6.1. Certificate and key file paths per service

      Service                  Certificate file path               Key file path
      Automation controller    ~/aap/controller/etc/tower.cert     ~/aap/controller/etc/tower.key
      Event-Driven Ansible     ~/aap/eda/etc/eda.cert              ~/aap/eda/etc/eda.key
      Platform gateway         ~/aap/gateway/etc/gateway.cert      ~/aap/gateway/etc/gateway.key
      Automation hub           ~/aap/hub/etc/pulp.cert             ~/aap/hub/etc/pulp.key
      PostgreSQL               ~/aap/postgresql/server.crt         ~/aap/postgresql/server.key
      Receptor                 ~/aap/receptor/etc/receptor.crt     ~/aap/receptor/etc/receptor.key
      Redis                    ~/aap/redis/server.crt              ~/aap/redis/server.key

  2. After preparing your certificates, run the install playbook from your installation directory:

    ansible-playbook -i <inventory_file_name> ansible.containerized_installer.install

Verification

Verify that the new TLS certificates are in use by checking that the services are running and accessible. To do this, check a specific endpoint by using curl:

$ curl -vk https://<hostname_or_ip>:<port_number>/api/v2/

The output of this command gives details about the TLS handshake. Look for the following output to confirm the correct certificate is being used:

*  SSL certificate verify OK

6.2. Operator-based installations

The following procedure describes how to change the SSL certificate and key for automation controller running on OpenShift Container Platform.

Procedure

  1. Copy the signed SSL certificate and key to a secure location.
  2. Create a TLS secret within OpenShift:

    oc create secret tls ${CONTROLLER_INSTANCE}-certs-$(date +%F) --cert=/path/to/ssl.crt --key=/path/to/ssl.key
  3. Modify the automation controller custom resource to add route_tls_secret and the name of the new secret to the spec section.

    oc edit automationcontroller/${CONTROLLER_INSTANCE}

    ...
    spec:
      route_tls_secret: automation-controller-certs-2023-04-06
    ...

The name of the TLS secret is arbitrary. In this example, it is timestamped with the date that the secret is created, to differentiate it from other TLS secrets applied to the automation controller instance.

  4. Wait a few minutes for the changes to be applied.
  5. Verify that the new SSL certificate and key have been installed:

    true | openssl s_client -showcerts -connect ${CONTROLLER_FQDN}:443

The following procedure describes how to change the SSL certificate and key for automation hub running on OpenShift Container Platform.

Procedure

  1. Copy the signed SSL certificate and key to a secure location.
  2. Create a TLS secret within OpenShift:

    oc create secret tls ${AUTOMATION_HUB_INSTANCE}-certs-$(date +%F) --cert=/path/to/ssl.crt --key=/path/to/ssl.key
  3. Modify the automation hub custom resource to add route_tls_secret and the name of the new secret to the spec section.

    oc edit automationhub/${AUTOMATION_HUB_INSTANCE}

    ...
    spec:
      route_tls_secret: automation-hub-certs-2023-04-06
    ...

The name of the TLS secret is arbitrary. In this example, it is timestamped with the date that the secret is created, to differentiate it from other TLS secrets applied to the automation hub instance.

  4. Wait a few minutes for the changes to be applied.
  5. Verify that the new SSL certificate and key have been installed:

    true | openssl s_client -showcerts -connect ${HUB_FQDN}:443
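The controller and hub procedures above are the same two oc calls (create a date-stamped TLS secret, point spec.route_tls_secret at it) followed by a check that the route really presents the new certificate. The script below is an added example, not part of the operator or of this documentation; it wraps those calls in functions and adds the comparison between the certificate stored in the secret and the certificate the route serves. It assumes the resource kinds and the route_tls_secret field shown in the procedure, that oc is already logged in to the namespace that holds the instance, and that the OC variable can be pointed at a stand-in CLI for testing.

```shell
#!/usr/bin/env bash
# Rotate the route TLS secret of an AutomationController or AutomationHub
# custom resource and confirm the route serves the new certificate.
# Added example, not part of the operator. OC defaults to the real CLI and
# can be overridden (for example with a shell function) when testing.
OC="${OC:-oc}"

# rotate_route_tls <automationcontroller|automationhub> <instance> <cert> <key>
# Creates a date-stamped TLS secret (the naming used in the procedure) and
# merges route_tls_secret into the spec. Prints the new secret name.
rotate_route_tls() {
  local kind="$1" instance="$2" cert="$3" key="$4"
  local secret="${instance}-certs-$(date +%F)"
  "$OC" create secret tls "$secret" --cert="$cert" --key="$key" >/dev/null || return 1
  "$OC" patch "$kind/$instance" --type merge \
    -p "{\"spec\":{\"route_tls_secret\":\"$secret\"}}" >/dev/null || return 1
  echo "$secret"
}

# SHA-256 fingerprint of the certificate stored in a TLS secret.
secret_cert_fingerprint() {  # secret_cert_fingerprint <secret>
  "$OC" get secret "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate the route actually presents.
served_cert_fingerprint() {  # served_cert_fingerprint <fqdn>
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 once the route presents the certificate from the secret; rerun
# until it does, since the operator needs a few minutes to apply the change.
verify_rotation() {  # verify_rotation <secret> <fqdn>
  [ "$(secret_cert_fingerprint "$1")" = "$(served_cert_fingerprint "$2")" ]
}

# Stand-alone use: rotate.sh <kind> <instance> <cert> <key> <fqdn>
if [ "$#" -eq 5 ]; then
  secret=$(rotate_route_tls "$1" "$2" "$3" "$4") || exit 1
  echo "created $secret; waiting for the route to pick it up"
  until verify_rotation "$secret" "$5"; do sleep 30; done
  echo "route $5 now serves the certificate from $secret"
fi
```

Comparing fingerprints rather than eyeballing `openssl s_client -showcerts` output catches the common failure where the secret was created but the custom resource still references the old one.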

6.3. RPM-based installations

To renew or change SSL certificates for RPM-based installations, you can edit the inventory file and run the installation program. The installation program verifies that all Ansible Automation Platform components are working.

Alternatively, you can change the SSL certificates manually. This is quicker, but there is no automatic verification.

Red Hat recommends that you use the installation program to make changes to your Ansible Automation Platform deployment.

The following steps regenerate new SSL/TLS certificates for all Ansible Automation Platform components.

Procedure

  1. Add aap_service_regen_cert=true to the inventory file in the [all:vars] section:

    [all:vars]
    aap_service_regen_cert=true
  2. Run the installer.

Verification

  • Validate the CA file and certificate file on Event-Driven Ansible controller:

    openssl verify -CAfile ansible-automation-platform-managed-ca-cert.crt /etc/ansible-automation-platform/eda/server.cert
    openssl s_client -connect <EDA_FQDN>:443
  • Validate the CA file and certificate file on platform gateway:

    openssl verify -CAfile ansible-automation-platform-managed-ca-cert.crt /etc/ansible-automation-platform/gateway/gateway.cert
    openssl s_client -connect <GATEWAY_FQDN>:443
  • Validate the CA file and certificate file on automation hub:

    openssl verify -CAfile ansible-automation-platform-managed-ca-cert.crt /etc/pulp/certs/pulp_webserver.crt
    openssl s_client -connect <HUB_FQDN>:443
  • Validate the CA file and certificate file on automation controller:

    openssl verify -CAfile ansible-automation-platform-managed-ca-cert.crt /etc/tower/tower.cert
    openssl s_client -connect <CONTROLLER_FQDN>:443

The following procedure describes how to change the SSL/TLS certificate and key in the inventory file.

Prerequisites

  • The certificates must be in PEM format.
  • If there is an intermediate certificate authority, you must append it to the server certificate.
  • Use the correct order for the certificates: The server certificate comes first, followed by the intermediate certificate authority.

For further information, see the ssl certificate section of the NGINX documentation.
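The prerequisites above (PEM format, intermediate CA appended, server certificate first) are easy to get wrong, and the installer only reports the problem after a long run. The script below is an added example, not part of the Red Hat installer or of this documentation; it checks a certificate bundle, its private key and the root CA with the openssl CLI before their paths go into the inventory file, and the same checks apply to the files used by a container-based installation. The function names, the 30-day default expiry threshold and the optional hostname check are assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a server certificate bundle, its key and the root CA
# that will become custom_ca_cert. Added example, not part of the installer;
# it only needs the openssl CLI.

# Print the Nth certificate (1-based) of a PEM bundle.
nth_cert() {  # nth_cert <bundle.pem> <n>
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# check_cert_bundle <bundle.pem> <key.pem> <root_ca.pem> [min_days] [hostname]
# Returns 0 only if every check passes and prints one line per failed check.
check_cert_bundle() {
  local bundle="$1" key="$2" ca="$3" min_days="${4:-30}" host="${5:-}"
  local status=0 cert_pub key_pub issuer subject

  # 1. The bundle must start with a parseable PEM certificate.
  if ! openssl x509 -in "$bundle" -noout 2>/dev/null; then
    echo "FAIL: $bundle does not start with a PEM certificate"
    return 1
  fi

  # 2. The key must belong to the first (server) certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the first certificate in $bundle"
    status=1
  fi

  # 3. Order: server certificate first, then the intermediate CA, so the
  #    issuer of certificate 1 must be the subject of certificate 2.
  if [ "$(grep -c 'BEGIN CERTIFICATE' "$bundle")" -ge 2 ]; then
    issuer=$(openssl x509 -in "$bundle" -noout -issuer | sed 's/^issuer=//')
    subject=$(nth_cert "$bundle" 2 | openssl x509 -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "FAIL: wrong order in $bundle (issuer '$issuer' != next subject '$subject')"
      status=1
    fi
  else
    echo "WARN: $bundle holds a single certificate; append the intermediate CA if one exists"
  fi

  # 4. The chain must verify up to the root CA (the future custom_ca_cert).
  if ! openssl verify -CAfile "$ca" -untrusted "$bundle" "$bundle" >/dev/null 2>&1; then
    echo "FAIL: $bundle does not chain to $ca"
    status=1
  fi

  # 5. Do not install a certificate that expires within min_days.
  if ! openssl x509 -in "$bundle" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: server certificate expires within $min_days days"
    status=1
  fi

  # 6. Optional: the name clients connect to must be in the SAN list.
  if [ -n "$host" ] && ! openssl x509 -in "$bundle" -noout -text | grep -qw "DNS:$host"; then
    echo "FAIL: $host is not in the subjectAltName of the server certificate"
    status=1
  fi

  return "$status"
}

# Stand-alone use: check_cert_bundle.sh <bundle> <key> <root_ca> [min_days] [hostname]
if [ "$#" -ge 3 ]; then
  check_cert_bundle "$@"
fi
```

Run it once per component, for example `./check_cert_bundle.sh gateway-bundle.pem gateway.key root-ca.crt 30 gateway.example.com`, passing the file that will become custom_ca_cert as the third argument; a clean run means the inventory variables in the next procedure can point at exactly these files.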

Procedure

  1. Copy the new SSL/TLS certificates and keys to a path relative to the Ansible Automation Platform installer.
  2. Add the absolute paths of the SSL/TLS certificates and keys to the inventory file. Refer to Inventory file variables for guidance on setting these variables.

    • Event-Driven Ansible controller: automationedacontroller_ssl_cert, automationedacontroller_ssl_key, custom_ca_cert
    • Platform gateway: automationgateway_ssl_cert, automationgateway_ssl_key, custom_ca_cert
    • Automation hub: automationhub_ssl_cert, automationhub_ssl_key, custom_ca_cert
    • Automation controller: web_server_ssl_cert, web_server_ssl_key, custom_ca_cert

      Note

      The custom_ca_cert must be the root certificate authority that signed the intermediate certificate authority. This file is installed in /etc/pki/ca-trust/source/anchors.

  3. Run the installation program.

The following procedure describes how to change SSL/TLS certificates and keys manually for all Ansible Automation Platform components.

Procedure

  1. Back up the current SSL/TLS certificate:

    cp <CERT_PATH> <CERT_PATH>-$(date +%F)
  2. Back up the current key file:

    cp <KEY_PATH> <KEY_PATH>-$(date +%F)
  3. Copy the new SSL/TLS certificate to the certificate path.
  4. Copy the new key to the key path.
  5. Restore the SELinux context:

    restorecon -v <CERT_PATH> <KEY_PATH>
  6. Set appropriate permissions for the certificate and key files:

    chown <OWNER>:<GROUP> <CERT_PATH> <KEY_PATH>
    chmod 0600 <CERT_PATH> <KEY_PATH>
  7. Test the NGINX configuration:

    nginx -t
  8. Reload NGINX:

    systemctl reload nginx.service
  9. Verify that the new SSL/TLS certificate and key have been installed:

    true | openssl s_client -showcerts -connect <COMPONENT_FQDN>:443

    Table 6.2. SSL/TLS certificate and key file paths per service

    Service                          Certificate file path                                   Key file path                                          Owner:Group
    Automation controller            /etc/tower/tower.cert                                   /etc/tower/tower.key                                   root:awx
    Automation hub                   /etc/pulp/certs/pulp_webserver.crt                      /etc/pulp/certs/pulp_webserver.key                     root:pulp
    Event-Driven Ansible controller  /etc/ansible-automation-platform/eda/server.cert        /etc/ansible-automation-platform/eda/server.key        root:eda
    Platform gateway                 /etc/ansible-automation-platform/gateway/gateway.cert   /etc/ansible-automation-platform/gateway/gateway.key   root:gateway
