Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 7. Networking
Resolve networking issues including subnet conflicts and SSL/TLS certificate problems.
7.1. Issue - Container subnet conflicts with internal network
The default subnet used in Ansible Automation Platform containers conflicts with the internal network resulting in "No route to host" errors.
To resolve this issue, update the default classless inter-domain routing (CIDR) value so it does not conflict with the CIDR used by the default Podman networking plugin.
Procedure
In all controller and hybrid nodes, run the following commands to create a file called
custom.py:# touch /etc/tower/conf.d/custom.py# chmod 640 /etc/tower/conf.d/custom.py# chown root:awx /etc/tower/conf.d/custom.pyAdd the following to the
/etc/tower/conf.d/custom.pyfile:DEFAULT_CONTAINER_RUN_OPTIONS = ['--network', 'slirp4netns:enable_ipv6=true,cidr=192.168.1.0/24']-
192.168.1.0/24is the value for the new CIDR in this example.
-
Stop and start the automation controller service in all controller and hybrid nodes:
# automation-controller-service stop# automation-controller-service startAll containers will start on the new CIDR.
7.2. Troubleshooting SSL/TLS issues
To troubleshoot SSL/TLS issues, verify the certificate chain, use the correct certificates, and confirm that a trusted Certificate Authority (CA) signed the certificate.
Procedure
Check if the server is reachable over SSL/TLS.
Run the following command to confirm whether the server is reachable over SSL/TLS and to see the full certificate chain:
# true | openssl s_client -showcerts -connect <fqdn_or_ip>:<port>-
Replace
<fqdn_or_ip>and<port>with suitable values.
Verify the certificate details.
Run the following command to view the details of a certificate:
# openssl x509 -in <path_to_certificate> -noout -text
Replace
<path_to_certificate>with the path to the certificate file you want to inspect.The result of the command shows information such as:
- Subject - The entity the certificate has been issued to.
- Issuer - The CA that issued the certificate.
- Validity "Not Before" - The date the certificate was issued.
- Validity "Not After" - The date the certificate expires.
Verify a trusted CA signed the certificate.
Run the following command to verify that a specific certificate is valid and was signed by a trusted CA:
openssl verify -CAfile <path_to_ca_public_certificate> <path_to_server_certificate_file_to_verify>-
If the command returns
OK, it means the certificate file is valid and signed by a trusted CA.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}