Red Hat SummitChapter 8. Renewing and changing the SSL certificate
If your current SSL certificate has expired or will expire soon, you can either renew or replace the SSL certificate used by Ansible Automation Platform.
You must renew the SSL certificate if you need to regenerate the SSL certificate with new information such as new hosts.
You must replace the SSL certificate if you want to use an SSL certificate signed by an internal certificate authority.
8.1. Renewing the self-signed SSL certificate
The following steps regenerate a new SSL certificate for both automation controller and automation hub.
Procedure
Add
aap_service_regen_cert=trueto the inventory file in the[all:vars]section:[all:vars] aap_service_regen_cert=true
[all:vars] aap_service_regen_cert=trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Run the installer.
8.2. Changing SSL certificates
To change the SSL certificate, you can edit the inventory file and run the installer. The installer verifies that all Ansible Automation Platform components are working. The installer can take a long time to run.
Alternatively, you can change the SSL certificates manually. This is quicker, but there is no automatic verification.
8.2.1. Prerequisites
- If there is an intermediate certificate authority, you must append it to the server certificate.
- Both automation controller and automation hub use NGINX so the server certificate must be in PEM format.
- Use the correct order for the certificates: The server certificate comes first, followed by the intermediate certificate authority.
For further information, see the ssl certificate section of the NGINX documentation.
8.2.2. Changing the SSL certificate and key using the installer
The following procedure describes how to change the SSL certificate and key in the inventory file.
Procedure
- Copy the new SSL certificates and keys to a path relative to the Ansible Automation Platform installer.
Add the absolute paths of the SSL certificates and keys to the inventory file. Refer to the Automation controller variables and Automation hub variables sections of the Red Hat Ansible Automation Platform Installation Guide for guidance on setting these variables.
-
Automation controller:
web_server_ssl_cert,web_server_ssl_key,custom_ca_cert -
Automation hub:
automationhub_ssl_cert,automationhub_ssl_key,custom_ca_cert
NoteThe
custom_ca_certmust be the root certificate authority that signed the intermediate certificate authority. This file is installed in/etc/pki/ca-trust/source/anchors.-
Automation controller:
- Run the installer.
8.2.3. Changing the SSL certificate manually
8.2.3.1. Changing the SSL certificate and key manually on automation controller
The following procedure describes how to change the SSL certificate and key manually on Automation Controller.
Procedure
Backup the current SSL certificate:
cp /etc/tower/tower.cert /etc/tower/tower.cert-$(date +%F)
cp /etc/tower/tower.cert /etc/tower/tower.cert-$(date +%F)Copy to Clipboard Copied! Toggle word wrap Toggle overflow Backup the current key files:
cp /etc/tower/tower.key /etc/tower/tower.key-$(date +%F)+
cp /etc/tower/tower.key /etc/tower/tower.key-$(date +%F)+Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Copy the new SSL certificate to
/etc/tower/tower.cert. -
Copy the new key to
/etc/tower/tower.key. Restore the SELinux context:
restorecon -v /etc/tower/tower.cert /etc/tower/tower.key
restorecon -v /etc/tower/tower.cert /etc/tower/tower.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Set appropriate permissions for the certificate and key files:
chown root:awx /etc/tower/tower.cert /etc/tower/tower.key chmod 0600 /etc/tower/tower.cert /etc/tower/tower.key
chown root:awx /etc/tower/tower.cert /etc/tower/tower.key chmod 0600 /etc/tower/tower.cert /etc/tower/tower.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Test the NGINX configuration:
nginx -t
nginx -tCopy to Clipboard Copied! Toggle word wrap Toggle overflow Reload NGINX:
systemctl reload nginx.service
systemctl reload nginx.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow Verify that new SSL certificate and key have been installed:
true | openssl s_client -showcerts -connect ${CONTROLLER_FQDN}:443true | openssl s_client -showcerts -connect ${CONTROLLER_FQDN}:443Copy to Clipboard Copied! Toggle word wrap Toggle overflow
The following procedure describes how to change the SSL certificate and key for automation controller running on OpenShift Container Platform.
Procedure
- Copy the signed SSL certificate and key to a secure location.
Create a TLS secret within OpenShift:
oc create secret tls ${CONTROLLER_INSTANCE}-certs-$(date +%F) --cert=/path/to/ssl.crt --key=/path/to/ssl.keyoc create secret tls ${CONTROLLER_INSTANCE}-certs-$(date +%F) --cert=/path/to/ssl.crt --key=/path/to/ssl.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Modify the automation controller custom resource to add
route_tls_secretand the name of the new secret to the spec section.oc edit automationcontroller/${CONTROLLER_INSTANCE}oc edit automationcontroller/${CONTROLLER_INSTANCE}Copy to Clipboard Copied! Toggle word wrap Toggle overflow ... spec: route_tls_secret: automation-controller-certs-2023-04-06 ...
... spec: route_tls_secret: automation-controller-certs-2023-04-06 ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow
The name of the TLS secret is arbitrary. In this example, it is timestamped with the date that the secret is created, to differentiate it from other TLS secrets applied to the automation controller instance.
- Wait a few minutes for the changes to be applied.
Verify that new SSL certificate and key have been installed:
true | openssl s_client -showcerts -connect ${CONTROLLER_FQDN}:443true | openssl s_client -showcerts -connect ${CONTROLLER_FQDN}:443Copy to Clipboard Copied! Toggle word wrap Toggle overflow
8.2.3.3. Changing the SSL certificate and key manually on automation hub
The following procedure describes how to change the SSL certificate and key manually on automation hub.
Procedure
Backup the current SSL certificate:
cp /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.crt-$(date +%F)
cp /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.crt-$(date +%F)Copy to Clipboard Copied! Toggle word wrap Toggle overflow Backup the current key files:
cp /etc/pulp/certs/pulp_webserver.key /etc/pulp/certs/pulp_webserver.key-$(date +%F)
cp /etc/pulp/certs/pulp_webserver.key /etc/pulp/certs/pulp_webserver.key-$(date +%F)Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Copy the new SSL certificate to
/etc/pulp/certs/pulp_webserver.crt. -
Copy the new key to
/etc/pulp/certs/pulp_webserver.key. Restore the SELinux context:
restorecon -v /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.key
restorecon -v /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Set appropriate permissions for the certificate and key files:
chown root:pulp /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.key
chown root:pulp /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow chmod 0600 /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.key
chmod 0600 /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Test the NGINX configuration:
nginx -t
nginx -tCopy to Clipboard Copied! Toggle word wrap Toggle overflow Reload NGINX:
systemctl reload nginx.service
systemctl reload nginx.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow Verify that new SSL certificate and key have been installed:
true | openssl s_client -showcerts -connect ${CONTROLLER_FQDN}:443true | openssl s_client -showcerts -connect ${CONTROLLER_FQDN}:443Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}