Open nicolaibaralmueller opened 3 years ago
Similar issue here but with the length of the key.
I'm running AWX 19.2.2 over k3s in a single node.
I cannot log in with my internal LDAP, getting this error:
django_auth_ldap Caught LDAPError while authenticating xxxxxx: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (EE certificate key too weak)'})
Unfortunately I cannot upgrade the LDAP certificate as it's outside my scope.
While in earlier versions of AWX over docker I could apply the same workaround provided by @nicolaibaralmueller, I wasn't able to find a solution in kubernetes. Once inside the awx-web container in the pod:
bash-4.4$ update-crypto-policies --set LEGACY
You must be root to run update-crypto-policies.
I also tried with sudo but password for user awx is required (I believe it's not customizable).
Any hints?
@nicolaibaralmueller, in the meantime I may have found a temporary solution which cannot be called best practice, but should work (at least in k3s running kubernetes in one node).
After deploying the awx-operator you can edit from the host the awx-operator file mapped as /opt/ansible/roles/installer/templates/ldap.py.j2, changing:
    ldap.OPT_X_TLS_REQUIRE_CERT: True,
for:
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
After that change, you can deploy your AWX environment as usual (not 100% sure if ldap_cacert_secret and bundle_cacert_secret are required. I used them though).
Finally, in the awx-web container on the created pod, the file /etc/tower/conf.d/ldap.py should look like this:
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
    ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
}
And LDAP insecure connection is working :)
Awesome @eherce. A work-around is very acceptable to me as our vcenter will be decommissioned this year.
@nicolaibaralmueller and @eherce, one possible solution is to run the AWX deployment with user uid 0 (root), in that way you can run the update-crypto-policies command.
This is the standard parameter in the helm example of AWX, but it is not mentioned in the kustomize one. On the operator spec, the property should look like this:
security_context_settings:
  runAsGroup: 0
  runAsUser: 0
  fsGroup: 0
  fsGroupChangePolicy: OnRootMismatch
Good luck
Summary
Running VSphere 5.5 which is still using TLS 1.0.
I was able to solve this issue by executing
docker exec awx_web bash -c "/usr/bin/update-crypto-policies --set LEGACY"
in the docker containers before AWX on kubes. Is there any way to enable legacy support?
AWX version
19.3.0
Installation method
kubernetes
Modifications
no
Ansible version
No response
Operating system
No response
Web browser
No response
Steps to reproduce
Execute any module, ex. community.vmware.vmware_guest_info against a vsphere 5.5 using TLS 1.0.
Expected results
Error is expected, but how to bypass?
Actual results
Unable to connect to vCenter or ESXi API at virtualcenter.domain.local on TCP/443: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1124)
Additional information
No response
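Both errors in this thread ("EE certificate key too weak" from the LDAP server and "[SSL: UNSUPPORTED_PROTOCOL]" from vSphere 5.5) come from the same place: the OpenSSL security level and protocol floor set by the container's system-wide crypto policy, which `update-crypto-policies --set LEGACY` lowers for every process in the container. The script below is an added example, not code from AWX, the operator, or anyone in this thread. It shows what LEGACY actually changes (security level 2 to 1, TLS 1.2 minimum to TLS 1.0) and how to apply the same relaxation to a single Python `ssl.SSLContext` instead of the whole container, keeping certificate and hostname verification on. Assumptions: the AWX image uses the RHEL 8 family crypto policies (DEFAULT = `@SECLEVEL=2`, LEGACY = `@SECLEVEL=1` plus TLS 1.0/1.1), the 1024-bit key size is an illustrative value (the thread does not state the real one), and the `probe` helper's host and port are whatever you pass in. Note that python-ldap drives libldap, which talks to OpenSSL directly and does not consume a Python `SSLContext`, so for the LDAP case this demonstrates the policy arithmetic rather than a drop-in fix; for clients built on the standard `ssl` module it is a real per-connection alternative to running the pod as root.

```python
"""Added example: the per-client equivalent of `update-crypto-policies --set LEGACY`.

Not part of the AWX project or this thread. Assumes RHEL 8 style crypto
policies: DEFAULT is OpenSSL security level 2 with TLS >= 1.2, LEGACY is
security level 1 with TLS >= 1.0.
"""
import socket
import ssl

# Minimum RSA modulus size accepted at each OpenSSL security level
# (openssl ciphers(1), "SECURITY LEVELS"). Level 2 is the RHEL 8 DEFAULT
# policy; level 1 is what LEGACY uses.
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def min_rsa_bits(seclevel: int) -> int:
    """Smallest RSA key OpenSSL will accept in a peer certificate at seclevel."""
    return MIN_RSA_BITS[seclevel]


def key_accepted(rsa_bits: int, seclevel: int) -> bool:
    """Would a peer certificate with an rsa_bits RSA key pass at seclevel?
    A 'no' here is exactly the 'EE certificate key too weak' verify error."""
    return rsa_bits >= min_rsa_bits(seclevel)


def default_client_context(cafile=None):
    """Verification-on context at the library defaults (TLS 1.2+ on current Python)."""
    return ssl.create_default_context(cafile=cafile)


def legacy_client_context(cafile=None, seclevel=1, min_version=ssl.TLSVersion.TLSv1):
    """Same relaxation LEGACY applies container-wide, scoped to this one context.

    Certificate verification and hostname checking stay on; only the
    protocol floor and the key-size/cipher floor move. Pass cafile to
    trust a private CA (the equivalent of OPT_X_TLS_CACERTFILE).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version
    # '@SECLEVEL=n' is the OpenSSL cipher-string directive the crypto
    # policy files themselves use to set the security level.
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the floors a context enforces, as plain strings/ints."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "cipher_count": len(ctx.get_ciphers()),
    }


def probe(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0):
    """Connect with ctx and return (negotiated protocol, peer certificate).

    Network-dependent: run it against the LDAP or vCenter endpoint to see
    whether the handshake succeeds under the relaxed floors before touching
    the container-wide policy. Not exercised offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    # Illustrative 1024-bit key (assumed; the thread does not give the real size).
    print("1024-bit key at DEFAULT (level 2):", key_accepted(1024, 2))
    print("1024-bit key at LEGACY  (level 1):", key_accepted(1024, 1))
    print("DEFAULT context:", describe(default_client_context()))
    print("LEGACY-style context:", describe(legacy_client_context()))
```

The point of `describe` is to make the trade-off visible: the legacy-style context still reports `verify_mode` CERT_REQUIRED and `check_hostname` True, which is the part the `OPT_X_TLS_NEVER` workaround earlier in the thread gives up entirely. If a relaxed context still fails against the server, the key or protocol is below even security level 1 and the remaining options are on the server side.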