ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

SSL: Unsupported protocol (_ssl.c:1124) #11015

Open nicolaibaralmueller opened 3 years ago

nicolaibaralmueller commented 3 years ago

Please confirm the following

Summary

Running VSphere 5.5 which is still using TLS 1.0.

I was able to solve this issue by executing `docker exec awx_web bash -c "/usr/bin/update-crypto-policies --set LEGACY"` in the docker containers before AWX kubes.

Is there any way to enable legacy support?

AWX version

19.3.0

Installation method

kubernetes

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

Execute any module, ex. community.vmware.vmware_guest_info against a vsphere 5.5 using TLS 1.0.

Expected results

Error is expected, but how to bypass?

Actual results

`Unable to connect to vCenter or ESXi API at virtualcenter.domain.local on TCP/443: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1124)`

Additional information

No response

eherce commented 3 years ago

Similar issue here but with the length of the key.

I'm running AWX 19.2.2 over k3s in a single node.

I cannot login with my internal LDAP, getting this error: `django_auth_ldap Caught LDAPError while authenticating xxxxxx: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (EE certificate key too weak)'})`

Unfortunately I cannot upgrade the LDAP certificate as it's outside my scope.

While in earlier versions of AWX over docker I could apply the same workaround provided by @nicolaibaralmueller, I wasn't able to find a solution in kubernetes. Once inside the awx-web container in the pod:

```
bash-4.4$ update-crypto-policies --set LEGACY
You must be root to run update-crypto-policies.
```

I also tried with sudo but password for user awx is required (I believe it's not customizable).

Any hints?

eherce commented 2 years ago

@nicolaibaralmueller, in the meantime I may have found a temporary solution which cannot be called best practice, but should work (at least in k3s running kubernetes in one node).

After deploying the awx-operator you can edit from the host the awx-operator file mapped as `/opt/ansible/roles/installer/templates/ldap.py.j2`, changing:

```
ldap.OPT_X_TLS_REQUIRE_CERT: True,
```

for:

```
ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
```

After that change, you can deploy your AWX environment as usual (not 100% sure if `ldap_cacert_secret` and `bundle_cacert_secret` are required. I used them though).

Finally, in the awx-web container on the created pod, the file `/etc/tower/conf.d/ldap.py` should look like this:

```python
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
    ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
}
```

And LDAP insecure connection is working :)

nicolaibaralmueller commented 2 years ago

> @nicolaibaralmueller, in the meantime I may have found a temporary solution which cannot be called best practice, but should work (at least in k3s running kubernetes in one node).
>
> After deploying the awx-operator you can edit from the host the awx-operator file mapped as `/opt/ansible/roles/installer/templates/ldap.py.j2`, changing: `ldap.OPT_X_TLS_REQUIRE_CERT: True,`
>
> for: `ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,`
>
> After that change, you can deploy your AWX environment as usual (not 100% sure if `ldap_cacert_secret` and `bundle_cacert_secret` are required. I used them though).
>
> Finally, in the awx-web container on the created pod, the file `/etc/tower/conf.d/ldap.py` should look like this: `AUTH_LDAP_GLOBAL_OPTIONS = { ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER, ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt" }`
>
> And LDAP insecure connection is working :)

Awesome @eherce. A work-around is very acceptable to me as our vcenter will be decommissioned this year.

tanganellilore commented 1 year ago

@nicolaibaralmueller and @eherce, one possible solution is to run the AWX deployment with user uid 0 (root), in that way you can run the update-crypto-policies command.

This is the standard parameter on the helm example of awx, but it is not mentioned on kustomize. On the operator spec, the property should look like this:

```yaml
security_context_settings:
  runAsGroup: 0
  runAsUser: 0
  fsGroup: 0
  fsGroupChangePolicy: OnRootMismatch
```

Good luck
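Both workarounds in this thread relax security for the whole container: `update-crypto-policies --set LEGACY` lowers the protocol and key-size floor for every TLS client in the pod, and `OPT_X_TLS_NEVER` switches off certificate verification for LDAP entirely. The example below is added here for illustration and is not AWX or awx-operator code. It shows, with the standard library `ssl` module, how the same two relaxations (TLS 1.0 floor for the vSphere 5.5 case, OpenSSL security level 0 for the "EE certificate key too weak" case) can be confined to a context used for one known legacy endpoint while certificate and hostname verification stay on. The cipher-string syntax `@SECLEVEL=0` is an OpenSSL feature; whether AWX's own collections and `python-ldap` expose a hook for such a context is not covered by this thread and is not assumed here.

```python
import ssl

# Constructed reference values, not from the thread: RHEL's DEFAULT crypto
# policy corresponds roughly to OpenSSL security level 2 (TLS >= 1.2,
# RSA >= 2048 bits); LEGACY roughly to level 1 with TLS 1.0/1.1 allowed.


def policy_context(cafile=None):
    """Context that follows the host's crypto policy unchanged.

    This is what an ordinary client in the awx-web container gets, and
    what fails against TLS 1.0 servers and 1024-bit certificate keys.
    """
    return ssl.create_default_context(cafile=cafile)


def legacy_endpoint_context(cafile=None):
    """Context for ONE known legacy endpoint, built on the default context.

    Only the protocol floor and the OpenSSL security level are lowered;
    verification of the peer certificate and its hostname remains
    mandatory, unlike OPT_X_TLS_NEVER in the LDAP workaround above.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Keep the two properties that make the connection trustworthy.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Accept TLS 1.0/1.1 handshakes (the vSphere 5.5 case) for this
    # context only; the system policy for other clients is untouched.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # Security level 0 removes the key-size floor behind
    # "certificate verify failed (EE certificate key too weak)".
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def describe(ctx):
    """Summarise the security-relevant knobs of a context for review/logging."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
    }


def relaxations(legacy, baseline):
    """Names of the settings where `legacy` differs from `baseline`.

    Useful as a guard in configuration review: verification flags must
    never appear in this set, only the protocol floor may.
    """
    a, b = describe(legacy), describe(baseline)
    return {k for k in a if a[k] != b[k]}


if __name__ == "__main__":
    base = policy_context()
    legacy = legacy_endpoint_context()
    print("baseline :", describe(base))
    print("legacy   :", describe(legacy))
    print("relaxed  :", relaxations(legacy, base))
```

The context returned by `legacy_endpoint_context` is the one to hand to the single client that talks to the legacy vCenter or LDAP server; everything else in the pod keeps the system policy, which is the property the container-wide `LEGACY` switch and the root `securityContext` give up.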