ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

SSH certificate not added to job runner #15590

Open dincho opened 1 month ago

dincho commented 1 month ago

Bug Summary

Try to use machine credentials with an SSH certificate for authentication, but the certificate doesn't seem to be included in the job runner during execution. Of course I triple checked that the key and certificate work fine outside of AWX.

AWX version

24.6.1

Installation method

kubernetes

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

I've created a machine credential with an SSH private key and a signed certificate:


Then I used that credential in a job template that I ran.

Expected results

Identity added: /runner/artifacts/34/ssh_key_data (root@b910556ae2cd)
Certificate added: /runner/artifacts/34/ssh_key_data-cert.pub
ansible-playbook [core 2.15.12]
---SNIP---

I'm using AWX for the first time, so I'm not sure if my expectations are correct, but I've found an old PR that shows an output with both the private key and certificate log lines in the job output.

Actual results

Identity added: /runner/artifacts/34/ssh_key_data (root@b910556ae2cd)
ansible-playbook [core 2.15.12]
  config file = None
  configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.11.10 (main, Sep  9 2024, 00:00:00) [GCC 11.5.0 20240719 (Red Hat 11.5.0-2)] (/usr/bin/python3.11)
  jinja version = 3.1.4
  libyaml = True
No config file found; using defaults
setting up inventory plugins
Loading collection ansible.builtin from 
host_list declined parsing /runner/inventory/hosts as it did not pass its verify_file() method
Parsed /runner/inventory/hosts inventory source with script plugin
Loading callback plugin default of type stdout, v2.0 from /usr/local/lib/python3.11/site-packages/ansible/plugins/callback/default.py
Loading callback plugin awx_display of type stdout, v2.0 from /usr/local/lib/python3.11/site-packages/ansible_runner/display_callback/callback/awx_display.py
Datadog callback disabled because of a dependency problem: No module named 'datadog'. Please install requirements with "pip install -r requirements.txt"
Skipping callback 'awx_display', as we already have a stdout callback.
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
---SNIP---

And of course the playbook authentication fails because of the missing certificate in the ssh-agent.

Additional information

Please let me know if this needs further debugging to help find the cause.

onefourfive commented 2 weeks ago

I'm having this same issue once I update to a newer execution environment. I'm running AWX 23.7.0.

More details in my forum post, but essentially I'm seeing:

I've tried the latest community-ee as well, which also does not work.

onefourfive commented 1 week ago

We've been able to resolve this by updating the signature algorithm from ssh-rsa to ssh-rsa2-256 or ssh-rsa2-512.

ssh-rsa is no longer supported by openssl.
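The fix above turns on which algorithm the CA used to sign the certificate. As an added example (not code from the thread or from AWX), the Python below walks the ssh-rsa-cert-v01@openssh.com wire format and returns that algorithm, so a SHA-1 ssh-rsa signature can be flagged before the certificate is handed to a job's ssh-agent. The SHA-2 variants the comment refers to are named rsa-sha2-256 and rsa-sha2-512 in OpenSSH; make_demo_cert, its dummy key material and its fake signature blob are constructed for this example.

```python
import base64
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
LEGACY_ALGOS = {"ssh-rsa"}  # SHA-1 based signature; current OpenSSH refuses it


def _s(b: bytes) -> bytes:  # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4 + n
        return self.data[self.pos - n:self.pos]


def cert_signature_algorithm(pubkey_line: str) -> str:
    """Walk the ssh-rsa-cert-v01 layout of a *-cert.pub line; return the CA sig algo."""
    kind, blob = pubkey_line.split()[:2]
    r = _Reader(base64.b64decode(blob))
    if kind.encode() != CERT_TYPE or r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.string(); r.string(); r.string()   # nonce, e, n
    r.pos += 8 + 4                       # serial (uint64), type (uint32)
    r.string(); r.string()               # key id, valid principals
    r.pos += 8 + 8                       # valid after, valid before (uint64 each)
    for _ in range(4):                   # critical options, extensions, reserved, CA key
        r.string()
    sig = _Reader(r.string())            # signature = string algo + string blob
    return sig.string().decode()


def uses_legacy_signature(pubkey_line: str) -> bool:
    return cert_signature_algorithm(pubkey_line) in LEGACY_ALGOS


def make_demo_cert(sig_algo: str) -> str:
    """Constructed cert with dummy RSA material and a fake signature (demo only)."""
    e, n = b"\x01\x00\x01", b"\x00" + b"\xab" * 32
    body = (_s(CERT_TYPE) + _s(b"nonce") + _s(e) + _s(n)
            + struct.pack(">QI", 7, 1)                 # serial, type=1 (user cert)
            + _s(b"demo-key") + _s(_s(b"deploy"))      # key id, principals
            + struct.pack(">QQ", 0, 2**64 - 1)         # valid after / valid before
            + _s(b"") + _s(_s(b"permit-pty") + _s(b"")) + _s(b"")
            + _s(_s(b"ssh-rsa") + _s(e) + _s(n))       # CA public key blob
            + _s(_s(sig_algo.encode()) + _s(b"\x00" * 16)))
    return f"{CERT_TYPE.decode()} {base64.b64encode(body).decode()} demo"
```

On a real certificate file, `ssh-keygen -L -f id_rsa-cert.pub` shows the same algorithm in parentheses on its "Signing CA" line.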