Custom CA certs not loaded into python by default #15741

Open
5 of 11 tasks
archer31 opened this issue Jan 10, 2025 · 0 comments

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)

Bug Summary

#10787 adds support for auto-loading the system certificate store into the execution environment. But since a few Python versions ago, Python no longer respects the system certificate store, instead opting to use the certifi package. Unfortunately, that means that manual workarounds are needed to load the custom certificates into Python.

Currently, to load my custom certificates, I have added this value to Paths to expose to isolated jobs:

[
  "/usr/local/lib/python3.9/site-packages/certifi/cacert.pem:/usr/local/lib/python3.11/site-packages/certifi/:O",
]

I know that this is a very bad workaround, and it also seems like this does not only copy the cacert.pem file into the container but the entire directory instead.

AWX version

24.6.2.dev0+g94e5795dfc.d20240705

Select the relevant components

  • UI
  • UI (tech preview)
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

kubernetes

Modifications

yes

Ansible version

No response

Operating system

RHEL9

Web browser

No response

Steps to reproduce

  1. Create an inventory
  2. Create a source for that inventory
    The source should use a custom inventory plugin that uses the requests library
  3. Sync the inventory

Expected results

There should be a way to load custom certificates into the python environment.

Actual results

Python returns a certificate verify failed error:

[WARNING]:  * Failed to parse
/runner/project/inventories/inventory.custom_plugin.yaml with auto plugin:
HTTPSConnectionPool(host='hostname', port=443): Max retries exceeded
with url: /api/v1/hosts (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1006)')))

Additional information

AWX installed through the awx-rpm project https://awx.wiki/
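
An added example, not part of the original issue or of AWX: the requests library takes its CA bundle from the REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE environment variable before falling back to certifi, so a merged bundle can be supplied to a job without overwriting certifi's cacert.pem. The PEM blocks and the /runner/ca/merged.pem path are constructed placeholders, and effective_ca_source is a simplified model of that lookup.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprint(pem_block):
    """SHA-256 of the DER bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()

def merge_bundles(base_text, extra_text):
    """Keep base_text's certificates and append new ones from extra_text.

    Comment lines between blocks are dropped; duplicates are skipped.
    """
    seen, merged = set(), []
    for block in PEM_RE.findall(base_text) + PEM_RE.findall(extra_text):
        fp = fingerprint(block)
        if fp not in seen:
            seen.add(fp)
            merged.append(block)
    return "\n".join(merged) + "\n"

def effective_ca_source(env, verify=True):
    """Model of which CA source requests uses for one call (trust_env on)."""
    if verify is False:
        return "verification disabled"
    if isinstance(verify, str):
        return verify  # an explicit verify="/path" wins over the environment
    return (env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
            or "certifi default bundle")

def sample_pem(payload):
    """Constructed placeholder: valid PEM framing, not a real certificate."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"

# Constructed stand-ins for certifi's cacert.pem and a site CA file.
CERTIFI_SAMPLE = sample_pem(b"public-root-1") + "\n" + sample_pem(b"public-root-2") + "\n"
CUSTOM_SAMPLE = "# internal CA\n" + sample_pem(b"internal-root") + "\n" + sample_pem(b"public-root-2") + "\n"

if __name__ == "__main__":
    merged = merge_bundles(CERTIFI_SAMPLE, CUSTOM_SAMPLE)
    print(len(PEM_RE.findall(merged)), "certificates in merged bundle")
    # Hypothetical path where the merged bundle would be written for the job.
    print(effective_ca_source({"REQUESTS_CA_BUNDLE": "/runner/ca/merged.pem"}))
```
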
