I ran into a problem trying out the awx.awx collection to export assets through Ansible Automation Platform’s API.

So although the CA trust store of the machine is set up correctly (it includes my self-signed certificates), I kept getting this error.

TASK [export] ***************************************************************************************************************************
fatal: [tower.local]: FAILED! => {"changed": false, "msg": "Failed to export assets HTTPSConnectionPool(host='tower.local', port=443): 
Max retries exceeded with url: /api/v2/ (Caused by SSLError(SSLCertVerificationError(1, 
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"}

Connecting using curl from the same machine over HTTPS worked fine, as did openssl.

The first step, of course, was to disable SSL verification, but that is not a good solution.

So I went digging a little bit further.

Requests

Ansible modules (in particular the ones in awx.awx) use the ansible.module_utils.urls.Request class to create HTTPS connections (https://github.com/ansible/awx/blob/devel/awx_collection/plugins/module_utils/controller_api.py).

A short snippet from that module, showing the imports:

from __future__ import absolute_import, division, print_function

__metaclass__ = type

from ansible.module_utils.basic import AnsibleModule, env_fallback
from ansible.module_utils.urls import Request, SSLValidationError, ConnectionError
from ansible.module_utils.parsing.convert_bool import boolean as strtobool

As far as I can tell, this does not use the Python requests module …

Hint

Searching a little bit on the internet, I did come across this module's documentation.

https://docs.ansible.com/ansible/latest/collections/community/vmware/docsite/vmware_scenarios/vmware_requirements.html

They mention setting the REQUESTS_CA_BUNDLE environment variable.

Alter the playbook

So I added that environment variable, explicitly pointing to my system’s default CA keystore (/etc/pki/tls/certs/ca-bundle.crt).

 environment:
   REQUESTS_CA_BUNDLE: /etc/pki/tls/certs/ca-bundle.crt

Notice how I also commented out validate_certs: no.

---
- name: export aap configuration
  hosts: all
  connection: local
  tasks:
   - name: export
     awx.awx.export:
       controller_host: ""
       controller_oauthtoken: ""
       # validate_certs: no
       projects:
         - my-first-project
         - my-second-project
     environment:
       REQUESTS_CA_BUNDLE: /etc/pki/tls/certs/ca-bundle.crt
     register: aap_export_projects

This resolves the initial error!

NOTE: I’m still confused about why this environment variable would be relevant at all.
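As an added example (not code from this post, from awx.awx or from Ansible), the Python script below mirrors the trust-store lookup that the requests library performs when a module ends up using it: REQUESTS_CA_BUNDLE first, then CURL_CA_BUNDLE, then the bundle shipped with certifi, which contains public CAs only and therefore never includes a self-signed or private CA that the OS store knows about. The host name and port are taken from the error message above; the string used when certifi is not installed is a labelled placeholder, not a real path.

```python
import os
import socket
import ssl
from typing import Mapping, Optional, Tuple

# With verify=True, requests falls back to certifi's bundle, which holds public
# CAs only; a private or self-signed CA that lives in the OS store is not there.
try:
    import certifi
    DEFAULT_CA_BUNDLE_PATH = certifi.where()
except ImportError:  # certifi absent: labelled placeholder, not a real path
    DEFAULT_CA_BUNDLE_PATH = "<certifi-bundle-not-installed>"

def resolve_ca_bundle(env: Mapping[str, str], verify=True,
                      trust_env: bool = True) -> Tuple[Optional[str], str]:
    """Return (bundle_path, source) following the lookup order of requests:
    verify=True -> REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi;
    verify=<path> -> that path, env ignored; verify=False -> disabled."""
    if verify is False:  # what validate_certs: no amounts to
        return None, "disabled"
    if trust_env and verify is True:
        for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            if env.get(var):
                return env[var], var
    if isinstance(verify, str):
        return verify, "explicit"
    return DEFAULT_CA_BUNDLE_PATH, "certifi"

def check_tls(host: str, port: int, cafile: Optional[str]) -> str:
    """Handshake with host:port trusting only cafile (None = OS default store)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok: chain verified against " + (cafile or "the OS store")
    except ssl.SSLCertVerificationError as exc:
        return f"verify failed: {exc.verify_message}"
    except OSError as exc:  # unreadable bundle, DNS failure, refused connection
        return f"failed: {exc}"

if __name__ == "__main__":
    # Pre-flight for the playbook: run with the same environment the task gets.
    path, source = resolve_ca_bundle(os.environ)
    print(f"requests would trust {path!r} (from {source})")
    print("that bundle:", check_tls("tower.local", 443, path))
    print("the OS store:", check_tls("tower.local", 443, None))
```

Run it once without REQUESTS_CA_BUNDLE and once with it exported to /etc/pki/tls/certs/ca-bundle.crt: the first run reports the certifi bundle and the same "unable to get local issuer certificate" verdict as the task, the second verifies.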

Conclusion

You may need to set the REQUESTS_CA_BUNDLE environment variable to point to the correct trust store when working with Ansible modules that use ansible.module_utils.urls.Request or Python’s requests library.