Why does the Dynamic Inventory sync from Satellite fail with the error "certificate verify failed" in Ansible Automation Platform?

Solution Verified

Environment

  • Red Hat® Ansible Automation Platform >= 1.2
  • Red Hat® Satellite 6.x

Issue

  • Dynamic Inventory sync from Red Hat Satellite to Ansible Automation Platform fails with a "certificate verify failed" error.

Resolution

  • There are 2 solutions that can be used to sync the Satellite resources to the Automation Controller GUI:

    • Disable verification of the Foreman server's TLS certificates by setting validate_certs: false in the inventory source variables. See the documentation for more information.

      Inventories >> Satellite Inventory >> Sources >> Satellite Inventory Source >> Source variables
      

      In most scenarios, katello-ca certificates are installed, or the Foreman server is configured with custom SSL certificates issued by a Certificate Authority. In that case, simply ignoring certificate validation is not recommended. Instead, add the respective CA certificates to the system's default trust bundle by running the following commands on the Controller server.

      # cd /etc/pki/ca-trust/source/anchors/
      # wget --no-check-certificate https://non-prod-satellite-server.com/pub/katello-server-ca.crt
      # update-ca-trust extract
      
    • If dynamic inventories from multiple Satellite servers (e.g. prod, non-prod) need to be imported into a single Automation Controller, copy the corresponding CA certificate of each server into the system's default trust store.

      # cd /etc/pki/ca-trust/source/anchors/
      # wget --no-check-certificate https://non-prod-satellite-server.com/pub/katello-server-ca.crt
      # wget --no-check-certificate https://prod-satellite-server.com/pub/katello-server-ca.crt
      # update-ca-trust extract
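
The `--no-check-certificate` download in the commands above is itself unauthenticated, so the file should be checked before it becomes a trust anchor. The following added example (not part of the original Red Hat solution) installs a downloaded CA only when its SHA-256 fingerprint matches a value read on the Satellite host itself; the function names, the `ANCHOR_DIR` variable and the `EXPECTED_NONPROD` placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin a Satellite CA by SHA-256 fingerprint before trusting it.
# ANCHOR_DIR and the function names are assumptions of this example.
ANCHOR_DIR=${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}

# SHA-256 over the DER bytes of the certificate in a PEM file; the same value
# `openssl x509 -noout -fingerprint -sha256 -in FILE` prints, minus the colons.
pem_sha256() {
    awk '/^-----BEGIN CERTIFICATE-----/{f=1; next}
         /^-----END CERTIFICATE-----/{exit}
         f' "$1" | tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# install_verified_ca FILE EXPECTED_FINGERPRINT NAME
# Copies FILE to $ANCHOR_DIR/NAME.crt only if its fingerprint matches.
# Returns 0 on install, 1 on mismatch, 2 if FILE is not exactly one certificate.
install_verified_ca() {
    ca_file=$1
    ca_name=$3
    # Accept "AB:CD:..." or "abcd..." by dropping colons and lowercasing.
    ca_want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null)" != 1 ]; then
        echo "refusing $ca_file: expected exactly one certificate" >&2
        return 2
    fi
    ca_got=$(pem_sha256 "$ca_file")
    if [ "$ca_got" != "$ca_want" ]; then
        echo "fingerprint mismatch for $ca_file (got $ca_got)" >&2
        return 1
    fi
    # A distinct NAME per Satellite keeps prod and non-prod files apart.
    install -m 0644 "$ca_file" "$ANCHOR_DIR/$ca_name.crt"
}

# Usage on the Controller (hostname as on the page; EXPECTED_NONPROD is read on
# the Satellite host with the openssl command above, not fetched over the network):
#   wget --no-check-certificate -O /tmp/non-prod-ca.crt \
#       https://non-prod-satellite-server.com/pub/katello-server-ca.crt
#   install_verified_ca /tmp/non-prod-ca.crt "$EXPECTED_NONPROD" \
#       non-prod-katello-server-ca && update-ca-trust extract
```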
      

Diagnostic Steps

  • The following error appears in the standard job output while syncing the inventory into Automation Platform:

    ansible-inventory [core 2.13.2]
    config file = /etc/ansible/ansible.cfg
    configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python3.9/site-packages/ansible
    ansible collection location = /home/runner/.ansible/collections:/usr/share/ansible/collections:/usr/share/automation-controller/collections
    executable location = /usr/bin/ansible-inventory
    python version = 3.9.7 (default, Sep 13 2021, 08:18:39) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
    jinja version = 3.0.3
    libyaml = True
    Using /etc/ansible/ansible.cfg as config file
    Using inventory plugin 'ansible_collections.redhat.satellite.plugins.inventory.foreman' to process inventory source '/runner/inventory/foreman.yml'
    [WARNING]:  * Failed to parse /runner/inventory/foreman.yml with auto plugin:
    HTTPSConnectionPool(host='satellite-server', port=443): Max retries
    exceeded with url: /api/v2/status?page=1&per_page=250 (Caused by
    SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
    certificate verify failed: self signed certificate in certificate chain
    (_ssl.c:1129)')))
    File "/usr/lib/python3.9/site-packages/ansible/inventory/manager.py", line 290, in parse_source
    plugin.parse(self._inventory, self._loader, source, cache=cache)
    File "/usr/lib/python3.9/site-packages/ansible/plugins/inventory/auto.py", line 59, in parse
    plugin.parse(inventory, loader, path, cache=cache)
    File "/usr/share/ansible/collections/ansible_collections/redhat/satellite/plugins/inventory/foreman.py", line 662, in parse
    self._populate()
    File "/usr/share/ansible/collections/ansible_collections/redhat/satellite/plugins/inventory/foreman.py", line 415, in _populate
    if self._use_inventory_report():
    File "/usr/share/ansible/collections/ansible_collections/redhat/satellite/plugins/inventory/foreman.py", line 378, in _use_inventory_report
    result = self._get_json(status_url)
    File "/usr/share/ansible/collections/ansible_collections/redhat/satellite/plugins/inventory/foreman.py", line 243, in _get_json
    ret = s.get(url, params=params, verify=self.get_option('validate_certs'))
    File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 555, in get
    return self.request('GET', url, **kwargs)
    File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
    File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
    File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
    [WARNING]: Unable to parse /runner/inventory/foreman.yml as an inventory source
    ERROR! No inventory was parsed, please check your configuration and options.
    
