Setting certificate verify locations error when syncing project from local GIT server using custom CA bundle
Environment
- Ansible Automation Platform 2.x
Issue
- Project sync is failing with the following error:
'stderr': "fatal: unable to access 'https://[GIT SERVER]': SSL certificate problem: unable to get local issuer certificate\n", 'msg': "fatal: unable to access 'https://[GIT SERVER]': SSL certificate problem: unable to get local issuer certificate
- After adding the CA bundle certificate "GIT_SSL_CAINFO": "/etc/custom-ca/CA-BUNDLE.crt" under Extra Environment Variables, the project sync still fails with the following error:
"fatal: unable to access 'https://[GIT SERVER]': error setting certificate verify locations:\n CAfile: /etc/custom-ca/CA-BUNDLE.crt\n CApath: none
Resolution
1) Add the path of the CA bundle certificate to the Ansible controller's Web UI > Settings > Job Settings > Paths to expose to isolated jobs:
"/etc/custom-ca:/etc/custom-ca:O"
2) Alternatively, copy the CA bundle cert file to one of the default exposed paths:
/etc/pki/ca-trust
/usr/share/pki
Root Cause
- The path where the CA bundle cert file is located is not exposed to isolated jobs, so git running inside the job cannot open the file that GIT_SSL_CAINFO points to.
Diagnostic Steps
- The error when syncing the project after already adding the CA bundle certificate "GIT_SSL_CAINFO": "/etc/custom-ca/CA-BUNDLE.crt" under Extra Environment Variables:
"fatal: unable to access 'https://[GIT SERVER]': error setting certificate verify locations:\n CAfile: /etc/custom-ca/CA-BUNDLE.crt\n CApath: none
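A pre-check for the root cause above, as an added example (not Red Hat's or the controller's own code): it tests whether the file named in GIT_SSL_CAINFO falls under a path exposed to isolated jobs. The helper names are hypothetical, and the HOST_DIR[:CONTAINER_DIR[:OPTIONS]] entry format is an assumption generalized from the single entry shown in the resolution.

```python
import posixpath
from pathlib import PurePosixPath

# Default exposed paths listed in this article.
DEFAULT_EXPOSED = ["/etc/pki/ca-trust", "/usr/share/pki"]


def parse_spec(spec):
    """Split 'HOST_DIR[:CONTAINER_DIR[:OPTIONS]]' (assumed entry format)."""
    parts = spec.split(":")
    if len(parts) > 3 or not parts[0].startswith("/"):
        raise ValueError(f"bad exposed-path entry: {spec!r}")
    host = PurePosixPath(parts[0])
    # Assumption: an omitted container directory defaults to the host directory.
    container = PurePosixPath(parts[1]) if len(parts) > 1 and parts[1] else host
    return host, container


def host_file_for(ca_path, exposed_specs):
    """Return the host file that backs ca_path inside the job, or None.

    ca_path is the GIT_SSL_CAINFO value. git opens it inside the isolated job,
    so it is compared with the container-side directory of each entry.
    """
    # Collapse ".." first so a path cannot appear to sit under an exposed dir.
    target = PurePosixPath(posixpath.normpath(ca_path))
    for spec in exposed_specs:
        host, container = parse_spec(spec)
        try:
            # Component-wise match: /etc/custom-ca does not cover /etc/custom-ca-old.
            rel = target.relative_to(container)
        except ValueError:
            continue
        return str(host / rel)
    return None


if __name__ == "__main__":
    ca = "/etc/custom-ca/CA-BUNDLE.crt"  # value from this article
    fixed = DEFAULT_EXPOSED + ["/etc/custom-ca:/etc/custom-ca:O"]
    for label, specs in (("defaults only", DEFAULT_EXPOSED), ("with resolution 1", fixed)):
        backing = host_file_for(ca, specs)
        print(f"{label}: {'exposed via ' + backing if backing else 'NOT exposed'}")
```

A non-None result only says the path is exposed; the returned host file must still exist and be readable on the node that runs the project sync.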