Ansible Automation Platform 2.5 containerized `receptor` container fails to start with false ssl certificates


Environment

  • Ansible Automation Platform 2.5 containerized setup

Issue

  • The Ansible Automation Platform 2.5 containerized "receptor" container fails to start when custom SSL certificates are configured for Receptor.

  • The inventory-growth file contains the Receptor TLS certificate and key variables receptor_tls_cert and receptor_tls_key. The actual SSL certificate and key are referenced from the inventory-growth file, but they are not carried over correctly. The installer nevertheless completes successfully with no errors.

  • The following error is observed in the podman receptor logs:

    Error: error preparing tls server config: nodeID=<containerized_host>  not found in certificate name(s); names found=[]; cfg section=tls_server; server cert=/etc/receptor/tls/receptor.crt
    
  • Entry in the inventory-growth file for the Receptor certificate:

    # Receptor
    receptor_tls_cert=/etc/ssl/certs/<receptor_tls_cert>.crt
    receptor_tls_key=/etc/ssl/certs/<receptor_tls_key>.key
    
  • openssl verify reports OK for the certificate:

    # openssl verify -CAfile <custom_ca_cert> /etc/ssl/certs/<receptor_tls_cert>.crt:  OK
    

Resolution

  • Manually add the option skipreceptornamescheck: true to both the tls-server and tls-client sections of the Receptor configuration file ~/aap/receptor/etc/receptor.conf, then restart the receptor container:

    - tls-server:
        name: tls_server
        cert: /etc/receptor/tls/receptor.crt
        key: /etc/receptor/tls/receptor.key
        clientcas: /etc/receptor/tls/ca/mesh-CA.crt
        requireclientcert: true
        mintls13: False
        skipreceptornamescheck: true
    
    - tls-client:
        name: tls_client
        cert: /etc/receptor/tls/receptor.crt
        key: /etc/receptor/tls/receptor.key
        rootcas: /etc/receptor/tls/ca/mesh-CA.crt
        insecureskipverify: false
        mintls13: False
        skipreceptornamescheck: true
    

Root Cause

  • Receptor does not support a wildcard custom SSL certificate; it requires the node's name to be present as a CN/DNS name in the certificate in order to validate connections between Receptor nodes. The workaround is the skipreceptornamescheck option, which the installer does not yet support. Because the option is added by hand, it is removed again whenever the installer is rerun.
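Before relaxing the name check, it is worth confirming whether a given certificate actually carries the Receptor node ID. The following pre-flight check is an added example, not part of this solution or of Receptor; it assumes openssl 1.1.1 or later is installed and that the name Receptor looks for appears among the certificate's subjectAltName DNS entries (the "names found=[]" in the error above indicates the subject CN alone is not enough). The make_test_cert helper only builds constructed self-signed certificates so the check can be exercised locally.

```shell
#!/bin/sh
# Added example: report whether a Receptor TLS certificate lists the node ID
# among its subjectAltName DNS names. Exit 0 if found, 1 if not.
# Assumes: openssl >= 1.1.1 (needed for "x509 -ext" and "req -addext").
cert_has_node_name() {
  cert="$1"; node_id="$2"
  # Print only the SAN extension, one entry per line, keep the DNS: values.
  names=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
          | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p')
  echo "names found in $cert: [$(echo $names | tr ' ' ',')]"
  for n in $names; do
    [ "$n" = "$node_id" ] && return 0
  done
  return 1
}

# Helper for local testing only: create a constructed self-signed certificate
# with CN=$2 and, when $3 is non-empty, a subjectAltName DNS entry of $3.
make_test_cert() {
  dir="$1"; cn="$2"; san="$3"
  if [ -n "$san" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
      -addext "subjectAltName=DNS:$san" \
      -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
      -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
  fi
}

# Usage against a real file, e.g. the installer-placed server cert:
#   cert_has_node_name /etc/receptor/tls/receptor.crt "$(hostname -f)"
```

A certificate that passes this check can be used without skipreceptornamescheck; one that fails it (names found empty, or only the CN matching) is the situation described in this article.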

Diagnostic Steps

  • Error observed in the output of the podman logs receptor command:

    Error: error preparing tls server config: nodeID=<containerized_host>  not found in certificate name(s); names found=[]; cfg section=tls_server; server cert=/etc/receptor/tls/receptor.crt
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
