Issue & Renew Let's Encrypt SSL for Ansible Automation Platform 2
Deploying Ansible Automation Platform 2 generates untrusted self-signed certificates. Follow this guide to use Certbot to issue free Let's Encrypt SSL certificates.
When you deploy Red Hat's Ansible Automation Platform 2 for the first time, it will generate self-signed certificates for the Management Console user interface. This isn't quite a secured method of trusting what is being presented in the user interface and it is recommended to use third-party trusted SSL certificates instead.
In certain circumstances, it may not be feasible to purchase a third-party signed SSL certificate from a vendor for something you're just trying to use to sandbox an idea or test an integration. In these cases, Let's Encrypt is available as a free means of providing SSL certificates that are trusted for a short time-to-live (TTL). Although Let's Encrypt SSL certificates require renewal every 90 days, this shouldn't be an issue for sandbox and testing environments that should be short-lived in their own right.
Here is how you can issue and renew Let's Encrypt SSL certificates using an automation tool called Certbot to handle the lifecycle management for Ansible Automation Platform 2.
Install Snapd on RHEL 8
In order to install Certbot, we'll need to first install and setup Snapd. This is a package manager that is available for many distributions of Linux and is the preferred method of installing Certbot.
Install EPEL-Release repository & update repo cache
sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf -y upgrade
Install snapd package from EPEL-Release
sudo yum install -y snapd
Enable Snap to be available at start-up & become available now
sudo systemctl enable --now snapd.socket
Link modern Snap directory to classic Snap directory
This will be necessary for when we install "classic" Snaps that use the --classic
switch, just like we will in a few steps when we install Certbot.
sudo ln -s /var/lib/snapd/snap /snap
Reboot the machine to put all changes into effect
sudo reboot now
Install Certbot
With Snapd installed and ready for use, we'll install Certbot from the classic Snap repository. Certbot will make the lifecycle management of our Let's Encrypt SSL Certificates a lot easier.
Install Core repositories for Snap
sudo snap install core
Cache Core repositories for Snap
sudo snap refresh core
Install Certbot
sudo snap install --classic certbot
Link Certbot installation path with $PATH for execution anywhere
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Issue Let's Encrypt SSL Certificates
Now that Certbot is installed, it can be used to issue our SSL certificates for the DNS we'll be connecting to our Ansible Automation Platform's Management Console user interface from. An example would be if the UI was accessible via https://aap.example.com
the DNS for Let's Encrypt to use on the SSL certificate issued would be aap.example.com
.
Stop the Automation Controller Service
Many changes need to take place that will not be able to be made if the Automation Controller Service is still active, so it will need to be turned off.
sudo automation-controller-service stop
Option 1: Use Certbot to issue SSL certificates using http-01 challenge
The following command will kick off a wizard that Certbot will take you through. It will ask a series of questions that you can answer which will then be used to generate the SSL certificates for use later.
sudo certbot certonly --standalone
Option 2: Use Certbot to issue SSL certificates using dns-01 challenge
To use the dns-01 challenge when issuing SSL certificates from Let's Encrypt, a couple extra steps are required. A Python script will need to be downloaded to be used for the dns-01 challenge and certificates will need to be issued using a few extra arguments to ensure it is the primary challenge over http-01.
Follow the guide Issue Let's Encrypt SSL Certificates using DNS Validation for more information on how to setup this process.
Remove the self-signed SSL certificates
In order to link the newly issues SSL certificates to where Ansible Automation Platform 2 expects them to be located (/etc/tower/tower.cert
and /etc/tower/tower.key
), they need to be removed first.
sudo rm -f /etc/tower/tower.cert
sudo rm -f /etc/tower/tower.key
Link new SSL certificates
Linking the newly issued SSL certificates from Let's Encrypt will make it easier to renew them in the future. They will be renewed and immediately available where Ansible Automation Platform 2 is expecting them to be, only requiring a service restart to consume them. In the command below, replace aap.example.com
with the DNS you used when issuing the Let's Encrypt SSL certificates.
sudo ln -s /etc/letsencrypt/live/aap.example.com/fullchain.pem /etc/tower/tower.cert
sudo ln -s /etc/letsencrypt/live/aap.example.com/privkey.pem /etc/tower/tower.key
Start the Automation Controller Service
After starting the Automation Controller Service back up, you should be able to browse to https://aap.example.com
without any SSL warnings from your browser prior to it loading. Remember to replace aap.example.com
with the DNS of your Ansible Automation Platform 2 host.
sudo automation-controller-service start
Renew Let's Encrypt SSL Certificates
Around the 80 day mark after initially issuing your SSL certificates, you'll begin to receive e-mail notifications from Let's Encrypt about the upcoming expiration of the time-to-live (TTL) set to your current SSL certificates on Ansible Automation Platform 2. To extend the TTL another 90 days, a renewal will need to be processed with Let's Encrypt. Certbot can make this a simple task, as well.
Renew SSL certificates using Certbot
Just like when the SSL certificates were issued by Let's Encrypt, Certbot will walk through a wizard that simplifies the renewal process.
sudo certbot renew
Restart Automation Controller Service
For the Automation Controller Service to use the newly renewed SSL certificates, the service will need to be restarted.
sudo automation-controller-service restart