Issue & Renew Let's Encrypt SSL for Ansible Automation Platform 2

When you deploy Red Hat's Ansible Automation Platform 2 for the first time, it will generate self-signed certificates for the Management Console user interface. This isn't quite a secured method of trusting what is being presented in the user interface and it is recommended to use third-party trusted SSL certificates instead.

In certain circumstances, it may not be feasible to purchase a third-party signed SSL certificate from a vendor for something you're just trying to use to sandbox an idea or test an integration. In these cases, Let's Encrypt is available as a free means of providing SSL certificates that are trusted for a short time-to-live (TTL). Although Let's Encrypt SSL certificates require renewal every 90 days, this shouldn't be an issue for sandbox and testing environments that should be short-lived in their own right.

Here is how you can issue and renew Let's Encrypt SSL certificates using an automation tool called Certbot to handle the lifecycle management for Ansible Automation Platform 2.

Install Snapd on RHEL 8

In order to install Certbot, we'll need to first install and setup Snapd. This is a package manager that is available for many distributions of Linux and is the preferred method of installing Certbot.

Install EPEL-Release repository & update repo cache

sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf -y upgrade

Install snapd package from EPEL-Release

sudo yum install -y snapd

Enable Snap to be available at start-up & become available now

sudo systemctl enable --now snapd.socket

Link modern Snap directory to classic Snap directory

This will be necessary for when we install "classic" Snaps that use the --classic switch, just like we will in a few steps when we install Certbot.

sudo ln -s /var/lib/snapd/snap /snap

Reboot the machine to put all changes into effect

sudo reboot now

Install Certbot

With Snapd installed and ready for use, we'll install Certbot from the classic Snap repository. Certbot will make the lifecycle management of our Let's Encrypt SSL Certificates a lot easier.

Install Core repositories for Snap

sudo snap install core

Cache Core repositories for Snap

sudo snap refresh core

Install Certbot

sudo snap install --classic certbot

Link Certbot installation path with $PATH for execution anywhere

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Issue Let's Encrypt SSL Certificates

Now that Certbot is installed, it can be used to issue our SSL certificates for the DNS we'll be connecting to our Ansible Automation Platform's Management Console user interface from. An example would be if the UI was accessible via https://aap.example.com the DNS for Let's Encrypt to use on the SSL certificate issued would be aap.example.com.

Stop the Automation Controller Service

Many changes need to take place that will not be able to be made if the Automation Controller Service is still active, so it will need to be turned off.

sudo automation-controller-service stop

Option 1: Use Certbot to issue SSL certificates using http-01 challenge

The following command will kick off a wizard that Certbot will take you through. It will ask a series of questions that you can answer which will then be used to generate the SSL certificates for use later.

sudo certbot certonly --standalone

Option 2: Use Certbot to issue SSL certificates using dns-01 challenge

To use the dns-01 challenge when issuing SSL certificates from Let's Encrypt, a couple extra steps are required.  A Python script will need to be downloaded to be used for the dns-01 challenge and certificates will need to be issued using a few extra arguments to ensure it is the primary challenge over http-01.

Follow the guide Issue Let's Encrypt SSL Certificates using DNS Validation for more information on how to setup this process.

Remove the self-signed SSL certificates

In order to link the newly issues SSL certificates to where Ansible Automation Platform 2 expects them to be located (/etc/tower/tower.cert and /etc/tower/tower.key), they need to be removed first.

sudo rm -f /etc/tower/tower.cert
sudo rm -f /etc/tower/tower.key

Link new SSL certificates

Linking the newly issued SSL certificates from Let's Encrypt will make it easier to renew them in the future. They will be renewed and immediately available where Ansible Automation Platform 2 is expecting them to be, only requiring a service restart to consume them. In the command below, replace aap.example.com with the DNS you used when issuing the Let's Encrypt SSL certificates.

sudo ln -s /etc/letsencrypt/live/aap.example.com/fullchain.pem /etc/tower/tower.cert
sudo ln -s /etc/letsencrypt/live/aap.example.com/privkey.pem /etc/tower/tower.key

Start the Automation Controller Service

After starting the Automation Controller Service back up, you should be able to browse to https://aap.example.com without any SSL warnings from your browser prior to it loading. Remember to replace aap.example.com with the DNS of your Ansible Automation Platform 2 host.

sudo automation-controller-service start

Renew Let's Encrypt SSL Certificates

Around the 80 day mark after initially issuing your SSL certificates, you'll begin to receive e-mail notifications from Let's Encrypt about the upcoming expiration of the time-to-live (TTL) set to your current SSL certificates on Ansible Automation Platform 2. To extend the TTL another 90 days, a renewal will need to be processed with Let's Encrypt. Certbot can make this a simple task, as well.

Renew SSL certificates using Certbot

Just like when the SSL certificates were issued by Let's Encrypt, Certbot will walk through a wizard that simplifies the renewal process.

sudo certbot renew

Restart Automation Controller Service

For the Automation Controller Service to use the newly renewed SSL certificates, the service will need to be restarted.

sudo automation-controller-service restart