This blog post describes the process for replacing the TLS certificates on a Private Automation Hub (PAH).
The Ansible Automation Hub is made up of two nodes, aaph01 and aaph02, that both utilise the shared NFS storage to store execution environment images (containers) and Ansible collections. The hub is configured for high availability, and a Load Balancer is used to distribute traffic to the available nodes. The Load Balancer can be accessed using the fully qualified domain name (FQDN): aaph.example.net. To renew the certificates, a new certificate for aaph.example.net has to be generated and installed on the Load Balancer and on both nodes of the PAH.
Process
- Generate the certificate for aaph.example.net
- Replace the certificates on the Load Balancer
- Copy the certificate and key to both nodes of the PAH: aaph01 and aaph02
- Make sure to rename the certificates to: pulp_webserver.crt and pulp_webserver.key
- Log in to both servers. Root permissions are required
- Navigate to /etc/pulp/certs
- Back up the existing certificates
cp /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.crt.date
cp /etc/pulp/certs/pulp_webserver.key /etc/pulp/certs/pulp_webserver.key.date
- Copy new certificates to /etc/pulp/certs:
cp /home/temp/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.crt
cp /home/temp/pulp_webserver.key /etc/pulp/certs/pulp_webserver.key
- Ensure that the permissions match those of the original files
chown root:pulp /etc/pulp/certs/pulp_webserver.crt
chown root:pulp /etc/pulp/certs/pulp_webserver.key
chmod 600 /etc/pulp/certs/pulp_webserver.crt
chmod 600 /etc/pulp/certs/pulp_webserver.key
- Restore SELinux context on the certificates
restorecon -v /etc/pulp/certs/pulp_webserver.crt
restorecon -v /etc/pulp/certs/pulp_webserver.key
- Restart nginx on both servers
systemctl restart nginx
systemctl status nginx
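An added example, not part of the original procedure: a pre-flight check to run on each node against the staged files before they are copied into /etc/pulp/certs. It catches a key that does not belong to the certificate, an expired certificate, or a certificate that does not cover aaph.example.net before nginx is restarted. The function names and the script name are assumptions; the paths and hostname are the ones used above.

```bash
#!/bin/sh
# Pre-flight checks for a replacement certificate and key (added example).
# Usage (the script name preflight.sh is an assumption):
#   sh preflight.sh /home/temp/pulp_webserver.crt \
#                   /home/temp/pulp_webserver.key aaph.example.net

# True only if the certificate and the private key carry the same public key.
# nginx refuses to start when they do not.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# True if the certificate will not have expired $2 seconds from now
# (0 means "has not expired yet").
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# True if the certificate covers hostname $2. openssl reports the result
# of -checkhost as text, so the output is matched instead of the exit code.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

# Run every check, report each failure, and return non-zero if any failed.
preflight() (
    rc=0
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: $2 is not the key for $1"; rc=1; }
    cert_valid_for "$1" 0 ||
        { echo "FAIL: $1 has expired or cannot be read"; rc=1; }
    cert_covers_host "$1" "$3" ||
        { echo "FAIL: $1 does not cover $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 can be installed for $3"
    exit "$rc"
)

# Only run when called with certificate, key and hostname arguments.
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

After the files are in place, `nginx -t` checks the full configuration, including loading the certificate and key, before the restart.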
In conclusion, ensuring your Private Automation Hub (PAH) is secure is essential for your organization’s overall cybersecurity. With our step-by-step guide, replacing the certificates for your PAH with Ansible Automation is easy and secure. By generating and installing new certificates for the Load Balancer and both nodes, you can keep your automation up-to-date and secure. Don’t risk your organization’s security – replace your certificates today. Contact us if you need further assistance with replacing your Private Automation Hub certificates with Ansible Automation.