Replacing Ansible Automation Private Automation Hub (PAH) Certificates

Sebastian Baszcyj - 23.02.2023

This blog describes the process required to replace the certificates for PAH. 

The Ansible Automation Hub is made up of two nodes, aaph01 and aaph02, which both use shared NFS storage to store execution environment images (containers) and Ansible collections. The hub is configured for high availability and a Load Balancer is used to distribute traffic to available nodes. The Load Balancer can be accessed using the fully qualified domain name (FQDN): To renew the certificates, a new certificate for has to be generated and installed on the Load Balancer and on both nodes of the Private Automation Hub (PAH).


  • Generate the certificate for  
  • Replace the certificates on the Load Balancer 
  • Copy the certificate and key to both nodes of the PAH: aaph01 and aaph02 
  • Make sure to rename the certificates to: pulp_webserver.crt and pulp_webserver.key 
  • Log in to both servers. Root permissions are required
  • Navigate to /etc/pulp/certs
  • Back up the existing certificates under a different name (the .bak suffix here is an example)
      cp /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.crt.bak
      cp /etc/pulp/certs/pulp_webserver.key /etc/pulp/certs/pulp_webserver.key.bak
  • Copy new certificates to /etc/pulp/certs:
      cp /home/temp/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.crt
      cp /home/temp/pulp_webserver.key /etc/pulp/certs/pulp_webserver.key
  • Ensure that the permissions match those of the original files
      chown root:pulp /etc/pulp/certs/pulp_webserver.crt
      chown root:pulp /etc/pulp/certs/pulp_webserver.key
      chmod 600 /etc/pulp/certs/pulp_webserver.crt
      chmod 600 /etc/pulp/certs/pulp_webserver.key
  • Restore SELinux context on the certificates
      restorecon -v /etc/pulp/certs/pulp_webserver.crt
      restorecon -v /etc/pulp/certs/pulp_webserver.key
  • Restart nginx on both servers
      systemctl restart nginx
      systemctl status nginx
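
A check worth running on the staged files before they are copied into /etc/pulp/certs and nginx is restarted, as an added example (not part of the original post or of any Red Hat tooling): it confirms that the key belongs to the certificate, that the certificate is not about to expire, and that it covers the Load Balancer FQDN. The function names and the 24-hour expiry threshold are assumptions, and the openssl command-line tool must be installed.

```shell
#!/usr/bin/env bash
# Added example: pre-install checks for a staged pulp_webserver.crt/.key pair.
# Function names and thresholds are illustrative; this is not PAH tooling.

# True when the certificate's public key equals the one derived from the key file.
cert_matches_key() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# True when the certificate is still valid $2 seconds from now (default: now).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# True when the certificate is valid for host name $2 (the Load Balancer FQDN).
# -checkhost reports its verdict as text, so the output is matched, not the exit code.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Run all three checks; print one line per failure, return non-zero on any.
check_staged_pair() {
    local crt=$1 key=$2 host=$3 rc=0
    cert_matches_key "$crt" "$key"  || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_not_expiring "$crt" 86400  || { echo "FAIL: certificate expires within 24h"; rc=1; }
    cert_covers_host "$crt" "$host" || { echo "FAIL: certificate does not cover $host"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $crt passed all checks"
    return "$rc"
}

# Usage: ./check_pair.sh /home/temp/pulp_webserver.crt /home/temp/pulp_webserver.key <LB FQDN>
if [ "$#" -eq 3 ]; then
    check_staged_pair "$1" "$2" "$3"
fi
```

Running nginx -t after the copy and before systemctl restart nginx also catches an unreadable file or a mismatched pair while the old certificate is still being served.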

In conclusion, ensuring your Private Automation Hub (PAH) is secure is essential for your organization’s overall cybersecurity. With our step-by-step guide, replacing the certificates for your PAH with Ansible Automation is easy and secure. By generating and installing new certificates for the Load Balancer and both nodes, you can keep your automation up-to-date and secure. Don’t risk your organization’s security – replace your certificates today. Contact us if you need further assistance with replacing your Private Automation Hub certificates with Ansible Automation.  
