FlightPath / FLPATH-3196

x2a-convertor publish AAP sync fails with SSL certificate verification error


    • Type: Bug
    • Resolution: Unresolved

      Summary

      The x2a-convertor publish command fails to sync to AAP (Ansible Automation Platform) when the AAP controller uses a self-signed SSL certificate. The AAP sync step raises an SSLError(SSLCertVerificationError) and fails, even though the GitHub publish portion completes successfully.

      The tool should either:

      • Support a --no-verify-ssl or --insecure flag for AAP connections
      • Honor standard environment variables like REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, or PYTHONHTTPSVERIFY=0 to disable SSL verification
      • Allow specifying a custom CA bundle path

      Steps to Reproduce

      1. Configure an AAP controller with a self-signed certificate (e.g., aap-aap.apps.x2ansible.apps.eco-engineering.lab.eng.tlv2.redhat.com)
      2. Run x2a-convertor publish with AAP integration enabled:
        podman run --rm \
            -e AAP_CONTROLLER_URL=https://aap-aap.apps.x2ansible.apps.eco-engineering.lab.eng.tlv2.redhat.com \
            -e AAP_ORG_NAME=Default \
            -e AAP_OAUTH_TOKEN=<token> \
            -e REQUESTS_CA_BUNDLE="" \
            -e CURL_CA_BUNDLE="" \
            quay.io/x2ansible/x2a-convertor:latest \
            publish "fastapi_tutorial" \
            --source-paths /app/source/ansible/roles/fastapi_tutorial \
            --github-owner <owner> --github-branch main
        

      Expected Behavior

      The AAP sync should either:

      • Succeed when SSL verification is explicitly disabled via environment variables
      • Provide a CLI flag to skip SSL verification for the AAP connection
      • Clearly document the requirement for a trusted CA certificate

      Actual Behavior

      The AAP sync fails with the following error:

      ERROR:x2convertor.src.publishers.publish: AAP sync failed: HTTPSConnectionPool(host=aap-aap.apps.x2ansible.apps.eco-engineering.lab.eng.tlv2.redhat.com, port=443): Max retries exceeded with url: /api/controller/v2/organizations/?name=Default (Caused by SSLError(SSLCertVerificationError(1, [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1032))))
      

      Note: Setting REQUESTS_CA_BUNDLE="" and CURL_CA_BUNDLE="" environment variables does not suppress the SSL verification error.

      The publish still reports overall success because the GitHub portion completes, but the AAP sync is silently skipped.

      Environment

      • x2a-convertor image: quay.io/x2ansible/x2a-convertor:latest
      • AAP controller: self-signed certificate
      • Container runtime: podman
      • Invoked via: Jenkins CI pipeline

      Workaround

      Currently the only workaround is to omit the AAP credentials entirely, which causes the publish command to skip AAP sync altogether. This means AAP collections are not synced during CI runs.

              rh-ee-eshalev Elai Shalev
              gharden1 Gary Harden
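      The note that empty REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE values do not suppress the error matches how requests reads them: both are CA bundle paths, and an empty value falls back to default verification. The sketch below is an added example, not x2a-convertor code; it assumes the AAP client uses requests (as the HTTPSConnectionPool error suggests), and the names resolve_verify, describe, AAP_VERIFY_SSL and AAP_CA_BUNDLE are hypothetical.

```python
import os
from pathlib import Path

# AAP_VERIFY_SSL and AAP_CA_BUNDLE are hypothetical names for this sketch;
# x2a-convertor is not known to read them.
_FALSE = {"0", "false", "no", "off"}


def resolve_verify(insecure=False, ca_bundle=None, env=None):
    """Return a value for the `verify=` argument of a requests call.

    Precedence: explicit opt-out, explicit CA bundle, AAP_CA_BUNDLE,
    REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, then default verification (True).
    """
    env = os.environ if env is None else env
    if insecure or env.get("AAP_VERIFY_SSL", "").strip().lower() in _FALSE:
        return False  # opt-out must be explicit, never inferred
    candidates = (
        ca_bundle,
        env.get("AAP_CA_BUNDLE"),
        env.get("REQUESTS_CA_BUNDLE"),
        env.get("CURL_CA_BUNDLE"),
    )
    for candidate in candidates:
        if not candidate:
            continue  # None or "" means "not set", not "verification off"
        if not Path(candidate).exists():
            # Fail early with a clear message instead of a late SSLError.
            raise FileNotFoundError(f"CA bundle not found: {candidate}")
        return str(candidate)
    return True


def describe(verify):
    """One-line summary suitable for the publish log."""
    if verify is False:
        return "AAP TLS verification DISABLED (explicit opt-out)"
    if verify is True:
        return "AAP TLS verification on, default trust store"
    return f"AAP TLS verification on, CA bundle {verify}"


if __name__ == "__main__":
    # Constructed input: the two empty variables from the reproduction command.
    repro_env = {"REQUESTS_CA_BUNDLE": "", "CURL_CA_BUNDLE": ""}
    print(describe(resolve_verify(env=repro_env)))
```

      The returned value can be assigned to the `verify` attribute of the requests session used for the AAP calls; mounting the lab CA into the container and pointing the bundle path at it keeps verification on.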