- Overview
- Architecture Explanation
- How the Setup Works
- Port Configuration Discovery
- The nginx Proxy Solution
- Traffic Flow
- Why This Approach
- Key Configuration Files
## Overview

This document explains how the issue_cert role implements SSL certificates for Ansible Automation Platform (AAP) workshops without modifying AAP itself. Instead of reconfiguring AAP's SSL certificates (which would require re-running the entire installer), this solution installs a separate nginx instance that acts as an SSL-terminating reverse proxy.

**Important:** This setup does NOT modify AAP's configuration or install nginx "into" AAP. Instead, it:

- Installs a standalone nginx service on the same host as AAP
- Configures nginx as a reverse proxy with SSL termination
- Leaves AAP completely unchanged - AAP continues running on its original port with its original configuration
## Architecture Explanation

### How the Setup Works

- AAP is installed during the Packer AMI build process
- The `extra_vars.yml` file specifies `aap_port: 8501`
- AAP's envoy gateway is configured to listen on port 8501 instead of the default 443
- AAP runs with its own self-signed certificates on port 8501
- The `issue_cert` role installs a separate nginx instance
- nginx obtains proper SSL certificates from Let's Encrypt
- nginx is configured to listen on port 443 (the standard HTTPS port)
- nginx proxies all traffic to AAP running on localhost:8501
### Port Configuration Discovery

The mystery of port 8501 is solved by examining the Packer build configuration:

File: `/provisioner/packer/extra_vars.yml`

```yaml
aap_port: 8501
```

This variable is used during AMI creation, causing AAP to be installed with:

```yaml
envoy_https_port: 8501  # Instead of default 443
```

### The nginx Proxy Solution

The issue_cert role performs these steps:
1. Installs nginx (separate from AAP):

```yaml
- name: Make sure nginx and certbot are installed
  ansible.builtin.dnf:
    name:
      - nginx
      - certbot
```

2. Obtains SSL certificates from Let's Encrypt:

```yaml
- name: Issue SSL cert
  ansible.builtin.shell: certbot certonly --standalone -d {{ dns_name }}
```

3. Configures nginx as SSL proxy:

```nginx
# HTTPS server block
server {
    listen 443 ssl;
    server_name {{ dns_name }};

    # SSL certificates from Let's Encrypt
    ssl_certificate /etc/nginx/ssl/aap.crt;
    ssl_certificate_key /etc/nginx/ssl/aap.key;

    # Proxy all traffic to AAP
    location / {
        proxy_pass https://127.0.0.1:8501;
        proxy_ssl_verify off;
        # ... additional proxy headers
    }
}
```

### Traffic Flow

```text
Internet Request (HTTPS:443)
        ↓
nginx (Port 443) - SSL Termination with Let's Encrypt Certs
        ↓
Proxy Pass to AAP (localhost:8501) - Original AAP with Self-Signed Certs
        ↓
AAP Response back through nginx
        ↓
Encrypted Response to Client
```
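The flow above holds only while the nginx server block keeps the properties the design relies on: TLS on 443, certificate paths present, and the upstream being AAP on loopback, which is the only reason `proxy_ssl_verify off` is acceptable. As an added check (example code written for this page, not part of the issue_cert role), the following Python parses a rendered server block of the shape shown above and reports any deviation; the sample block and its hostname are constructed, and `aap_port` defaults to the page's 8501.

```python
import re

# Constructed sample (not from the repo): the rendered nginx.conf.j2 server block, dns_name filled in.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name aap.example.invalid;
    ssl_certificate /etc/nginx/ssl/aap.crt;
    ssl_certificate_key /etc/nginx/ssl/aap.key;
    location / {
        proxy_pass https://127.0.0.1:8501;
        proxy_ssl_verify off;
    }
}
"""

DIRECTIVE = re.compile(r"^([a-z_]+)\s+([^;]+);$")
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def parse_directives(conf):
    """Flatten a server block into {directive: value}; first occurrence wins."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line or line.endswith("{") or line == "}":
            continue                              # block header / closer
        m = DIRECTIVE.match(line)
        if m:
            out.setdefault(m.group(1), m.group(2).strip())
    return out

def check_proxy_config(conf, aap_port=8501):
    """Return findings; empty means TLS on 443, certs set, upstream is loopback AAP."""
    d, findings = parse_directives(conf), []
    listen = d.get("listen", "").split()
    if listen[:1] != ["443"] or "ssl" not in listen:
        findings.append("listen: expected '443 ssl'")
    findings += [f"{k}: missing" for k in ("ssl_certificate", "ssl_certificate_key") if k not in d]
    m = re.match(r"^https://(\[[^\]]+\]|[^/:]+):(\d+)/?$", d.get("proxy_pass", ""))
    if not m:
        findings.append("proxy_pass: expected https://<host>:<port>")
        return findings
    host, port = m.group(1), int(m.group(2))
    if port != aap_port:
        findings.append(f"proxy_pass: port {port} != aap_port {aap_port}")
    # proxy_ssl_verify off is tolerable only because this hop never leaves the
    # host; with a remote upstream it would accept any certificate.
    if host not in LOOPBACK:
        findings.append(f"proxy_pass: upstream {host} is not loopback")
    return findings
```

The proxy only places a trusted certificate in front of AAP; with the vpc_rules entry under Key Configuration Files opening 8501 to 0.0.0.0/0, AAP's self-signed listener remains directly reachable, so the security group is worth reviewing alongside the nginx block.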
## Why This Approach

- No AAP Modification: AAP installation remains completely untouched
- No Installer Re-run: Avoids the time and complexity of reconfiguring AAP
- Proper SSL Certificates: Uses Let's Encrypt for trusted certificates
- Clean Separation: nginx handles SSL, AAP handles application logic
- Easy Maintenance: SSL certificate renewal happens independently of AAP

Alternatives considered:

- Modifying AAP SSL: Would require re-running the AAP installer with new certificate paths
- Direct Certificate Replacement: Would require stopping AAP services and complex certificate management
## Key Configuration Files

File: `provisioner/packer/extra_vars.yml`

```yaml
aap_port: 8501  # Forces AAP to use port 8501 during AMI build
```

File: `roles/control_node/templates/controller_install.j2`

```
envoy_https_port={{ aap_port | default('443') | int }}
```

File: `roles/issue_cert/templates/nginx.conf.j2`

```nginx
server {
    listen 443 ssl;
    location / {
        proxy_pass https://127.0.0.1:8501;  # Proxy to AAP
    }
}
```

File: `provisioner/group_vars/all/vpc_rules.yml`

```yaml
- proto: tcp
  to_port: 8501
  from_port: 8501
  cidr_ip: 0.0.0.0/0
  rule_desc: receptor  # AAP internal port
```

**Summary:** This is an elegant solution that provides proper SSL certificates for workshop participants without the complexity and time required to modify AAP's native SSL configuration. The separate nginx proxy handles all SSL concerns while AAP continues running unchanged on its internal port.