Ansible Tower Access issues

RajeshKumar1

When i browser
Hmmm… can't reach this page
It looks like the webpage at https://13.233.139.133/ might be having issues, or it may have moved permanently to a new web address.
ERR_SSL_KEY_USAGE_INCOMPATIBLE

RajeshKumar1

You’re seeing the ERR_SSL_KEY_USAGE_INCOMPATIBLE error in your browser when trying to access Ansible Tower at https://13.233.139.133/. This is a modern browser error indicating a problem with the way your server’s SSL certificate was generated or used.

Why This Happened

Chrome v119+ and other browsers have become much stricter about SSL certificate settings and extensions.
If the Key Usage or Extended Key Usage fields in your SSL certificate are missing, incomplete, or incorrect, browsers will block the connection even if the server responds with valid HTML.
This is especially common if you use the default self-signed certificate (nginx/Tower auto-generated) or a broken manual self-signed cert—a change that may have come with a browser update, not any config change on your server.[1][2][3]

Technical Details

Your TLS/SSL certificate must have the Key Usage extension set to allow:
- digitalSignature
- keyEncipherment
And the Extended Key Usage extension must contain:
- serverAuth (OID 1.3.6.1.5.5.7.3.1)
If these extensions are missing, or if Key Usage is set to critical but does not include the right flags, Chrome/Edge/Safari will not allow the connection—even if you try to "proceed anyway".[4][2]
Nginx is not at fault: this is a cert-generation issue.

How to Fix (Best-Practices)

1. RECOMMENDED: Get a Real SSL Certificate

Use Let’s Encrypt for a free, valid SSL certificate:

  sudo dnf install certbot
  sudo certbot certonly --standalone -d 13.233.139.133

(or use your FQDN).

Update your Nginx config to use the new cert and key:

  ssl_certificate /etc/letsencrypt/live/13.233.139.133/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/13.233.139.133/privkey.pem;

Restart nginx:

  sudo systemctl reload nginx

2. Generate a Standards-Compliant Self-Signed Cert (if just for testing)

Create an OpenSSL config with proper Key Usage and Extended Key Usage:

  [ req ]
  distinguished_name = req_distinguished_name
  x509_extensions = v3_req
  prompt = no

  [ req_distinguished_name ]
  CN = 13.233.139.133

  [ v3_req ]
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  extendedKeyUsage = serverAuth
  subjectAltName = @alt_names

  [ alt_names ]
  IP.1 = 13.233.139.133

Generate the cert:

  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/nginx/ssl/selfsigned.key \
    -out /etc/nginx/ssl/selfsigned.crt \
    -config req.conf \
    -extensions 'v3_req'

Point nginx to these files and reload nginx.

3. Verify and Restart

After updating the cert, restart nginx:

  sudo systemctl restart nginx

Then, access your site again—browser should now present the usual "self-signed/non-trusted" warning, but you won't see ERR_SSL_KEY_USAGE_INCOMPATIBLE, and you’ll be able to proceed.

Summary & Next Steps

This problem is caused by an out-of-spec certificate, not by nginx or AWS.
Fix by replacing your cert with a real (Let’s Encrypt) or properly generated self-signed certificate including correct Key Usage and Extended Key Usage fields.
After replacing, reload nginx and try again; the error will disappear, and you can access Ansible Tower as normal.

If you need step-by-step commands for your environment, or guidance with Let’s Encrypt/manual cert creation, just let me know!

[1] https://forum.proxmox.com/threads/self-sign-certs-got-err_ssl_key_usage_incompatible.114690/
[2] https://cheapsslweb.com/resources/how-to-fix-the-err_ssl_key_usage_incompatible-error-multiple-ways
[3] https://hexeract.wordpress.com/2019/06/13/google-chrome-75-x-a-self-signed-certificate-and-err_ssl_key_usage_incompatible/
[4] https://my.f5.com/manage/s/article/K000151249
[5] https://stackoverflow.com/questions/59730898/cant-connect-browsersync-with-ddev-nginx-server-because-ssl-error
[6] https://support.google.com/chrome/thread/239508594/err-ssl-key-usage-incompatible-error-in-chrome-but-not-edge-for-all-google-sites-and-some-others?hl=en
[7] https://github.com/leokhoa/laragon/issues/292
[8] https://www.reddit.com/r/nginxproxymanager/comments/1e5555d/internal_error_when_making_ssl_cert/
[9] https://docs.syteca.com/view/how-to-fix-the-err_ssl_key-usage-incompatible-erro

RajeshKumar1

Excellent, you are very close!
Your Tower UI is running and serving HTTPS, but your browser is showing:

ERR_SSL_KEY_USAGE_INCOMPATIBLE

This is a browser SSL error that almost always means:

The self-signed SSL certificate generated by Tower/NGINX is missing a key usage extension required by modern browsers.
Chrome and Edge (especially) have become stricter about certificate requirements.

Root Cause

Ansible Tower’s (or AAP’s) default self-signed SSL certificate is sometimes generated without digitalSignature and keyEncipherment in its Key Usage field.
Recent browser updates refuse to load sites with these “old style” self-signed certs.

How To Fix: Regenerate SSL Certificate for NGINX (Quick Solution)

You need to generate a new self-signed certificate with the correct Key Usage and Extended Key Usage for web server SSL.

Step-by-Step: Create and Use a Modern Self-Signed Cert

1. Create a new SSL private key and certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/tower/tower.key \
    -out /etc/tower/tower.crt \
    -subj "/CN=13.233.139.133" \
    -addext "keyUsage = digitalSignature, keyEncipherment" \
    -addext "extendedKeyUsage = serverAuth"

If /etc/tower does not exist, use /etc/nginx instead.
You can adjust the CN (Common Name) to your server’s hostname if you wish.

2. Update your nginx SSL configuration:

Edit /etc/nginx/conf.d/tower.conf (or /etc/nginx/nginx.conf depending on your version).

Make sure the SSL settings point to the new files:

  ssl_certificate     /etc/tower/tower.crt;
  ssl_certificate_key /etc/tower/tower.key;

Or use /etc/nginx/ if that is where your certs are.

3. Restart nginx and Tower services:

sudo systemctl restart nginx
sudo systemctl restart ansible-tower

Or for AAP/Controller:

sudo systemctl restart automation-controller

4. Try the browser again:

Go to https://13.233.139.133/
You will see a certificate warning (because it is self-signed), but you should NOT see the ERR_SSL_KEY_USAGE_INCOMPATIBLE error.
Click "Advanced" > "Proceed anyway" to reach the login page.

Extra: If You Need a Real Certificate

For production, use a cert from Let’s Encrypt or a real CA.

Summary Table

| Step | Command/Path | Notes |
| ------------------- | ----------------------------------------- | ------------------------- |
| Generate new cert | openssl req ... -addext ... | Use correct key usage |
| Update nginx config | /etc/nginx/conf.d/tower.conf or similar | Set to new cert/key files |
| Restart services | systemctl restart nginx ansible-tower | |
| Test in browser | https://13.233.139.133/ | Accept cert warning |

Try the above fix. Your Tower UI will be accessible in all browsers!
If you run into any trouble, paste your nginx SSL section or let me know any error messages.
I’ll get you up and running!