Excellent, you are very close!
Your Tower UI is running and serving HTTPS, but your browser is showing:
ERR_SSL_KEY_USAGE_INCOMPATIBLE
This is a browser SSL error that almost always means:
- The self-signed SSL certificate generated by Tower/NGINX is missing a key usage extension required by modern browsers.
- Chrome and Edge (especially) have become stricter about certificate requirements.
Root Cause
- Ansible Tower’s (or AAP’s) default self-signed SSL certificate is sometimes generated without digitalSignature and keyEncipherment in its Key Usage field.
- Recent browser updates refuse to load sites with these “old style” self-signed certs.
How To Fix: Regenerate SSL Certificate for NGINX (Quick Solution)
You need to generate a new self-signed certificate with the correct Key Usage and Extended Key Usage for web server SSL.
Step-by-Step: Create and Use a Modern Self-Signed Cert
1. Create a new SSL private key and certificate:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/tower/tower.key \
-out /etc/tower/tower.crt \
-subj "/CN=13.233.139.133" \
-addext "keyUsage = digitalSignature, keyEncipherment" \
-addext "extendedKeyUsage = serverAuth"
- If /etc/tower does not exist, use /etc/nginx instead.
- You can adjust the CN (Common Name) to your server’s hostname if you wish.
2. Update your nginx SSL configuration:
Edit /etc/nginx/conf.d/tower.conf (or /etc/nginx/nginx.conf depending on your version).
Make sure the SSL settings point to the new files:
ssl_certificate /etc/tower/tower.crt;
ssl_certificate_key /etc/tower/tower.key;
Or use /etc/nginx/ if that is where your certs are.
3. Restart nginx and Tower services:
sudo systemctl restart nginx
sudo systemctl restart ansible-tower
Or for AAP/Controller:
sudo systemctl restart automation-controller
4. Try the browser again:
- Go to https://13.233.139.133/
- You will see a certificate warning (because it is self-signed), but you should NOT see the ERR_SSL_KEY_USAGE_INCOMPATIBLE error.
- Click "Advanced" > "Proceed anyway" to reach the login page.
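To confirm the regenerated certificate before testing in a browser, this added example (not part of the original answer) parses the output of openssl x509 -noout -text and checks for the Key Usage and Extended Key Usage values set in step 1. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: sh this_script /etc/tower/tower.crt
# With no argument it runs against a constructed sample instead of a real cert.

# value_after HEADER: print the (trimmed) line that follows the first line
# containing HEADER in `openssl x509 -text` output read from stdin.
value_after() {
    awk -v h="$1" 'found { sub(/^[ \t]+/, ""); print; exit } index($0, h) { found = 1 }'
}

# ku_check: read `openssl x509 -noout -text` output on stdin.
# Returns 0 only if the values from step 1 are all present; names what is missing.
ku_check() {
    _text=$(cat)
    _ku=$(printf '%s\n' "$_text" | value_after 'X509v3 Key Usage:')
    _eku=$(printf '%s\n' "$_text" | value_after 'X509v3 Extended Key Usage:')
    _rc=0
    case "$_ku" in *'Digital Signature'*) ;;
        *) echo 'missing keyUsage: digitalSignature' >&2; _rc=1 ;; esac
    case "$_ku" in *'Key Encipherment'*) ;;
        *) echo 'missing keyUsage: keyEncipherment' >&2; _rc=1 ;; esac
    case "$_eku" in *'TLS Web Server Authentication'*) ;;
        *) echo 'missing extendedKeyUsage: serverAuth' >&2; _rc=1 ;; esac
    return "$_rc"
}

# check_cert FILE: run the check against a PEM certificate on disk.
check_cert() {
    openssl x509 -in "$1" -noout -text | ku_check
}

# Constructed sample: extension text of a cert lacking the values from step 1.
SAMPLE_OLD='            X509v3 Key Usage:
                Certificate Sign, CRL Sign'

if [ $# -gt 0 ]; then
    check_cert "$1" && echo "OK: $1 has the expected key usage"
else
    printf '%s\n' "$SAMPLE_OLD" | ku_check || echo 'sample cert needs regenerating' >&2
fi
```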
Extra: If You Need a Real Certificate
Summary Table
| Step | Command/Path | Notes |
| ------------------- | ----------------------------------------- | ------------------------- |
| Generate new cert | openssl req ... -addext ... | Use correct key usage |
| Update nginx config | /etc/nginx/conf.d/tower.conf or similar | Set to new cert/key files |
| Restart services | systemctl restart nginx ansible-tower | |
| Test in browser | https://13.233.139.133/ | Accept cert warning |
Try the above fix. Your Tower UI will be accessible in all browsers!
If you run into any trouble, paste your nginx SSL section or let me know any error messages.
I’ll get you up and running!