Have a read through the bug report above (which I have now closed).

Do you have the following set in your Windows inventory/group vars:

ansible_winrm_server_cert_validation: ignore


as described in:
http://docs.ansible.com/ansible/intro_windows.html#inventory

If so, the certificate is completely ignored.  Traffic between the Ansible 
node and the Windows WinRM endpoint is still encrypted, but Ansible doesn't 
check anything to do with the certificate.  So I think in your case the 
certificate really has expired, but the certificate is not getting checked.

It would be good to have a documented way to retrieve the generated 
certificate from the Windows host and add it to the trusted certs on the 
Ansible controller, but I don't believe we have that right now.  It might 
be tedious and error-prone if it requires manual steps on each host, of 
course, so it would be best automated.

Depending on how you set things up, certificates aren't the only way in 
which you can lock down access to a time period on Windows hosts.  If you 
set up domain authentication then you can configure quite a short period 
for the Kerberos tickets to last (I think that the default is 10 hours 
without renewal).

Hope this helps

Jon

On Friday, April 22, 2016 at 12:24:08 PM UTC+1, ishan jain wrote:
>
> Do we have a way to undo whatever the script changed? Or some other means 
> where I can make the certificate expire?
> I need that to test it out some more.
>
> On Friday, 22 April 2016 15:43:43 UTC+5:30, J Hawkesworth wrote:
>>
>> That sounds like a bug to me. I created a bug report here: 
>> https://github.com/ansible/ansible/issues/15541
>>
>> On Friday, April 22, 2016 at 10:20:11 AM UTC+1, ishan jain wrote:
>>>
>>> I configured WinRM on my Windows Server 2012 R2 using the script listed 
>>> at 
>>> https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>>
>>> To test the certificate expiration, I provided 3 days for the 
>>> -CertValidityDays parameter during script execution. I am not very well 
>>> versed in PowerShell and WinRM, but I assume that after 3 days the 
>>> self-signed certificate should expire and after that I should expect Ansible to 
>>> be unable to connect. 
>>>
>>> But after 3 days, Ansible is working just fine with no other setting 
>>> changed. Can anyone please explain how this thing works?
>>>
>>
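
An added example, not part of the original thread and not Ansible's own code: a small Python audit that finds every place an inventory sets `ansible_winrm_server_cert_validation` and reports where it is `ignore`, which is where an expired or replaced WinRM certificate would go unnoticed as described above. The file names, host names and contents in `SAMPLE` are constructed, and the line-based matching is an assumption that covers simple `key=value` and `key: value` entries only.

```python
import re

# The setting in INI inventory form (key=value) or YAML vars form (key: value).
SETTING = re.compile(
    r'''\bansible_winrm_server_cert_validation\s*[:=]\s*["']?(\w+)''')
SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")  # INI group header, e.g. [windows:vars]

def strip_comment(line):
    """Drop a trailing '#' comment so commented-out settings are not reported."""
    return line.split("#", 1)[0]

def find_cert_validation(files):
    """files maps path -> text. Returns (path, line, ini_section, value) tuples."""
    findings = []
    for path, text in sorted(files.items()):
        section = None  # stays None for YAML group_vars files
        for lineno, raw in enumerate(text.splitlines(), start=1):
            line = strip_comment(raw)
            header = SECTION.match(line)
            if header:
                section = header.group(1)
                continue
            for m in SETTING.finditer(line):
                findings.append((path, lineno, section, m.group(1).lower()))
    return findings

def unvalidated(findings):
    """Entries where the WinRM server certificate is not checked at all."""
    return [f for f in findings if f[3] == "ignore"]

# Constructed sample inventory (hypothetical paths and hosts).
SAMPLE = {
    "inventory/hosts": (
        "[windows]\n"
        "win01.example.test\n"
        "win02.example.test ansible_winrm_server_cert_validation=ignore\n"
        "\n"
        "[windows:vars]\n"
        "ansible_connection=winrm\n"
        "# ansible_winrm_server_cert_validation=ignore\n"),
    "group_vars/windows.yml": (
        "ansible_port: 5986\n"
        "ansible_winrm_server_cert_validation: ignore  # self-signed lab cert\n"),
    "group_vars/prod_windows.yml": "ansible_winrm_server_cert_validation: validate\n",
}

if __name__ == "__main__":
    for path, lineno, section, value in unvalidated(find_cert_validation(SAMPLE)):
        print(f"{path}:{lineno} [{section or 'file scope'}] cert validation = {value}")
```
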
