Hi J,

Thanks for all the help. Actually it turned out that somebody already executed the script on the new machine with a 365-day period before I did it for 3 days; that is why it was able to connect. I did not specify anything like ansible_winrm_server_cert_validation. I am very new to Windows administration.
Since I need to see what happens when the certificate expires, I am still trying to figure out a way to disable winrm again. Any ideas there?

On Monday, 25 April 2016 13:38:40 UTC+5:30, J Hawkesworth wrote:
> Have a read through the bug report above (which I have now closed).
>
> Do you have the following set in your windows inventory/ group vars:
>
> ansible_winrm_server_cert_validation: ignore
>
> as described in;
> http://docs.ansible.com/ansible/intro_windows.html#inventory
>
> If so the certificate is completely ignored. Traffic between the ansible node and the windows winrm endpoint is still encrypted, but ansible doesn't check anything to do with the certificate. So I think in your case the certificate really has expired but the certificate is not getting checked.
>
> It would be good to have a documented way to retrieve the generated certificate from the windows host and add it to the trusted certs on the ansible controller, but I don't believe we have that right now. It might be tedious and error prone if it requires manual steps on each host of course so would be best automated.
>
> Depending on how you set things up, certificates aren't the only way in which you can lock down access to a time period on windows hosts. If you set up domain authentication then you can configure quite a short period for the kerberos tickets to last (I think that the default is 10 hours without renewal).
>
> Hope this helps
>
> Jon
>
> On Friday, April 22, 2016 at 12:24:08 PM UTC+1, ishan jain wrote:
>>
>> Do we have a way to undo whatever the script changed? Or some other means where I can make the certificate expire?
>> I need that to test it out some more.
>>
>> On Friday, 22 April 2016 15:43:43 UTC+5:30, J Hawkesworth wrote:
>>>
>>> That sounds like a bug to me. I created a bug report here:
>>> https://github.com/ansible/ansible/issues/15541
>>>
>>> On Friday, April 22, 2016 at 10:20:11 AM UTC+1, ishan jain wrote:
>>>>
>>>> I configured winrm on my windows server 2012 R2 using the script listed at
>>>> https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>>>
>>>> To test the certificate expiration, I provided 3 days for the -CertValidityDays parameter during script execution. I am not very well versed in powershell and winrm but I assume that after 3 days the self signed certificate should expire and after that I should expect Ansible to be unable to connect.
>>>>
>>>> But after 3 days, ansible is working just fine with no other setting changed. Can anyone please explain how this thing works?
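
Added example, not part of the original thread or of the Ansible project's script: a PowerShell check, run in an elevated session on the Windows host, that lists the certificates in the machine store with their expiry dates and marks which one the WinRM HTTPS listener is actually bound to. This is the situation described at the top of the thread, where an earlier 365-day certificate was in use rather than the 3-day one. The function name `Get-WinRMCertificateReport` is hypothetical, and the code assumes the listener certificate lives in `Cert:\LocalMachine\My`.

```powershell
# Added example: report certificate expiry and WinRM HTTPS listener binding.
# Assumption: the listener certificate is stored in Cert:\LocalMachine\My.
function Get-WinRMCertificateReport {
    $now = Get-Date

    # Each child of WSMan:\localhost\Listener is one listener; its Keys
    # property holds strings such as "Transport=HTTPS" and "Address=*".
    $httpsListeners = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -like 'Transport=HTTPS' }

    # Collect the thumbprint each HTTPS listener is configured to serve.
    $bound = @()
    foreach ($listener in $httpsListeners) {
        $path  = "WSMan:\localhost\Listener\$($listener.Name)"
        $value = (Get-ChildItem -Path $path |
            Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value
        $thumb = ("$value" -replace '\s', '').ToUpper()
        if ($thumb) { $bound += $thumb }
    }

    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)

    # A listener pointing at a certificate that is no longer in the store
    # is worth flagging separately.
    foreach ($thumb in $bound) {
        if (-not ($certs | Where-Object { $_.Thumbprint -eq $thumb })) {
            Write-Warning "Listener thumbprint $thumb not found in LocalMachine\My"
        }
    }

    foreach ($cert in $certs) {
        [pscustomobject]@{
            Thumbprint           = $cert.Thumbprint
            Subject              = $cert.Subject
            NotBefore            = $cert.NotBefore
            NotAfter             = $cert.NotAfter
            Expired              = ($cert.NotAfter -lt $now)
            BoundToHttpsListener = ($bound -contains $cert.Thumbprint)
        }
    }
}

Get-WinRMCertificateReport | Sort-Object NotAfter | Format-Table -AutoSize
```

A row with `BoundToHttpsListener` set to `True` and a `NotAfter` date far in the future explains a connection that keeps working after a shorter-lived certificate should have expired.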
