Hi,

You can create / install a new certificate and then use winrm to use the 
new certificate using a command like this:

winrm set winrm/config/listener?Address=IP:8.8.8.8+Transport=HTTPS @{Hostname="mydomain.com";CertificateThumbprint="CB7434F35E3EA11D49D209F41BB16E96B472D30E";Port="5986"}

You will probably have to do this logged in to the windows machine as an 
Administrator.  I think modifying winrm configuration is not allowed from 
remote winrm sessions.

You can probably delete the https transport listener altogether if you 
prefer and then run the ConfigureRemotingForAnsible.ps1 script again too.

Hope this helps,

Jon
On Monday, April 25, 2016 at 10:03:41 AM UTC+1, ishan jain wrote:
>
> Hi J,
>
> Thanks for all the help. Actually it turned out that somebody already 
> executed the script on the new machine with 365 days period before I did it 
> for 3 days, that is why it was able to connect. I did not specify anything 
> like ansible_winrm_server_cert_validation. I am very new to windows 
> administration.
>
> Since I need to see what happens when certificate expires, I am still 
> trying to figure out a way to disable winrm again. Any ideas there?
>
>
> On Monday, 25 April 2016 13:38:40 UTC+5:30, J Hawkesworth wrote:
>>
>>
>> Have a read through the bug report above (which I have now closed).
>>
>> Do you have the following set in your windows inventory/ group vars:
>>
>> ansible_winrm_server_cert_validation: ignore
>>
>>
>> as described in: 
>> http://docs.ansible.com/ansible/intro_windows.html#inventory
>>
>> If so the certificate is completely ignored.  Traffic between the ansible 
>> node and the windows winrm endpoint is still encrypted, but ansible doesn't 
>> check anything to do with the certificate.  So I think in your case the 
>> certificate really has expired but the certificate is not getting checked.
>>
>> It would be good to have a documented way to retrieve the generated 
>> certificate from the windows host and add it to the trusted certs on the 
>> ansible controller, but I don't believe we have that right now.  It might 
>> be tedious and error prone if it requires manual steps on each host of 
>> course so would be best automated.
>>
>> Depending on how you set things up, certificates aren't the only way in 
>> which you can lock down access to a time period on windows hosts.  If you 
>> set up domain authentication then you can configure quite a short period 
>> for the kerberos tickets to last (I think that the default is 10 hours 
>> without renewal).  
>>
>> Hope this helps
>>
>> Jon
>>
>> On Friday, April 22, 2016 at 12:24:08 PM UTC+1, ishan jain wrote:
>>>
>>> Do we have a way to undo whatever the script changed? Or some other 
>>> means where I can make the certificate expire? 
>>> I need that to test it out some more.
>>>
>>> On Friday, 22 April 2016 15:43:43 UTC+5:30, J Hawkesworth wrote:
>>>>
>>>> That sounds like a bug to me. I created a bug report here: 
>>>> https://github.com/ansible/ansible/issues/15541
>>>>
>>>> On Friday, April 22, 2016 at 10:20:11 AM UTC+1, ishan jain wrote:
>>>>>
>>>>> I configured winrm on my windows server 2012 R2 using the script 
>>>>> listed at 
>>>>> https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>>>>
>>>>> To test the certificate expiration, I provided 3 days for the 
>>>>> -CertValidityDays parameter during script execution. I am not very 
>>>>> well versed in powershell and winrm but I assume that after 3 days the 
>>>>> self signed certificate should expire and after that I should expect 
>>>>> Ansible to be unable to connect. 
>>>>>
>>>>> But after 3 days, ansible is working just fine with no other setting 
>>>>> changed. Can anyone please explain how this thing works?
>>>>>
>>>>
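A PowerShell version of what Jon describes above, added here as an example; it is not part of the thread and not code from the ConfigureRemotingForAnsible.ps1 script. It issues a fresh short-lived self-signed certificate, rebinds the HTTPS listener to its thumbprint (the WSMan: drive equivalent of Jon's winrm set command), reports when the bound certificate expires, and with -RemoveHttpsListener instead deletes the HTTPS listener, which answers ishan's "disable winrm again" question. Assumed: an elevated local PowerShell session (Jon's point that listener changes are not accepted over a remote winrm session), a New-SelfSignedCertificate that accepts -NotAfter (Windows Server 2016 / Windows 10 and later; the 2012 R2 version lacks that parameter), and placeholder values for the DNS name and validity period.

```powershell
# Added example (not from the thread or from ConfigureRemotingForAnsible.ps1).
# Assumptions: elevated local session; New-SelfSignedCertificate supports -NotAfter;
# $DnsName and $ValidityDays are placeholders to adjust for the real host.
param(
    [string]$DnsName      = $env:COMPUTERNAME,  # placeholder: the name Ansible connects to
    [int]   $ValidityDays = 3,                  # short lifetime, as in the thread's test
    [switch]$RemoveHttpsListener                # undo: drop the HTTPS listener instead
)

# Each listener is a container under WSMan:\localhost\Listener whose Keys
# property carries the selector, e.g. {Address=*, Transport=HTTPS}.
function Get-HttpsListener {
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
}

# Report the certificate currently bound to each HTTPS listener and its expiry.
# A listener whose certificate has expired is exactly what the thread is testing:
# Ansible only rejects it when ansible_winrm_server_cert_validation is not "ignore".
function Show-ListenerCertificate {
    foreach ($l in Get-HttpsListener) {
        $thumb = (Get-Item "WSMan:\localhost\Listener\$($l.Name)\CertificateThumbprint").Value -replace '\s', ''
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
        [pscustomobject]@{
            Listener   = $l.Name
            Thumbprint = $thumb
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Expired    = ($null -ne $cert -and $cert.NotAfter -lt (Get-Date))
        }
    }
}

if ($RemoveHttpsListener) {
    # Undo the HTTPS part of the Ansible script. The HTTP listener on 5985, if
    # present, is left untouched; rerun ConfigureRemotingForAnsible.ps1 to recreate HTTPS.
    foreach ($l in Get-HttpsListener) {
        Remove-Item -Path "WSMan:\localhost\Listener\$($l.Name)" -Recurse
        Write-Host "Removed HTTPS listener $($l.Name)"
    }
    return
}

# Issue a new self-signed certificate with the chosen lifetime in the machine store.
$cert = New-SelfSignedCertificate -DnsName $DnsName `
    -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddDays($ValidityDays)

# Rebind every HTTPS listener to the new thumbprint (same effect as
# winrm set winrm/config/listener?...+Transport=HTTPS @{CertificateThumbprint="..."}).
foreach ($l in Get-HttpsListener) {
    Set-Item -Path "WSMan:\localhost\Listener\$($l.Name)\CertificateThumbprint" `
             -Value $cert.Thumbprint
}

Show-ListenerCertificate | Format-Table -AutoSize

# Optional: export the public certificate (DER) so it can be carried to the
# Ansible controller; "certutil -encode in.cer out.pem" turns it into PEM there.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\winrm-$DnsName.cer" | Out-Null
```

Run it once without switches to replace the listener certificate, and with -RemoveHttpsListener to take the HTTPS endpoint away entirely; Show-ListenerCertificate's Expired column is the quick local check for whether the bound certificate has lapsed, which, per J's explanation above, Ansible will only notice once ansible_winrm_server_cert_validation is no longer set to ignore.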
