Hello,
I have a problem with using Ansible to manage Windows machines.
I have one virtual machine with Debian 8, Ansible 2.1.0.0 installed
through PPA and Python 2.7.9. Then I have a second VM with Windows 10. I
would like to send commands from Debian (Ansible) machine to Windows
machine using WinRM through HTTPS (I do not want to use Kerberos - I
need to connect to Windows local account), but something goes wrong. If
I use "ansible_winrm_server_cert_validation: ignore" conf option,
everything is fine - I have this:
root@debx-test:~# ansible 192.168.0.1 -m win_ping
192.168.0.1 | SUCCESS => {
"changed": false,
"ping": "pong"
}
but that is something I do not want to use, because I considere that as
a security risk. When I turn the option off, I have this:
root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO
192.168.0.1
<192.168.0.1> WINRM CONNECT: transport=plaintext
endpoint=https://192.168.0.1:5986/wsman
<192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL
routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
Traceback (most recent call last):
File
"/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py",
line 152, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
132, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
207, in send_message
return self.transport.send_message(message)
File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py",
line 173, in send_message
response = self.session.send(prepared_request,
timeout=self.read_timeout_sec)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py",
line 585, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py",
line 477, in send
raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines',
'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
192.168.0.1 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: (\"bad handshake: Error([('SSL routines',
'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
"unreachable": true
}
does not matter, what certificate I am using. I tried to create CA on
Ansible machine, sign Windows CSR, import certificate to Windows,
reconfigure HTTPS listener and import CA certificate to trusted
certificates on Debian - does not help. I am sure I did everything OK,
because it is working for example on the test web server on Windows machine.
Is it possible to run Ansible with Windows really securelly? How? What
should I try?
Thanks for reply,
Frantisek Griga
--
You received this message because you are subscribed to the Google Groups "Ansible
Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/576BA3E3.9060508%40unipo.sk.
For more options, visit https://groups.google.com/d/optout.
