As well as getting a valid, trusted cert generated for your host (and each
of your windows hosts), I believe you should use the hostname rather than
ip address.
On Thursday, June 23, 2016 at 3:32:51 PM UTC+1, František Griga wrote:
>
> Hello,
>
> I have a problem with using Ansible to manage Windows machines.
>
> I have one virtual machine with Debian 8, Ansible 2.1.0.0 installed
> through PPA and Python 2.7.9. Then I have a second VM with Windows 10. I
> would like to send commands from Debian (Ansible) machine to Windows
> machine using WinRM through HTTPS (I do not want to use Kerberos - I
> need to connect to Windows local account), but something goes wrong. If
> I use "ansible_winrm_server_cert_validation: ignore" conf option,
> everything is fine - I have this:
>
> root@debx-test:~# ansible 192.168.0.1 -m win_ping
> 192.168.0.1 | SUCCESS => {
> "changed": false,
> "ping": "pong"
> }
>
> but that is something I do not want to use, because I considere that as
> a security risk. When I turn the option off, I have this:
>
> root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO
> 192.168.0.1
> <192.168.0.1> WINRM CONNECT: transport=plaintext
> endpoint=https://192.168.0.1:5986/wsman
> <192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL
> routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
> failed')],)",)
> Traceback (most recent call last):
> File
> "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py",
> line 152, in _winrm_connect
> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
> File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
> 132, in open_shell
> res = self.send_message(xmltodict.unparse(req))
> File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
> 207, in send_message
> return self.transport.send_message(message)
> File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py",
> line 173, in send_message
> response = self.session.send(prepared_request,
> timeout=self.read_timeout_sec)
> File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py",
> line 585, in send
> r = adapter.send(request, **kwargs)
> File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py",
> line 477, in send
> raise SSLError(e, request=request)
> SSLError: ("bad handshake: Error([('SSL routines',
> 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
>
> 192.168.0.1 | UNREACHABLE! => {
> "changed": false,
> "msg": "plaintext: (\"bad handshake: Error([('SSL routines',
> 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
> "unreachable": true
> }
>
> does not matter, what certificate I am using. I tried to create CA on
> Ansible machine, sign Windows CSR, import certificate to Windows,
> reconfigure HTTPS listener and import CA certificate to trusted
> certificates on Debian - does not help. I am sure I did everything OK,
> because it is working for example on the test web server on Windows
> machine.
>
> Is it possible to run Ansible with Windows really securelly? How? What
> should I try?
>
> Thanks for reply,
> Frantisek Griga
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/e8400177-ce2c-42bb-8db7-874b1d826888%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
