This. Python is unfortunately not very verbose about *why* cert validation
fails, but you absolutely need to be using ansible_host or the inventory
hostname that matches the CN or a SAN in the certificate you created.
Python 2.x does *not* support IP CN/SANs yet (3.x does, but IIRC it hasn't
been backported), so you *must* use a symbolic hostname.
On Thursday, June 23, 2016 at 10:00:00 AM UTC-7, J Hawkesworth wrote:
>
> As well as getting a valid, trusted cert generated for your host (and each
> of your windows hosts), I believe you should use the hostname rather than
> ip address.
>
>
> On Thursday, June 23, 2016 at 3:32:51 PM UTC+1, František Griga wrote:
>>
>> Hello,
>>
>> I have a problem with using Ansible to manage Windows machines.
>>
>> I have one virtual machine with Debian 8, Ansible 2.1.0.0 installed
>> through PPA and Python 2.7.9. Then I have a second VM with Windows 10. I
>> would like to send commands from Debian (Ansible) machine to Windows
>> machine using WinRM through HTTPS (I do not want to use Kerberos - I
>> need to connect to Windows local account), but something goes wrong. If
>> I use "ansible_winrm_server_cert_validation: ignore" conf option,
>> everything is fine - I have this:
>>
>> root@debx-test:~# ansible 192.168.0.1 -m win_ping
>> 192.168.0.1 | SUCCESS => {
>> "changed": false,
>> "ping": "pong"
>> }
>>
>> but that is something I do not want to use, because I consider that a
>> security risk. When I turn the option off, I have this:
>>
>> root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
>> Using /etc/ansible/ansible.cfg as config file
>> Loaded callback minimal of type stdout, v2.0
>> <192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO
>> 192.168.0.1
>> <192.168.0.1> WINRM CONNECT: transport=plaintext
>> endpoint=https://192.168.0.1:5986/wsman
>> <192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL
>> routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
>> failed')],)",)
>> Traceback (most recent call last):
>> File
>> "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py",
>> line 152, in _winrm_connect
>> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>> File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
>> 132, in open_shell
>> res = self.send_message(xmltodict.unparse(req))
>> File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
>> 207, in send_message
>> return self.transport.send_message(message)
>> File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py",
>> line 173, in send_message
>> response = self.session.send(prepared_request,
>> timeout=self.read_timeout_sec)
>> File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py",
>> line 585, in send
>> r = adapter.send(request, **kwargs)
>> File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py",
>> line 477, in send
>> raise SSLError(e, request=request)
>> SSLError: ("bad handshake: Error([('SSL routines',
>> 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
>>
>> 192.168.0.1 | UNREACHABLE! => {
>> "changed": false,
>> "msg": "plaintext: (\"bad handshake: Error([('SSL routines',
>> 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
>> "unreachable": true
>> }
>>
>> It does not matter what certificate I am using. I tried to create a CA on
>> the Ansible machine, sign the Windows CSR, import the certificate to Windows,
>> reconfigure HTTPS listener and import CA certificate to trusted
>> certificates on Debian - does not help. I am sure I did everything OK,
>> because it is working for example on the test web server on Windows
>> machine.
>>
>> Is it possible to run Ansible with Windows really securely? How? What
>> should I try?
>>
>> Thanks for the reply,
>> Frantisek Griga
>>
>>
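A small diagnostic, added here as an example and not part of this thread, that makes the name check the reply describes explicit: on Python 3 it fetches the WinRM listener's certificate after chain validation against the local CA store, then reports why the name you connect with does or does not match the certificate's CN/SANs (including the "IP literal never matches a DNS name" case). The host names in the test data are constructed; 5986 is the HTTPS listener port from the log above.

```python
import ipaddress
import socket
import ssl
import sys

def cert_names(cert):
    """Split an ssl.getpeercert() dict into (DNS SANs, IP SANs, subject CN)."""
    dns, ips, cn = [], [], None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    return dns, ips, cn

def dns_match(pattern, hostname):
    """RFC 6125 style match: '*' may only replace the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]

def explain_name_check(cert, target):
    """Return (ok, reason) for reaching `target` with this certificate."""
    dns, ips, cn = cert_names(cert)
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        if target in ips:
            return True, "IP SAN %s matches (Python 3.5+ only; Python 2 never matches IP SANs)" % target
        return False, ("%s is an IP literal; a CN or DNS SAN never matches an IP, and the "
                       "cert's IP SANs are %s. Connect by hostname instead." % (target, ips or "absent"))
    candidates = dns or ([cn] if cn else [])  # CN is only consulted when no DNS SAN exists
    for pattern in candidates:
        if dns_match(pattern, target):
            return True, "%s matches %s" % (target, pattern)
    return False, "%s matches none of %s" % (target, candidates)

def fetch_cert(host, port=5986, cafile=None):
    """Fetch the peer cert after chain validation; the name check is done separately."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # explain_name_check() does the name check with a reason
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host = sys.argv[1]
    try:
        ok, why = explain_name_check(fetch_cert(host), host)
    except ssl.SSLError as exc:
        ok, why = False, "chain not trusted by this Python's CA store: %s" % exc
    print("OK" if ok else "FAIL", why)
```

Run it as `python3 check_winrm_cert.py <inventory name>`: a chain error means the CA import is the problem, a FAIL with a reason means the inventory name is.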
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/0673b73a-c963-4fc6-8bb9-af0bf69f9c0f%40googlegroups.com.