Hello,

thanks for the answers. I tried that, but hostnames do not help. Any other ideas? Is there anybody who uses Ansible on Debian (successfully)?

FG


On 23. 6. 2016 at 19:18, Matt Davis wrote:
This. Python is unfortunately not very verbose about *why* cert validation fails, but you absolutely need to be using ansible_host or the inventory hostname that matches the CN or a SAN in the certificate you created. Python 2.x does *not* support IP CN/SANs yet (3.x does, but IIRC it hasn't been backported), so you *must* use a symbolic hostname.

On Thursday, June 23, 2016 at 10:00:00 AM UTC-7, J Hawkesworth wrote:

    As well as getting a valid, trusted cert generated for your host
    (and each of your windows hosts), I believe you should use the
    hostname rather than ip address.


    On Thursday, June 23, 2016 at 3:32:51 PM UTC+1, František Griga
    wrote:

        Hello,

        I have a problem with using Ansible to manage Windows machines.

        I have one virtual machine with Debian 8, Ansible 2.1.0.0
        installed
        through PPA and Python 2.7.9. Then I have a second VM with
        Windows 10. I
        would like to send commands from Debian (Ansible) machine to
        Windows
        machine using WinRM through HTTPS (I do not want to use
        Kerberos - I
        need to connect to Windows local account), but something goes
        wrong. If
        I use "ansible_winrm_server_cert_validation: ignore" conf option,
        everything is fine - I have this:

        root@debx-test:~# ansible 192.168.0.1 -m win_ping
        192.168.0.1 | SUCCESS => {
             "changed": false,
             "ping": "pong"
        }

        but that is something I do not want to use, because I
        consider that as
        a security risk. When I turn the option off, I have this:

        root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
        Using /etc/ansible/ansible.cfg as config file
        Loaded callback minimal of type stdout, v2.0
        <192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on
        PORT 5986 TO
        192.168.0.1
        <192.168.0.1> WINRM CONNECT: transport=plaintext
        endpoint=https://192.168.0.1:5986/wsman
        <https://192.168.0.1:5986/wsman>
        <192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake:
        Error([('SSL
        routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
        failed')],)",)
        Traceback (most recent call last):
           File
        "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py",

        line 152, in _winrm_connect
             self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
           File
        "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
        132, in open_shell
             res = self.send_message(xmltodict.unparse(req))
           File
        "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
        207, in send_message
             return self.transport.send_message(message)
           File
        "/usr/local/lib/python2.7/dist-packages/winrm/transport.py",
        line 173, in send_message
             response = self.session.send(prepared_request,
        timeout=self.read_timeout_sec)
           File
        "/usr/local/lib/python2.7/dist-packages/requests/sessions.py",
        line 585, in send
             r = adapter.send(request, **kwargs)
           File
        "/usr/local/lib/python2.7/dist-packages/requests/adapters.py",
        line 477, in send
             raise SSLError(e, request=request)
        SSLError: ("bad handshake: Error([('SSL routines',
        'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

        192.168.0.1 | UNREACHABLE! => {
             "changed": false,
             "msg": "plaintext: (\"bad handshake: Error([('SSL routines',
        'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
        failed')],)\",)",
             "unreachable": true
        }

        does not matter, what certificate I am using. I tried to
        create CA on
        Ansible machine, sign Windows CSR, import certificate to Windows,
        reconfigure HTTPS listener and import CA certificate to trusted
        certificates on Debian - does not help. I am sure I did
        everything OK,
        because it is working for example on the test web server on
        Windows machine.

        Is it possible to run Ansible with Windows really securely?
        How? What
        should I try?

        Thanks for reply,
        Frantisek Griga

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>. To post to this group, send email to [email protected] <mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/0673b73a-c963-4fc6-8bb9-af0bf69f9c0f%40googlegroups.com <https://groups.google.com/d/msgid/ansible-project/0673b73a-c963-4fc6-8bb9-af0bf69f9c0f%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.
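
The name-matching rule discussed in this thread, as an added example that is not part of the original messages and is not Ansible or pywinrm code: a pre-flight check of whether the name used to reach a host is covered by its certificate. The certificate dict, the hostname `win10-test.example.test` and the `ip_san_supported` flag are constructed for illustration; the flag models the limitation described in Matt Davis's reply.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT = {
    "subject": ((("commonName", "win10-test.example.test"),),),
    "subjectAltName": (("DNS", "win10-test.example.test"),
                       ("IP Address", "192.168.0.1")),
}

def is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def _match(pattern, host):
    # Exact match, or a wildcard covering exactly one left-most label.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_target(target, cert, ip_san_supported=False):
    """Return (ok, reason) for connecting to `target` with this certificate."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    if is_ip(target):
        if not ip_san_supported:
            # Assumption taken from the reply: the Python 2.x stack ignores IP SANs.
            return False, "IP target: IP SANs not checked, use a hostname"
        addr = ipaddress.ip_address(target)
        ok = any(ipaddress.ip_address(i) == addr for i in ips)
        return ok, "IP SAN match" if ok else "no IP SAN for %s" % target
    # The CN is consulted only when the certificate carries no DNS SAN at all.
    names = dns or cns
    ok = any(_match(p, target.lower()) for p in names)
    return ok, "name match" if ok else "%s not in %s" % (target, names)

if __name__ == "__main__":
    for t in ("192.168.0.1", "win10-test.example.test", "other.example.test"):
        print(t, check_target(t, CERT))
```

This covers name matching only; a certificate that does not chain to a trusted CA fails validation regardless of the name used.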
