So I could not be sure if the Debian version has cert validation ability, but the upstream version should have it.
https://www.python.org/downloads/release/python-279/


On 24 June 2016 at 8:55, Mike Fennemore wrote:
Is there a method for using HTTPS with certificate validation with Python 2.79? Have been reading this http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure . Admittedly this is Chef but I would assume the WinRM concepts remain the same.

On Thursday, June 23, 2016 at 7:18:44 PM UTC+2, Matt Davis wrote:

    This. Python is unfortunately not very verbose about *why* cert
    validation fails, but you absolutely need to be using ansible_host
    or the inventory hostname that matches the CN or a SAN in the
    certificate you created. Python 2.x does *not* support IP CN/SANs
    yet (3.x does, but IIRC it hasn't been backported), so you *must*
    use a symbolic hostname.

    On Thursday, June 23, 2016 at 10:00:00 AM UTC-7, J Hawkesworth wrote:

        As well as getting a valid, trusted cert generated for your
        host (and each of your windows hosts), I believe you should
        use the hostname rather than ip address.


        On Thursday, June 23, 2016 at 3:32:51 PM UTC+1, František
        Griga wrote:

            Hello,

            I have a problem with using Ansible to manage Windows
            machines.

            I have one virtual machine with Debian 8, Ansible 2.1.0.0
            installed
            through PPA and Python 2.7.9. Then I have a second VM with
            Windows 10. I
            would like to send commands from Debian (Ansible) machine
            to Windows
            machine using WinRM through HTTPS (I do not want to use
            Kerberos - I
            need to connect to Windows local account), but something
            goes wrong. If
            I use "ansible_winrm_server_cert_validation: ignore" conf
            option,
            everything is fine - I have this:

            root@debx-test:~# ansible 192.168.0.1 -m win_ping
            192.168.0.1 | SUCCESS => {
                 "changed": false,
                 "ping": "pong"
            }

            but that is something I do not want to use, because I
            consider that as
            a security risk. When I turn the option off, I have this:

            root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
            Using /etc/ansible/ansible.cfg as config file
            Loaded callback minimal of type stdout, v2.0
            <192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO 192.168.0.1
            <192.168.0.1> WINRM CONNECT: transport=plaintext endpoint=https://192.168.0.1:5986/wsman
            <192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
            Traceback (most recent call last):
              File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 152, in _winrm_connect
                self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
              File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 132, in open_shell
                res = self.send_message(xmltodict.unparse(req))
              File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 207, in send_message
                return self.transport.send_message(message)
              File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 173, in send_message
                response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
              File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
                r = adapter.send(request, **kwargs)
              File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
                raise SSLError(e, request=request)
            SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

            192.168.0.1 | UNREACHABLE! => {
                 "changed": false,
                 "msg": "plaintext: (\"bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
                 "unreachable": true
            }

            does not matter, what certificate I am using. I tried to
            create CA on
            Ansible machine, sign Windows CSR, import certificate to
            Windows,
            reconfigure HTTPS listener and import CA certificate to
            trusted
            certificates on Debian - does not help. I am sure I did
            everything OK,
            because it is working for example on the test web server
            on Windows machine.

            Is it possible to run Ansible with Windows really
            securely? How? What
            should I try?

            Thanks for reply,
            Frantisek Griga

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>. To post to this group, send email to [email protected] <mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/21a76037-8a36-409a-8153-340f50354130%40googlegroups.com <https://groups.google.com/d/msgid/ansible-project/21a76037-8a36-409a-8153-340f50354130%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.
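
Added example, not part of the thread and not Ansible or pywinrm code: a small diagnostic that reports why a given `ansible_host` value would or would not match a certificate's CN/SANs, which the TLS error above does not say. The certificate dict (in the shape returned by `ssl.SSLSocket.getpeercert()`), the hostname `win10-test.example.internal` and the `client_checks_ip_sans` flag are constructed assumptions; the flag models the behaviour Matt Davis describes, where a client that does not match IP addresses rejects any IP target.

```python
import ipaddress

# Constructed sample certificate, in the dict shape of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "win10-test.example.internal"),),),
    "subjectAltName": (
        ("DNS", "win10-test.example.internal"),
        ("IP Address", "192.168.0.1"),
    ),
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def explain_match(cert, host, client_checks_ip_sans):
    """Return (ok, reason) for connecting to `host` with this certificate.

    client_checks_ip_sans is a hypothetical switch: False models a client
    that only compares DNS names, as described in the thread.
    """
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    ips = [v for k, v in sans if k == "IP Address"]
    if _is_ip(host):
        if not client_checks_ip_sans:
            return False, "client does not match IP addresses; use a hostname"
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(v) == wanted for v in ips):
            return True, "matched IP SAN"
        return False, "IP address not listed in certificate SANs"
    if any(_dns_match(p, host) for p in dns):
        return True, "matched DNS SAN"
    if not dns:
        # CN is consulted only when the certificate carries no DNS SAN at all.
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
        if any(_dns_match(p, host) for p in cns):
            return True, "matched CN"
    return False, "hostname not listed in certificate"
```

Feeding it the inventory name actually used (here the IP `192.168.0.1`) and then the symbolic hostname shows which of the two the certificate can satisfy before `ansible_winrm_server_cert_validation` is switched back on.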
