Here is a list of 9 items to check. You may already have done all of these but skipping any one of them will prevent it from working.
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/ansible-project/HKgh7jtsFsk

On Thursday, June 23, 2016 at 9:32:51 AM UTC-5, František Griga wrote:
>
> Hello,
>
> I have a problem with using Ansible to manage Windows machines.
>
> I have one virtual machine with Debian 8, Ansible 2.1.0.0 installed
> through PPA and Python 2.7.9. Then I have a second VM with Windows 10. I
> would like to send commands from Debian (Ansible) machine to Windows
> machine using WinRM through HTTPS (I do not want to use Kerberos - I
> need to connect to Windows local account), but something goes wrong. If
> I use "ansible_winrm_server_cert_validation: ignore" conf option,
> everything is fine - I have this:
>
> root@debx-test:~# ansible 192.168.0.1 -m win_ping
> 192.168.0.1 | SUCCESS => {
>     "changed": false,
>     "ping": "pong"
> }
>
> but that is something I do not want to use, because I consider that as
> a security risk. When I turn the option off, I have this:
>
> root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO 192.168.0.1
> <192.168.0.1> WINRM CONNECT: transport=plaintext endpoint=https://192.168.0.1:5986/wsman
> <192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 152, in _winrm_connect
>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>   File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 132, in open_shell
>     res = self.send_message(xmltodict.unparse(req))
>   File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 207, in send_message
>     return self.transport.send_message(message)
>   File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 173, in send_message
>     response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
>   File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
>     r = adapter.send(request, **kwargs)
>   File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
>     raise SSLError(e, request=request)
> SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
>
> 192.168.0.1 | UNREACHABLE! => {
>     "changed": false,
>     "msg": "plaintext: (\"bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
>     "unreachable": true
> }
>
> does not matter, what certificate I am using. I tried to create CA on
> Ansible machine, sign Windows CSR, import certificate to Windows,
> reconfigure HTTPS listener and import CA certificate to trusted
> certificates on Debian - does not help. I am sure I did everything OK,
> because it is working for example on the test web server on Windows
> machine.
>
> Is it possible to run Ansible with Windows really securely? How? What
> should I try?
>
> Thanks for reply,
> Frantisek Griga
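
An added example, not part of either post: a validating client accepts the WinRM listener only if its certificate chains to a CA in the bundle the client actually reads (for the Python requests library that is not necessarily the operating system store) and is valid for the address being connected to. The script below reproduces both checks offline with `openssl`; the lab CA, the file names and the helper functions are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed lab: a throwaway CA and listener certificate, not data from the thread.
set -eu

# Build two self-signed CAs (ca = issuer, other = unrelated) and a server
# certificate whose SAN carries the IP address the control node connects to.
make_lab() {  # $1 = work dir, $2 = IP address to place in the SAN
  for name in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=lab-$name" \
      -keyout "$1/$name.key" -out "$1/$name.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=winhost" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  # An HTTPS listener certificate needs the serverAuth EKU; the SAN must list the IP
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/ext.cnf"
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -extfile "$1/ext.cnf" -out "$1/srv.pem" 2>/dev/null
}

# Exit 0 only if cert $2 chains to a CA in bundle $1 AND is valid for IP $3.
cert_ok() {
  openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Print one PASS/FAIL line for a bundle, certificate and address.
report() {
  if cert_ok "$1" "$2" "$3"; then
    echo "PASS bundle=${1##*/} ip=$3"
  else
    echo "FAIL bundle=${1##*/} ip=$3"
  fi
}

lab=$(mktemp -d)
make_lab "$lab" 192.168.0.1
report "$lab/ca.pem"    "$lab/srv.pem" 192.168.0.1   # issuing CA in bundle, address in SAN
report "$lab/other.pem" "$lab/srv.pem" 192.168.0.1   # bundle lacks the issuing CA
report "$lab/ca.pem"    "$lab/srv.pem" 192.168.0.2   # address not in the SAN
```

Running `cert_ok` against the CA file you intend to give Ansible and the certificate exported from the real listener shows which of the two checks fails. Ansible's WinRM documentation lists `ansible_winrm_ca_trust_path` as the variable for pointing the connection at that CA file.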
