You need to be using at least Ansible 1.9.4 (preferably 2.1) and pywinrm 0.1.1 (preferably 0.2.0) to pass the certificate validation disable to pywinrm. 1.9.2 will be *very* slow and suboptimal for Windows work in many ways.
On Wednesday, June 29, 2016 at 11:19:21 AM UTC-7, Hugo Enrique Hernández Priego wrote:
>
> Hi Jon
>
> My ansible control node has python 2.7.5
>
> [ansible@ansible-server ansible-windows]$ python --version
> *Python 2.7.5*
> [ansible@ansible-server ansible-windows]$
>
> So I follow this link http://docs.ansible.com/ansible/intro_windows.html
> <http://docs.ansible.com/ansible/intro_windows.html#inventory>
>
> My windows.yml
>
> [ansible@ansible-server ansible-windows]$ cat group_vars/windows.yml
> # it is suggested that these be encrypted with ansible-vault:
> # # ansible-vault edit group_vars/windows.yml
> ansible_ssh_user: ansible
> ansible_ssh_pass: xxxxxx
> ansible_ssh_port: 5986
> ansible_connection: winrm
> # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
> ansible_winrm_server_cert_validation: ignore
>
> I try with the recommendation of python 2.7.9+ but it fails anyway
>
> [ansible@ansible-server ansible-windows]$ ansible windows -i host -m win_ping -vvvvv
> <mywindowshost.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO mywindowshost.wt.mx.corp
> <mywindowshostwt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://mywindowshost.wt.mx.corp:5986/wsman
> mywindowshost.wt.mx.corp | FAILED => Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
>     exec_rc = self._executor_internal(host, new_stdin)
>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
>     return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
>     conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
>     self.active = conn.connect()
>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
>     self.protocol = self._winrm_connect()
>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
>     protocol.send_message('')
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>     return self.transport.send_message(message)
>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
>     response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
>     r = adapter.send(request, **kwargs)
>   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
>     raise SSLError(e, request=request)
> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
>
> With both methods it fails, so I do a test connection with Curl and it's OK
>
> ansible@ansible-server ansible-windows]$ curl -vk -d "" -u "ansible:xxxxxxx" https://mywindowshost.wt.mx.corp:5986/wsman
> * About to connect() to mywindowshost.wt.mx.corp port 5986 (#0)
> * Trying 22.134.234.100...
> * Connected to mywindowshost.wt.mx.corp (22.134.234.100) port 5986 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
> * Server certificate:
> * subject: CN=mywindowshost
> * start date: Jun 27 18:16:45 2016 GMT
> * expire date: Jun 27 18:16:45 2017 GMT
> * common name: mywindowshost
> * issuer: CN=mywindowshost
> * Server auth using Basic with user 'ansible'
> > POST /wsman HTTP/1.1
> > Authorization: Basic cHJodGJsYWQ6QmxhKjg2LmxvZw==
> > User-Agent: curl/7.29.0
> > Host: mywindowshost.wt.mx.corp:5986
> > Accept: */*
> > Content-Length: 0
> > Content-Type: application/x-www-form-urlencoded
> >
> < HTTP/1.1 411
> < Server: Microsoft-HTTPAPI/2.0
> < Date: Wed, 29 Jun 2016 18:19:37 GMT
> < Connection: close
> < Content-Length: 0
> <
> * Closing connection 0
>
> Any idea?
>
> Thanks
>
> On Tuesday, June 28, 2016, 2:59:13 (UTC-5), J Hawkesworth wrote:
>>
>> Hi,
>>
>> Since python 2.7.9 (I think) python's default behavior has been to
>> validate certificates for any https connections.
>>
>> The certificate used by the windows hosts is likely self-generated,
>> therefore won't be fully trusted.
>>
>> So in order to avoid the certificate check, you have to set the following
>> var in your ansible inventory/group_vars that apply to your windows hosts.
>>
>> # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
>> ansible_winrm_server_cert_validation: ignore
>>
>> It's documented here:
>> http://docs.ansible.com/ansible/intro_windows.html#inventory
>>
>> If you would rather python did check the certificate then you will either
>> need to trust the cert for each of your windows hosts, or acquire trusted
>> (not self-signed) certificates for each of your windows hosts, add them to
>> the computer certificate store and ensure that winrm is using your new
>> certificate.
>>
>> Hope this helps,
>>
>> Jon
>>
>> On Tuesday, June 28, 2016 at 1:37:59 AM UTC+1, Hugo Enrique Hernández Priego wrote:
>>>
>>> Hi
>>>
>>> I'm running ansible against a windows host for testing purposes, but I
>>> am getting this error:
>>>
>>> Red Hat 7.2
>>> Ansible 1.9.2
>>>
>>> [ansible-windows]$ ansible windows -i host -m win_ping -vvvvv
>>>
>>> <srvspodvlmx01.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: prhtblad on PORT 5986 TO srvspodvlmx01.wt.mx.corp
>>> <srvspodvlmx01.wt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://srvspodvlmx01.wt.mx.corp:5986/wsman
>>> srvspodvlmx01.wt.mx.corp | FAILED => Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
>>>     exec_rc = self._executor_internal(host, new_stdin)
>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
>>>     return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
>>>     conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
>>>     self.active = conn.connect()
>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
>>>     self.protocol = self._winrm_connect()
>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
>>>     protocol.send_message('')
>>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>>     return self.transport.send_message(message)
>>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
>>>     response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
>>>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
>>>     r = adapter.send(request, **kwargs)
>>>   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
>>>     raise SSLError(e, request=request)
>>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
>>>
>>> Any idea about this error?
>>>
>>> Thanks
>>>
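
An added example, not part of the original thread and not Ansible's own code: a small audit of a group_vars file like the one quoted above. It flags disabled WinRM certificate validation, the case from this thread where the installed versions are below the minimums given in the reply so `ignore` never reaches pywinrm, and a readable password. The function names, finding ids and sample values are assumptions made for the illustration.

```python
import re

# Minimum versions the reply gives for the "ignore" setting to reach pywinrm.
MIN_ANSIBLE = (1, 9, 4)
MIN_PYWINRM = (0, 1, 1)

def parse_version(text):
    """'1.9.2' -> (1, 9, 2); anything after the third number is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def parse_flat_vars(text):
    """Read flat 'key: value' lines; comments and blank lines are skipped."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            found[key.strip()] = value.strip()
    return found

def audit_winrm_vars(text, ansible_version, pywinrm_version):
    """Return a list of finding ids (hypothetical names) for one vars file."""
    if text.lstrip().startswith("$ANSIBLE_VAULT;"):
        return []  # whole file is vault-encrypted, nothing readable to check
    found = parse_flat_vars(text)
    findings = []
    if found.get("ansible_connection") != "winrm":
        return findings
    if found.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-disabled")
        if (parse_version(ansible_version) < MIN_ANSIBLE
                or parse_version(pywinrm_version) < MIN_PYWINRM):
            findings.append("ignore-not-honoured-by-installed-versions")
    if "ansible_ssh_pass" in found:
        findings.append("cleartext-password-in-vars")
    return findings

# Constructed sample, modelled on the windows.yml quoted in the thread.
SAMPLE_VARS = """\
ansible_ssh_user: ansible
ansible_ssh_pass: example-only
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""

if __name__ == "__main__":
    print(audit_winrm_vars(SAMPLE_VARS, "1.9.2", "0.1.1"))
    print(audit_winrm_vars(SAMPLE_VARS, "2.1.0", "0.2.0"))
```

With the Ansible 1.9.2 from the original post, the audit reports both that validation is switched off in the vars file and that the installed version will not act on it, which is the combination that still produces `CERTIFICATE_VERIFY_FAILED`.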
