[ansible-project] Re: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

[Hugo Enrique Hernández Priego]

Hi

I remove that line and try again 

[ansible@ansible-server ansible-windows]$ cat group_vars/windows.yml
# it is suggested that these be encrypted with ansible-vault:
# # ansible-vault edit group_vars/windows.yml
ansible_ssh_user: ansible
ansible_ssh_pass: xxxxxx
ansible_ssh_port: 5986
ansible_connection: winrm

but i getting the same error,

[ansible@ansible-server ansible-windows]$ ansible windows -i host -m 
win_ping -vvvvv
<mywindowshost.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: ansible on 
PORT 5986 TO srvspodvlmx01.wt.mx.corp
<mywindowshost.wt.mx.corp> WINRM CONNECT: transport=plaintext 
endpoint=https://mywindowshost.wt.mx.corp:5986/wsman
mywindowshost.wt.mx.corp | FAILED => Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 
582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 
785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, 
self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 
964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, 
actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", 
line 52, in connect
    self.active = conn.connect()
  File 
"/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", 
line 140, in connect
    self.protocol = self._winrm_connect()
  File 
"/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", 
line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in 
send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in 
send_message
    response = self.session.send(prepared_request, 
timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, 
in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, 
in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
(_ssl.c:765)

I follow all requeriments

any suggestion??

Regards

El miércoles, 29 de junio de 2016, 15:45:58 (UTC-5), Matt Davis escribió:
>
> You need to be using at least Ansible 1.9.4 (preferably 2.1) and pywinrm 
> 0.1.1 (preferably 0.2.0) to pass the certificate validation disable to 
> pywinrm. 1.9.2 will be *very* slow and suboptimal for Windows work in many 
> ways.
>
> On Wednesday, June 29, 2016 at 11:19:21 AM UTC-7, Hugo Enrique Hernández 
> Priego wrote:
>>
>> Hi Jon
>>
>>
>> My ansible control node have python 2.7.5
>>
>> [ansible@ansible-server ansible-windows]$ python --version
>> *Python 2.7.5*
>> [ansible@ansible-server ansible-windows]$ 
>>
>> So i follow this link http://docs.ansible.com/ansible/intro_windows.html 
>> <http://docs.ansible.com/ansible/intro_windows.html#inventory>
>>
>> My windows.yml
>>
>> [ansible@ansible-server ansible-windows]$ cat group_vars/windows.yml 
>> # it is suggested that these be encrypted with ansible-vault:
>> # # ansible-vault edit group_vars/windows.yml
>> ansible_ssh_user: ansible
>> ansible_ssh_pass: xxxxxx
>> ansible_ssh_port: 5986
>> ansible_connection: winrm
>> # The following is necessary for Python 2.7.9+ when using default WinRM 
>> self-signed certificates:
>> ansible_winrm_server_cert_validation: ignore
>>
>> i try with the recomendation of python 2.7.9+ but fails anyway
>>
>> [ansible@ansible-server ansible-windows]$ ansible windows -i host -m 
>> win_ping -vvvvv
>> <mywindowshost.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: ansible 
>> on PORT 5986 TO mywindowshost.wt.mx.corp
>> <mywindowshostwt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=
>> https://mywindowshost.wt.mx.corp:5986/wsman 
>> <https://www.google.com/url?q=https%3A%2F%2Fmywindowshost.wt.mx.corp%3A5986%2Fwsman&sa=D&sntz=1&usg=AFQjCNHoKwGx27zxHWFl_q1MbmbF4pgGiA>
>> mywindowshost.wt.mx.corp | FAILED => Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", 
>> line 582, in _executor
>>     exec_rc = self._executor_internal(host, new_stdin)
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", 
>> line 785, in _executor_internal
>>     return self._executor_internal_inner(host, self.module_name, 
>> self.module_args, inject, port, complex_args=complex_args)
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", 
>> line 964, in _executor_internal_inner
>>     conn = self.connector.connect(actual_host, actual_port, actual_user, 
>> actual_pass, actual_transport, actual_private_key_file, delegate_host)
>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", 
>> line 52, in connect
>>     self.active = conn.connect()
>>   File 
>> "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py",
>>  
>> line 140, in connect
>>     self.protocol = self._winrm_connect()
>>   File 
>> "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py",
>>  
>> line 96, in _winrm_connect
>>     protocol.send_message('')
>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in 
>> send_message
>>     return self.transport.send_message(message)
>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, 
>> in send_message
>>     response = self.session.send(prepared_request, 
>> timeout=self.read_timeout_sec)
>>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, 
>> in send
>>     r = adapter.send(request, **kwargs)
>>   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, 
>> in send
>>     raise SSLError(e, request=request)
>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
>> (_ssl.c:765)
>>
>>
>> With both method fails, so i do a testing conection with Curl and its OK
>>
>> ansible@ansible-server ansible-windows]$ curl -vk -d "" -u 
>> "ansible:xxxxxxx" https://mywindowshost.wt.mx.corp:5986/wsman
>> * About to connect() to mywindowshost.wt.mx.corp port 5986 (#0)
>> *   Trying 22.134.234.100...
>> * Connected to mywindowshost.wt.mx.corp (22.134.234.100) port 5986 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * skipping SSL peer certificate verification
>> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
>> * Server certificate:
>> *     subject: CN=mywindowshost
>> *     start date: Jun 27 18:16:45 2016 GMT
>> *     expire date: Jun 27 18:16:45 2017 GMT
>> *     common name: mywindowshost
>> *     issuer: CN=mywindowshost
>> * Server auth using Basic with user 'ansible'
>> > POST /wsman HTTP/1.1
>> > Authorization: Basic cHJodGJsYWQ6QmxhKjg2LmxvZw==
>> > User-Agent: curl/7.29.0
>> > Host: mywindowshost.wt.mx.corp:5986
>> > Accept: */*
>> > Content-Length: 0
>> > Content-Type: application/x-www-form-urlencoded
>> > 
>> < HTTP/1.1 411 
>> < Server: Microsoft-HTTPAPI/2.0
>> < Date: Wed, 29 Jun 2016 18:19:37 GMT
>> < Connection: close
>> < Content-Length: 0
>> < 
>> * Closing connection 0
>>
>>
>> Any idea ?
>>
>> Thanks
>>
>>
>> El martes, 28 de junio de 2016, 2:59:13 (UTC-5), J Hawkesworth escribió:
>>>
>>> Hi,
>>>
>>> Since python 2.7.9  ( I think) python's default behavior has been to 
>>> validate certificates for any https connections.
>>>
>>> The certificate used by the windows hosts is likely self-generated, 
>>> therefore won't be fully trusted.
>>>
>>> So in order to avoid the certificate check, you have to set the 
>>> following var in your ansible inventory/group_vars that apply to your 
>>> windows hosts.
>>>
>>> # The following is necessary for Python 2.7.9+ when using default WinRM 
>>> self-signed certificates:ansible_winrm_server_cert_validation: ignore
>>>
>>>
>>> Its documented here: 
>>> http://docs.ansible.com/ansible/intro_windows.html#inventory
>>>
>>> If you would rather python did check the certificate then you will 
>>> either need to trust the cert for each of your windows hosts, or acquire 
>>> trusted (not self-signed) certificates for each of your windows hosts, add 
>>> them to the the computer certificate store and ensure that winrm is using 
>>> your new certificate.
>>>
>>> Hope this helps,
>>>
>>> Jon
>>>
>>>
>>> On Tuesday, June 28, 2016 at 1:37:59 AM UTC+1, Hugo Enrique Hernández 
>>> Priego wrote:
>>>>
>>>> Hi
>>>>
>>>> I'm running ansible against a windows host for testing purposes. but i 
>>>> am getting this error :
>>>>
>>>> Red Hat 7.2
>>>> Ansible 1.9.2
>>>>
>>>> [ansible-windows]$ ansible windows -i host -m win_ping -vvvvv
>>>>
>>>> <srvspodvlmx01.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: 
>>>> prhtblad on PORT 5986 TO srvspodvlmx01.wt.mx.corp
>>>> <srvspodvlmx01.wt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=
>>>> https://srvspodvlmx01.wt.mx.corp:5986/wsman
>>>> srvspodvlmx01.wt.mx.corp | FAILED => Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", 
>>>> line 582, in _executor
>>>>     exec_rc = self._executor_internal(host, new_stdin)
>>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", 
>>>> line 785, in _executor_internal
>>>>     return self._executor_internal_inner(host, self.module_name, 
>>>> self.module_args, inject, port, complex_args=complex_args)
>>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", 
>>>> line 964, in _executor_internal_inner
>>>>     conn = self.connector.connect(actual_host, actual_port, 
>>>> actual_user, actual_pass, actual_transport, actual_private_key_file, 
>>>> delegate_host)
>>>>   File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", 
>>>> line 52, in connect
>>>>     self.active = conn.connect()
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py",
>>>>  
>>>> line 140, in connect
>>>>     self.protocol = self._winrm_connect()
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py",
>>>>  
>>>> line 96, in _winrm_connect
>>>>     protocol.send_message('')
>>>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, 
>>>> in send_message
>>>>     return self.transport.send_message(message)
>>>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, 
>>>> in send_message
>>>>     response = self.session.send(prepared_request, 
>>>> timeout=self.read_timeout_sec)
>>>>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 
>>>> 585, in send
>>>>     r = adapter.send(request, **kwargs)
>>>>   File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 
>>>> 477, in send
>>>>     raise SSLError(e, request=request)
>>>> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
>>>> (_ssl.c:765)
>>>>
>>>> Any idea about this error ?
>>>>
>>>> Thanks
>>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/0fdd743f-f946-45fa-8be4-2de343011144%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.