Thank you for the response. I need to use certificate-based authentication because I need to automate the whole process without any obvious security risks. My playbook, along with other files (inventory, group_vars, roles), will be in a "semi public" repository, so I can't hard-code the passwords. Even if I used vaulted passwords, I would need to type the encryption passphrase in a clear text file, and I can't risk having the same encryption passphrase for all hosts.

On Tuesday, April 4, 2017 at 9:55:45 PM UTC+1, Matt Davis wrote:
>
> Doesn't look like you actually set up the cert->user mapping. Take a look at
> http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm
> - it's a decent end-to-end tutorial on how to set it up. That said, I'd
> strongly recommend you don't use it - the mapping is brittle, it doesn't
> work for domain users, and underlying urllib3 requirements mean that the
> cert has to be sitting on disk unencrypted. Most folks are better off just
> using vaulted passwords.
>
> -Matt
>
> On Tuesday, April 4, 2017 at 9:03:10 AM UTC-7, Hmdi Bz wrote:
>>
>> Hi,
>>
>> I have two VMs: the first one is a CentOS 7 VM with Ansible 2.2.1 installed
>> (ip: 192.168.26.2),
>> the second one is a Windows 10 VM (ip: 192.168.26.3).
>>
>> I have managed to connect to the Windows VM from the CentOS VM using basic
>> authentication (username + password).
>>
>> I need to use certificate authentication between CentOS and Windows and I
>> did the following with no success:
>>
>> 1) I have generated a self-signed certificate in the Windows VM, then
>> I have installed it with the following command:
>> $ip="192.168.26.3"
>> $c = New-SelfSignedCertificate -DnsName $ip -CertStoreLocation cert:\LocalMachine\My
>>
>> 2) I have created the following WinRM listener on the Windows VM:
>> winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$ip`";CertificateThumbprint=`"$($c.ThumbPrint)`"}"
>>
>> 3) I have generated a private key on the CentOS VM:
>> openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
>>
>> 4) I have generated a CSR on the CentOS VM:
>> openssl req -key private_key.pem -new -out ansible.csr
>>
>> 5) I have signed the CSR (ansible.csr) using the self-generated
>> certificate in the Windows VM:
>> openssl ca -out ansible.crt -infiles ansible.csr
>>
>> 6) I have edited the inventory file:
>> [test]
>> 192.168.26.2
>> [test:vars]
>> ansible_user=administrator
>> ansible_winrm_port=5986
>> ansible_connection=winrm
>> ansible_winrm_scheme=https
>> ansible_winrm_transport=certificate
>> ansible_winrm_server_cert_validation=ignore
>> ansible_winrm_cert_key_pem=path/to/private/key/private_key.pem
>> ansible_winrm_cert_pem=path/to/certificate/ansible.crt
>>
>> 7) I have executed the following command but it failed:
>> ansible -i pilote.ini test win_ping
>>
>> I had the following error:
>> msg:"certificate: the specified credentials were rejected by the server
>>
>> Can you point me to what I am doing wrong?
>> Thank you
>>
>
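
Added example, not part of the thread or of Ansible's own code: Ansible's WinRM setup documentation describes a client certificate for certificate authentication as carrying the clientAuth extended key usage and a UPN otherName subject alternative name, which a CSR built as in steps 3 to 5 above does not request by itself. The sketch below generates such a certificate on the control node and checks a PEM file for both properties before it is imported and mapped on the Windows side; the user name, file names and one-year lifetime are assumptions.

```shell
#!/bin/sh
# Constructed example: "client.cnf", "cert.pem", "cert_key.pem" and the
# 365-day lifetime are assumed names/values, not taken from the thread.

# make_client_cert USER OUTDIR
# Writes a self-signed client certificate and key into OUTDIR.
make_client_cert() {
    user=$1; out=$2
    cat > "$out/client.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ${user}
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${user}@localhost
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$out/client.cnf" -extensions v3_req_client \
        -keyout "$out/cert_key.pem" -out "$out/cert.pem" 2>/dev/null
    # The key stays unencrypted on disk, so restrict it to its owner.
    chmod 600 "$out/cert_key.pem"
}

# check_client_cert PEM
# Prints "ok" and returns 0 only if the certificate has the clientAuth EKU
# and an otherName SAN; otherwise names the missing property and returns 1.
check_client_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    echo "$text" | grep -q "TLS Web Client Authentication" \
        || { echo "missing clientAuth EKU"; return 1; }
    echo "$text" | grep -qi "othername" \
        || { echo "missing UPN otherName SAN"; return 1; }
    echo "ok"
}
```

Running `check_client_cert ansible.crt` against the certificate from step 5 shows whether it carries these extensions before time is spent debugging the mapping on the Windows host.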
