@Hmdi Did you make any progress on the issue? I am trying to achieve the same result with the same level of success. I came across the blog post that Matt referenced. Unfortunately, it explains how to do it for Windows-to-Windows but omits the part about how the Windows-created certificate is translated into a private/public key pair.
On Wednesday, April 5, 2017 at 9:37:16 AM UTC+3, Hmdi Bz wrote:
>
> Thank you for the response.
>
> I need to use certificate-based authentication because I need to automate
> the whole process without any obvious security risks. My playbook, along
> with other files (inventory, group_vars, roles), will be in a "semi-public"
> repository, so I can't hard-code the passwords. Even if I used vaulted
> passwords I would need to type the encryption passphrase in a clear-text
> file, and I can't risk having the same encryption passphrase for all hosts.
>
> On Tuesday, April 4, 2017 at 9:55:45 PM UTC+1, Matt Davis wrote:
>>
>> Doesn't look like you actually set up the cert->user mapping. Take a look at
>> http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm
>> - it's a decent end-to-end tutorial on how to set it up. That said, I'd
>> strongly recommend you don't use it - the mapping is brittle, it doesn't
>> work for domain users, and underlying urllib3 requirements mean that the
>> cert has to be sitting on disk unencrypted. Most folks are better off just
>> using vaulted passwords.
>>
>> -Matt
>>
>> On Tuesday, April 4, 2017 at 9:03:10 AM UTC-7, Hmdi Bz wrote:
>>>
>>> Hi,
>>>
>>> I have two VMs. The first one is a CentOS 7 VM with Ansible 2.2.1 installed
>>> (ip: 192.168.26.2); the second one is a Windows 10 VM (ip: 192.168.26.3).
>>>
>>> I have managed to connect to the Windows VM from the CentOS VM using basic
>>> authentication (username + password).
>>>
>>> I need to use certificate authentication between CentOS and Windows, and
>>> I did the following with no success:
>>>
>>> 1) I have generated a self-signed certificate in the Windows VM,
>>> then installed it with the following commands:
>>>
>>> $ip="192.168.26.3"
>>> $c = New-SelfSignedCertificate -DnsName $ip -CertStoreLocation cert:\LocalMachine\My
>>>
>>> 2) I have created the following WinRM listener on the Windows VM:
>>>
>>> winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$ip`";CertificateThumbprint=`"$($c.ThumbPrint)`"}"
>>>
>>> 3) I have generated a private key on the CentOS VM:
>>>
>>> openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
>>>
>>> 4) I have generated a CSR on the CentOS VM:
>>>
>>> openssl req -key private_key.pem -new -out ansible.csr
>>>
>>> 5) I have signed the CSR (ansible.csr) using the self-generated
>>> certificate in the Windows VM:
>>>
>>> openssl ca -out ansible.crt -infiles ansible.csr
>>>
>>> 6) I have edited the inventory file:
>>>
>>> [test]
>>> 192.168.26.2
>>> [test:vars]
>>> ansible_user=administrator
>>> ansible_winrm_port=5986
>>> ansible_connection=winrm
>>> ansible_winrm_scheme=https
>>> ansible_winrm_transport=certificate
>>> ansible_winrm_server_cert_validation=ignore
>>> ansible_winrm_cert_key_pem=path/to/private/key/private_key.pem
>>> ansible_winrm_cert_pem=path/to/certificate/ansible.crt
>>>
>>> 7) I have executed the following command, but it failed:
>>>
>>> ansible -i pilote.ini test win_ping
>>>
>>> I had the following error:
>>>
>>> msg:"certificate: the specified credentials were rejected by the server
>>>
>>>
>>> Can you point out what I am doing wrong?
>>> Thank you
>>>
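The piece Matt says is missing from the steps above is the certificate-to-user mapping on the Windows side. The following PowerShell is an added example, not code from any post in this thread or from the Ansible project: run in an elevated session on the Windows host, it enables certificate authentication on the WinRM service, trusts the issuing CA and the client certificate, creates the mapping to a local account, and checks the result. The file paths, the account name `ansible` and the UPN `ansible@localhost` are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): WinRM certificate-to-user mapping on the Windows host.
# Run in an elevated PowerShell session. The paths, account name and UPN below are
# placeholders; Import-Certificate needs the PKI module (Windows 8 / Server 2012 or later).

# The client certificate must carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
# and a subjectAltName otherName of type 1.3.6.1.4.1.311.20.2.3 (UPN) whose value
# equals the -Subject used in the mapping. A plain "openssl req" CSR, as in the
# thread, does not add these extensions; they must be requested explicitly.
$CaCertPath     = 'C:\certs\ca_cert.pem'       # certificate of the CA that signed the client cert
$ClientCertPath = 'C:\certs\ansible_cert.pem'  # client (public) certificate only; the key stays on the Linux side
$MappedUpn      = 'ansible@localhost'          # must equal the UPN SAN inside the client cert
$LocalAccount   = 'ansible'                    # local user the cert maps to (domain accounts are not supported by this mapping)

# 1. Certificate authentication on the WinRM service is off by default.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 2. Trust the issuer (Root) and register the client certificate (TrustedPeople).
#    Import-Certificate returns the imported X509Certificate2 objects, so the
#    issuer thumbprint needed by the mapping is taken from its output.
$ca     = Import-Certificate -FilePath $CaCertPath     -CertStoreLocation Cert:\LocalMachine\Root
$client = Import-Certificate -FilePath $ClientCertPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople

# 3. Sanity-check the client certificate before creating the mapping: without the
#    Client Authentication EKU the service rejects the credentials.
$eku = $client.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    Write-Warning 'Client certificate lacks the Client Authentication EKU; the mapping will not work.'
}

# 4. Create the mapping. WinRM stores the local account's credential so it can
#    log the certificate holder on as that account.
$cred = Get-Credential -UserName $LocalAccount -Message "Password for local account $LocalAccount"
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject $MappedUpn `
    -URI * `
    -Issuer $ca.Thumbprint `
    -Credential $cred `
    -Force

# 5. Verify: the auth switch, an HTTPS listener and the new mapping should all be present.
Get-Item WSMan:\localhost\Service\Auth\Certificate | Select-Object Name, Value
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object Name, Keys
Get-ChildItem WSMan:\localhost\ClientCertificate | Select-Object Name, Keys
```

The `-Issuer` value is the thumbprint of the CA certificate, not of the client certificate, which is why the CA certificate has to be imported before the mapping is created. The caveats Matt raises still apply: the mapping ties a certificate to a single local account whose password WinRM keeps, and the private key on the Ansible controller has to sit on disk unencrypted for the `certificate` transport, so the key file's permissions and the repository layout deserve the same care as a vaulted password.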
