I'm trying to understand Ansible better in order to use it in my company's 
production environment. In order to test and understand, I've set up 2 VMs 
with Server 2019 and am using a Windows 2010 system with WSL enabled and 
Ubuntu 22.04. There is no domain set up in this configuration and I don't 
want to set one up. I do not want to use basic transport, so I have created 
a cert to use. Basically, I've followed these steps 
<https://adamtheautomator.com/winrm-for-ansible/> and had success before. 
A week ago I decided that I was going to try retracing my steps and see if 
I could duplicate the results again. Sadly I have had no such luck. I get 
the following error when I try running a straight-up ansible command or 
using a playbook:
192.168.4.70 | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
Obviously, I'm missing something that I had not before and I'm at my wit's 
end. The fixes I've seen posted are to use NTLM/Kerberos or enable basic. 
I'm not wanting to do either of these. I'm not sure about my cert. In 
this article 
<https://docs.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https>
it states "If you have more than one local computer account server certificate 
installed, confirm the Certificate Thumbprint displayed by Winrm enumerate 
winrm/config/listener is the same Thumbprint on the *Details* tab of the 
certificate." In the steps I followed I have 2 thumbprints, 1 for the 
server and 1 from the ansible host.

$serverCert
Thumbprint                                Subject
----------                                -------
65F93B914048C98A567C71B1F7831F9873C283DB  CN=WIN-C3EQOG6836M

$ansibleCert
Thumbprint                                Subject
----------                                -------
65D2499EB375E0B7064596D20AB096E21A184C69  CN=ansible

From the Details tab in Cert MMC
Trusted Root Certification Authorities/ansible & Trusted People
65d2499eb375e0b7064596d20ab096e21a184c69

PS C:\Users\Administrator> Winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = WIN-C3EQOG6836M
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 65F93B914048C98A567C71B1F7831F9873C283DB
    ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6

Should the thumbprint be the cert for the server or for the ansible user?

Here is my winrm/config:
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Also my ansible Inventory file:
[windows]
192.168.4.70
192.168.4.71

[windows:vars]
ansible_user=ansible
ansible_password=Password1!
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/cfe6eae4-6e7f-41e8-8dc9-2543c9f52b5an%40googlegroups.com.

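A small checker, added here as an example and not taken from the post, from Ansible or from pywinrm, that encodes the two things worth verifying in this setup. First, the HTTPS listener's CertificateThumbprint must be the server's own certificate (the one with CN=WIN-C3EQOG6836M), never the ansible client certificate; the client cert is presented by Ansible and mapped to a local account on the server side. Second, which authentication an inventory like the one posted will actually send: the variables ansible_winrm_transport, ansible_winrm_cert_pem and ansible_winrm_cert_key_pem are the winrm connection plugin's real options, while the trimmed listener output, the two inventories and the .pem paths are constructed sample data (the paths are placeholders).

```python
"""Added example: sanity checks for WinRM-over-HTTPS certificate auth with Ansible.
Sample data is constructed from the values quoted in the post; .pem paths are placeholders."""
import re

LISTENER_OUTPUT = """\
Listener
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    CertificateThumbprint

Listener
    Transport = HTTPS
    Port = 5986
    Hostname = WIN-C3EQOG6836M
    Enabled = true
    CertificateThumbprint = 65F93B914048C98A567C71B1F7831F9873C283DB
"""
SERVER_CERT_THUMBPRINT = "65F93B914048C98A567C71B1F7831F9873C283DB"  # CN=WIN-C3EQOG6836M
CLIENT_CERT_THUMBPRINT = "65d2499eb375e0b7064596d20ab096e21a184c69"  # CN=ansible, lowercase as MMC shows it
SERVICE_BASIC_ENABLED = False  # winrm/config/service/Auth/Basic from the post

INVENTORY_AS_POSTED = """\
[windows:vars]
ansible_user=ansible
ansible_password=Password1!
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
"""
INVENTORY_CERT_AUTH = """\
[windows:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=certificate
ansible_winrm_cert_pem=/placeholder/ansible_cert.pem
ansible_winrm_cert_key_pem=/placeholder/ansible_key.pem
"""


def parse_listeners(text):
    """One dict per listener from `winrm enumerate winrm/config/listener`;
    a key printed without '= value' (e.g. CertificateThumbprint) becomes ''."""
    listeners = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].strip() == "Listener":
            pairs = (line.strip().partition("=") for line in lines[1:])
            listeners.append({k.strip(): v.strip() for k, _, v in pairs})
    return listeners


def normalize_thumbprint(tp):
    """Tools differ in case and spacing; compare the hex digits only."""
    return re.sub(r"[^0-9a-f]", "", tp.lower())


def check_listener(listeners, server_tp, client_tp):
    """The HTTPS listener must carry the server's own certificate; the Ansible
    user's cert is presented by the client. Returns problems, [] when correct."""
    https = [l for l in listeners if l.get("Transport") == "HTTPS" and l.get("Enabled") == "true"]
    if not https:
        return ["no enabled HTTPS listener"]
    bound = normalize_thumbprint(https[0].get("CertificateThumbprint", ""))
    if not bound:
        return ["HTTPS listener has no CertificateThumbprint"]
    if bound == normalize_thumbprint(client_tp):
        return ["HTTPS listener is bound to the client (ansible user) certificate, not the server's"]
    if bound != normalize_thumbprint(server_tp):
        return ["HTTPS listener thumbprint does not match the server certificate"]
    return []


def parse_inventory_vars(text, group="windows"):
    """Read the [<group>:vars] section of an INI inventory (leading spaces tolerated)."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == f"{group}:vars" and "=" in line:
            key, _, value = line.partition("=")
            found[key.strip()] = value.strip()
    return found


def check_inventory(inv, service_basic_enabled):
    """Which auth will this inventory really send? With ansible_winrm_transport unset
    and port 5986 the winrm plugin picks 'ssl', and pywinrm falls back to Basic over
    TLS when no client cert is given; a service with Auth/Basic = false rejects that
    as "ssl: the specified credentials were rejected by the server"."""
    findings = []
    transport = inv.get("ansible_winrm_transport")
    has_cert = {"ansible_winrm_cert_pem", "ansible_winrm_cert_key_pem"} <= set(inv)
    if transport == "certificate":
        if not has_cert:
            findings.append(("error", "certificate transport needs ansible_winrm_cert_pem and ansible_winrm_cert_key_pem"))
        if "ansible_password" in inv:
            findings.append(("warning", "ansible_password is not used by certificate transport; drop it"))
    elif transport in (None, "ssl", "basic") and not has_cert and not service_basic_enabled:
        findings.append(("error", "Basic auth would be sent, but the service has Auth/Basic = false"))
    if inv.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append(("warning", "server certificate validation disabled; trust the server cert and validate in production"))
    return findings
```

Run against the posted values, check_listener returns no problems (the listener is already bound to the server certificate, so the thumbprint question is answered by the existing output), while check_inventory on the posted inventory reports that Basic would be sent against a service with Basic disabled, and reports nothing on the certificate-transport inventory. The cert_validation=ignore warning is there because a production inventory should trust the server certificate and validate it rather than skip the check.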