Using Ansible 1.9.4 and Python 2.7.10 on MacOSX 10.10.5
When attempting:
```
env ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ansible winserv -i …/windows_servers -m win_ping
```
I get:
```
54.68.166.123 | FAILED => 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
```
As suggested in previous postings, I have a file named fix-ssl.py in my callback_plugins folder:
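```
import ssl

# Replace the default HTTPS context factory with the unverified one,
# which turns off certificate verification for the whole process.
if hasattr(ssl, '_create_default_https_context') and hasattr(ssl, '_create_unverified_context'):
    ssl._create_default_https_context = ssl._create_unverified_context

class CallbackModule(object):
    pass
```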
And in my ansible.cfg file, I have:
```
bin_ansible_callbacks=True
callback_plugins = /callback_plugins/fix-ssl.py
```
How can I get this to work?
Has anyone gotten Ansible 1.9.4 to work with Windows Server using the “ansible” (not ansible-playbook) command?
J
Just wondering if the callback plugin is actually getting loaded.
You have
callback_plugins = /callback_plugins/fix-ssl.py
configured but that would be an unusual location if you intended an absolute path. I think you need to configure a full path to the folder, not the name of a file for callback_plugins if I recall.
So something like
callback_plugins = /usr/share/local/callback_plugins/
(and obviously you'd need to put `fix-ssl.py` into /usr/share/local/callback_plugins). I'm not familiar with OSX paths so /usr/share/local/callback_plugins is just intended to be an example folder.
Hope this helps,
Jon
I shortened the path to make the posting easier to read. The actual path is something much longer.
Thanks for taking the time to look though.
As far as I can see this works differently when using OSX as a control node as opposed to Ubuntu, CentOS or other Linux distros. I’m seeing a lot of these errors when Ansible is running from OSX. Not sure if pywinrm behaves differently on OSX than on Linux?
My impression is this is because of the python version that you get with recent OSX.
If I recall it was python 2.7.9 that introduced the cert checking in python.
There is quite a bit of noise about this issue under Ansible 1.94 and 2.00 here:
https://github.com/ansible/ansible/issues/10294
But no resolution.
J
Ok. Here’s something that works though it shouldn’t be done as it’s a security risk.
So, if you’re using the “ansible” command under MacOSX Yosemite, here’s how to get things to work:
- Edit (or create) the file /Library/Python/2.7/site-packages/sitecustomize.py
- Add this code to the file:
```
import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context
```
That’s it. Works great now. Security risk, obviously, but I consider this a temporary fix.
J
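An added example, not part of the thread: because the sitecustomize.py change above applies to every Python program that interpreter runs, this check reports whether the process-wide HTTPS context factory still verifies certificates and finds the line in a file that rebinds it. It is written for Python 3; the function names and sample strings are constructed for illustration.

```python
import ast
import ssl

FACTORY = "_create_default_https_context"


def default_https_verifies():
    """True if the process-wide HTTPS context factory still verifies peers."""
    ctx = getattr(ssl, FACTORY)()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def find_factory_overrides(source):
    """Return sorted line numbers where `source` rebinds <module>.FACTORY."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # Direct rebinding: ssl._create_default_https_context = ...
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == FACTORY:
                    hits.add(node.lineno)
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Name) and node.func.id == "setattr"
              and len(node.args) >= 2
              and isinstance(node.args[1], ast.Constant)
              and node.args[1].value == FACTORY):
            # Indirect rebinding: setattr(ssl, "_create_default_https_context", ...)
            hits.add(node.lineno)
    return sorted(hits)


# Constructed sample: the sitecustomize.py body discussed in the thread.
SAMPLE_SITECUSTOMIZE = """\
import ssl
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context
"""

# Constructed sample: a file that uses ssl without touching the factory.
SAMPLE_BENIGN = """\
import ssl
ctx = ssl.create_default_context()
"""

if __name__ == "__main__":
    print("default HTTPS factory verifies:", default_https_verifies())
    print("override lines:", find_factory_overrides(SAMPLE_SITECUSTOMIZE))
```

Running `find_factory_overrides` over the contents of sitecustomize.py and each file in the callback_plugins folder shows where a leftover override lives once the temporary fix is no longer needed.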
So just sharing: the solution presented below by Slim Slam also works on Fedora 23. Again, I understand it is not an ideal solution, but if you are tied to any Ansible version < 2 and can’t upgrade, it works as a temporary solution or workaround.