certificate: the specified credentials were rejected by the server

Hi, I’m using Ansible on Ubuntu 16.04 LTS and trying to manage my Win10 server.

But I met trouble when using certificate authentication:

```
gary@gary-HP-Pavilion-Notebook:~$ ansible win_test -m win_ping
192.168.1.207 | UNREACHABLE! => {
    "changed": false,
    "msg": "certificate: the specified credentials were rejected by the server",
    "unreachable": true
}
```

I just followed the Ansible documentation to set up the environment step by step:
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#certificate

My WinRM setting:

```
PS C:\Users\Test> winrm get winrm/config/Service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
```

Host vars:

```
[win_test]
192.168.1.207

[win_test:vars]
ansible_connection="winrm"
ansible_port=5985
ansible_winrm_cert_pem="/home/gary/Documents/cert.pem"
ansible_winrm_cert_key_pem="/home/gary/Documents/cert_key.pem"
ansible_winrm_transport="certificate"
```

Is anything wrong with my settings? Please help, thanks~

PS: It works when I use Basic authentication.

Certificate auth does not work over HTTP (port 5985). It’s part of the TLS protocol so you must use HTTPS.

Thanks

Jordan

Hi, Jordan. Thanks for your help~

After changing to HTTPS, I met this error:

```
192.168.1.207 | UNREACHABLE! => {
    "changed": false,
    "msg": "certificate: HTTPSConnectionPool(host='192.168.1.207', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
    "unreachable": true
}
```

Here is my config of the listener:

```
PS C:\Temp> winrm enumerate winrm/config/Listener
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = desktop-9qa0b18
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 4b 80 86 d5 fd 8f 90 20 36 fe a5 cf b1 9f cc 3f 98 ee 05 78
    ListeningOn =
```

I am not sure whether I generated the key in the right way or not. In fact, I am not familiar with things like SSL and HTTPS.
Here I write down the things I did to use HTTPS in WinRM:

  1. Use the IIS tool to create a self-signed certificate for my PC: desktop-9qa0b18

  2. Run this command to create the listener:

     ```
     winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="5986" ;Hostname="desktop-9qa0b18" ;CertificateThumbprint="4b 80 86 d5 fd 8f 90 20 36 fe a5 cf b1 9f cc 3f 98 ee 05 78"}
     ```

  3. Generate a certificate with openssl: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#generate-a-certificate

  4. Import a certificate: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#import-a-certificate-to-the-certificate-store

  5. Map the certificate to my account (username=Test): https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#mapping-a-certificate-to-an-account

  6. Run the command `ansible win_test -m win_ping` on the Linux side.

If you are using a self-signed certificate for the HTTPS listener (different from the user-mapped certificate) then you need to tell Ansible not to verify the server’s certificate with `ansible_winrm_server_cert_validation=ignore`. You can get Ansible to use a custom cert chain for verification once you get this working and you don’t want to use a self-signed certificate.
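
An added example, not part of the thread: a small Python check over an INI inventory that flags the two conditions discussed in the replies above, certificate transport pointed at the HTTP port and server certificate validation set to `ignore`. The sample inventory is constructed from the one posted (after the switch to 5986), and the function and finding names are this example's own.

```python
# Constructed sample: the thread's inventory after the HTTPS change, with the
# suggested validation override added. Host and paths are those from the post.
SAMPLE_INVENTORY = """\
[win_test]
192.168.1.207

[win_test:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_cert_pem=/home/gary/Documents/cert.pem
ansible_winrm_cert_key_pem=/home/gary/Documents/cert_key.pem
ansible_winrm_transport=certificate
ansible_winrm_server_cert_validation=ignore
"""

def group_vars(inventory_text):
    """Collect key=value pairs from every [group:vars] section."""
    groups, current = {}, None
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = name[:-5] if name.endswith(":vars") else None
            if current is not None:
                groups.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            groups[current][key.strip()] = value.strip().strip("\"'")
    return groups

def check_winrm_cert_auth(inventory_text):
    """Return (group, finding) pairs for groups using certificate transport."""
    findings = []
    for group, v in group_vars(inventory_text).items():
        transports = v.get("ansible_winrm_transport", "").split(",")
        if "certificate" not in transports:
            continue
        port = v.get("ansible_port", "5986")
        # Ansible uses https unless the port is 5985 or the scheme is set.
        scheme = v.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
        if scheme != "https":
            findings.append((group, "cert-auth-needs-https"))
        if v.get("ansible_winrm_server_cert_validation") == "ignore":
            findings.append((group, "server-cert-not-verified"))
    return findings
```

Pointing `ansible_winrm_ca_trust_path` at the listener's certificate (or its issuing CA) instead of setting `ignore` clears the second finding while keeping server verification on.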