certificate: the specified credentials were rejected by the server

Archives Ansible Project
1

Hi, I’m using ansible on Ubuntu 16.04 LTS and try to mange my win10 server.

But met trouble when I using Certificate authentication:

`

gary@gary-HP-Pavilion-Notebook:~$ ansible win_test -m win_ping
192.168.1.207 | UNREACHABLE! => {
“changed”: false,
“msg”: “certificate: the specified credentials were rejected by the server”,
“unreachable”: true
}

`

I just follow the Ansible Document to setup environment step by step:
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#certificate

My WinRM setting:

`

PS C:\Users\Test> winrm get winrm/config/Service
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = true
Auth
Basic = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true

`

Host vars:

[win_test]
192.168.1.207

[win_test:vars]
ansible_connection=“winrm”
ansible_port=5985
ansible_winrm_cert_pem=“/home/gary/Documents/cert.pem”
ansible_winrm_cert_key_pem=“/home/gary/Documents/cert_key.pem”
ansible_winrm_transport=“certificate”

Anything wrong with my settings? Please help, thanks~

PS: It works when I use Basic anthentication.

2

Certificate auth does not work over http (port 5985). It’s part of the TLS protocol so you must use https.

Thanks

Jordan

3

Hi, Jordan. Thanks for your help~

After changing to HTTPS, I met such error:

`

192.168.1.207 | UNREACHABLE! => {
“changed”: false,
“msg”: “certificate: HTTPSConnectionPool(host=‘192.168.1.207’, port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u’[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))”,
“unreachable”: true
}

`

Here is my config of the listener:

`

PS C:\Temp> winrm enumerate winrm/config/Listener
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname = desktop-9qa0b18
Enabled = true
URLPrefix = wsman
CertificateThumbprint = 4b 80 86 d5 fd 8f 90 20 36 fe a5 cf b1 9f cc 3f 98 ee 05 78
ListeningOn =

`

I am not sure whether I generate the key in right way or not. In fact, I am not familiar to those things like SSL, HTTPS.
Here I write down the things I did to use HTTPS in WinRM:

  1. Use the IIS tool to create a Self-Signed Certificate for my PC: desktop-9qa0b18

  2. Run command:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="5986" ;Hostname="desktop-9qa0b18" ;CertificateThumbprint="4b 80 86 d5 fd 8f 90 20 36 fe a5 cf b1 9f cc 3f 98 ee 05 78"}
to create listener

  1. Generate a certificate by openssl: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#generate-a-certificate

  2. Import a certificate: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#import-a-certificate-to-the-certificate-store

  3. Mapping the certificate to my account(username=Test) : https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#mapping-a-certificate-to-an-account

  4. Run command ansible win_test -m win_ping in linux side.

4

If you are using a self signed certificate for the https listener (different from the user mapped certificate) then you need to tell Ansible to not verify the server’s certificate with ‘ansible_winrm_server_cert_validation=ignore’. You can get Ansible to use a custom cert chain for verification once you get this working and you don’t want to use self signed certificate.