Issue with running Ansible playbook against windows.

Hi,

Thank you in advance to anyone who helps here. So I am unable to run playbooks against our Windows AWS instances. I was able to perform a win_ping, but when I attempt to run this task on the same instances that I am able to ping I get an SSL cert error. I have displayed all relevant information down below; let me know if any other information is required.

PLAYBOOK

Try running “ConfigureRemotingForAnsible.ps1” on the windows host you are trying to manage with Ansible.
If that doesn’t work try this command on the ansible host

telnet windows-host-name 5985

telnet windows-host-name 5986

If you see “Trying …” but it times out, then maybe the network ACL is not opened.

You can also try removing the existing listeners and then run ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl certificate using the following commands

winrm delete winrm/config/Listener?Address=*+Transport=HTTP

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

Thank you for responding.

I am able to telnet to the windows machine without a problem. But the playbook still presented the same error when it was run.

I ran the following commands on the Windows machine:

winrm delete winrm/config/Listener?Address=*+Transport=HTTP

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

followed up with the ConfigureRemotingForAnsible.ps1. I was able to telnet and win_ping but the error continues to occur when I run the playbook.

Hey there,

I was just cutting my teeth on executing playbooks against Windows. To add to Tony’s piece about the PowerShell script ConfigureRemotingForAnsible.ps1, which I had to do, I also had to pip install the following on the control machine inside my virtualenv:

pip install pywinrm
pip install pywinrm[kerberos]

Source: http://docs.ansible.com/ansible/latest/intro_windows.html

I’m not sure if this will help you or not but worth a shot if you haven’t already done so yet.

Good luck!

For some reason the ansible_winrm_server_cert_validation: ignore var is not being set for your Windows host hence the error. Can you test out the following before your win_stat task when running on the Windows host.

- debug:
    var: ansible_winrm_server_cert_validation

@jordan I completely agree. Although I have clearly stated in the group_vars/windwos.yml file to ignore cert validation it does not appear to acknowledge the setting.

With the tasks/main.yml file now looking like this:

I believe I may know what is happening and this was fixed in the latest devel branch so you can try that out if you like. Looks like it is failing to gather facts before it gets to your debug task, can you set gather_facts: no in your playbook as I’m really curious if the cert validation is being set properly.

A few other things that would be helpful to know

  • Run pip list and post the output
  • What version of Ansible are you on
  • What version of Python 2.7 are you on
  • If you turn on fact gathering, does it work if you explicitly set the ignore var on the stat task like so

- win_stat:
    path: C:\Users
  vars:
    ansible_winrm_server_cert_validation: ignore

Looks like you are using a dynamic inventory for your AWS hosts. Instead of having include_vars point to the Windows vars file, I would create an actual windows group in that inventory and add those hosts in there. In the end it would look something similar to this (untested)

inventory/hosts

[tag_OSType_Windows]
# keep empty, is populated in the dynamic inventory

[windows:children]
tag_OSType_Windows

inventory/ec2.py

… keep as normal, just to show how to mix/match dynamic and static inventories

inventory/ec2.ini

… keep as normal

group_vars/windows.yml

ansible_user: username
ansible_password: "#####"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https

# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

playbooks/windows.yml

- name: run test on Windows host
  hosts: '{{target}}'
  tasks:
  - win_stat:
      path: C:\Users

From there you would add a tag to the newly created instances, OSType: Windows, so that when Ansible reads it from the inventory it is automatically put in the Windows group. Even though you are running the playbook on the one host, it will inherit the group based on that tag, which in turn gets the Windows vars required.

Thanks

Jordan
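An added example, not part of the thread or of Ansible itself: a small static check for the layout described in the post above. It reports whether each group_vars file is named after a group declared in the INI inventory (a file that matches no group is never loaded) and whether it sets ansible_winrm_server_cert_validation. The function names and sample data are constructed; it assumes group_vars/<group>.yml files (not per-group directories) and only sees groups declared in the static hosts file.

```python
import re
from pathlib import PurePosixPath

VAR = "ansible_winrm_server_cert_validation"

def inventory_groups(ini_text):
    """Group names declared as [name], [name:children] or [name:vars]."""
    groups = {"all", "ungrouped"}  # implicit groups that always exist
    for line in ini_text.splitlines():
        m = re.match(r"\s*\[([^\]:]+)(?::(?:children|vars))?\]\s*$", line)
        if m:
            groups.add(m.group(1).strip())
    return groups

def cert_validation_setting(text):
    """Value of VAR in a YAML (key: value) or INI (key=value) file, else None."""
    m = re.search(r"^\s*%s\s*[:=]\s*['\"]?(\w+)" % VAR, text, re.MULTILINE)
    return m.group(1) if m else None

def audit(ini_text, group_var_files):
    """Return a sorted list of (path, status) for each group_vars file."""
    groups = inventory_groups(ini_text)
    report = []
    for path, text in sorted(group_var_files.items()):
        group = PurePosixPath(path).stem  # group_vars/windows.yml -> windows
        value = cert_validation_setting(text)
        if group not in groups:
            status = "unused: no group named %r" % group
        elif value == "ignore":
            status = "applies: certificate validation disabled"
        else:
            status = "applies: certificate validation %s" % (value or "default (validate)")
        report.append((path, status))
    return report

# Constructed sample input modelled on the inventory layout in the post above.
SAMPLE_INVENTORY = """\
[tag_OSType_Windows]
[windows:children]
tag_OSType_Windows
"""
SAMPLE_FILES = {
    "group_vars/windows.yml": "ansible_connection: winrm\n%s: ignore\n" % VAR,
    "group_vars/win_hosts.yml": "ansible_connection: winrm\n%s: ignore\n" % VAR,
}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_INVENTORY, SAMPLE_FILES):
        print("%-26s %s" % (path, status))
```

Every file reported as "certificate validation disabled" marks hosts whose WinRM HTTPS connection will accept any certificate, so the list doubles as an inventory of where that trade-off has been made.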

Hi Jordan, thank you for the suggestion on the inventory management. We can currently target any instance based on their tags. Here is the command I am using to issue the playbook.

ansible-playbook playbooks/windows.yml -e "target=tag_product_cse"

Here is the information you requested.

$ pip list
DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
ansible (2.3.2.0)
aws-amicleaner (0.1.2)
awscli (1.11.133)
blessings (1.6)
boto (2.48.0)
boto3 (1.4.6)
botocore (1.6.0)
certifi (2017.7.27.1)
cffi (1.9.1)
chardet (3.0.4)
colorama (0.3.7)
docutils (0.14)
ecdsa (0.13)
enum34 (1.1.6)
futures (3.1.1)
httplib2 (0.9.1)
hvac (0.3.0)
idna (2.5)
ipaddress (1.0.18)
Jinja2 (2.8)
jmespath (0.9.3)
kerberos (1.2.5)
MarkupSafe (0.23)
ntlm-auth (1.0.5)
ordereddict (1.1)
paramiko (1.16.0)
pip (9.0.1)
prettytable (0.7.2)
pyasn1 (0.2.3)
pycparser (2.17)
pycrypto (2.6.1)
python-dateutil (2.6.1)
pywinrm (0.3.0b1)
PyYAML (3.12)
requests (2.18.3)
requests-ntlm (1.0.0)
rsa (3.4.2)
s3transfer (0.1.10)
setuptools (20.7.0)
six (1.10.0)
termcolor (1.1.0)
urllib3 (1.22)
virtualenv (15.1.0)
wheel (0.29.0)
xmltodict (0.11.0)

$ ansible --version
ansible 2.3.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0 20160609]

$ python --version
Python 2.7.12

Here are the changes I made to the following files:

playbooks/windows.yml, roles/windows/task/main.yml, inventory/group_vars/windows.yml

Playbook: playbooks/windows.yml

I believe your issue is that ansible_winrm_server_cert_validation is being loaded with your include_vars directive in the playbook, and the way connection vars worked with Ansible before the current devel branch had a few issues. I would recommend you add

[all:vars]
ansible_winrm_server_cert_validation=ignore

to your inventory and try again. One more thing you can try is to use the latest checkout of Ansible and see if the issue is still there.

Thanks

Jordan