"msg": "ssl: the specified credentials were rejected by the server"

I’m trying to understand Ansible better in order to use it in my company’s production environment. In order to test and understand, I’ve set up 2 VMs with Server 2019 and am using a Windows 2010 system with WSL enabled and Ubuntu 22.04. There is no domain set up in this configuration and I don’t want to set one up. I do not want to use basic transport, so I have created a cert to use. Basically, I’ve followed these steps and had success before. A week ago I decided that I was going to try retracing my steps and see if I could duplicate the results again. Sadly, I have had no such luck. I get the following error when I try running a straight-up ansible command or using a playbook:
192.168.4.70 | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

Obviously, I’m missing something that I had not before and I’m at my wit’s end. The fixes I’ve seen posted are to use ntlm/Kerberos or enable basic. I’m not wanting to do either of these. I’m not sure about my cert. In this article it states “If you have more than one local computer account server certificate installed, confirm the Certificate Thumbprint displayed by Winrm enumerate winrm/config/listener is the same Thumbprint on the Details tab of the certificate.” In the steps I followed I have 2 thumbprints: 1 for the server and 1 from the ansible host.

$serverCert
Thumbprint                               Subject
----------                               -------
65F93B914048C98A567C71B1F7831F9873C283DB CN=WIN-C3EQOG6836M

$ansibleCert
Thumbprint                               Subject
----------                               -------
65D2499EB375E0B7064596D20AB096E21A184C69 CN=ansible

From details tab in Cert MMC
Trusted Root Certification Authorities/ansible & Trusted People
65d2499eb375e0b7064596d20ab096e21a184c69

PS C:\Users\Administrator> Winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = WIN-C3EQOG6836M
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 65F93B914048C98A567C71B1F7831F9873C283DB
    ListeningOn = 127.0.0.1, 192.168.4.70, ::1, fd5e:d04:f269:1:6014:e42c:ba33:80ab, fe80::6014:e42c:ba33:80ab%6

Should the thumbprint be the cert for the server or for the ansible user?

Here is my winrm/config:
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Also my ansible Inventory file:
[windows]
192.168.4.70
192.168.4.71

[windows:vars]
ansible_user=ansible
ansible_password=Password1!
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986

Due to a time crunch, and because this is just for testing and my own edification, I enabled basic auth and it’s working now. I want to understand better why I wasn’t able to leave basic off and rely on the certification.
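
Added example (not part of the original post): a small Python check that compares the auth scheme the inventory above will send with the schemes enabled under Service/Auth. It models the Ansible WinRM connection defaults as an assumption (no `ansible_winrm_transport` on HTTPS means `ssl`, which sends Basic over TLS unless both `ansible_winrm_cert_pem` and `ansible_winrm_cert_key_pem` are set); the sample data is constructed from the post, the password is redacted and the PEM paths are placeholders.

```python
# Added example: which WinRM auth scheme will this inventory send, and does the service accept it?
# Sample data constructed from the post (password redacted; PEM paths are placeholders).
INVENTORY_VARS = """\
ansible_user=ansible
ansible_password=REDACTED
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
"""
CERT_VARS = """\
ansible_winrm_transport=certificate
ansible_winrm_cert_pem=/path/to/cert.pem
ansible_winrm_cert_key_pem=/path/to/cert_key.pem
"""
SERVICE_AUTH = """\
Basic = false
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
"""

def parse_kv(text):
    """Parse 'key = value' lines into a dict with lower-cased keys."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def effective_auth(inv):
    """Assumed plugin defaults: https unless port 5985; no transport set means
    'ssl' on https ('plaintext' on http), and both send Basic without client-cert files."""
    transport = inv.get("ansible_winrm_transport")
    if not transport:
        default_scheme = "http" if inv.get("ansible_port") == "5985" else "https"
        https = inv.get("ansible_winrm_scheme", default_scheme) == "https"
        transport = "ssl" if https else "plaintext"
    transport = transport.split(",")[0].strip().lower()
    has_cert = "ansible_winrm_cert_pem" in inv and "ansible_winrm_cert_key_pem" in inv
    if transport == "certificate" or (transport == "ssl" and has_cert):
        return "certificate"
    # NTLM is negotiated under the service's Negotiate setting.
    return {"ssl": "basic", "plaintext": "basic", "ntlm": "negotiate"}.get(transport, transport)

def diagnose(inventory_text, service_auth_text):
    """Return (scheme the client will send, True if Service/Auth enables it)."""
    scheme = effective_auth(parse_kv(inventory_text))
    enabled = parse_kv(service_auth_text).get(scheme, "false").lower() == "true"
    return scheme, enabled

if __name__ == "__main__":
    print(diagnose(INVENTORY_VARS, SERVICE_AUTH))              # posted inventory
    print(diagnose(INVENTORY_VARS + CERT_VARS, SERVICE_AUTH))  # with client-cert settings
```

For the posted inventory the check reports Basic with the service refusing it, which lines up with the `ssl:` prefix in the error and `Basic = false` under Service/Auth. The `CertificateThumbprint` on the HTTPS listener identifies the server's TLS certificate; the client certificate is supplied from the Ansible side through the two PEM settings.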