Hi All,
I would like to have an SSL connection with my Windows machine using SSL cert validation.
Currently I am able to connect to the Windows machine using the winrm_server_cert_validation variable set to ignore.
Below is the configuration:
Ansible node on Ubuntu 64-bit, version: 2.1.1.0
Python version - 2.7.12+
Windows - Windows 10 OS
Please let me know how we can make an SSL connection with cert validation, as I don't want to ignore it, i.e. winrm_server_cert_validation = validate
Please also note my HTTPS port is 5896 and it currently has the self-signed cert thumbprint as well.
Do I need to set any other variables in the inventory? Or do I need to install any certs on the Ansible node? Do we need trusted certs?
Please help me.
WinRM is implemented as an HTTPS service, and if you want to be able to verify the certificates of that connection, you have to set them up first.

As can be seen from the docs at http://docs.ansible.com/ansible/intro_windows.html:

ansible_winrm_server_cert_validation: Specify the server certificate validation mode (ignore or validate). Ansible defaults to validate on Python 2.7.9 and higher, which will result in certificate validation errors against the Windows self-signed certificates. Unless verifiable certificates have been configured on the WinRM listeners, this should be set to ignore.

Note that this doesn't have anything to do with ansible, but is a generic systems administration issue.

For completeness: by default a self-signed cert is set up, but that will give you said warning.

If you control both ends (i.e. the boxes you want to manage, as well as the management station), you can deploy your own CA and sign clients certs using that.

Another option is to get (commercial) certificates from a CA that is also available on your management station.

Which option you choose depends on your situation and requirements.

BTW I assume that TCP port 5896 is a typ0? Because according to https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx the well-known port is 5986...
Dick
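A concrete version of the "deploy your own CA" option described above, as an added example that is not part of the thread: a POSIX shell script using the openssl CLI that creates a private CA, issues a CA-signed certificate for the Windows host and verifies the chain the way validate mode will. The host name, working directory and PFX export password are placeholders, and the REQUESTS_CA_BUNDLE hint assumes pywinrm's requests-based transport.

```shell
#!/bin/sh
# Added example (not from the thread): stand up a private CA, issue a listener
# certificate for the Windows host, and verify the chain on the Ansible node.
# Assumes the openssl CLI is installed; host name and directory are placeholders.
set -eu

# Create a CA and a CA-signed server certificate in $1 for host $2.
make_winrm_pki() {
  workdir="$1"; host="$2"
  mkdir -p "$workdir"
  # 1. Private CA. Keep ca.key offline; only ca.crt is distributed.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
  # 2. Key and CSR for the Windows host. The SAN must equal the host name
  #    Ansible connects to, otherwise validate mode still fails.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$workdir/$host.key" -out "$workdir/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$workdir/ext.cnf"
  # 3. Sign the CSR with the CA.
  openssl x509 -req -in "$workdir/$host.csr" \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -days 825 -extfile "$workdir/ext.cnf" -out "$workdir/$host.crt" 2>/dev/null
  # 4. PFX for import into the Windows machine's certificate store; the WinRM
  #    HTTPS listener is then bound to this certificate's thumbprint.
  #    "changeit" is a placeholder export password.
  openssl pkcs12 -export -inkey "$workdir/$host.key" -in "$workdir/$host.crt" \
    -certfile "$workdir/ca.crt" -passout pass:changeit -out "$workdir/$host.pfx"
}

# Check that the listener certificate chains to the CA (what Ansible's
# validate mode does once the CA is trusted on the management station).
verify_winrm_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Check that the certificate carries the expected DNS SAN.
cert_has_san() {
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}

# On the Ansible node, point pywinrm's HTTP library (requests) at the CA:
#   export REQUESTS_CA_BUNDLE=/path/to/ca.crt
# and set ansible_winrm_server_cert_validation=validate in the inventory.
# Usage: make_winrm_pki /tmp/winrm-pki win10.example.internal
```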