SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Hi

I’m running Ansible against a Windows host for testing purposes, but I am getting this error:

Red Hat 7.2
Ansible 1.9.2

[ansible-windows]$ ansible windows -i host -m win_ping -vvvvv

<srvspodvlmx01.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: prhtblad on PORT 5986 TO srvspodvlmx01.wt.mx.corp
<srvspodvlmx01.wt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://srvspodvlmx01.wt.mx.corp:5986/wsman
srvspodvlmx01.wt.mx.corp | FAILED => Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Any idea about this error?

Thanks

Hi,

Since Python 2.7.9 (I think), Python’s default behavior has been to validate certificates for any HTTPS connections.

The certificate used by the Windows hosts is likely self-generated, and therefore won’t be fully trusted.

So in order to avoid the certificate check, you have to set the following var in your ansible inventory/group_vars that apply to your windows hosts.

# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

It’s documented here: http://docs.ansible.com/ansible/intro_windows.html#inventory

If you would rather Python did check the certificate, then you will either need to trust the cert for each of your Windows hosts, or acquire trusted (not self-signed) certificates for each of your Windows hosts, add them to the computer certificate store and ensure that WinRM is using your new certificate.

Hope this helps,

Jon

Hi Jon

My Ansible control node has Python 2.7.5

[ansible@ansible-server ansible-windows]$ python --version
Python 2.7.5
[ansible@ansible-server ansible-windows]$

So I follow this link: http://docs.ansible.com/ansible/intro_windows.html

My windows.yml

[ansible@ansible-server ansible-windows]$ cat group_vars/windows.yml

# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml

ansible_ssh_user: ansible
ansible_ssh_pass: xxxxxx
ansible_ssh_port: 5986
ansible_connection: winrm

# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

I try with the recommendation for Python 2.7.9+ but it fails anyway

[ansible@ansible-server ansible-windows]$ ansible windows -i host -m win_ping -vvvvv
<mywindowshost.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO mywindowshost.wt.mx.corp
<mywindowshostwt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://mywindowshost.wt.mx.corp:5986/wsman
mywindowshost.wt.mx.corp | FAILED => Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

It fails with both methods, so I did a test connection with curl and it’s OK

[ansible@ansible-server ansible-windows]$ curl -vk -d "" -u "ansible:xxxxxxx" https://mywindowshost.wt.mx.corp:5986/wsman

* About to connect() to mywindowshost.wt.mx.corp port 5986 (#0)
* Trying 22.134.234.100...
* Connected to mywindowshost.wt.mx.corp (22.134.234.100) port 5986 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* start date: Jun 27 18:16:45 2016 GMT
* expire date: Jun 27 18:16:45 2017 GMT
* common name: mywindowshost
* issuer: CN=mywindowshost
* Server auth using Basic with user 'ansible'

POST /wsman HTTP/1.1
Authorization: Basic cHJodGJsYWQ6QmxhKjg2LmxvZw==
User-Agent: curl/7.29.0
Host: mywindowshost.wt.mx.corp:5986
Accept: */*
Content-Length: 0
Content-Type: application/x-www-form-urlencoded

< HTTP/1.1 411
< Server: Microsoft-HTTPAPI/2.0
< Date: Wed, 29 Jun 2016 18:19:37 GMT
< Connection: close
< Content-Length: 0
<

* Closing connection 0

Any idea?

Thanks

You need to be using at least Ansible 1.9.4 (preferably 2.1) and pywinrm 0.1.1 (preferably 0.2.0) to pass the certificate validation disable to pywinrm. 1.9.2 will be very slow and suboptimal for Windows work in many ways.

Hi

I remove that line and try again

[ansible@ansible-server ansible-windows]$ cat group_vars/windows.yml

# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml

ansible_ssh_user: ansible
ansible_ssh_pass: xxxxxx
ansible_ssh_port: 5986
ansible_connection: winrm

but I am getting the same error:

[ansible@ansible-server ansible-windows]$ ansible windows -i host -m win_ping -vvvvv
<mywindowshost.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO srvspodvlmx01.wt.mx.corp
<mywindowshost.wt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://mywindowshost.wt.mx.corp:5986/wsman
mywindowshost.wt.mx.corp | FAILED => Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

I follow all requirements

Any suggestion?

Regards

Just out of curiosity, why are you still using Ansible 1.9? The Windows support was barely working there; things are much faster and more supported in the 2.x series. You’ll absolutely need the ansible_winrm_server_cert_validation: ignore to get past this, and you need to be on a minimum of 1.9.5 (I think I might’ve said 1.9.4 before).
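
Added example (not part of the thread and not Ansible project code): a small Python audit for vars files like the group_vars/windows.yml shown above. It flags every active `ansible_winrm_server_cert_validation: ignore` and every password kept outside ansible-vault, so hosts running without certificate validation can be tracked and later moved to trusted certificates. The function name, finding strings and sample file are constructed for illustration; `ansible_password` is the Ansible 2.x name for the password variable.

```python
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"   # first bytes of a file encrypted with ansible-vault
KEY_VALUE = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(.*?)\s*(?:#.*)?$")
PASSWORD_KEYS = {"ansible_ssh_pass", "ansible_password"}

def audit_group_vars(name, text):
    """Return a list of (file, line_no, finding) tuples for one vars file."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []  # whole file is vault-encrypted; nothing readable to audit
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # a commented-out setting is not active
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if key == "ansible_winrm_server_cert_validation" and value.lower() == "ignore":
            findings.append((name, line_no, "TLS certificate validation disabled"))
        elif key in PASSWORD_KEYS and value and not value.startswith("!vault"):
            findings.append((name, line_no, "password stored in clear text"))
    return findings

# Constructed sample modelled on the group_vars/windows.yml posted in this thread.
SAMPLE = """\
# constructed sample
ansible_ssh_user: ansible
ansible_ssh_pass: xxxxxx
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""

if __name__ == "__main__":
    for file_name, line_no, finding in audit_group_vars("group_vars/windows.yml", SAMPLE):
        print("%s:%d: %s" % (file_name, line_no, finding))
```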