win_uri returning "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

In my Ansible playbook I have a task that calls the “uri” module when running on Linux systems and “win_uri” when run on Windows systems. The remainder of the task is identical:

  - name: init
    win_uri:
      url: "https://ucp01/_thereisnosuchpage"
      headers:
        Content-Type: application/json
      method: POST
      status_code: 200,500
      validate_certs: no
    register: checks
    failed_when: false
    changed_when: false

The code executes fine on the Linux systems but win_uri on the Windows systems returns:

ok: [nm-win-worker01] => {
    "changed": false,
    "content_type": null,
    "failed_when_result": false,
    "method": "POST",
    "msg": "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
    "url": "https://ucp01/_thereisnosuchpage",
    "use_basic_parsing": true
}

The task has “validate_certs: no” and I’m using the following WinRM configuration:

ansible_winrm_server_cert_validation: ignore

Is there any way to get win_uri to ignore this SSL/TLS issue and query the remote web server?

This could be either of 2 things:

  • The validate_certs option is not removing the certificate check like it should
  • The TLS endpoint only works with TLS 1.2 and not TLS 1.0

The error message you are getting definitely sounds like the first one but it could technically be the 2nd. The win_uri module had a bit of an overhaul for the 2.5 release as there were a few issues with the previous form and hopefully it has been fixed. It would be great if you could test it out and leave some feedback if it doesn’t before the final release happens. You can either install it directly from pypi or just copy the file from https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_uri.ps1 into the library folder adjacent to your role or playbook and it will override the default one.

Let me know if you have any troubles but I expect the 2.5 version to fix both of the issues I listed.

Thanks

Jordan

Thanks for your help Jordan.

I’ve pulled down the latest win_uri.ps1 code from GitHub and placed it in a “library” directory in my role. When I attempt to run the playbook I get this:

fatal: [nm-win-worker01]: FAILED! => {
    "msg": "Could not find imported module support code for 'Ansible.ModuleUtils.FileUtil'."
}

Looking in my powershell module directory:

ll /usr/lib/python2.7/site-packages/ansible/module_utils/powershell

total 52
-rw-r--r--. 1 root root 2430 Nov 29 21:08 Ansible.ModuleUtils.CamelConversion.psm1
-rw-r--r--. 1 root root 17047 Nov 29 21:08 Ansible.ModuleUtils.CommandUtil.psm1
-rw-r--r--. 1 root root 13670 Nov 29 21:08 Ansible.ModuleUtils.Legacy.psm1
-rw-r--r--. 1 root root 3345 Nov 29 21:08 Ansible.ModuleUtils.SID.psm1
-rw-r--r--. 1 root root 0 Nov 29 21:08 __init__.py
-rw-r--r--. 2 root root 163 Jan 16 18:28 __init__.pyc
-rw-r--r--. 2 root root 163 Jan 16 18:28 __init__.pyo

Looks like I don’t have the Ansible.ModuleUtils.FileUtil psm1. I pulled down the latest version of this file from GitHub and put it in the above powershell directory and then the win_uri code returned the 404 error as expected and no SSL/TLS error:

ok: [nm-win-worker01] => {
    "changed": false,
    "failed_when_result": false,
    "msg": "WebException occurred when sending web request: The remote server returned an error: (404) Not Found.",
    "url": "https://nm-ucp01/_thereisnosuchpage"
}

Looks like the changes for 2.5 will fix this problem.

Regards,

Dave

Hey Dave

Sorry I should have realised it used a newer module_util not available in previous versions. Glad to hear it was fixed and if you wanted to use it with the existing version you can change the ‘Test-AnsiblePath’ to ‘Test-Path’ on these lines https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_uri.ps1#L45-L50 as well as remove this line https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_uri.ps1#L9.

You can also do what you did and copy the new module_util into Ansible or even add that to the library path by following https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_general_windows.html#windows-module-utilities. The files would go into another folder called ‘module_utils’ alongside the library one and Ansible should pick that up.

Thanks

Jordan

Hey Jordan,

Thanks again for the help. One other related question - I notice that the win_uri call returns vastly different output than the Linux equivalent uri call. The same code run against a Linux host calling uri returns:

ok: [nm-win-worker01 -> localhost] => {
    "changed": false,
    "connection": "close",
    "content": "404 page not found\n",
    "content_length": "19",
    "content_type": "text/plain; charset=utf-8",
    "date": "Sun, 25 Feb 2018 17:27:39 GMT",
    "failed_when_result": false,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": null,
            "body_format": "raw",
            "client_cert": null,
            "client_key": null,
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Content-Type": "application/json"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200",
                "500"
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "https://nm-ucp01.cloudra.local/_thereisnosuchpage",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": false
        }
    },
    "msg": "Status code was not [200, 500]: HTTP Error 404: Not Found",
    "redirected": false,
    "status": 404,
    "url": "https://nm-ucp01.cloudra.local/_thereisnosuchpage",
    "x_content_type_options": "nosniff"
}

We get back the remote Web server’s status of 404 in the status field. It looks like win_uri only returns the status in a successful call, whereas the uri call always returns status. Our code was using the returned status to verify the uri/web_uri call but that doesn’t work when we’re intentionally searching for a page we know doesn’t exist. Do you know if this behavior will eventually sync up between Linux and Windows modules or is there a reason why win_uri only returns status on successful calls?

Thanks again,

Dave

There would be no real reason as far as I’m aware, just a mismatch of features and implementation. The big difference would be the values we can observe on the .NET function that is used to make the calls compared to what the Python impl would use.

While saying that, I would raise an issue on GH saying the return results are different and show the comparison there as the values might be different but we would want the structure to at least be similar. You can always override the erroneous codes with “status_code” argument and then handle it from there.

Thanks

Jordan

I opened https://github.com/ansible/ansible/issues/36760 for this issue.

Dave
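
An added example (not code from the thread or from the Ansible project): a small Ansible filter plugin that pulls the HTTP status out of a registered uri or win_uri result, falling back to the message text when, as in the win_uri output quoted above, the status field is missing. The filter name `http_status` is hypothetical and the `status_code` key for a successful win_uri call is an assumption; the message formats are the ones quoted in the thread.

```python
import re

# Message shapes quoted in this thread:
#   win_uri: "... The remote server returned an error: (404) Not Found."
#   uri:     "Status code was not [200, 500]: HTTP Error 404: Not Found"
_MSG_PATTERNS = (
    re.compile(r"returned an error: \((\d{3})\)"),
    re.compile(r"HTTP Error (\d{3})\b"),
)


def http_status(result):
    """Return the HTTP status from a registered uri/win_uri result, or None.

    None means no HTTP response was received at all (for example the TLS
    trust failure at the top of the thread), which is not the same as a 404.
    """
    # "status" is what uri returned above; "status_code" is assumed for win_uri.
    for key in ("status", "status_code"):
        value = result.get(key)
        if isinstance(value, int) and 100 <= value <= 599:
            return value
    # No usable field: fall back to the status embedded in the message text.
    msg = result.get("msg") or ""
    for pattern in _MSG_PATTERNS:
        match = pattern.search(msg)
        if match:
            return int(match.group(1))
    return None


class FilterModule(object):
    """Ansible filter plugin entry point: {{ checks | http_status }}."""

    def filters(self):
        return {"http_status": http_status}


# Constructed samples, trimmed from the outputs quoted in the thread.
WIN_404 = {"changed": False, "msg": "WebException occurred when sending web request: "
           "The remote server returned an error: (404) Not Found."}
WIN_TLS = {"changed": False, "msg": "The underlying connection was closed: Could not "
           "establish trust relationship for the SSL/TLS secure channel."}
LINUX_404 = {"status": 404,
             "msg": "Status code was not [200, 500]: HTTP Error 404: Not Found"}
```

Saved in a `filter_plugins` directory next to the playbook, this lets one `checks | http_status` expression serve both the Linux and the Windows branch of the task.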