Windows Server target using Amazon Linux

Ansible 2.0.1

Control machine: Latest version of Amazon Linux - CentOS 6 variant (has stock Python 2.7.10)
Target machine: AWS Windows Server 2012R2 (prepared for Ansible)

Two errors occur:

  1. “ImportError: No module named xmltodict”

Solution:

Things that DID NOT WORK:
pip install xmltodict
pip install python-xmltodict
yum install xmltodict
yum install python-xmltodict

Thing that DID WORK:
pip install --upgrade pywinrm --user python

  2. “WinRMTransportError: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed”

Solution:
There are a few solutions, but I like my solution here:
https://groups.google.com/d/msg/ansible-project/PNzzvbeT5hY/BwfgLOBIDAAJ

Slightly modified for Amazon Linux:

Edit (or create) the file /usr/lib/python2.7/site-packages/sitecustomize.py
Add this code to the file:

```
import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context
```

Isn’t this supposed to be fixed (or have an option) in Ansible 2?

The appropriate solution to verifying SSL or not in v2 is to put the following in your inventory:

ansible_winrm_server_cert_validation=ignore ansible_winrm_transport=ssl

As for xmltodict, you didn’t say why those things didn’t work, but a pip install -U xmltodict --user python should have worked. I notice that the thing that did work indicated that you needed to use --user, and the things that didn’t work did not include that flag.

Thanks Matt!

J

Hi Matt, I’m using dynamically generated inventory in this case. So, I’ve used Ansible to generate a Windows instance and then I do this:

```
PLAY [Configure the EC2 instance] **********************************************

TASK [setup] *******************************************************************
gather_facts: True
vars:
  ansible_port: 5986
  ansible_connection: winrm
  ansible_winrm_transport: ssl
  ansible_winrm_server_cert_validation: ignore
```

And I get this outcome:

```
PLAY [Configure the EC2 instance] **********************************************

TASK [setup] *******************************************************************
<52.36.20.10> ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 5986 TO 52.36.20.10
<52.36.20.10> WINRM CONNECT: transport=ssl endpoint=https://52.36.20.10:5986/wsman
<52.36.20.10> WINRM CONNECTION ERROR: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 138, in _winrm_connect
    protocol.send_message('')
  File "/home/ec2-user/.local/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/home/ec2-user/.local/lib/python2.7/site-packages/winrm/transport.py", line 138, in send_message
    raise WinRMTransportError('http', ex.reason)
WinRMTransportError: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
fatal: [52.36.20.10]: FAILED! => {"failed": true, "msg": "ssl: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)"}
```

Am I missing something here??

-J

I recommend reading over https://github.com/ansible/ansible/issues/14710

Per that issue, ansible_winrm_server_cert_validation can only be set via inventory.

I don’t see any reasonable way to do that using my dynamic inventory in this case. I’m going to stick to my patch (above) for now. I hope this is fixed in 2.1 or sooner.

J
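
For hosts that come from a dynamic inventory script, the inventory-only variables discussed in this thread can be attached by wrapping that script and merging them into `_meta.hostvars` for one group, which keeps certificate validation disabled only for those WinRM hosts rather than for every Python HTTPS client on the control machine. This is an added example, not code from the thread or from Ansible; the upstream script path, the `windows` group name and the two environment variable names are assumptions, and the sample inventory is constructed.

```python
#!/usr/bin/env python
"""Inventory wrapper: add WinRM connection vars to one group's hosts only."""
import copy
import json
import os
import subprocess
import sys

# Inventory variables quoted in the thread above.
WINRM_VARS = {
    "ansible_connection": "winrm",
    "ansible_port": 5986,
    "ansible_winrm_transport": "ssl",
    "ansible_winrm_server_cert_validation": "ignore",
}

# Constructed sample of upstream `--list` output (group names are assumptions).
SAMPLE = {
    "windows": ["52.36.20.10"],  # legacy form: group is a bare host list
    "linux": {"hosts": ["10.0.0.5"], "vars": {}},
    "_meta": {"hostvars": {"52.36.20.10": {"ec2_platform": "windows"}}},
}


def inject_winrm_vars(inventory, group, extra=WINRM_VARS):
    """Return a copy of inventory with extra merged into hostvars of group's hosts."""
    inv = copy.deepcopy(inventory)
    entry = inv.get(group, [])
    hosts = entry.get("hosts", []) if isinstance(entry, dict) else list(entry)
    hostvars = inv.setdefault("_meta", {}).setdefault("hostvars", {})
    for host in hosts:
        merged = dict(extra)
        merged.update(hostvars.get(host, {}))  # values already set upstream win
        hostvars[host] = merged
    return inv


def main(argv):
    # UPSTREAM_INVENTORY and WINRM_GROUP are hypothetical names for this example.
    if "--host" in argv:
        print("{}")  # per-host vars are already served through _meta
        return
    upstream = os.environ.get("UPSTREAM_INVENTORY", "./upstream_inventory")
    raw = subprocess.check_output([upstream, "--list"])
    inv = json.loads(raw.decode("utf-8"))
    group = os.environ.get("WINRM_GROUP", "windows")
    print(json.dumps(inject_winrm_vars(inv, group), indent=2, sort_keys=True))


if __name__ == "__main__":
    main(sys.argv)
```

Hosts outside the named group receive none of these variables, and a host that already carries its own `ansible_winrm_server_cert_validation` value upstream keeps it.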