winrm and https

Frantisek_Griga · June 23, 2016, 8:54am

Hello,

I have a problem with using Ansible to manage Windows machines.

I have one virtual machine with Debian 8, Ansible 2.1.0.0 installed through PPA and Python 2.7.9. Then I have a second VM with Windows 10. I would like to send commands from Debian (Ansible) machine to Windows machine using WinRM through HTTPS (I do not want to use Kerberos - I need to connect to Windows local account), but something goes wrong. If I use "ansible_winrm_server_cert_validation: ignore" conf option, everything is fine - I have this:

root@debx-test:~# ansible 192.168.0.1 -m win_ping
192.168.0.1 | SUCCESS => {
"changed": false,
"ping": "pong"
}

but that is something I do not want to use, because I considere that as a security risk. When I turn the option off, I have this:

root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO 192.168.0.1
<192.168.0.1> WINRM CONNECT: transport=plaintext endpoint=https://192.168.0.1:5986/wsman
<192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
Traceback (most recent call last):
   File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 152, in _winrm_connect
     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
   File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 132, in open_shell
     res = self.send_message(xmltodict.unparse(req))
   File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 207, in send_message
     return self.transport.send_message(message)
   File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 173, in send_message
     response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
   File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
     r = adapter.send(request, **kwargs)
   File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
     raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

192.168.0.1 | UNREACHABLE! => {
     "changed": false,
     "msg": "plaintext: (\"bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
     "unreachable": true
}

does not matter, what certificate I am using. I tried to create CA on Ansible machine, sign Windows CSR, import certificate to Windows, reconfigure HTTPS listener and import CA certificate to trusted certificates on Debian - does not help. I am sure I did everything OK, because it is working for example on the test web server on Windows machine.

Is it possible to run Ansible with Windows really securelly? How? What should I try?

Thanks for reply,
Frantisek Griga

j.r.hawkesworth · June 23, 2016, 5:00pm

As well as getting a valid, trusted cert generated for your host (and each of your windows hosts), I believe you should use the hostname rather than ip address.

Matt_Davis · June 23, 2016, 5:18pm

This. Python is unfortunately not very verbose about why cert validation fails, but you absolutely need to be using ansible_host or the inventory hostname that matches the CN or a SAN in the certificate you created. Python 2.x does not support IP CN/SANs yet (3.x does, but IIRC it hasn’t been backported), so you must use a symbolic hostname.

Frantisek_Griga · June 24, 2016, 6:14am

Hello,

thanks for answers. I tried that, but hostnames does not help. Any other ideas? Is anybody who use Ansible on Debian (successfuly)?

FG

Dňa 23. 6. 2016 o 19:18 Matt Davis napísal(a):

Mike_Fennemore · June 24, 2016, 6:55am

Is there a method for using HTTPS with certificate validation with Python 2.79? Have been reading this http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure . Admittedly this is Chef but I would assume the WinRM concepts remain the same.

Frantisek_Griga · June 24, 2016, 7:21am

So I could not be sure, if the Debian version has cert validation ability, but upstream version should have.
https://www.python.org/downloads/release/python-279/

Dňa 24. 6. 2016 o 8:55 Mike Fennemore napísal(a):

Jonathan_Anderson · June 24, 2016, 1:00pm

Here is a list of 9 items to check. You may already have done all of these but skipping any one of them will prevent it from working.

https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/ansible-project/HKgh7jtsFsk

Anjana_Raghavendra_P · August 9, 2016, 9:30pm

Hi,

I am also getting the same error when i tried to run a play with host: local and a task with delegate_to: windows in ubuntu 14.04. But the same task works if I specify the host: windows at play level. Can anyone help me in this?

Topic		Replies	Views
Problems with Ansible and WinRM Ansible Project ubuntu , windows	2	1	April 30, 2019
winrm.py tries SSL handshake on WinRM HTTP port Ansible Project windows	1	0	May 1, 2015
Access to windows host machine on ubuntu local Get Help ubuntu , windows , aws , network	10	203	June 11, 2024
Problems setting up WinRM Ansible Project ubuntu , windows	23	0	April 26, 2015
Connection problem with a windows machine since ansible Ansible Project windows	4	0	August 12, 2015

winrm and https

Related topics