winrm certificate authentication

Hi,

I have two VMs the first one is centos 7 VM with ansible 2.2.1 installed (ip: 192.168.26.2)
the second one is a windows 10 VM (ip: 192.168.26.3)

I have managed to connect to windows VM from centos VM using basic authentication (username + password)

I need to use certificate authentication between centos and windows and I did the following with no success:

  1. I have generated a self-signed certificate in the windows VM then I have installed it with the following command

$ip = "192.168.26.3"
$c = New-SelfSignedCertificate -DnsName $ip -CertStoreLocation cert:\LocalMachine\My

  2. I have created the following winrm listener on the windows VM:
    winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$ip`";CertificateThumbprint=`"$($c.Thumbprint)`"}"

  3. I have generated a private key on centos VM:
    openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

  4. I have generated a csr on centos VM:
    openssl req -key private_key.pem -new -out ansible.csr

  5. I have signed the csr (ansible.csr) using the self-generated certificate in windows VM
    openssl ca -out ansible.crt -infiles ansible.csr

  6. I have edited the inventory file:
    [test]
    192.168.26.2
    [test:vars]
    ansible_user=administrator
    ansible_winrm_port=5986
    ansible_connection=winrm
    ansible_winrm_scheme=https
    ansible_winrm_transport=certificate
    ansible_winrm_server_cert_validation=ignore
    ansible_winrm_cert_key_pem=path/to/private/key/private_key.pem
    ansible_winrm_cert_pem=path/to/certificate/ansible.crt

  7. I have executed the following command but it failed
    ansible -i pilote.ini test win_ping

I had the following error:
    msg: "certificate: the specified credentials were rejected by the server"

Can you point out what I am doing wrong?
Thank you

Doesn’t look like you actually set up the cert->user mapping. Take a look at http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm - it’s a decent end-to-end tutorial on how to set it up. That said, I’d strongly recommend you don’t use it - the mapping is brittle, it doesn’t work for domain users, and underlying urllib3 requirements mean that the cert has to be sitting on disk unencrypted. Most folks are better off just using vaulted passwords.

-Matt

Thank you for the response,

I need to use certificate based authentication because I need to automate the whole process without any obvious security risks. My playbook along with other files (inventory, group_vars, roles) will be in a “semi public” repository, so I can’t hard-code the passwords. Even if I used vaulted passwords I would need to type the encryption passphrase in a clear-text file, and I can’t risk having the same encryption passphrase for all hosts.

@Hmdi Did you have any progress on the issue? I am trying to achieve the same result with the same level of success. I came across the blog post that Matt had referenced. Unfortunately, it explains how to do it for Windows-to-Windows but omits the part about how a Windows-created certificate is translated into a private/public key pair.