Ansible 1.9.4 CERTIFICATE_VERIFY_FAILED when connecting to Windows Server


Slim Slam

Oct 11, 2015, 1:21:05 AM
to Ansible Project

Using Ansible 1.9.4 and Python 2.7.10 on MacOSX 10.10.5

When attempting:

env ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ansible winserv -i ../windows_servers -m win_ping

I get:

54.68.166.123 | FAILED => 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

As suggested in previous postings, I have a file named fix-ssl.py in my callback_plugins folder:

import ssl
if hasattr(ssl, '_create_default_https_context') and hasattr(ssl, '_create_unverified_context'):
    ssl._create_default_https_context = ssl._create_unverified_context

class CallbackModule(object):
    pass

And in my ansible.cfg file, I have:

bin_ansible_callbacks=True
callback_plugins = /callback_plugins/fix-ssl.py

How can I get this to work?

Slim Slam

Oct 12, 2015, 11:31:27 AM
to Ansible Project
Has anyone gotten Ansible 1.9.4 to work with Windows Server using the "ansible" (not ansible-playbook) command?


J Hawkesworth

Oct 13, 2015, 8:45:47 AM
to Ansible Project
Just wondering if the callback plugin is actually getting loaded.

You have

callback_plugins = /callback_plugins/fix-ssl.py


configured but that would be an unusual location if you intended an absolute path.  I think you need to configure a full path to the folder, not the name of a file for callback_plugins if I recall.

So something like

callback_plugins = /usr/share/local/callback_plugins/


(and obviously you'd need to put fix-ssl.py into /usr/share/local/callback_plugins).  I'm not familiar with OSX paths so /usr/share/local/callback_plugins is just intended to be an example folder.

Hope this helps,

Jon

Jason Levitt

Oct 16, 2015, 10:48:06 AM
to ansible...@googlegroups.com
I shortened the path to make the posting easier to read. The actual path is something much longer. :)

Thanks for taking the time to look though.

Trond Hindenes

Oct 16, 2015, 10:59:23 AM
to Ansible Project
As far as I can see this works differently when using OSX as a control node as opposed to Ubuntu, CentOS or other Linux distros. I'm seeing a lot of these errors when Ansible is running from OSX. Not sure if pywinrm behaves differently on OSX than on Linux?

J Hawkesworth

Oct 16, 2015, 11:05:47 AM
to Ansible Project
My impression is this is because of the Python version that you get with recent OSX.

If I recall it was Python 2.7.9 that introduced the cert checking in Python.

Slim Slam

Oct 16, 2015, 11:37:07 AM
to Ansible Project
There is quite a bit of noise about this issue under Ansible 1.94 and 2.00 here:  

Slim Slam

Oct 16, 2015, 12:13:32 PM
to Ansible Project
Ok. Here's something that works though it shouldn't be done as it's a security risk.

So, if you're using the "ansible" command under MacOSX Yosemite, here's how to get things to work:

1. Edit (or create) the file /Library/Python/2.7/site-packages/sitecustomize.py
2. Add this code to the file:

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context


That's it. Works great now. Security risk, obviously, but I consider this a temporary fix.
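
What the sitecustomize.py override above changes at runtime, as an added example that is not part of the original thread: it audits the process-wide default HTTPS context before, during and after the override, and shows that an unrelated HTTPS client built in the same process stops verifying too. It is written for Python 3 (the thread used 2.7.10); the function names and the host winserv.example are made up for illustration.

```python
import contextlib
import http.client
import ssl


def default_https_status():
    """Describe the context that HTTPS clients get when they pass none."""
    ctx = ssl._create_default_https_context()
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "verifies": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def new_connection_verifies(host="winserv.example"):  # hypothetical host name
    """True if a freshly built HTTPSConnection would validate the server cert.

    Nothing is sent on the network: the object is only constructed.
    _context is a private CPython attribute, read here for inspection only.
    """
    ctx = http.client.HTTPSConnection(host)._context
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


@contextlib.contextmanager
def thread_override():
    """Apply the override from the thread, then restore the original factory."""
    original = ssl._create_default_https_context
    ssl._create_default_https_context = ssl._create_unverified_context
    try:
        yield
    finally:
        ssl._create_default_https_context = original


def audit():
    """Return verification state before, during and after the override."""
    report = {"before": default_https_status()}
    with thread_override():
        report["during"] = default_https_status()
        report["unrelated_client_verifies"] = new_connection_verifies()
    report["after"] = default_https_status()
    return report


if __name__ == "__main__":
    for stage, state in audit().items():
        print(stage, state)
```

Calling default_https_status() from the interpreter that runs ansible shows whether a sitecustomize.py or callback plugin has already switched verification off for that Python installation.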


Eduardo Cerqueira

Apr 5, 2016, 5:09:40 PM
to Ansible Project
So just sharing: the solution presented below by Slim Slam also works on Fedora 23. Again, I understand it is not an ideal solution, but if you are tied to any Ansible version < 2 and can't upgrade, it works as a temporary solution or workaround.