Issue with running Ansible playbook against windows.


Alexmil Reyes

Dec 14, 2017, 5:44:18 PM
to Ansible Project
Hi, 

Thank you in advance to anyone who helps here. So I am unable to run playbooks against our Windows AWS instances. I was able to perform a win_ping, but when I attempt to run this task on the same instances that I am able to ping I get an SSL cert error. I have displayed all relevant information down below; let me know if any other information is required.


PLAYBOOK
---

- hosts: "{{target}}"
  roles:
    - windows
  vars_files:
    - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"


TASK MAIN.YML
---
# Obtain information about a folder
- win_stat:
    path: C:\Users
  register: folder_info
 

WIN_VARS
ansible_user: username
ansible_password: "#####"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore


WIN_PING
10.100.22.111 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


ERROR
fatal: [10.100.22.111]: UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
    "unreachable": true
}


Tony Chia

Dec 15, 2017, 2:31:14 PM
to Ansible Project
Try running "ConfigureRemotingForAnsible.ps1" on the windows host you are trying to manage with Ansible.
If that doesn't work try this command on the ansible host

telnet windows-host-name 5985
telnet windows-host-name 5986

If you see "Trying ..." but it times out, then maybe the network ACL is not open.

Tony Chia

Dec 15, 2017, 3:03:36 PM
to Ansible Project
You can also try removing the existing listeners and then run ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl certificate using the following commands

winrm delete winrm/config/Listener?Address=*+Transport=HTTP

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

Alexmil Reyes

Dec 15, 2017, 4:50:41 PM
to Ansible Project
Thank you for responding. 

I am able to telnet to the windows machine without a problem. But the playbook still presented the same error when it was run. 

I ran the following commands on the Windows machine:

winrm delete winrm/config/Listener?Address=*+Transport=HTTP

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS


followed up with ConfigureRemotingForAnsible.ps1. I was able to telnet and win_ping, but the error continues to occur when I run the playbook.

Heather Luna

Dec 15, 2017, 5:14:13 PM
to Ansible Project
Hey there, 

I was just cutting my teeth on executing playbooks against Windows. To add to Tony's piece about the PowerShell script ConfigureRemotingForAnsible.ps1, which I had to do, I also had to pip install the following on the control machine inside my virtualenv:

pip install pywinrm 
pip install pywinrm[kerberos]


I'm not sure if this will help you or not but worth a shot if you haven't already done so yet. 

Good luck!

Jordan Borean

Dec 15, 2017, 7:41:37 PM
to Ansible Project
For some reason the ansible_winrm_server_cert_validation: ignore var is not being set for your Windows host, hence the error. Can you test out the following before your win_stat task when running on the Windows host?

- debug:
    var: ansible_winrm_server_cert_validation

Alexmil Reyes

Dec 18, 2017, 9:57:15 AM
to Ansible Project
@jordan I completely agree. Although I have clearly stated in the group_vars/windows.yml file to ignore cert validation, it does not appear to acknowledge the setting.

With the tasks/main.yml file now looking like this:

---
# Obtain information about a folder
- debug:
    var: ansible_winrm_server_cert_validation
- win_stat:
    path: C:\Users
  register: folder_info

I get the same result. 


ubuntu@ip-x-x-x-x:~/infratools/ansible$ play playbooks/windows.yml -e "target=tag_Name_R2_CSE03" -vvv
Using /home/ubuntu/infratools/ansible/ansible.cfg as config file

PLAYBOOK: windows.yml *****************************************************************************************************************
1 plays in playbooks/windows.yml

PLAY [tag_Name_R2_CSE03] **************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
<x.x.x.x> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986 TO x.x.x.x
fatal: [x.x.x.x]: UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: HTTPSConnectionPool(host='x.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
    "unreachable": true
}

Jordan Borean

Dec 18, 2017, 4:19:05 PM
to Ansible Project
I believe I may know what is happening and this was fixed in the latest devel branch so you can try that out if you like. Looks like it is failing to gather facts before it gets to your debug task, can you set gather_facts: no in your playbook as I'm really curious if the cert validation is being set properly.

A few other things that would be helpful to know

* Run pip list and post the output
* What version of Ansible are you on
* What version of Python 2.7 are you on
* If you turn on fact gathering, does it work if you explicitly set the ignore var on the stat task like so

- win_stat:
    path: C:\Users
  vars:
    ansible_winrm_server_cert_validation: ignore

Looks like you are using a dynamic inventory for your AWS hosts; instead of having include_vars point to the Windows vars file, I would create an actual windows group in that inventory and add those hosts in there. In the end it would look something similar to this (untested)

# inventory/hosts
[tag_OSType_Windows]
# keep empty, is populated in the dynamic inventory

[windows:children]
tag_OSType_Windows

# inventory/ec2.py
... keep as normal, just to show how to mix/match dynamic and static inventories

# inventory/ec2.ini
... keep as normal

# group_vars/windows.yml
ansible_user: username
ansible_password: "#####"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

# playbooks/windows.yml
- name: run test on Windows host
  hosts: '{{target}}'
  tasks:
  - win_stat:
      path: C:\Users
  
From there you would add a tag to the newly created instances OSType: Windows so that when Ansible reads it from the inventory it is automatically put in the Windows group. Even though you are running the playbook on the one host, it will inherit the group based on that tag, which in turn gets the Windows vars required.

Thanks

Jordan

Alexmil Reyes

Dec 21, 2017, 11:26:43 AM
to Ansible Project
Hi Jordan, thank you for the suggestion on the inventory management. We can currently target any instance based on their tags. Here is the command I am using to issue the playbook.

ansible-playbook playbooks/windows.yml -e "target=tag_product_cse"

Here is the information you requested. 

$ pip list

DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
ansible (2.3.2.0)
aws-amicleaner (0.1.2)
awscli (1.11.133)
blessings (1.6)
boto (2.48.0)
boto3 (1.4.6)
botocore (1.6.0)
certifi (2017.7.27.1)
cffi (1.9.1)
chardet (3.0.4)
colorama (0.3.7)
docutils (0.14)
ecdsa (0.13)
enum34 (1.1.6)
futures (3.1.1)
httplib2 (0.9.1)
hvac (0.3.0)
idna (2.5)
ipaddress (1.0.18)
Jinja2 (2.8)
jmespath (0.9.3)
kerberos (1.2.5)
MarkupSafe (0.23)
ntlm-auth (1.0.5)
ordereddict (1.1)
paramiko (1.16.0)
pip (9.0.1)
prettytable (0.7.2)
pyasn1 (0.2.3)
pycparser (2.17)
pycrypto (2.6.1)
python-dateutil (2.6.1)
pywinrm (0.3.0b1)
PyYAML (3.12)
requests (2.18.3)
requests-ntlm (1.0.0)
rsa (3.4.2)
s3transfer (0.1.10)
setuptools (20.7.0)
six (1.10.0)
termcolor (1.1.0)
urllib3 (1.22)
virtualenv (15.1.0)
wheel (0.29.0)
xmltodict (0.11.0)

$ ansible --version

ansible 2.3.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0 20160609]

$ python --version

Python 2.7.12


Here are the changes I made to the following files:
playbooks/windows.yml, roles/windows/task/main.yml, inventory/group_vars/windows.yml


Playbook: playbooks/windows.yml

---
- name: run test on Windows host
  hosts: '{{target}}'
  gather_facts: no
  roles:
    - windows
  vars_files:
    - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"

Task: roles/windows/task/main.yml

---
# Obtain information about a folder
- debug:
    var: ansible_winrm_server_cert_validation
- win_stat:
    path: C:\Users
  register: folder_info

Windows Var: /inventory/group_vars/windows.yml

ansible_user: username
ansible_password: "#######"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: ssl
#ansible_winrm_scheme: ntlm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

##############################################################################


Based on the results it appears that ansible_winrm_server_cert_validation: ignore is being recognized. Unfortunately, the issue persists. Below are the results of running the command. 



$ ansible-playbook playbooks/windows.yml -e "target=tag_product_cse"

PLAY [run test on Windows host] *******************************************************************************************************

TASK [windows : debug] ****************************************************************************************************************
ok: [x.x.x.x] => {
    "ansible_winrm_server_cert_validation": "ignore"
}

TASK [windows : win_stat] *************************************************************************************************************
fatal: [x.x.x.x]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='x.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))", "unreachable": true}



Thank you!! All your efforts are greatly appreciated!

Jordan Borean

Dec 21, 2017, 3:23:22 PM
to Ansible Project
I believe your issue is that ansible_winrm_server_cert_validation is being loaded with your include_vars directive in the playbook, and the way connection vars worked in Ansible before the current devel branch had a few issues. I would recommend you add

    [all:vars]
    ansible_winrm_server_cert_validation=ignore

to your inventory and try again. One more thing you can try is to use the latest checkout of Ansible and see if the issue is still there.

Thanks

Jordan
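The whole thread turns on one connection var, `ansible_winrm_server_cert_validation`, and on whether it actually reaches the WinRM connection for a given host. The following is an added example (my own code, not from this thread and not Ansible's or pywinrm's implementation) that mirrors, in simplified form, how the winrm connection plugin turns `ansible_winrm_*` host vars into keyword arguments for pywinrm's `winrm.Protocol`, and then audits what those settings do to server-certificate verification: `ignore` keeps the channel encrypted but never checks the listener's identity, while `ansible_winrm_ca_trust_path` pointing at the exported listener certificate or its CA keeps validation on. Assumptions: the var names are the documented Ansible ones, the two var sets are constructed from the group_vars posted above, the CA path is a hypothetical placeholder, and no network connection is made.

```python
"""Map Ansible WinRM host vars to pywinrm Protocol kwargs and audit TLS settings.

Added example, not code from the thread or from Ansible/pywinrm. The prefix
stripping below is a simplified version of what Ansible's winrm connection
plugin does; the sample var sets are constructed for the demo.
"""

WINRM_PREFIX = "ansible_winrm_"

# Vars the connection plugin consumes itself instead of forwarding to Protocol.
PLUGIN_OWNED = {"scheme", "path", "transport", "kinit_cmd", "kinit_mode"}

# Constructed sample: the group_vars/windows.yml from the top of the thread.
THREAD_VARS = {
    "ansible_user": "username",
    "ansible_password": "#####",
    "ansible_port": 5986,
    "ansible_connection": "winrm",
    "ansible_winrm_scheme": "https",
    "ansible_winrm_server_cert_validation": "ignore",
}

# Constructed sample: same listener, but the listener's certificate (or its CA)
# has been exported to the control host so verification can stay on.
# The path is a hypothetical placeholder.
HARDENED_VARS = {
    "ansible_user": "username",
    "ansible_password": "#####",
    "ansible_port": 5986,
    "ansible_connection": "winrm",
    "ansible_winrm_transport": "ntlm",
    "ansible_winrm_ca_trust_path": "/etc/ansible/winrm-ca.pem",
}


def build_endpoint(host, hostvars):
    """scheme://host:port/wsman using the plugin's defaults (https unless port 5985)."""
    port = int(hostvars.get("ansible_port", 5986))
    scheme = hostvars.get("ansible_winrm_scheme") or ("http" if port == 5985 else "https")
    path = hostvars.get("ansible_winrm_path", "/wsman")
    return "%s://%s:%d%s" % (scheme, host, port, path)


def protocol_kwargs(host, hostvars):
    """Keyword arguments you would pass as winrm.Protocol(**kwargs)."""
    kwargs = {
        "endpoint": build_endpoint(host, hostvars),
        # "plaintext" is pywinrm's own default; Ansible may try kerberos first.
        "transport": hostvars.get("ansible_winrm_transport", "plaintext"),
        "username": hostvars.get("ansible_user"),
        "password": hostvars.get("ansible_password"),
    }
    for key, value in hostvars.items():
        if key.startswith(WINRM_PREFIX):
            name = key[len(WINRM_PREFIX):]
            if name not in PLUGIN_OWNED:
                kwargs[name] = value  # e.g. server_cert_validation, ca_trust_path
    return kwargs


def audit_tls(kwargs):
    """Findings about server-identity checks for the given Protocol kwargs."""
    findings = []
    if kwargs["endpoint"].startswith("http://"):
        findings.append("plaintext WinRM: no TLS, traffic readable on the wire")
        return findings
    validation = kwargs.get("server_cert_validation", "validate")
    if validation == "ignore":
        findings.append(
            "server_cert_validation=ignore: the channel is encrypted but the "
            "listener's identity is never checked; prefer ca_trust_path"
        )
    elif not kwargs.get("ca_trust_path"):
        findings.append(
            "validate without ca_trust_path: a self-signed listener cert fails "
            "with CERTIFICATE_VERIFY_FAILED, the error seen in this thread"
        )
    return findings


if __name__ == "__main__":
    for label, hostvars in (("thread", THREAD_VARS), ("hardened", HARDENED_VARS)):
        kwargs = protocol_kwargs("10.100.22.111", hostvars)
        print(label, kwargs["endpoint"], audit_tls(kwargs) or ["ok"])
```

Running the block prints one finding for the thread's vars and none for the hardened set. The same audit is useful as a pre-flight check in CI over `ansible-inventory --list` output: any Windows host whose resolved vars still carry `ignore` on a production network is a host whose WinRM listener could be impersonated without the playbook noticing.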