Windows Server target using Amazon Linux


Slim Slam

Mar 3, 2016, 11:38:08 AM
to Ansible Project
Ansible 2.0.1

Control machine: Latest version of Amazon Linux - CentOS 6 variant (has stock Python 2.7.10)
Target machine: AWS Windows Server 2012R2 (prepared for Ansible)

Two errors occur:

1. "ImportError: No module named xmltodict"
 
Solution: 

Things that DID NOT WORK:
pip install xmltodict
pip install python-xmltodict
yum install xmltodict
yum install python-xmltodict

Thing that DID WORK:
pip install --upgrade pywinrm --user python

2.  "WinRMTransportError: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed"

Solution:
There are a few solutions, but I like my solution here:

Slightly modified for Amazon Linux:

Edit (or create) the file /usr/lib/python2.7/site-packages/sitecustomize.py
Add this code to the file:

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context

Isn't this supposed to be fixed (or have an option) in Ansible 2?

===

Matt Martz

Mar 3, 2016, 11:43:43 AM
to ansible...@googlegroups.com
The appropriate solution to verifying SSL or not in v2 is to put the following in your inventory:

ansible_winrm_server_cert_validation=ignore ansible_winrm_transport=ssl

As for xmltodict, you didn't say why those things didn't work, but a `pip install -U xmltodict --user python` should have worked. I notice the thing that did work indicated that you needed to use `--user`, and the things that didn't work did not include that flag.

--
Matt Martz
@sivel
sivel.net

Slim Slam

Mar 3, 2016, 12:01:31 PM
to Ansible Project
Thanks Matt!

J

Slim Slam

Mar 3, 2016, 12:28:18 PM
to Ansible Project
Hi Matt, I'm using dynamically generated inventory in this case. So, I've used Ansible to generate a Windows instance and then I do this:

PLAY [Configure the EC2 instance] **********************************************

TASK [setup] *******************************************************************
  gather_facts: True
  vars:
    ansible_port: 5986
    ansible_connection: winrm
    ansible_winrm_transport: ssl
    ansible_winrm_server_cert_validation: ignore
    ....
    ....


And I get this outcome:

PLAY [Configure the EC2 instance] **********************************************

TASK [setup] *******************************************************************
<52.36.20.10> ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 5986 TO 52.36.20.10
<52.36.20.10> WINRM CONNECT: transport=ssl endpoint=https://52.36.20.10:5986/wsman
<52.36.20.10> WINRM CONNECTION ERROR: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 138, in _winrm_connect
    protocol.send_message('')
  File "/home/ec2-user/.local/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/home/ec2-user/.local/lib/python2.7/site-packages/winrm/transport.py", line 138, in send_message
    raise WinRMTransportError('http', ex.reason)
WinRMTransportError: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
fatal: [52.36.20.10]: FAILED! => {"failed": true, "msg": "ssl: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)"}

Am I missing something here??

-J


Matt Martz

Mar 3, 2016, 12:31:47 PM
to ansible...@googlegroups.com
I recommend reading over https://github.com/ansible/ansible/issues/14710

Per that issue, ansible_winrm_server_cert_validation can *only* be set via inventory.


Slim Slam

Mar 3, 2016, 12:50:01 PM
to Ansible Project
I don't see any reasonable way to do that using my dynamic inventory in this case. I'm going
to stick to my patch (above) for now. I hope this is fixed in 2.1 or sooner.

J
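
The sitecustomize.py patch from the first post rebinds the default HTTPS context for every Python program that loads that site-packages directory, not only Ansible's WinRM connection. As an added example (not code from the thread or from the Ansible project), this Python 3 script audits a control machine for that kind of override; the function names and the embedded sample source are constructed for illustration.

```python
import ast
import os
import ssl
import sys

# Constructed sample: the override from the first post, as it would sit in sitecustomize.py.
SAMPLE = """import ssl
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context
"""

def context_verifies(factory):
    """True if the SSLContext built by factory checks both the chain and the hostname."""
    ctx = factory()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def find_global_tls_overrides(source, filename="<source>"):
    """Line numbers where source rebinds ssl._create_default_https_context."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "_create_default_https_context":
                    hits.append(node.lineno)
    return sorted(hits)

def scan_customize_files(dirs):
    """Map each sitecustomize.py/usercustomize.py under dirs to its override lines."""
    findings = {}
    for d in dirs:
        for name in ("sitecustomize.py", "usercustomize.py"):
            path = os.path.join(d, name)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    try:
                        lines = find_global_tls_overrides(fh.read(), path)
                    except SyntaxError:
                        continue  # e.g. Python 2-only syntax; review that file by hand
                if lines:
                    findings[path] = lines
    return findings

if __name__ == "__main__":
    print("interpreter default verifies:", context_verifies(ssl._create_default_https_context))
    for path, lines in scan_customize_files(sys.path).items():
        print("global TLS override in %s at lines %s" % (path, lines))
```

Run it with the same interpreter that Ansible uses, so that `sys.path` covers the directories that interpreter actually loads customization files from.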