AWS EC2 Windows - WinRM over HTTPS with untrusted certificate


James Denning

Dec 9, 2016, 4:33:02 AM
to Terraform
Hi
I am trying to get the file provisioner to connect to a Windows Server 2016 instance in EC2 via WinRM over HTTPS (as I want to at least try and interact with the instance in a reasonably secure manner, e.g. encrypted). However, the compromise has been to use a self-signed certificate generated by the instance attached to the WinRM listener - what this means is that, for example, a remote PowerShell session needs the -SkipCACheck and -SkipCNCheck flags to execute - but execute it does, and I can successfully get a remote PowerShell session (which uses WinRM under the bonnet). However, the file provisioner gets a 401 error. File provisioner connection details:
    connection {
        type     = "winrm"
        user     = "Administrator"
        password = "${var.admin_password}"
        timeout  = "8m"
        https    = "true"
        insecure = "true"
        port     = 5986
    }
The output of TRACE
2016/12/09 09:27:14 [DEBUG] plugin: terraform.exe: file-provisioner (internal) 2016/12/09 09:27:14 connecting to remote shell using WinRM
2016/12/09 09:27:14 [DEBUG] plugin: terraform.exe: file-provisioner (internal) 2016/12/09 09:27:14 connection error: http error: 401 -
2016/12/09 09:27:14 [DEBUG] plugin: terraform.exe: file-provisioner (internal) 2016/12/09 09:27:14 Retryable error: http error: 401 -
The only alternatives I have would be to use SSH/Pageant or try HTTP only - can anyone shed some light on whether the Go WinRM client can use HTTPS, or how I can troubleshoot this further?
Cheers in advance
James

Andrew Hodgson

Dec 9, 2016, 5:28:20 AM
to terrafo...@googlegroups.com
Hi James,

I only got this working over HTTP, my understanding is it is an issue with the Go WinRM implementation. I have dropped copying files using this method and now get the host to download files using S3 with the AWS PowerShell tools in a bootstrap script.

Thanks.
Andrew.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
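
The workaround Andrew describes (the instance pulls its own files from S3 at boot instead of having them pushed over WinRM), sketched as an added example; it is not code from either poster or from Terraform. The bucket, region, object key, destination folder and digest are hypothetical placeholders, and the digest check goes beyond what the thread mentions. It assumes the instance has an IAM instance profile allowing s3:GetObject on the bucket and that the AWS Tools for PowerShell module is installed.

```powershell
# Added example: bootstrap script run on the instance itself (for instance as
# EC2 user data), so file delivery needs no inbound WinRM connection.
# All values below are hypothetical placeholders; replace them with your own.
$ErrorActionPreference = 'Stop'
Import-Module AWSPowerShell

$Region  = 'us-east-1'                     # hypothetical region
$Bucket  = 'example-bootstrap-bucket'      # hypothetical bucket name
$DestDir = 'C:\bootstrap'                  # hypothetical destination folder
$Files   = @(
    # Pin the SHA-256 of each object so a tampered or wrong file is rejected.
    @{ Key = 'config/app.config'; Sha256 = '<EXPECTED-SHA256-HEX>' }
)

function Test-FileDigest {
    param([string]$Path, [string]$ExpectedSha256)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # Hex digests are compared case-insensitively.
    return [string]::Equals($actual, $ExpectedSha256,
                            [StringComparison]::OrdinalIgnoreCase)
}

New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

foreach ($f in $Files) {
    $target = Join-Path $DestDir (Split-Path $f.Key -Leaf)

    # Credentials come from the instance profile; no secrets are embedded here.
    Read-S3Object -BucketName $Bucket -Key $f.Key -File $target -Region $Region |
        Out-Null

    if (-not (Test-FileDigest -Path $target -ExpectedSha256 $f.Sha256)) {
        Remove-Item -Path $target -Force
        throw "Digest mismatch for $($f.Key); file removed."
    }
    Write-Output "Fetched and verified $($f.Key) -> $target"
}
```

With this approach the Administrator password never has to travel to the instance for file copy, and the certificate-validation bypass (`insecure = "true"`) is not needed for that step.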

James Denning

Dec 12, 2016, 7:03:54 AM
to Terraform
Thanks Andrew and for the tip - I feared that might be the case, I'll reevaluate my approach.
James