SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Hugo Enrique Hernández Priego

Jun 27, 2016, 8:37:59 PM
to Ansible Project, HERNANDEZ PRIEGO HUGO ENRIQUE
Hi

I'm running Ansible against a Windows host for testing purposes, but I am getting this error:

Red Hat 7.2
Ansible 1.9.2

[ansible-windows]$ ansible windows -i host -m win_ping -vvvvv

<srvspodvlmx01.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: prhtblad on PORT 5986 TO srvspodvlmx01.wt.mx.corp
<srvspodvlmx01.wt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://srvspodvlmx01.wt.mx.corp:5986/wsman
srvspodvlmx01.wt.mx.corp | FAILED => Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

Any idea about this error?

Thanks

J Hawkesworth

Jun 28, 2016, 3:59:13 AM
to Ansible Project, hhern...@externos.produban.com.mx
Hi,

Since Python 2.7.9 (I think), Python's default behavior has been to validate certificates for any HTTPS connections.

The certificate used by the Windows hosts is likely self-generated, and therefore won't be fully trusted.

So, in order to avoid the certificate check, you have to set the following var in your Ansible inventory/group_vars that apply to your Windows hosts.

# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

It's documented here: http://docs.ansible.com/ansible/intro_windows.html#inventory

If you would rather Python did check the certificate, then you will either need to trust the cert for each of your Windows hosts, or acquire trusted (not self-signed) certificates for each of your Windows hosts, add them to the computer certificate store and ensure that WinRM is using your new certificate.

Hope this helps,

Jon

Hugo Enrique Hernández Priego

Jun 29, 2016, 2:19:21 PM
to Ansible Project, hhern...@externos.produban.com.mx
Hi Jon


My Ansible control node has Python 2.7.5

[ansible@ansible-server ansible-windows]$ python --version
Python 2.7.5
[ansible@ansible-server ansible-windows]$

So I followed this link: http://docs.ansible.com/ansible/intro_windows.html

My windows.yml

[ansible@ansible-server ansible-windows]$ cat group_vars/windows.yml
# it is suggested that these be encrypted with ansible-vault:
# # ansible-vault edit group_vars/windows.yml
ansible_ssh_user: ansible
ansible_ssh_pass: xxxxxx
ansible_ssh_port: 5986
ansible_connection: winrm

# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore

I tried the recommendation for Python 2.7.9+ but it fails anyway

[ansible@ansible-server ansible-windows]$ ansible windows -i host -m win_ping -vvvvv
<mywindowshost.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO mywindowshost.wt.mx.corp
<mywindowshostwt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://mywindowshost.wt.mx.corp:5986/wsman
mywindowshost.wt.mx.corp | FAILED => Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)


Both methods fail, so I did a test connection with curl and it's OK

[ansible@ansible-server ansible-windows]$ curl -vk -d "" -u "ansible:xxxxxxx" https://mywindowshost.wt.mx.corp:5986/wsman
* About to connect() to mywindowshost.wt.mx.corp port 5986 (#0)
*   Trying 22.134.234.100...
* Connected to mywindowshost.wt.mx.corp (22.134.234.100) port 5986 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*     subject: CN=mywindowshost
*     start date: Jun 27 18:16:45 2016 GMT
*     expire date: Jun 27 18:16:45 2017 GMT
*     common name: mywindowshost
*     issuer: CN=mywindowshost
* Server auth using Basic with user 'ansible'
> POST /wsman HTTP/1.1
> Authorization: Basic cHJodGJsYWQ6QmxhKjg2LmxvZw==
> User-Agent: curl/7.29.0
> Host: mywindowshost.wt.mx.corp:5986
> Accept: */*
> Content-Length: 0
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 411
< Server: Microsoft-HTTPAPI/2.0
< Date: Wed, 29 Jun 2016 18:19:37 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0


Any idea?

Thanks

Matt Davis

Jun 29, 2016, 4:45:58 PM
to Ansible Project, hhern...@externos.produban.com.mx
You need to be using at least Ansible 1.9.4 (preferably 2.1) and pywinrm 0.1.1 (preferably 0.2.0) to pass the certificate validation disable to pywinrm. 1.9.2 will be *very* slow and suboptimal for Windows work in many ways.

Hugo Enrique Hernández Priego

Jun 29, 2016, 7:36:08 PM
to Ansible Project, hhern...@externos.produban.com.mx
Hi

I removed that line and tried again

[ansible@ansible-server ansible-windows]$ cat group_vars/windows.yml
# it is suggested that these be encrypted with ansible-vault:
# # ansible-vault edit group_vars/windows.yml
ansible_ssh_user: ansible
ansible_ssh_pass: xxxxxx
ansible_ssh_port: 5986
ansible_connection: winrm

but I'm getting the same error,


[ansible@ansible-server ansible-windows]$ ansible windows -i host -m win_ping -vvvvv
<mywindowshost.wt.mx.corp> ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO srvspodvlmx01.wt.mx.corp
<mywindowshost.wt.mx.corp> WINRM CONNECT: transport=plaintext endpoint=https://mywindowshost.wt.mx.corp:5986/wsman

mywindowshost.wt.mx.corp | FAILED => Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)

I followed all the requirements

Any suggestions?

Regards

Matt Davis

Jun 30, 2016, 12:46:53 PM
to Ansible Project, hhern...@externos.produban.com.mx
Just out of curiosity, why are you still using Ansible 1.9? The Windows support was barely working there- things are much faster and more supported in the 2.x series. You'll absolutely need the ansible_winrm_server_cert_validation: ignore to get past this, and you need to be on a minimum of 1.9.5 (I think I might've said 1.9.4 before).