Ansible still able to connect to windows host even after the certificates has expired
178 views
Skip to first unread message
ishan jain
Apr 22, 2016, 5:20:11 AM4/22/16
to Ansible Project
I configured winrm on my windows server 2012 R2 using the script listed at https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
To test the certificate expiration, i provided 3 days for -CertValidityDays parameter during script execution. I am not very well versed about powershell and winrm but i assume that after 3 days the self signed certificate should expire and after that i should expect Ansible to be unable to connect.
But after 3 days, ansible is working just fine with no other setting changed. Can anyone please explain how this thing works ?
J Hawkesworth
Apr 22, 2016, 6:13:43 AM4/22/16
to Ansible Project
That sounds like a bug to me. I created a bug report here: https://github.com/ansible/ansible/issues/15541
ishan jain
Apr 22, 2016, 7:24:08 AM4/22/16
to Ansible Project
Do we have a way to undo whatever the script changed ? Or some other means where i can make the certificate expire ?
I need that to test it out some more.
J Hawkesworth
Apr 25, 2016, 4:08:40 AM4/25/16
to Ansible Project
Have a read through the bug report above (which I have now closed).
Do you have the following set in your windows inventory/ group vars:
ansible_winrm_server_cert_validation: ignore
as described in; http://docs.ansible.com/ansible/intro_windows.html#inventory
If so the certificate is completely ignored. Traffic between the ansible node and the windows winrm endpoint is still encrypted, but ansible doesn't check anything to do with the certificate. So I think in your case the certificate really has expired but the certificate is not getting checked.
It would be good to have a documented way to retrieve the generated certificate from the windows host and add it to the trusted certs on the ansible controller, but I don't believe we have that right now. It might be tedious and error prone if it requires manual steps on each host of course so would be best automated.
Depending on how you set things up, certificates aren't the only way in which you can lock down access to a time period on windows hosts. If you set up domain authentication then you can configure quite a short period for the kerberos tickets to last (I think that the default is 10 hours without renewal).
Hope this helps
Jon
ishan jain
Apr 25, 2016, 5:03:41 AM4/25/16
to Ansible Project
Hi J,
Thanks for all the help. Actually it turned out that somebody already executed the script on the new machine with 365 days period before i did it for 3 days, that is why it was able to connect. I did not specify anything like ansible_winrm_server_cert_validation. I am very new to windows administration.
Since i need to see what happens when certificate expires, i am still trying to figure out a way to disable winrm again. Any ideas there?
J Hawkesworth
Apr 25, 2016, 9:01:03 AM4/25/16
to Ansible Project
Hi,
You will probably have to do this logged in to the windows machine as an Administrator. I think modifying winrm configuration is not allowed from remote winrm sessions.
You can create / install a new certificate and then use winrm to use the new certificate using a command like this:
winrm set winrm/config/listener?Address=IP:8.8.8.8+Transport=HTTPS @{Hostname="mydomain.com";CertificateThumbprint="CB7434F35E3EA11D49D209F41BB16E96B472D30E";Port="5986"}
You will probably have to do this logged in to the windows machine as an Administrator. I think modifying winrm configuration is not allowed from remote winrm sessions.
You can probably delete the https transport listener altogether if you prefer and then run the ConfigureRemotingForAnsible.ps1 script again too.
Hope this helps,
Jon
Reply all
Reply to author
Forward
0 new messages