Need help on SSL connection with SSL cert validation


Paresh Pendharkar

Mar 12, 2017, 11:30:31 AM
to Ansible Project
Hi All,

I would like to have SSL connection with my windows machine using SSL cert validation.

Currently I am able to connect to the Windows machine using the winrm_server_cert_validation variable set to ignore.

Below is the configuration - 

Ansible node on Ubuntu 64 bit , version: 2.1.1.0
Python version - 2.7.12+
Windows - Windows 10 OS

Please let me know how we can make an SSL connection with cert validation, as I don't want to ignore it, i.e. winrm_server_cert_validation = validate

Please also note my HTTPS port is 5896 and it currently has the self-signed cert thumbprint as well.

Do I need to set any other variables in the inventory? Or do I need to install any certs on the Ansible node? Do we need trusted certs?

Please help me.

Dick Visser

Mar 13, 2017, 6:03:57 PM
to ansible...@googlegroups.com
WinRM is implemented as an HTTPS service, and if you want to be able to
verify the certificates of that connection, you have to set them up first.

As can be seen from the docs at
http://docs.ansible.com/ansible/intro_windows.html:

ansible_winrm_server_cert_validation: Specify the server certificate
validation mode (ignore or validate). Ansible defaults to validate on
Python 2.7.9 and higher, which will result in certificate validation
errors against the Windows self-signed certificates. Unless verifiable
certificates have been configured on the WinRM listeners, this should
be set to ignore.

Note that this doesn't have anything to do with ansible, but is a
generic systems administration issue.
For completeness: by default a self-signed cert is set up, but that
will give you said warning.
If you control both ends (i.e. the boxes you want to manage, as well
as the management station), you can deploy your own CA and sign
client certs using that.
Another option is to get (commercial) certificates from a CA that is
also available on your management station.
Which option you choose depends on your situation and requirements.

BTW I assume that TCP port 5896 is a typ0?
Because according to
https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx the
well known port is 5986...


Dick

--
Dick Visser
Sr. System & Network Engineer
GÉANT

Want to join us? We're hiring: https://www.geant.org/jobs
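To make the "deploy your own CA" option above concrete, here is an added example (not from this thread or from Ansible itself) that builds a throwaway lab CA, a server cert signed by it, and a self-signed cert like the default WinRM listener uses, then runs the same chain check that winrm_server_cert_validation = validate performs. It assumes openssl is on PATH; the host name win10.example.test is a placeholder.

```shell
#!/bin/sh
# Added example: private CA vs. self-signed cert as seen by certificate validation.
# Assumes openssl on PATH. HOST and WORK are placeholders, override via environment.
set -e
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-win10.example.test}"

make_certs() {
  # 1. Lab CA. Its certificate (ca.pem) is what the Ansible control node must trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab WinRM CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # 2. Server key + CSR for the Windows host, signed by the lab CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/server.pem" >/dev/null 2>&1
  # 3. Self-signed cert, equivalent to the default WinRM HTTPS listener cert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# Returns 0 when the given cert chains to the trusted CA bundle, non-zero otherwise.
# This is the decision "validate" mode makes before talking WinRM to the host.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1" >/dev/null 2>&1
}

# SHA-1 thumbprint in the colon-less form Windows shows for a listener certificate.
thumbprint() {
  openssl x509 -in "$WORK/$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d :
}

make_certs
if verify_cert server.pem; then
  echo "server.pem: chains to the lab CA, validate mode would accept it"
fi
if ! verify_cert selfsigned.pem; then
  echo "selfsigned.pem: not trusted, validate mode would reject it"
fi
echo "listener thumbprint: $(thumbprint server.pem)"
```

Once ca.pem is trusted on the control node and the CA-signed cert is bound to the WinRM HTTPS listener, validate mode succeeds; later Ansible releases also accept the bundle path via ansible_winrm_ca_trust_path (check the winrm connection plugin docs for your version).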