certificate: the specified credentials were rejected by the server
Gary Mo

Sep 25, 2018, 6:05:55 AM
to Ansible Project
Hi, I'm using Ansible on Ubuntu 16.04 LTS and trying to manage my Win10 server.

But I ran into trouble when using certificate authentication:
gary@gary-HP-Pavilion-Notebook:~$ ansible win_test -m win_ping
192.168.1.207 | UNREACHABLE! => {
    "changed": false, 
    "msg": "certificate: the specified credentials were rejected by the server", 
    "unreachable": true
}

I just followed the Ansible documentation to set up the environment step by step:

My WinRM setting:
PS C:\Users\Test> winrm get winrm/config/Service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

Host vars:
[win_test]
192.168.1.207

[win_test:vars]
ansible_connection="winrm"
ansible_port=5985
ansible_winrm_cert_pem="/home/gary/Documents/cert.pem"
ansible_winrm_cert_key_pem="/home/gary/Documents/cert_key.pem"
ansible_winrm_transport="certificate"

Anything wrong with my settings? Please help, thanks~

PS: It works when I use Basic authentication.

Jordan Borean

Sep 25, 2018, 6:10:36 PM
to Ansible Project
Certificate auth does not work over HTTP (port 5985). It's part of the TLS protocol, so you must use HTTPS.

Thanks

Jordan

Gary Mo

Sep 26, 2018, 4:21:50 AM
to Ansible Project
Hi, Jordan. Thanks for your help~

After changing to HTTPS, I got this error:
192.168.1.207 | UNREACHABLE! => {
    "changed": false, 
    "msg": "certificate: HTTPSConnectionPool(host='192.168.1.207', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))", 
    "unreachable": true
}

Here is my config of the listener:
PS C:\Temp> winrm enumerate winrm/config/Listener
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = desktop-9qa0b18
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 4b 80 86 d5 fd 8f 90 20 36 fe a5 cf b1 9f cc 3f 98 ee 05 78
    ListeningOn = <addresses>

I am not sure whether I generated the key the right way. In fact, I am not familiar with things like SSL and HTTPS.
Here I have written down the things I did to use HTTPS in WinRM:
1. Used the IIS tool to create a self-signed certificate for my PC: desktop-9qa0b18

2. Run command:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="5986" ;Hostname="desktop-9qa0b18" ;CertificateThumbprint="4b 80 86 d5 fd 8f 90 20 36 fe a5 cf b1 9f cc 3f 98 ee 05 78"}
to create the listener




6. Run the command ansible win_test -m win_ping on the Linux side.
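The Windows-side setup the steps above describe, written out as an added example (not from the thread and not the Ansible project's own script): create the self-signed listener certificate, create the HTTPS listener on 5986, and map the client certificate to a local account, which is the "user mapped certificate" part that certificate auth needs on top of the listener. The account name 'ansible', the path C:\Temp\cert.pem for the client certificate's public half, and the UPN '<user>@localhost' in the client certificate's subjectAltName are assumptions; the client certificate itself (cert.pem, with its private key cert_key.pem staying on the Linux host) is assumed to have been generated with a clientAuth extended key usage and that UPN, which is what WinRM matches the mapping against. Run in an elevated PowerShell on the Windows host.

```powershell
# Added example, not from the original thread: WinRM HTTPS listener plus
# client-certificate mapping for certificate auth. Run as Administrator.
$hostname   = 'desktop-9qa0b18'      # hostname from the thread
$mappedUser = 'ansible'              # assumed local account the client cert maps to
$clientPem  = 'C:\Temp\cert.pem'     # assumed location of the client cert (public half only)

# 1. Self-signed certificate for the listener (the thread created this in IIS instead).
$serverCert = New-SelfSignedCertificate -DnsName $hostname -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. HTTPS listener on 5986 bound to that certificate (equivalent to the 'winrm create' in the thread).
New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
    -HostName $hostname -CertificateThumbPrint $serverCert.Thumbprint -Force | Out-Null

# 3. Certificate auth must be enabled on the service (already true in the posted config).
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 4. Trust the client certificate: WinRM needs it (or its issuer) in the machine
#    Root store and the certificate itself in TrustedPeople.
Import-Certificate -FilePath $clientPem -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$clientCert = Import-Certificate -FilePath $clientPem -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople'

# 5. Map the client certificate to the local account. Subject is the UPN carried in
#    the client cert's subjectAltName (assumed '<user>@localhost'); for a self-signed
#    client cert the Issuer is its own thumbprint. The credential is the account's
#    password, which WinRM stores so it can log the mapped user on.
$cred = Get-Credential -UserName $mappedUser -Message 'Password of the local account the certificate maps to'
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject "$mappedUser@localhost" -URI * -Issuer $clientCert.Thumbprint `
    -Credential $cred -Force | Out-Null

# 6. Hardening beyond what the thread asked for: once HTTPS works, stop accepting
#    unencrypted traffic and Basic auth, both enabled in the posted service config.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false

# Show what was configured.
Get-ChildItem -Path WSMan:\localhost\Listener
Get-ChildItem -Path WSMan:\localhost\ClientCertificate
```

Step 6 is optional while you are still comparing against Basic auth, but with AllowUnencrypted and Basic both on, the working HTTP/Basic setup from the first post sends the password over the wire with only base64 encoding, so it is worth turning off as soon as the certificate path works.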

Jordan Borean

Sep 26, 2018, 4:40:44 AM
to Ansible Project
If you are using a self-signed certificate for the HTTPS listener (different from the user-mapped certificate) then you need to tell Ansible not to verify the server's certificate with 'ansible_winrm_server_cert_validation=ignore'. You can get Ansible to use a custom cert chain for verification once you get this working and you don't want to use a self-signed certificate.
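Putting both replies together, here is the inventory from the first post with the HTTPS scheme, port 5986 and the validation setting applied. This is an added example, not a file from the thread; the commented-out CA bundle path is an assumption showing the alternative Jordan mentions for when the listener certificate (or the CA that issued it) has been exported to the Linux side.

```ini
[win_test]
192.168.1.207

[win_test:vars]
ansible_connection=winrm
ansible_winrm_transport=certificate
# certificate auth rides on TLS, so the scheme and port must be the HTTPS listener
ansible_winrm_scheme=https
ansible_port=5986
ansible_winrm_cert_pem=/home/gary/Documents/cert.pem
ansible_winrm_cert_key_pem=/home/gary/Documents/cert_key.pem
# listener uses a self-signed cert: skip server validation while getting it working
ansible_winrm_server_cert_validation=ignore
# preferred once the listener cert or its CA is exported (assumed path):
# ansible_winrm_server_cert_validation=validate
# ansible_winrm_ca_trust_path=/home/gary/Documents/winrm_server_ca.pem
```

With validation set to ignore, Ansible still authenticates to the server with the client certificate, but it no longer checks who the server is, so anyone on the path to 192.168.1.207 can present their own listener certificate; keep that setting to the lab and switch to the trust-path variant before using this against anything that matters.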