Ansible 2.9.4 not considering/honouring ansible_winrm_server_cert_validation=ignore flag.


Bhushan Gholave

Feb 5, 2020, 4:08:30 AM
to Ansible Project
Hi All,


1. host file
[windows]
192.152.1.21 ansible_user=administrator ansible_password=Password123 ansible_port=5986 ansible_winrm_transport=basic ansible_winrm_server_cert_validation=ignore ansible_connection=winrm
2. run ansible -i host -m win_ping all - with ansible version 2.8.5
response:-
192.152.1.21 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
3. run ansible -i host -m win_ping all - with ansible version 2.9.4
response:-
192.152.1.21 | UNREACHABLE! => {
    "changed": false,
    "msg": "basic: HTTPSConnectionPool(host='192.152.1.21', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:897)'),))",
    "unreachable": true
}
4. I followed the https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html documentation to set up the Windows host. I ran Upgrade-PowerShell.ps1, Install-WMF3Hotfix.ps1, ConfigureRemotingForAnsible.ps1 and the WinRM settings mentioned there.
5. Workaround: if I run .\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert, then it starts working on both versions.
6. I think that even if we give the ansible_winrm_server_cert_validation=ignore flag, it still searches for a self-signed certificate on the target machine.
My guess might be wrong, but we need to find out the exact reason behind this.
Thanks,
Bhushan

Bhushan Gholave

Feb 5, 2020, 4:26:27 AM
to Ansible Project
I see there is a possibility of an issue with pywinrm:
https://github.com/diyan/pywinrm/issues/201
It looks similar.

John Roh

Feb 5, 2020, 4:32:35 AM
to ansible...@googlegroups.com
pywinrm==0.4.0 included the fix for ansible_winrm_server_cert_validation=ignore. I'm currently using pywinrm=0.4.0 in my Dockerfile.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/4a6a63b5-f1bb-4bdb-afb5-e74c3d0a004e%40googlegroups.com.

Bhushan Gholave

Feb 5, 2020, 4:36:07 AM
to ansible...@googlegroups.com
Yes, I thought the same.
I am using pywinrm=0.4.0, but it still fails to use this flag.
Please validate.
Thanks,
Bhushan

Jordan Borean

Feb 5, 2020, 5:41:24 AM
to Ansible Project
As I have stated in the issue, this has nothing to do with certificate validation. If it were, you would be getting a completely separate error message saying something like "certificate verify error". This is an error that Python/OpenSSL reports when it cannot negotiate a common TLS protocol between itself and the Windows server.

You can run the following to try and get some more info:

ANSIBLE_PYTHON=$(head -1 $(which ansible) | cut -c 3-)
# Used to just display what Python Ansible is using
echo $ANSIBLE_PYTHON
$ANSIBLE_PYTHON --version

# Make sure both match, if they don't then the openssl binary is at a different path and these tests won't indicate anything
$ANSIBLE_PYTHON -c "import ssl; print(ssl.OPENSSL_VERSION)"
openssl version

openssl s_client -connect hostname:5986

# Prints a list of ciphers and the protocols that the openssl supports, once again the binary should be the one Python is compiled against.
openssl ciphers -s -v

In my example, here is a snippet of what I receive from the s_client -connect command:

---
SSL handshake has read 2105 bytes and written 465 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DA300000338CE777889199F6BFBB5D2D0922405E01E413959C82ABF8B5433E0D
    Session-ID-ctx:
    Master-Key: 62132D2AB686ABA5CEAB04DD0E92AD51140F658693E8643421207CDE599FF6588B00C2EC84E410F17E077856204735A8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1580898057
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

You can see the protocol negotiated between the client and the server was TLSv1.2, which is good. In your case I would expect the handshake to fail because it cannot negotiate a common protocol. Once again, you need to make sure the openssl binary you run is the one that your Python has been compiled against.

Typically, when a common protocol is not found it means one of the following:
  • Python's OpenSSL does not support TLS 1.2 and the Windows host only offers TLS 1.2
    • Typical for older hosts talking to newer Windows versions
    • macOS before High Sierra used an ancient OpenSSL version which did not support TLS 1.2, but based on your controller OS version I doubt this is the case for you
  • Python's OpenSSL only supports TLS 1.2 or newer and the Windows host does not offer TLS 1.2
    • Some newer distros disable older TLS protocols for security reasons
    • TLS 1.2 has been enabled by default for Server 2012/Windows 8 or newer
    • Server 2008 R2/Windows 7 need a security update to be applied and some registry settings tweaked
    • https://www.nartac.com/Products/IISCrypto/Download is a great tool you can use to control the TLS protocols and ciphers offered by a Windows server if you don't want to edit the registry
I've covered this in another question which you can use for more background information: https://groups.google.com/forum/#!searchin/ansible-project/UNSUPPORTED_PROTOCOL%7Csort:date/ansible-project/CCjQTWSAt4I/hpy93e7BAAAJ.

A final thing you can do is set up a Wireshark capture between the Ansible controller and the Windows host. Most of the data is going to be garbage due to the encryption, but you can see the negotiation process happen in plain text. For example, the controller will send a Client Hello message which advertises the protocols and cipher suites it can use.

The Server Hello response tells you what protocol and cipher suite was ultimately chosen.

Lastly, I believe the Windows application or system event log shows errors when a client tries to access the server but the server does not have a common protocol; that's another good place to look.

Thanks

Jordan
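As an added example (not code from this thread, from Ansible or from pywinrm), a small Python check that applies the point above: it classifies an SSLError text such as the one in the first post as a protocol-negotiation failure rather than a certificate-validation failure, reports which TLS versions the controller's own Python/OpenSSL can speak, and probes a host with certificate validation disabled, which is what ansible_winrm_server_cert_validation=ignore does. The host, port and error-string markers are assumptions.

```python
"""Separate 'no common TLS protocol' from 'certificate not trusted' for a WinRM host."""
import socket
import ssl

# Assumed OpenSSL/Python error markers: the first group means the two sides share no
# TLS version, the second group is what the 'ignore' validation flag actually silences.
PROTOCOL_MISMATCH_MARKERS = ("UNSUPPORTED_PROTOCOL", "NO_PROTOCOLS_AVAILABLE",
                             "TLSV1_ALERT_PROTOCOL_VERSION", "WRONG_VERSION_NUMBER")
CERT_MARKERS = ("CERTIFICATE_VERIFY_FAILED", "certificate verify failed")


def classify_ssl_error(message: str) -> str:
    """Map an SSLError text (e.g. the 'msg' of an UNREACHABLE result) to its cause."""
    if any(marker in message for marker in PROTOCOL_MISMATCH_MARKERS):
        return "protocol_mismatch"    # cert_validation=ignore cannot fix this
    if any(marker in message for marker in CERT_MARKERS):
        return "cert_verify_failed"   # the case the ignore flag is meant for
    return "other"


def local_tls_support() -> dict:
    """Which TLS versions the OpenSSL linked into *this* Python can negotiate."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "TLSv1": ssl.HAS_TLSv1, "TLSv1.1": ssl.HAS_TLSv1_1,
        "TLSv1.2": ssl.HAS_TLSv1_2, "TLSv1.3": ssl.HAS_TLSv1_3,
    }


def probe_winrm_tls(host: str, port: int = 5986, timeout: float = 5.0) -> dict:
    """Handshake with certificate checks off (like the 'ignore' setting) so that the
    outcome reflects protocol negotiation only, not certificate trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # diagnostic only: mirrors cert_validation=ignore
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        return {"ok": False, "cause": classify_ssl_error(str(exc)), "error": str(exc)}
    except OSError as exc:   # refused, timed out, unreachable: not a TLS problem
        return {"ok": False, "cause": "connection", "error": str(exc)}


if __name__ == "__main__":
    print(local_tls_support())
    print(probe_winrm_tls("192.152.1.21"))   # host from the thread; assumed value
```

Run it with the same interpreter that ANSIBLE_PYTHON resolves to above, otherwise the reported OpenSSL version and TLS support are not the ones Ansible uses.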

Bhushan Gholave

Feb 5, 2020, 7:15:01 AM
to ansible...@googlegroups.com
@Jordan Borean Thank you for explaining this. I got this working with the TLS 1.2 script.
We need a restart after applying it.
We are facing this issue only on a Windows 2008 R2 machine with the recent Ansible upgrade.
I am considering this PowerShell script while preparing Windows hosts.

Thanks,
Bhushan
