winrm and https


František Griga

Jun 23, 2016, 10:32:51 AM
to ansible...@googlegroups.com
Hello,

I have a problem with using Ansible to manage Windows machines.

I have one virtual machine with Debian 8, Ansible 2.1.0.0 installed
through PPA and Python 2.7.9. Then I have a second VM with Windows 10. I
would like to send commands from the Debian (Ansible) machine to the Windows
machine using WinRM through HTTPS (I do not want to use Kerberos - I
need to connect to a Windows local account), but something goes wrong. If
I use the "ansible_winrm_server_cert_validation: ignore" conf option,
everything is fine - I have this:

root@debx-test:~# ansible 192.168.0.1 -m win_ping
192.168.0.1 | SUCCESS => {
"changed": false,
"ping": "pong"
}

but that is something I do not want to use, because I consider that a
security risk. When I turn the option off, I have this:

root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO 192.168.0.1
<192.168.0.1> WINRM CONNECT: transport=plaintext endpoint=https://192.168.0.1:5986/wsman
<192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 152, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

192.168.0.1 | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: (\"bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
    "unreachable": true
}

It does not matter what certificate I am using. I tried to create a CA on the
Ansible machine, sign the Windows CSR, import the certificate to Windows,
reconfigure the HTTPS listener and import the CA certificate to the trusted
certificates on Debian - it does not help. I am sure I did everything OK,
because it is working for example on the test web server on the Windows machine.

Is it possible to run Ansible with Windows really securely? How? What
should I try?

Thanks for reply,
Frantisek Griga

J Hawkesworth

Jun 23, 2016, 1:00:00 PM
to Ansible Project
As well as getting a valid, trusted cert generated for your host (and each of your windows hosts), I believe you should use the hostname rather than ip address.

Matt Davis

Jun 23, 2016, 1:18:44 PM
to Ansible Project
This. Python is unfortunately not very verbose about *why* cert validation fails, but you absolutely need to be using ansible_host or the inventory hostname that matches the CN or a SAN in the certificate you created. Python 2.x does *not* support IP CN/SANs yet (3.x does, but IIRC it hasn't been backported), so you *must* use a symbolic hostname.
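As an added example (not code from this thread, from Ansible or from pywinrm), a Python 3 stdlib pre-flight check that applies the rule Matt describes: it connects to the listener, verifies the chain against your own CA file, and reports which names the certificate actually carries so you can see whether the inventory name will match. The function names, the constructed certificate layouts and the host name and CA path in the usage note are assumptions.

```python
"""Pre-flight check for Ansible WinRM over HTTPS (Python 3, stdlib only).

The chain must lead to a trusted CA, and the name you connect to
(ansible_host or the inventory hostname) must match a SAN or, failing
that, the CN.  Connecting by literal IP only works if the cert carries an
iPAddress SAN *and* the client honours it; Python 2.x in this thread did not.
"""
import ipaddress
import socket
import ssl


def cert_names(cert):
    """Split a cert dict (ssl.getpeercert() layout) into DNS and IP names.
    The CN is consulted only when there is no subjectAltName (RFC 6125)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            dns.extend(v.lower() for k, v in rdn if k == "commonName")
    return dns, ips


def name_matches(cert, target, allow_ip_san=False):
    """True if `target` is a name the cert is valid for.  Wildcards are not
    handled; WinRM listener certs are normally issued to one host name."""
    dns, ips = cert_names(cert)
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in dns        # symbolic host name
    return allow_ip_san and target in ips   # literal IP: iPAddress SAN only


def check_listener(host, port=5986, cafile=None):
    """Connect to the WinRM HTTPS listener, verify the chain against `cafile`
    (or the system store) and return (chain_ok, name_ok, (dns, ips))."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False              # we report the name result ourselves
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:    # CA not in cafile / system store
        return False, False, ([], [])
    return True, name_matches(cert, host), cert_names(cert)
```

Run `check_listener("win10.lab.example", cafile="/path/to/your-ca.pem")` from the Ansible controller: `(True, False, ...)` means the chain is trusted but the inventory name does not match the names returned, which is the case Matt describes.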

František Griga

Jun 24, 2016, 2:14:31 AM
to ansible...@googlegroups.com
Hello,

thanks for the answers. I tried that, but hostnames do not help. Any other
ideas? Is there anybody who uses Ansible on Debian (successfully)?

FG


On 23 Jun 2016 at 19:18, Matt Davis wrote:

Mike Fennemore

Jun 24, 2016, 2:55:38 AM
to Ansible Project
Is there a method for using HTTPS with certificate validation with Python 2.7.9? I have been reading this: http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure. Admittedly this is Chef, but I would assume the WinRM concepts remain the same.

František Griga

Jun 24, 2016, 3:21:24 AM
to ansible...@googlegroups.com
So I cannot be sure if the Debian version has the cert validation
ability, but the upstream version should have it.
https://www.python.org/downloads/release/python-279/


On 24 Jun 2016 at 08:55, Mike Fennemore wrote:

skinnedknuckles

Jun 24, 2016, 9:00:31 AM
to Ansible Project
Here is a list of 9 items to check. You may already have done all of these, but skipping any one of them will prevent it from working.

Anjana Raghavendra P

Aug 9, 2016, 5:30:56 PM
to Ansible Project
Hi,

I am also getting the same error when I tried to run a play with host: local and a task with delegate_to: windows on Ubuntu 14.04. But the same task works if I specify host: windows at play level. Can anyone help me with this?