Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ansible_winrm_server_cert_validation no longer works with pywinrm 0.3.0 #34378

Closed
kcd83 opened this issue Jan 3, 2018 · 10 comments
Closed

ansible_winrm_server_cert_validation no longer works with pywinrm 0.3.0 #34378

kcd83 opened this issue Jan 3, 2018 · 10 comments
Labels
affects_2.5 This issue/PR affects Ansible v2.5 docs This issue/PR relates to or includes documentation. support:core This issue/PR relates to code supported by the Ansible Engineering Team. windows Windows community

Comments

@kcd83
Copy link
Contributor

kcd83 commented Jan 3, 2018

The current pywinrm release does not work, should the documentation be updated?

pip install "pywinrm>=0.2.2"

To say:

pip install "pywinrm==0.2.2"

ISSUE TYPE
  • Documentation Report
COMPONENT NAME
/lib/ansible/plugins/connection/winrm.py
ANSIBLE VERSION
ansible 2.5.0
  config file = /workspace/ansible/inventories/lss-perftest-wlg/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
CONFIGURATION
OS / ENVIRONMENT

Windows WinRM with a self-signed certificate

pywinrm 0.3.0

pip show pywinrm
---
Metadata-Version: 2.0
Name: pywinrm
Version: 0.3.0
Summary: Python library for Windows Remote Management
Home-page: http://github.com/diyan/pywinrm/
Author: Alexey Diyan
Author-email: alexey.diyan@gmail.com
Installer: pip
License: MIT license
Location: /usr/lib/python2.7/site-packages
Requires: six, requests-ntlm, requests, xmltodict
Classifiers:
  Development Status :: 4 - Beta
  Environment :: Console
  Intended Audience :: Developers
  Intended Audience :: System Administrators
  Natural Language :: English
  License :: OSI Approved :: MIT License
  Programming Language :: Python
  Programming Language :: Python :: 2
  Programming Language :: Python :: 2.6
  Programming Language :: Python :: 2.7
  Programming Language :: Python :: 3
  Programming Language :: Python :: 3.3
  Programming Language :: Python :: 3.4
  Programming Language :: Python :: 3.5
  Programming Language :: Python :: 3.6
  Programming Language :: Python :: Implementation :: PyPy
  Topic :: Software Development :: Libraries :: Python Modules
  Topic :: System :: Clustering
  Topic :: System :: Distributed Computing
  Topic :: System :: Systems Administration

Metadata-Version: 2.0
Name: pywinrm
Version: 0.2.2
Summary: Python library for Windows Remote Management
Home-page: http://github.com/diyan/pywinrm/
Author: Alexey Diyan
Author-email: alexey.diyan@gmail.com
Installer: pip
License: MIT license
Location: /usr/lib/python2.7/site-packages
Requires: six, requests-ntlm, requests, xmltodict
Classifiers:
  Development Status :: 4 - Beta
  Environment :: Console
  Intended Audience :: Developers
  Intended Audience :: System Administrators
  Natural Language :: English
  License :: OSI Approved :: MIT License
  Programming Language :: Python
  Programming Language :: Python :: 2
  Programming Language :: Python :: 2.6
  Programming Language :: Python :: 2.7
  Programming Language :: Python :: 3
  Programming Language :: Python :: 3.3
  Programming Language :: Python :: 3.4
  Programming Language :: Python :: 3.5
  Programming Language :: Python :: 3.6
  Programming Language :: Python :: Implementation :: PyPy
  Topic :: Software Development :: Libraries :: Python Modules
  Topic :: System :: Clustering
  Topic :: System :: Distributed Computing
  Topic :: System :: Systems Administration
SUMMARY

See server_cert_validation 'ignore' no longer works in 0.3.0
diyan/pywinrm#201

STEPS TO REPRODUCE
# windoz inventory
[windows]
win1   ansible_host=123.45.67.106   ansible_password=ThePassword1

[windows:vars]
ansible_user=Admin
ansible_port=5986
ansible_connection=winrm
# The following is necessary for Python 2.7.9+ (or any older Python that has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation=ignore

ansible windows -i windoz -m win_ping

Resolved with

pip install "winrm==0.2.2"
EXPECTED RESULTS
win1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
ACTUAL RESULTS
"msg": "ssl: HTTPSConnectionPool(host='123.45.67.106', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)\",),))"
@kcd83
Copy link
Contributor Author

kcd83 commented Jan 3, 2018

Feel free to close this, hopefully this will help next person workaround the bug and not blame ansible :)

diyan/pywinrm#201

@ansibot
Copy link
Contributor

ansibot commented Jan 3, 2018

cc @Qalthos @ganeshrn @gundalow @kedarX @privateip @rcarrillocruz @trishnaguha
click here for bot help

@ansibot ansibot added affects_2.5 This issue/PR affects Ansible v2.5 docs_report needs_triage Needs a first human triage before being processed. networking Network category support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jan 3, 2018
@jborean93 jborean93 added windows Windows community and removed needs_triage Needs a first human triage before being processed. networking Network category labels Jan 3, 2018
@nitzmahone
Copy link
Member

bot_status

@ansibot
Copy link
Contributor

ansibot commented Jan 3, 2018

Components

lib/ansible/plugins/connection/init.py
support: core
maintainers:

lib/ansible/plugins/connection/buildah.py
support: core
maintainers:

lib/ansible/plugins/connection/chroot.py
support: core
maintainers:

lib/ansible/plugins/connection/docker.py
support: core
maintainers:

lib/ansible/plugins/connection/funcd.py
support: core
maintainers:

lib/ansible/plugins/connection/iocage.py
support: core
maintainers:

lib/ansible/plugins/connection/jail.py
support: core
maintainers:

lib/ansible/plugins/connection/libvirt_lxc.py
support: core
maintainers:

lib/ansible/plugins/connection/local.py
support: core
maintainers:

lib/ansible/plugins/connection/lxc.py
support: core
maintainers:

lib/ansible/plugins/connection/lxd.py
support: core
maintainers:

lib/ansible/plugins/connection/netconf.py
support: core
maintainers: Qalthos ganeshrn gundalow kedarX privateip rcarrillocruz trishnaguha

lib/ansible/plugins/connection/network_cli.py
support: core
maintainers: Qalthos ganeshrn gundalow kedarX privateip rcarrillocruz trishnaguha

lib/ansible/plugins/connection/paramiko_ssh.py
support: core
maintainers:

lib/ansible/plugins/connection/persistent.py
support: core
maintainers: Qalthos ganeshrn gundalow kedarX privateip rcarrillocruz trishnaguha

lib/ansible/plugins/connection/saltstack.py
support: core
maintainers:

lib/ansible/plugins/connection/ssh.py
support: core
maintainers:

lib/ansible/plugins/connection/winrm.py
support: core
maintainers:

lib/ansible/plugins/connection/zone.py
support: core
maintainers:

Metadata

waiting_on: maintainer
needs_info: False

click here for bot help

@jborean93
Copy link
Contributor

!component =lib/ansible/plugins/connection/winrm.py

@jctanner
Copy link
Contributor

jctanner commented Jan 3, 2018

bot_status

@ansibot
Copy link
Contributor

ansibot commented Jan 3, 2018

Components

lib/ansible/plugins/connection/winrm.py
support: core
maintainers:

Metadata

waiting_on: maintainer
needs_info: False

click here for bot help

@nitzmahone
Copy link
Member

Not an Ansible issue- closing

@ansibot ansibot added docs This issue/PR relates to or includes documentation. and removed docs_report labels Mar 1, 2018
@JoshuaSeidel
Copy link

@nitzmahone can this be re-opened. its still not working, fatal: [web]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='127.0.0.1', port=55986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))", "unreachable": true}

even tho i have it set to ignore

@ghost
Copy link

ghost commented Feb 26, 2019

Same here. Masked IP xxx.xxx.xxx.xxx

  1. Using Python 2.7 in RHEL7
  2. Executed powershell script in windows machine ConfigureRemotingForAnsible.ps1
  3. Configured yml file to the below:
  • name: hit windows test instance
    hosts: "tag_class_windows_{{ env }}_{{ ec2_class }}"
    vars:
    ansible_user: Administrator
    ansible_password: {{ password }}
    ansible_port: 5986
    ansible_connection: winrm
    ansible_winrm_server_cert_validation: ignore
    ansible_winrm_operation_timeout_sec: 60
    ansible_winrm_read_timeout_sec: 70
    tasks:
    • ec2:
      state: 'absent'
      instance_ids: {{ instance_id }}'
      ec2_region: '{{ ec2_region }}'
      delegate_to: localhost

Error encountered:
fatal: [xxx.xxx.xxx.xxx]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='localhost', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fefb0fdf3d0>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}

@dentarg dentarg mentioned this issue Mar 8, 2019
Closed
@ansible ansible locked and limited conversation to collaborators Apr 26, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
affects_2.5 This issue/PR affects Ansible v2.5 docs This issue/PR relates to or includes documentation. support:core This issue/PR relates to code supported by the Ansible Engineering Team. windows Windows community
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@kcd83 @jctanner @ansibot @nitzmahone @jborean93 @JoshuaSeidel