
Windows provisioning -AWS #40109

Closed
sumeetisp opened this issue Mar 17, 2017 · 7 comments
Labels: Upstream-Bug (is a result of an upstream issue, not in salt)
Milestone: Blocked

Comments

@sumeetisp
Contributor

sumeetisp commented Mar 17, 2017

Description of Issue/Question

My profile file has the following content,

aws-win-2012:
  provider: aws-dev
  image: ******
  size: t2.micro
  win_installer: /tmp/Salt-Minion-2014.7.0-AMD64-Setup.exe
  win_username: ********
  win_password: *******
  keyname: naga_salt
  private_key: /root/naga_salt.pem
  userdata_file: /etc/salt/cloud.profiles.d/windows-firewall.ps1
  deploy: true
  use_winrm: true

My providers file has the following,

aws-dev:
  minion:
    master: *******
  id: sdb://myvault/aws?id
  key: sdb://myvault/aws?key
  private_key: /root/naga_salt.pem
  keyname: naga_salt
  ssh_username: cloudadmin
  driver: ec2
  ssh_interface: private_ips
  availability_zone: us-east-1b
  win_deploy_auth_retries: 20
  win_deploy_auth_retry_delay: 5
  salt_interface: private_ips
  make_master: False
  script: bootstrap-salt
  script_args: stable 2016.11.2
  network_interfaces:
    - AssociatePublicIpAddress: True
      DeviceIndex: 0
      SubnetId: subnet-bd2bebd7
      SecurityGroupId:
        - *****

I am trying to provision a Windows machine on AWS. The provisioning goes smoothly.
But when the master tries to communicate with the VM, first on 445 and then on 5986, both ports time out.

Then I used the userdata_file contents from the following link:
https://docs.saltstack.com/en/latest/topics/cloud/windows.html

While the master is trying to connect to port 5986, I simultaneously RDP to the Windows machine and run the script manually. After it finishes executing, I get the following error on the master:

[DEBUG   ] Trying to authenticate via Winrm using pywinrm
[DEBUG   ] Attempting WinRM connection to host 10.******** on port 5986
[ERROR   ] There was a profile error: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/salt/cloud/cli.py", line 284, in run
    self.config.get('names')
  File "/usr/lib/python2.7/dist-packages/salt/cloud/__init__.py", line 1458, in run_profile
    ret[name] = self.create(vm_)
  File "/usr/lib/python2.7/dist-packages/salt/cloud/__init__.py", line 1288, in create
    output = self.clouds[func](vm_)
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/ec2.py", line 2610, in create
    vm_, data, ip_address, display_ssh_output
  File "/usr/lib/python2.7/dist-packages/salt/cloud/clouds/ec2.py", line 2297, in wait_for_instance
    timeout=ssh_connect_timeout):
  File "/usr/lib/python2.7/dist-packages/salt/utils/cloud.py", line 842, in wait_for_winrm
    r = s.run_cmd('sc query winrm')
  File "/usr/local/lib/python2.7/dist-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 184, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is there a way to say verify_ssl: false, or any other config parameter that I am missing?

Also, if the userdata has to be passed to the provisioned machine, how does that happen, given that the master is not able to communicate with the minion at all?

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
Salt: 2016.11.2

Dependency Versions:
cffi: 1.9.1
cherrypy: 3.2.2
dateutil: 2.6.0
gitdb: 0.5.4
gitpython: 0.3.2 RC1
ioflo: Not Installed
Jinja2: 2.8
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.21.1
Mako: 0.9.1
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: 1.2.3
pycparser: 2.10
pycrypto: 2.6.1
pygit2: Not Installed
Python: 2.7.6 (default, Oct 26 2016, 20:30:19)
python-gnupg: Not Installed
PyYAML: 3.10
PyZMQ: 14.0.1
RAET: Not Installed
smmap: 0.8.2
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.0.4

System Versions:
dist: Ubuntu 14.04 trusty
machine: x86_64
release: 3.16.0-30-generic
system: Linux
version: Ubuntu 14.04 trusty

@gtmanfred
Contributor

This is a known issue in winrm

They do not provide a way to supply an internal CA, and also do not allow for turning off SSL verification of the winrm connection.

diyan/pywinrm#138

Which looks like it is going to move over to diyan/pywinrm#160

If you downgrade to pywinrm==0.1.1, this should work

Thanks,
Daniel

@gtmanfred gtmanfred added the Upstream-Bug is a result of an upstream issue, not in salt label Mar 17, 2017
@gtmanfred gtmanfred added this to the Blocked milestone Mar 17, 2017
@sumeetisp
Contributor Author

As an alternative to this, winexe can also be used according to the documentation. But I did not find any particular winexe module for Ubuntu.

I will also be using VMware and Azure; which will be a better fit for all three providers, winexe or WinRM?

@gtmanfred
Contributor

I think you can use either of them on any of the providers.

@jborean93

I know this bug is closed, but you can't get pywinrm to turn off SSL verification; when calling Protocol, if you set server_cert_validation to ignore it will ignore any certs. This is what is currently used with Ansible and has worked for a while.

@gtmanfred
Contributor

@jborean93 This is the issue you are looking for #34783

We do not support pywinrm >=2 yet, they made a change in 0.2.0 that required a certificate, it looks like they now allow for the certificate to be ignored, but we have not made changes to allow for that. I would love a PR to enable it for the cloud pywinrm support, but right now, you will need to use pywinrm 0.1.1.

pip install pywinrm==0.1.1
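
The certificate-verification question runs through the whole thread (the original request for a verify_ssl: false switch, and the later note about server_cert_validation='ignore' in pywinrm). Below is an added example, not code from salt-cloud, pywinrm or any participant here: a stand-alone Python 3 script, standard library only, that fetches the certificate the Windows WinRM listener on 5986 presents, prints its SHA-1 thumbprint in the form Windows shows, checks it against a thumbprint recorded out of band (pinning, which is the alternative to "ignore" when there is no internal CA), and builds the ssl contexts that correspond to the three policies discussed: ignore, trust a supplied CA/self-signed cert, and the default system store that produces "certificate verify failed". pywinrm itself sends requests through the requests library, so this script does not patch pywinrm; it is a diagnostic to run from the master. All function names, the constructed sample bytes, and the command-line shape are assumptions of this example; it assumes Python 3.6 or newer.

```python
"""Diagnose and pin the WinRM HTTPS listener certificate a salt master rejects.

Added example (not salt-cloud or pywinrm code). Standard library only.
"""
import hashlib
import hmac
import socket
import ssl
import sys

WINRM_HTTPS_PORT = 5986  # the port salt's wait_for_winrm polls

# Constructed stand-in for a DER certificate so the helpers can be exercised
# offline; it is NOT a real certificate.
SAMPLE_DER = b"constructed-not-a-real-certificate"


def fetch_peer_cert(host, port=WINRM_HTTPS_PORT, timeout=10):
    """Return the DER certificate the listener presents.

    Verification is deliberately disabled here because the purpose is to
    retrieve a certificate the default trust store rejects; nothing is sent
    over this connection, so this is safe to use for diagnosis only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def thumbprint(der_cert):
    """SHA-1 thumbprint, uppercase hex, as Windows shows it in
    Cert:\\LocalMachine\\My and in the WSMan HTTPS listener config."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def verify_pinned(der_cert, expected_thumbprint):
    """Accept the cert only if its thumbprint matches one recorded out of
    band (e.g. read over RDP on the instance). Constant-time compare."""
    expected = expected_thumbprint.replace(" ", "").replace(":", "").upper()
    return hmac.compare_digest(thumbprint(der_cert), expected)


def ssl_context_for(ca_pem=None, insecure=False):
    """Client context for each policy discussed in the thread.

    insecure=True : equivalent of pywinrm server_cert_validation='ignore'
                    (no chain check, no hostname check)
    ca_pem=<PEM>  : trust only the supplied internal CA or self-signed cert
    neither       : system trust store; fails on a self-signed listener cert
                    with 'certificate verify failed'
    """
    if insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if ca_pem is not None:
        # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname check.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cadata=ca_pem)
        return ctx
    return ssl.create_default_context()


def describe_context(ctx):
    """Plain summary of a context's policy, for logging and assertions."""
    return {
        "verify": "none" if ctx.verify_mode == ssl.CERT_NONE else "required",
        "check_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    # Usage: python winrm_cert_check.py <host> [<expected-thumbprint>]
    # With no arguments the constructed sample is used instead of a live host.
    if len(sys.argv) > 1:
        der = fetch_peer_cert(sys.argv[1])
    else:
        der = SAMPLE_DER
    print("listener cert thumbprint:", thumbprint(der))
    if len(sys.argv) > 2:
        print("pinned thumbprint matches:", verify_pinned(der, sys.argv[2]))
    for name, ctx in (("ignore", ssl_context_for(insecure=True)),
                      ("system store", ssl_context_for())):
        print(name, describe_context(ctx))
```

Two caveats a practitioner should keep in mind. First, the ca_pem policy still performs a hostname check, so if the listener's self-signed certificate was issued to the machine's hostname and the master connects by private IP (salt_interface: private_ips), that policy fails even with the right CA loaded; the thumbprint pin sidesteps that without giving up authentication. Second, the "ignore" context is only acceptable on a network path you already trust, because it lets anything that can answer on 5986 receive the win_password.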

@TTimo
Contributor

TTimo commented May 27, 2017

FWIW downgrading to pywinrm 0.1.1 doesn't resolve this problem on my setup.

@gtmanfred
Contributor

Newer versions of pywinrm will be usable in develop after this is merged: #42214

4 participants