ssl: Auth Methode ssl erfordert ein Passwort

Question

Während auf einem Windows-VM durch ansible zu verbinden versucht, bekomme ich dieses Problem:

TASK [setup] ******************************************************************* 
<10.xx.xx.xx> ESTABLISH WINRM CONNECTION FOR USER: winad-admin on PORT 5986 TO 10.xx.xx.xx 
fatal: [10.xx.xx.xx]: UNREACHABLE! => {"changed": false, "msg": "ssl: auth method ssl requires a password", "unreachable": true} 

---

Inventar-Datei:

---hosts--- 

[win_servers] 
10.xx.xx.xx 

[nonprod1_ad_servers:vars] 
ansible_user=administrator 
ansible_pass=Horse@1234 
ansible_port=5986 
ansible_connection=winrm 
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates: 
ansible_winrm_server_cert_validation=ignore 

---

Und der Powershell-Skript zu ermöglichen winrm auf dem Windows-Rechner verwendet wird, ist wie folgt:

---

# Configure a Windows host for remote management with Ansible 
# ----------------------------------------------------------- 
# 
# This script checks the current WinRM/PSRemoting configuration and makes the 
# necessary changes to allow Ansible to connect, authenticate and execute 
# PowerShell commands. 
# 
# Set $VerbosePreference = "Continue" before running the script in order to 
# see the output messages. 
# Set $SkipNetworkProfileCheck to skip the network profile check. Without 
# specifying this the script will only run if the device's interfaces are in 
# DOMAIN or PRIVATE zones. Provide this switch if you want to enable winrm on 
# a device with an interface in PUBLIC zone. 
# 
# Set $ForceNewSSLCert if the system has been syspreped and a new SSL Cert 
# must be forced on the WinRM Listener when re-running this script. This 
# is necessary when a new SID and CN name is created. 

Param (
    [string]$SubjectName = $env:COMPUTERNAME, 
    [int]$CertValidityDays = 365, 
    [switch]$SkipNetworkProfileCheck = $true, 
    $CreateSelfSignedCert = $true, 
    [switch]$ForceNewSSLCert = $true, 
    $VerbosePreference = "Continue" 
) 

Function New-LegacySelfSignedCert 
{ 
    Param (
     [string]$SubjectName, 
     [int]$ValidDays = 365 
    ) 

    $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" 
    $name.Encode("CN=$SubjectName", 0) 

    $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" 
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
    $key.KeySpec = 1 
    $key.Length = 1024 
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" 
    $key.MachineContext = 1 
    $key.Create() 

    $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1" 
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") 
    $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1" 
    $ekuoids.Add($serverauthoid) 
    $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" 
    $ekuext.InitializeEncode($ekuoids) 

    $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" 
    $cert.InitializeFromPrivateKey(2, $key, "") 
    $cert.Subject = $name 
    $cert.Issuer = $cert.Subject 
    $cert.NotBefore = (Get-Date).AddDays(-1) 
    $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) 
    $cert.X509Extensions.Add($ekuext) 
    $cert.Encode() 

    $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" 
    $enrollment.InitializeFromRequest($cert) 
    $certdata = $enrollment.CreateRequest(0) 
    $enrollment.InstallResponse(2, $certdata, 0, "") 

    # Return the thumbprint of the last installed certificate; 
    # This is needed for the new HTTPS WinRM listerner we're 
    # going to create further down. 
    Get-ChildItem "Cert:\LocalMachine\my"| Sort-Object NotBefore -Descending | Select -First 1 | Select -Expand Thumbprint 
} 

# Setup error handling. 
Trap 
{ 
    $_ 
    Exit 1 
} 
$ErrorActionPreference = "Stop" 

# Detect PowerShell version. 
If ($PSVersionTable.PSVersion.Major -lt 3) 
{ 
    Throw "PowerShell version 3 or higher is required." 
} 

# Find and start the WinRM service. 
Write-Verbose "Verifying WinRM service." 
If (!(Get-Service "WinRM")) 
{ 
    Throw "Unable to find the WinRM service." 
} 
ElseIf ((Get-Service "WinRM").Status -ne "Running") 
{ 
    Write-Verbose "Starting WinRM service." 
    Start-Service -Name "WinRM" -ErrorAction Stop 
} 

# WinRM should be running; check that we have a PS session config. 
If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) 
{ 
    if ($SkipNetworkProfileCheck) { 
    Write-Verbose "Enabling PS Remoting without checking Network profile." 
    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop 
    } 
    else { 
    Write-Verbose "Enabling PS Remoting" 
    Enable-PSRemoting -Force -ErrorAction Stop 
    } 
} 
Else 
{ 
    Write-Verbose "PS Remoting is already enabled." 
} 

# Make sure there is a SSL listener. 
$listeners = Get-ChildItem WSMan:\localhost\Listener 
If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"})) 
{ 
    # HTTPS-based endpoint does not exist. 
    If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue) 
    { 
     $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My" 
     $thumbprint = $cert.Thumbprint 
     Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint" 
    } 
    Else 
    { 
     $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName 
     Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint" 
    } 

    # Create the hashtables of settings to be used. 
    $valueset = @{} 
    $valueset.Add('Hostname', $SubjectName) 
    $valueset.Add('CertificateThumbprint', $thumbprint) 

    $selectorset = @{} 
    $selectorset.Add('Transport', 'HTTPS') 
    $selectorset.Add('Address', '*') 

    Write-Verbose "Enabling SSL listener." 
    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset 
} 
Else 
{ 
    Write-Verbose "SSL listener is already active." 

    # Force a new SSL cert on Listener if the $ForceNewSSLCert 
    if($ForceNewSSLCert){ 

     # Create the new cert. 
     If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue) 
     { 
      $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My" 
      $thumbprint = $cert.Thumbprint 
      Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint" 
     } 
     Else 
     { 
      $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName 
      Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint" 
     } 

     $valueset = @{} 
     $valueset.Add('Hostname', $SubjectName) 
     $valueset.Add('CertificateThumbprint', $thumbprint) 

     # Delete the listener for SSL 
     $selectorset = @{} 
     $selectorset.Add('Transport', 'HTTPS') 
     $selectorset.Add('Address', '*') 
     Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset 

     # Add new Listener with new SSL cert 
     New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset 
    } 
} 

# Check for basic authentication. 
$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"} 
If (($basicAuthSetting.Value) -eq $false) 
{ 
    Write-Verbose "Enabling basic auth support." 
    Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true 
} 
Else 
{ 
    Write-Verbose "Basic auth is already enabled." 
} 

# Configure firewall to allow WinRM HTTPS connections. 
$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" 
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any 
If ($fwtest1.count -lt 5) 
{ 
    Write-Verbose "Adding firewall rule to allow WinRM HTTPS." 
    netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow 
} 
ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) 
{ 
    Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile." 
    netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any 
} 
Else 
{ 
    Write-Verbose "Firewall rule already exists to allow WinRM HTTPS." 
} 

# Test a remoting connection to localhost, which should work. 
$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue 
$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck 

$httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue 

If ($httpResult -and $httpsResult) 
{ 
    Write-Verbose "HTTP: Enabled | HTTPS: Enabled" 
} 
ElseIf ($httpsResult -and !$httpResult) 
{ 
    Write-Verbose "HTTP: Disabled | HTTPS: Enabled" 
} 
ElseIf ($httpResult -and !$httpsResult) 
{ 
    Write-Verbose "HTTP: Enabled | HTTPS: Disabled" 
} 
Else 
{ 
    Throw "Unable to establish an HTTP or HTTPS remoting session." 
} 
Write-Verbose "PS Remoting has been successfully configured for Ansible." 

Hat jemand dieses Problem konfrontiert und lassen Sie mich wissen, wie dieses Problem gelöst werden kann?

---

ich in der Lage bin zu dem Port, über Telnet zu verbinden ..

# telnet 10.xx.xx.xx 5986 
Trying 10.xx.xx.xx... 
Connected to 10.xx.xx.xx. 
Escape character is '^]'. 

Ich habe versucht, diese auf einem anderen Server ansible gegen einen anderen Web-Server in einem anderen Netzwerk und es funktionierte gut, das war in einer 172.xx .xx.xx Netzwerk (was keinen Sinn macht).

Ich weiß, dass dieser Fehler auf diese Zeile Code verwandt ist: https://github.com/diyan/pywinrm/blob/master/winrm/transport.py

winrm config:

PS C:\Users\winserver> winrm get winrm/config 
Config 
    MaxEnvelopeSizekb = 500 
    MaxTimeoutms = 60000 
    MaxBatchItems = 32000 
    MaxProviderRequests = 4294967295 
    Client 
     NetworkDelayms = 5000 
     URLPrefix = wsman 
     AllowUnencrypted = false 
     Auth 
      Basic = true 
      Digest = true 
      Kerberos = true 
      Negotiate = true 
      Certificate = true 
      CredSSP = false 
     DefaultPorts 
      HTTP = 5985 
      HTTPS = 5986 
     TrustedHosts 
    Service 
     RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD) 
     MaxConcurrentOperations = 4294967295 
     MaxConcurrentOperationsPerUser = 1500 
     EnumerationTimeoutms = 240000 
     MaxConnections = 300 
     MaxPacketRetrievalTimeSeconds = 120 
     AllowUnencrypted = false 
     Auth 
      Basic = true 
      Kerberos = true 
      Negotiate = true 
      Certificate = false 
      CredSSP = false 
      CbtHardeningLevel = Relaxed 
     DefaultPorts 
      HTTP = 5985 
      HTTPS = 5986 
     IPv4Filter = * 
     IPv6Filter = * 
     EnableCompatibilityHttpListener = false 
     EnableCompatibilityHttpsListener = false 
     CertificateThumbprint 
     AllowRemoteAccess = true 
    Winrs 
     AllowRemoteShellAccess = true 
     IdleTimeout = 7200000 
     MaxConcurrentUsers = 10 
     MaxShellRunTime = 2147483647 
     MaxProcessesPerShell = 25 
     MaxMemoryPerShellMB = 1024 
     MaxShellsPerUser = 30 

Aber wie funktioniert das in einem Netzwerk und nicht auf der anderen Seite mit der gleichen Konfiguration und die Einstellungen ?

Answer 1

Bitte versuchen Sie Ihr Inventar von zu ändern:

ansible_password=Horse@1234 

Grüße,