I recommend reading over https://github.com/ansible/ansible/issues/14710
Per that issue, ansible_winrm_server_cert_validation can *only* be set via inventory.

On Thu, Mar 3, 2016 at 11:28 AM, Slim Slam <[email protected]> wrote:

> Hi Matt, I'm using dynamically generated inventory in this case. So, I've
> used Ansible to generate a Windows instance and then I do this:
>
> PLAY [Configure the EC2 instance] **********************************************
>
> TASK [setup] *******************************************************************
>   gather_facts: True
>   vars:
>     ansible_port: 5986
>     ansible_connection: winrm
>     ansible_winrm_transport: ssl
>     ansible_winrm_server_cert_validation: ignore
>   ....
>   ....
>
> And I get this outcome:
>
> PLAY [Configure the EC2 instance] **********************************************
>
> TASK [setup] *******************************************************************
> <52.36.20.10> ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 5986 TO 52.36.20.10
> <52.36.20.10> WINRM CONNECT: transport=ssl endpoint=https://52.36.20.10:5986/wsman
> <52.36.20.10> WINRM CONNECTION ERROR: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
> Traceback (most recent call last):
>   File "/usr/local/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 138, in _winrm_connect
>     protocol.send_message('')
>   File "/home/ec2-user/.local/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
>     return self.transport.send_message(message)
>   File "/home/ec2-user/.local/lib/python2.7/site-packages/winrm/transport.py", line 138, in send_message
>     raise WinRMTransportError('http', ex.reason)
> WinRMTransportError: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
> fatal: [52.36.20.10]: FAILED! => {"failed": true, "msg": "ssl: 500 WinRMTransport. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)"}
>
> Am I missing something here??
>
> -J
>
> On Thursday, March 3, 2016 at 10:43:43 AM UTC-6, Matt Martz wrote:
>>
>> The appropriate solution to verifying SSL or not in v2 is to put the
>> following in your inventory:
>>
>> ansible_winrm_server_cert_validation=ignore ansible_winrm_transport=ssl
>>
>> As for xmltodict, you didn't say why those things didn't work, but a
>> `pip install -U xmltodict --user python` should have worked. I notice the
>> thing that did work, indicated that you needed to use `--user`, and the
>> things that didn't work did not include that flag.
>>
>> On Thu, Mar 3, 2016 at 10:38 AM, Slim Slam <[email protected]> wrote:
>>
>>> Ansible 2.0.1
>>>
>>> Control machine: Latest version of Amazon Linux - CentOS 6 variant (has
>>> stock Python 2.7.10)
>>> Target machine: AWS Windows Server 2012R2 (prepared for Ansible)
>>>
>>> Two errors occur:
>>>
>>> 1. "ImportError: No module named xmltodict"
>>>
>>> Solution:
>>>
>>> Things that DID NOT WORK:
>>>     pip install xmltodict
>>>     pip install python-xmltodict
>>>     yum install xmltodict
>>>     yum install python-xmltodict
>>>
>>> Thing that DID WORK:
>>>     pip install --upgrade pywinrm --user python
>>>
>>> 2. "WinRMTransportError: 500 WinRMTransport. [SSL:
>>> CERTIFICATE_VERIFY_FAILED] certificate verify failed"
>>>
>>> Solution:
>>> There are a few solutions, but I like my solution here:
>>> https://groups.google.com/d/msg/ansible-project/PNzzvbeT5hY/BwfgLOBIDAAJ
>>>
>>> Slightly modified for Amazon Linux:
>>>
>>> Edit (or create) the file
>>> /usr/lib/python2.7/site-packages/sitecustomize.py
>>> Add this code to the file:
>>>
>>> import ssl
>>>
>>> try:
>>>     _create_unverified_https_context = ssl._create_unverified_context
>>> except AttributeError:
>>>     # Legacy Python that doesn't verify HTTPS certificates by default
>>>     pass
>>> else:
>>>     # Handle target environment that doesn't support HTTPS verification
>>>     ssl._create_default_https_context = _create_unverified_https_context
>>>
>>> Isn't this supposed to be fixed (or have an option) in Ansible 2 ??
>>>
>>> ===
>>
>> --
>> Matt Martz
>> @sivel
>> sivel.net

--
Matt Martz
@sivel
sivel.net

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAD8N0v_XsPp8Ev0vF86HOodb9-LemAdKTTuQoD_7hgpBXWJCbw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
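
The thread's point that the variable must come from inventory, applied to a dynamic inventory script. This is an added example, not part of the original messages; the `windows` group, the `self_signed` flag and the 192.0.2.x addresses are constructed, and it assumes variables emitted under `_meta.hostvars` are treated as inventory variables.

```python
import argparse
import json

# Constructed sample data: a real script would build this from the EC2 API.
# 192.0.2.x are documentation addresses, not the host from the thread.
INSTANCES = [
    {"address": "192.0.2.10", "self_signed": True},   # fresh instance, default WinRM cert
    {"address": "192.0.2.11", "self_signed": False},  # has a CA-issued certificate
]


def winrm_hostvars(instance):
    """Connection variables for one Windows host, using the names from the thread."""
    hostvars = {
        "ansible_port": 5986,
        "ansible_connection": "winrm",
        "ansible_winrm_transport": "ssl",
    }
    if instance["self_signed"]:
        # Scoped to this one host; hosts without the flag keep validation on.
        hostvars["ansible_winrm_server_cert_validation"] = "ignore"
    return hostvars


def build_inventory(instances):
    """Return the JSON structure Ansible expects from `--list`."""
    hostvars = {i["address"]: winrm_hostvars(i) for i in instances}
    return {"windows": {"hosts": sorted(hostvars)}, "_meta": {"hostvars": hostvars}}


def main(argv=None):
    parser = argparse.ArgumentParser()
    parser.add_argument("--list", action="store_true")
    parser.add_argument("--host")
    args = parser.parse_args(argv)
    inventory = build_inventory(INSTANCES)
    if args.host:
        result = inventory["_meta"]["hostvars"].get(args.host, {})
    else:
        result = inventory
    print(json.dumps(result, indent=2))
    return result


if __name__ == "__main__":
    main()
```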
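
The `sitecustomize.py` workaround quoted above turns off HTTPS certificate verification for every program run by that interpreter, not only Ansible. An added check (not part of the original messages, written for Python 3; the function names are illustrative) that reports whether an interpreter is in that state and which customize file causes it:

```python
import importlib.util
import re
import ssl

# The workaround quoted in the thread, embedded as sample input for the scanner.
PAGE_SNIPPET = """\
import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context
"""

# An assignment (not a comparison) to the default HTTPS context factory.
ASSIGNMENT = re.compile(r"^\s*ssl\._create_default_https_context\s*=(?!=)", re.MULTILINE)


def patches_default_context(source):
    """True if the source text rebinds ssl._create_default_https_context."""
    return bool(ASSIGNMENT.search(source))


def customize_files_with_patch():
    """Paths of importable sitecustomize/usercustomize modules containing the rebind."""
    hits = []
    for name in ("sitecustomize", "usercustomize"):
        spec = importlib.util.find_spec(name)
        if spec is None or not spec.origin or not spec.origin.endswith(".py"):
            continue
        with open(spec.origin, encoding="utf-8", errors="replace") as fh:
            if patches_default_context(fh.read()):
                hits.append(spec.origin)
    return hits


def is_globally_unverified():
    """True if the default HTTPS context skips chain or hostname checks."""
    ctx = ssl._create_default_https_context()
    return ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname


if __name__ == "__main__":
    print("patched customize files:", customize_files_with_patch())
    print("HTTPS verification disabled in this interpreter:", is_globally_unverified())
```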
