Alex's questions

Alex
Asked: 2020-01-16 07:43:05 +0800 CST

Ansible SSL certificate verification failed

  • 1

I am trying to set up Ansible to manage Windows hosts. The hosts will use SSL certificates issued by an internal CA. I have configured the Windows host following the instructions here. But when I try to connect using the win_ping module, I get:

HTTPSConnectionPool(host='[email protected]', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))

I have confirmed that the certificate issued by my CA is the one in use when connecting to the Windows host on port 5986. I tried specifying the CA certificate with ansible_winrm_ca_trust_path as a variable in my hosts file, but it does not verify the certificate. This is what I have in my hosts file:

local:
  control:

win_test:
  hosts:
    winhost.mydomain.local:
  vars:
    ansible_connection: winrm
    ansible_user: [email protected]
    ansible_password: "#######"
    ansible_connection: winrm
    ansible_winrm_transport: kerberos
    ansible_winrm_ca_trust_path: /home/[email protected]/ansible/CA.cert

So, what am I doing wrong with certificate verification? As an FYI, I am running Ansible v2.9.2 with Python 2.7.5.

Update: I switched to Python 3 and got the same error. Here is the verbose output of the error:

ansible 2.9.2
  config file = /home/[email protected]/ansible/ansible.cfg
  configured module search path = ['/home/[email protected]/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/[email protected]/.local/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /home/[email protected]/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
script declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
[WARNING]: While constructing a mapping from /home/[email protected]/ansible/hosts, line 12, column 5, found a duplicate dict key (ansible_connection). Using last defined value only.

Skipping empty key (control) in group (local)
Parsed /home/[email protected]/ansible/hosts inventory source with yaml plugin
Loading callback plugin minimal of type stdout, v2.0 from /home/[email protected]/.local/lib/python3.6/site-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module file /home/[email protected]/.local/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<winhost.mydomain.local> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO winhost.mydomain.local
creating Kerberos CC at /tmp/tmpwetofduv
calling kinit with subprocess for principal [email protected]
kinit succeeded for principal [email protected]
<winhost.mydomain.local> WINRM CONNECT: transport=kerberos endpoint=https://winhost.mydomain.local:5986/wsman
<winhost.mydomain.local> WINRM CONNECTION ERROR: HTTPSConnectionPool(host='winhost.mydomain.local', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
Traceback (most recent call last):
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connection.py", line 394, in connect
    ssl_context=context,
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 773, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1033, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
Tags: ansible
  • 1 answer
  • 11687 views
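What a practitioner would check next, given the error above: the file named in ansible_winrm_ca_trust_path is passed through pywinrm to the Python requests/OpenSSL stack, which expects a PEM-encoded CA certificate (or chain), and the listener certificate must carry the host name Ansible connects to in its Subject Alternative Name. The script below is an added example, not code from the original post or from Ansible: it generates a throw-away internal CA and listener certificate (the CA name and the host name winhost.mydomain.local are assumptions taken from the inventory) and runs the same chain and host-name verification offline with openssl, including the case where the CA certificate was exported from a Windows CA in DER form (.cer), which OpenSSL's file loader does not accept until it is converted to PEM.

```shell
#!/bin/sh
# Added example (not from the original post, not Ansible's own code): check a
# WinRM listener certificate the way the control node's OpenSSL stack does.
# Everything here is generated locally; the CA name and host name are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=winhost.mydomain.local   # the name Ansible connects to (from the inventory)

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. Throw-away internal CA (stands in for the poster's internal CA).
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Demo Internal CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Listener certificate whose SAN carries the host name; a matching CN alone
#    is not enough for current verifiers.
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/host.pem" 2>/dev/null

# 3. The same CA the way a Windows CA typically exports it: DER-encoded .cer.
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"

# 4. The conversion a control node needs before pointing ansible_winrm_ca_trust_path
#    at an exported .cer file.
openssl x509 -inform DER -in "$WORK/ca.cer" -out "$WORK/ca_from_der.pem"

# verify_listener CAFILE CERT HOSTNAME -> prints "ok" or "fail"
# Same chain + host-name check a TLS client performs, without a network connection.
verify_listener() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "PEM CA, name matches:         $(verify_listener "$WORK/ca.pem" "$WORK/host.pem" "$HOST")"
echo "DER .cer used as-is:          $(verify_listener "$WORK/ca.cer" "$WORK/host.pem" "$HOST")"
echo "PEM CA, name does not match:  $(verify_listener "$WORK/ca.pem" "$WORK/host.pem" other.mydomain.local)"
echo "DER converted to PEM:         $(verify_listener "$WORK/ca_from_der.pem" "$WORK/host.pem" "$HOST")"
```

Against the real listener the equivalent live check is `openssl s_client -connect winhost.mydomain.local:5986 -CAfile CA.pem -verify_hostname winhost.mydomain.local`, run from the control node; "Verify return code: 0 (ok)" there means the file is usable as ansible_winrm_ca_trust_path, while "unable to get local issuer certificate" points at a missing intermediate in the file and "Hostname mismatch" at a SAN that does not cover the inventory name.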
Alex
Asked: 2016-05-12 12:15:12 +0800 CST

yum-cron mail goes to root instead of the specified user

  • 0

I have several RHEL 6 servers on which I have configured yum-cron to run. I have configured them to send the email output to my address. The problem is that all but one of the servers are still sending the mail to root. I am sure I am missing something simple, but for the life of me I cannot figure out what. Any suggestions?

In the configs and logs below, ServerOne is delivering the message to the correct address and ServerTwo is not.

Here is the mail log from ServerOne:

May 11 04:51:43 ServerOne postfix/pickup[31719]: 8093C29EBD5: uid=0 from=<root>
May 11 04:51:43 ServerOne postfix/cleanup[53080]: 8093C29EBD5: message-id=<[email protected]>
May 11 04:51:43 ServerOne postfix/qmgr[6134]: 8093C29EBD5: from=<[email protected]>, size=29582, nrcpt=1 (queue active)
May 11 04:51:44 ServerOne postfix/smtp[53089]: 8093C29EBD5: to=<[email protected]>, relay=10.1.0.7[10.1.0.7]:25, delay=1.2, delays=0.29/0.01/0.01/0.9, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> [InternalId=6452520] Queued mail for delivery)
May 11 04:51:44 ServerOne postfix/qmgr[6134]: 8093C29EBD5: removed

Note the recipient address of [email protected]. Now, here is the mail log from ServerTwo:

May 10 03:55:13 ServerTwo postfix/pickup[27828]: 0A93C29F4AA: uid=0 from=<root>
May 10 03:55:13 ServerTwo postfix/cleanup[36376]: 0A93C29F4AA: message-id=<[email protected]>
May 10 03:55:13 ServerTwo postfix/qmgr[5934]: 0A93C29F4AA: from=<[email protected]>, size=15519, nrcpt=1 (queue active)
May 10 03:55:13 ServerTwo postfix/cleanup[36376]: 2EBA629F07B: message-id=<[email protected]>
May 10 03:55:13 ServerTwo postfix/qmgr[5934]: 2EBA629F07B: from=<[email protected]>, size=15685, nrcpt=1 (queue active)
May 10 03:55:13 ServerTwo postfix/local[36378]: 0A93C29F4AA: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.27, delays=0.19/0.06/0/0.02, dsn=2.0.0, status=sent (forwarded as 2EBA629F07B)
May 10 03:55:13 ServerTwo postfix/qmgr[5934]: 0A93C29F4AA: removed
May 10 03:55:13 ServerTwo postfix/smtp[36379]: 2EBA629F07B: to=<[email protected]>, orig_to=<root>, relay=10.1.0.7[10.1.0.7]:25, delay=0.27, delays=0.02/0.06/0.01/0.18, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> [InternalId=6432387] Queued mail for delivery)

And note the recipient address of [email protected].

So here is my yum-cron file from ServerOne:

YUM_PARAMETER="--security"
CHECK_ONLY=no
CHECK_FIRST=no
DOWNLOAD_ONLY=no
ERROR_LEVEL=1
DEBUG_LEVEL=1
RANDOMWAIT="1"
MAILTO="[email protected]" 
SYSTEMNAME="Server One" 
CLEANDAY="0"
SERVICE_WAITS=yes
SERVICE_WAIT_TIME=300

Here is the yum-cron file from ServerTwo:

YUM_PARAMETER="--security"
CHECK_ONLY=no
CHECK_FIRST=no
DOWNLOAD_ONLY=no
ERROR_LEVEL=1
DEBUG_LEVEL=1
RANDOMWAIT="1"
MAILTO="[email protected]"
SYSTEMNAME="Server Two"
CLEANDAY="0"
SERVICE_WAITS=yes
SERVICE_WAIT_TIME=300

Here is the Postfix main.cf file from ServerOne:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = serverone.something.com
mydomain = something.com
inet_interfaces = localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
relayhost = 10.1.0.7
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sender_canonical_maps = hash:/etc/postfix/canonical

Here is main.cf from ServerTwo:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = servertwo.something.com
mydomain = something.com
inet_interfaces = localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
relayhost = 10.1.0.7
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_canonical_maps = hash:/etc/postfix/canonical
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

Finally, the Postfix canonical file from ServerOne:

[email protected]       [email protected]
@something.com           [email protected]
[email protected]    [email protected]

And postfix/canonical from ServerTwo:

[email protected]       [email protected]
@something.com           [email protected]
[email protected]    [email protected]
Tags: yum redhat rhel6
  • 1 answer
  • 237 views
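As an added check, not code from the original post: the two logs above differ in one field, orig_to=<root>, which Postfix records when the recipient address was rewritten after submission (here by the root entry in /etc/aliases). The awk function below correlates the postfix/local delivery that re-queued root's mail ("forwarded as ...") with the outbound postfix/smtp delivery of the new queue ID, so a batch of maillog files can be scanned for hosts whose yum-cron output is reaching you only through the alias rather than through MAILTO. The sample lines are constructed copies of the entries quoted above, with ops@something.com standing in for the redacted address.

```shell
#!/bin/sh
# Added example (not from the original post): find mail that reached an external
# address only because it was addressed to root and then forwarded by /etc/aliases.
# Input is Postfix maillog text on stdin.
set -eu

# root_forwarded_chains < maillog
# Output per hit: "<host> <queue id as submitted> -> <forwarded queue id> <final recipient>"
root_forwarded_chains() {
    awk '
        # postfix/local re-queued a message originally addressed to root:
        # remember which new queue ID it became.
        $5 ~ /^postfix\/local\[/ && /orig_to=<root>/ && match($0, /forwarded as [0-9A-F]+/) {
            fwd  = substr($0, RSTART + 13, RLENGTH - 13)
            orig = $6; sub(/:$/, "", orig)
            chain[fwd] = orig
        }
        # postfix/smtp delivered a queue ID we know came from a root alias:
        # report the whole chain with the final recipient.
        $5 ~ /^postfix\/smtp\[/ && /status=sent/ {
            qid = $6; sub(/:$/, "", qid)
            if (qid in chain) {
                match($0, /to=<[^>]*>/)
                to = substr($0, RSTART + 4, RLENGTH - 5)
                print $4, chain[qid], "->", qid, to
            }
        }'
}

# Constructed sample: a direct MAILTO delivery on ServerOne and an alias-forwarded
# root delivery on ServerTwo. ops@something.com is a placeholder address.
SAMPLE_LOG='May 11 04:51:44 ServerOne postfix/smtp[53089]: 8093C29EBD5: to=<ops@something.com>, relay=10.1.0.7[10.1.0.7]:25, delay=1.2, delays=0.29/0.01/0.01/0.9, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
May 10 03:55:13 ServerTwo postfix/local[36378]: 0A93C29F4AA: to=<root@servertwo.something.com>, orig_to=<root>, relay=local, delay=0.27, delays=0.19/0.06/0/0.02, dsn=2.0.0, status=sent (forwarded as 2EBA629F07B)
May 10 03:55:13 ServerTwo postfix/smtp[36379]: 2EBA629F07B: to=<ops@something.com>, orig_to=<root>, relay=10.1.0.7[10.1.0.7]:25, delay=0.27, delays=0.02/0.06/0.01/0.18, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)'

# Direct deliveries (ServerOne) are silent; only the alias chain on ServerTwo is reported.
printf '%s\n' "$SAMPLE_LOG" | root_forwarded_chains
# → ServerTwo 0A93C29F4AA -> 2EBA629F07B ops@something.com
```

Run it as `cat /var/log/maillog* | root_forwarded_chains` on each host; any host that produces output is one where the job's mail is still being submitted to root, which narrows the search to how the cron job invokes mail rather than to Postfix, since the main.cf and canonical files above are the same on both servers.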