我正在尝试设置 Ansible 来管理 Windows 主机。主机将使用内部 CA 颁发的 SSL 证书。我已经按照此处的说明配置了 Windows 主机。但是当我尝试使用模块 win_ping 进行连接时,我得到:
HTTPSConnectionPool(host='[email protected]', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))"
我已经确认,当连接到端口 5986 上的 Windows 主机时,我的 CA 颁发的证书就是正在使用的证书。我尝试使用 ansible_winrm_ca_trust_path 作为我的主机文件中的变量来指定 CA 证书,但它没有验证证书。这是我在主机文件中的内容:
local:
control:
win_test:
hosts:
winhost.mydomain.local:
vars:
ansible_connection: winrm
ansible_user: [email protected]
ansible_password: "#######"
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_ca_trust_path: /home/[email protected]/ansible/CA.cert
那么,我在证书验证方面做错了什么?作为一个仅供参考,我正在使用 Python 2.7.5 运行 Ansible v2.9.2。
更新:我切换到 Python3 并且遇到了同样的错误。这是错误的详细输出:
ansible 2.9.2
config file = /home/[email protected]/ansible/ansible.cfg
configured module search path = ['/home/[email protected]/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/[email protected]/.local/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Aug 7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /home/[email protected]/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
script declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
[WARNING]: While constructing a mapping from /home/[email protected]/ansible/hosts, line 12, column 5, found a duplicate dict key (ansible_connection). Using last defined
value only.
Skipping empty key (control) in group (local)
Parsed /home/[email protected]/ansible/hosts inventory source with yaml plugin
Loading callback plugin minimal of type stdout, v2.0 from /home/[email protected]/.local/lib/python3.6/site-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module file /home/[email protected]/.local/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<winhost.mydomain.local> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO winhost.mydomain.local
creating Kerberos CC at /tmp/tmpwetofduv
calling kinit with subprocess for principal [email protected]
kinit succeeded for principal [email protected]
<winhost.mydomain.local> WINRM CONNECT: transport=kerberos endpoint=https://winhost.mydomain.local:5986/wsman
<winhost.mydomain.local> WINRM CONNECTION ERROR: HTTPSConnectionPool(host='winhost.mydomain.local', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
Traceback (most recent call last):
File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked,
File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect()
File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connection.py", line 394, in connect
ssl_context=context,
File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
_context=self, _session=session)
File "/usr/lib64/python3.6/ssl.py", line 773, in __init__
self.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 1033, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 645, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)