Setup WinRM for Ansible with Certificate Authentication in 8 Easy Steps
A complete guide to setting up a production Windows machine with WinRM over HTTPS using certificate authentication. This allows the Ansible server to communicate with the Windows host in order to configure it. All the scripts used in this video are in the Git repository linked below.
Previous Video: https://youtu.be/FkBX7DXTDc0
Github Repository: https://github.com/devopssolver/ansible-winrm-cert-auth
Table of Contents:
► 00:21 – Step 1: Create Client Certificates
► 01:38 – Step 2: Install Client Certs on Win Server
► 03:01 – Step 3: Enable WinRM Service on Win Server
► 03:55 – Step 4: Create Certificates on Win Server
► 04:34 – Step 5: Setup Ansible User on Win Server
► 05:23 – Step 6: Create WinRM Https Listener
► 06:16 – Step 7: Allow WinRM Https Port on Win Server
► 06:35 – Step 8: Setup and Test Ansible
Resources:
► Adam The Automator Blog Post – https://adamtheautomator.com/winrm-https-ansible/?utm_source=adamtheautomator&utm_medium=website&utm_campaign=search
13 Comments
Sunny Bhatia
May 09, 2022 19:54 pm
Thank you very much for this video. I like it.
But while working I am facing one error while running create_ansible_user.ps1.
it says
New-Item : The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be
verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account
and try again.
Can you help?
_ Oly _
May 09, 2022 19:54 pm
Probably the best video I have seen on this topic... thanks
Clinton Ryan Manigsaca
May 09, 2022 19:54 pm
Is it possible to use only 1 certificate for all my Windows servers?
That way I do not have to generate and sign each one of them.
I have about 100+ servers so it can be a bit difficult to maintain.
Varune Pundit
May 09, 2022 19:54 pm
Thank you for this! Very useful. One question, can you use a domain ID instead of a local account?
SSP
May 09, 2022 19:54 pm
Hi @DevOpsLab,
While using the PowerShell script create_ansible_user.ps1, I am getting the error below:
New-Item : The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a
non-domain account and try again.
At C:TempClient_certcreate_ansible_user.ps1:51 char:1
+ New-Item @params
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-Item], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.NewItemCommand
It would be great if you could help.
Farid Nasiri
May 09, 2022 19:54 pm
Thanks for the excellent article and video. What could be the reason for this error? The server is pingable.
fatal: [chq-dsctest.abcd..com]: UNREACHABLE! => {"changed": false, "msg": "certificate: HTTPSConnectionPool(host='chq-dsctest.abcd..com', port=5986): Max retries exceeded with url: /wsman (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))", "unreachable": true}
duplex work
May 09, 2022 19:54 pm
Hello, I am getting an error when generating the client auth certificate using the openssl cmd.
I verified the requirements and all is fine, but I am still getting the openssl error below.
Please help me out with this.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out client_cert.pem -outform PEM -keyout client_key.pem -subj "/CN=ansible" -extensions v3_req_client
Error:
140010270967696:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 5
openssl.conf:
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$ansible@localhost
Installed Packages
openssl.x86_64 1:1.0.2k-21.el7_9 @rhel-x86_64-server-7
Red Hat Enterprise Linux Server release 7.9 (Maipo)
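The "variable has no value" error at line 5 of the config above comes from the literal $ansible: OpenSSL's config parser treats $name as a variable reference, so the user name has to be substituted before the file is written. The following is an added example, not code from the video's repository or from the commenter, and its function names are assumptions; it writes the config with the name expanded by the shell, rejects a config that still contains a "$", and generates the client certificate.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the video's repository.

# Write the OpenSSL config with the user name already substituted by the shell.
# The unquoted heredoc delimiter (EOF, not 'EOF') makes the shell expand ${user};
# a literal "$name" left in the file is read by OpenSSL as a config variable.
write_client_conf() {
    user=$1
    conf=$2
    cat > "$conf" <<EOF
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${user}@localhost
EOF
}

# Succeeds only if no "$" survived into the config file.
conf_is_clean() {
    ! grep -q '\$' "$1"
}

# Generate a self-signed client certificate and key for WinRM certificate mapping.
make_client_cert() {
    user=$1
    dir=$2
    write_client_conf "$user" "$dir/openssl.conf"
    conf_is_clean "$dir/openssl.conf" || return 1
    # umask in a subshell so the private key is created owner-readable only
    ( umask 077
      openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
          -config "$dir/openssl.conf" -extensions v3_req_client \
          -subj "/CN=$user" -outform PEM \
          -out "$dir/client_cert.pem" -keyout "$dir/client_key.pem" 2>/dev/null )
}

# Print the two extensions the certificate mapping depends on (EKU and SAN).
cert_extensions() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 -E 'Extended Key Usage|Subject Alternative Name'
}

# Usage: make_client_cert ansible . && cert_extensions ./client_cert.pem
```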
stormalf summoners war
May 09, 2022 19:54 pm
Many thanks, very clear, detailed and useful. Now Ansible on WSL2 works well with Windows using WinRM and an SSL certificate!
Warley Vinicius
May 09, 2022 19:54 pm
Hello, can you help me with authentication using Kerberos (using Active Directory on Windows)?
Nimish Chandra
May 09, 2022 19:54 pm
Hello, I have done all the steps successfully but somehow I am able to connect getting ""msg": "certificate: the specified credentials were rejected by the server",
"unreachable": true
" please help.
Ari Prince
May 09, 2022 19:54 pm
Pretty impressive tutorial, but I am having an issue with script 6, creating the WinRM HTTPS listener.
Could you please help me to solve this problem?
David McKee
May 09, 2022 19:54 pm
I'm not going to lie, this video is brilliant. It's so incredibly helpful, thank you for taking the time to create and share it. Topics like this don't have enough online support to help the tech industry become knowledgeable of these topics. This is very precise, and looks to cover all the steps needed. Great Job!
Tài Phạm Quý
May 09, 2022 19:54 pm
Hey bro, can you help me? Why do I have an issue at step 6?
Error: the winrm client cannot process the request. the certificate structure was incomplete
Thanks a lot