
While using Ansible to manage some AWS-based Windows machines, when connecting using the IP as the destination, on some machines I'm getting an SSL error:

credssp: HTTPSConnectionPool(host='18.217.233.26', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')",),))", "unreachable": true}

In Wireshark it looks like a TCP RST is sent by the server.

When connecting using the hostname or FQDN, the connection succeeds.

I don't see any relevant log in the event logs on the WSMan side.

Does anybody have experience with setting up WinRM for Ansible and can assist?

Saar Grin

2 Answers


I faced the same error. You probably want to run the ConfigureRemotingForAnsible.ps1 script with the -ForceNewSSLCert option on your remote machines.

.\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert

storm
  • Also, when logged in to the remote machine, run as Admin PowerShell: $ winrm qc to check how your machine is currently set up. – Roadkillon101 Dec 21 '18 at 21:14
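To go with the answer above, here is an added diagnostic (not part of the original answer or of the Ansible project) for the Windows host side. It lists the WinRM HTTPS listeners, checks the bound certificate (private key present, not expired, whether the IP appears in its SAN), and shows how HTTP.SYS binds TLS on port 5986, since an IP:port binding serves clients that send no SNI (connections by IP) while a hostname:port binding needs SNI. It also defines a function that re-issues a self-signed certificate with both the FQDN and the IP in the SAN and rebinds the listener; call it only if you decide the certificate is the problem. The IP address is taken from the question and the self-signed choice mirrors what the Ansible script does; both are assumptions, and a CA-issued certificate is the right answer outside a lab.

```powershell
# Added example: inspect the WinRM HTTPS listener and its certificate.
# Run in an elevated PowerShell on the Windows host.
# Assumption: the IP is the one from the question; replace it with your own.
$ip = '18.217.233.26'

# 1. HTTPS listeners and the certificate thumbprint each one is bound to.
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) {
    Write-Warning 'No HTTPS listener is configured; run ConfigureRemotingForAnsible.ps1 first.'
    return
}

foreach ($listener in $https) {
    $props = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)"
    $thumb = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    $bound = ($props | Where-Object Name -eq 'Hostname').Value
    "Listener $($listener.Name): Hostname=$bound Thumbprint=$thumb"

    # 2. Does the bound certificate exist, carry a private key, and name the IP in its SAN?
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) { Write-Warning "Thumbprint $thumb is not in Cert:\LocalMachine\My"; continue }
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanText = if ($san) { $san.Format($true) } else { '(no SAN extension)' }
    [pscustomobject]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        DnsNames      = ($cert.DnsNameList.Unicode -join ', ')
        IpInSan       = [bool]($sanText -match [regex]::Escape($ip))
    } | Format-List
}

# 3. How HTTP.SYS binds TLS on 5986: "IP:port 0.0.0.0:5986" answers clients that send no SNI
#    (a connection by IP), whereas a "Hostname:port" binding only answers clients that do.
netsh http show sslcert | Select-String -Context 0,3 ':5986'

# 4. Optional remediation: a new self-signed certificate whose SAN covers the FQDN and the IP,
#    bound to the existing HTTPS listener. Same idea as -ForceNewSSLCert, plus the IP SAN.
function New-WinRmListenerCert {
    param([Parameter(Mandatory)][string]$Ip,
          [string]$Address = '*')                      # the Address= key of the listener
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $new  = New-SelfSignedCertificate -Subject "CN=$fqdn" -CertStoreLocation Cert:\LocalMachine\My `
        -KeyUsage DigitalSignature, KeyEncipherment -NotAfter (Get-Date).AddYears(1) `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1',            # EKU: server authentication
                         "2.5.29.17={text}DNS=$fqdn&IPAddress=$Ip")      # SAN: FQDN and IP
    Set-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = $Address; Transport = 'HTTPS' } `
        -ValueSet    @{ CertificateThumbprint = $new.Thumbprint }
    Restart-Service WinRM
    $new
}
# Usage, once you have decided the certificate is at fault:
#   New-WinRmListenerCert -Ip $ip
```

If step 3 shows only a Hostname:port binding for 5986, connections by IP will be reset during the handshake regardless of what the certificate says, and the listener needs to be re-created with an Address binding rather than a hostname one. After rebinding, keep `ansible_winrm_server_cert_validation` at its default of validate and distribute the new certificate (or its CA) to the control node, rather than turning validation off.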

If that doesn't work, check your TLS 1.3 registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server

The actual error for me was that TLS 1.3 was set to Enabled (1) in the registry, but DisabledByDefault was not set. Setting that to 1 resolved the long-looming Ansible SSL connection error.

You can also delete the TLS 1.3 key, so that it's not explicitly set.

ansible_connection: winrm
ansible_winrm_scheme: https
ansible_port: 5986 # didn't break it, leaving this enabled
ansible_winrm_cert_pem: ..
ansible_winrm_cert_key_pem: ...
ansible_winrm_transport: certificate
ansible_winrm_server_cert_validation: ignore # maybe because I WAS USING the IP, not a hostname; also the cert CN is "ansible" anyway, not matching any hostname.

https://community.tenable.com/s/article/How-to-view-and-change-the-Windows-Registry-Settings-for-the-SSL-TLS-Protocols-on-a-Windows-Host

blamb