Ansible Automation Architect @ Red Hat

1 minute read

WinRM setup default create a self-signed certificate for the HTTPS transport. We have to set ansible_winrm_server_cert_validation: ignore to avoid getting SSL error. If we have no access to a CA, we can create our own and self-sign our cert. With a valid or a self generated CA, we can avoid skipping the certification validation when connecting to WinRM.

Generate our own CA

echo -n 'secret password' > mypass.enc
openssl genrsa -des3 -passout file:mypass.enc -out ca.key 4096
openssl rsa -noout -text -in ca.key -passin file:mypass.enc
openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem -passin file:mypass.enc -subj "/CN=Eric Chong CA/C=US/ST=New York/L=
New York/O=automate.nyc/OU=lab/emailAddress=echong@redhat.com"
openssl x509 -noout -text -in ca.cert.pem

Generate a CSR for a Windows server and sign it with our CA

export SERVER=mywindows.lab.automate.nyc
openssl genrsa -des3 -passout file:mypass.enc -out $SERVER.key 4096
openssl req -new -key $SERVER.key -out $SERVER.csr -passin file:mypass.enc -subj "/CN=$SERVER" \
-addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign" \
-addext "extendedKeyUsage = serverAuth, clientAuth" \
-addext "subjectAltName = DNS:$SERVER"
openssl rsa -noout -text -in ca.key -passin file:mypass.enc 
openssl rsa -noout -text -in $SERVER.key -passin file:mypass.enc 
openssl req -noout -text -in $SERVER.csr 
openssl x509 -req -days 365 -in $SERVER.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out $SERVER.crt -passin file:mypass.enc -extfile my.ext
openssl x509 -noout -text -in $SERVER.crt
openssl pkcs12 -export -inkey $SERVER.key -in $SERVER.crt -out $SERVER.pfx  -passin file:mypass.enc

The my.ext file:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth

Setup WinRM on Windows server

New-NetFirewallRule -DisplayName 'WinRM HTTPS Inbound' -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986
Set-Service -Name "WinRM" -StartupType Automatic
Start-Service -Name "WinRM"
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
# Import pfx cert via GUI (TBD for PowerShell command)
get-childitem cert:\localmachine\my
$newWsmanParams = @{
        ResourceUri = 'winrm/config/Listener'
        SelectorSet = @{ Transport = "HTTPS"; Address = "*" }
        ValueSet    = @{ Hostname = $hostName; CertificateThumbprint = $serverCert.Thumbprint }
        # UseSSL = $true
}
$null = New-WSManInstance @newWsmanParams

Setup Ansible inventory file

Now add ansible_winrm_ca_trust_path parameter in inventory file

[windows:vars]
ansible_connection=winrm
ansible_winrm_transport=basic
ansible_user=ansibleuser
ansible_password=mypassword
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_ca_trust_path=ca.cert.pem

Leave a comment

You may also enjoy

Automation Hub Private Repository

1 minute read

Background We want to allow users to create they own collection under company namespace, but not sharing with the rest of the Hub users

Use Kerberos for AAP PostgreSQL Connection

2 minute read

We have Red Hat Identity Management (IdM) setup in the lab to provide Kerberos authentication. This how-to will demonstrate setting up AAP to connect to its...