Ansible WinRM HTTPS and Persistent "Unreachable" Error #98

Open
j00c3 opened this issue May 4, 2023 · 2 comments
Labels
good first issue Good for newcomers

j00c3 commented May 4, 2023

I was consistently getting "Unreachable" error for srv02 and srv03 on my Ansible runs.

fatal: [srv03]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.56.23', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x111e4c040>, 'Connection to 192.168.56.23 timed out. (connect timeout=500)'))", "unreachable": true}
fatal: [srv02]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.56.22', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x111e4c040>, 'Connection to 192.168.56.22 timed out. (connect timeout=500)'))", "unreachable": true}

Light troubleshooting led me to discover that on those hosts, WinRM was only enabled in HTTP mode. Thus, only port 5985 was open. I fixed the issue by adding the following lines to the ad/sevenkingdoms.local/inventory file.

; winrm connection (windows)
[...snip...]
ansible_winrm_transport=basic
ansible_port=5985

Please consider either adding those lines to the inventory files or ensuring that WinRM HTTPS is enabled on all the hosts during build.

Contributor

an4kein commented Jun 20, 2023

This solution does not work for me!
But this solution does: you need to install a certificate on the server and allow port 5986 for WinRM HTTPS.

1 - Configure using the administrator account's IP Address.
2 - Install Certificate.
3 - Allow port 5986 on the firewall.


Creating a Self-Signed Certificate
New-SelfSignedCertificate -Subject 'CN=ServerB.domain.com' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

Configuring the WinRM Listener
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="ServerB.domain.com"; CertificateThumbprint="<cert thumbprint here>"}'

Opening the WinRM SSL Firewall Port
$FirewallParam = @{
    DisplayName = 'Windows Remote Management (HTTPS-In)'
    Direction   = 'Inbound'
    LocalPort   = 5986
    Protocol    = 'TCP'
    Action      = 'Allow'
    Program     = 'System'
}
New-NetFirewallRule @FirewallParam

REF: https://adamtheautomator.com/winrm-ssl/
My config: https://pastebin.com/raw/kgm4S5f1


jinnu92 commented Jan 7, 2024

I am facing the same issue while installing in Kali Linux.
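
A small triage helper for the UNREACHABLE lines quoted in the first comment, added here as an example (it is not part of the thread or of the project): it extracts the inventory host, target address, port and underlying urllib3 exception, then groups hosts that fail the same way. The function names and hint texts are this example's own assumptions; the sample input is the two lines from the issue.

```python
import re

# Matches the "fatal: [host]: UNREACHABLE!" lines Ansible prints for WinRM targets.
UNREACHABLE_RE = re.compile(
    r"fatal: \[(?P<inventory_host>[^\]]+)\]: UNREACHABLE!.*?"
    r"HTTPS?ConnectionPool\(host='(?P<address>[^']+)', port=(?P<port>\d+)\)"
    r".*?Caused by (?P<cause>\w+)\("
)

# Triage hints keyed on the urllib3 exception name (wording is this example's own).
HINTS = {
    "ConnectTimeoutError": "no answer on the port: check for a WinRM listener on this "
                           "transport and a firewall rule allowing it",
    "NewConnectionError": "connection could not be established: no listener or no route",
    "SSLError": "TLS handshake or certificate validation failed: check the listener certificate",
}

def triage(line):
    """Describe one UNREACHABLE line, or return None if the line does not match."""
    m = UNREACHABLE_RE.search(line)
    if m is None:
        return None
    port = int(m["port"])
    return {
        "inventory_host": m["inventory_host"],
        "address": m["address"],
        "port": port,
        "transport": {5985: "http", 5986: "https"}.get(port, "unknown"),
        "cause": m["cause"],
        "hint": HINTS.get(m["cause"], "unclassified: read the full message"),
    }

def summarize(lines):
    """Group failing inventory hosts by (port, cause) so a shared root cause stands out."""
    groups = {}
    for result in filter(None, map(triage, lines)):
        groups.setdefault((result["port"], result["cause"]), []).append(result["inventory_host"])
    return groups

# Sample input: the two lines quoted in the issue.
SAMPLE = """\
fatal: [srv03]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.56.23', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x111e4c040>, 'Connection to 192.168.56.23 timed out. (connect timeout=500)'))", "unreachable": true}
fatal: [srv02]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.56.22', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x111e4c040>, 'Connection to 192.168.56.22 timed out. (connect timeout=500)'))", "unreachable": true}
""".splitlines()

if __name__ == "__main__":
    for (port, cause), hosts in summarize(SAMPLE).items():
        print(f"port {port} {cause}: {', '.join(hosts)} -> {HINTS.get(cause, 'unclassified')}")
```

Both hosts group under port 5986 with ConnectTimeoutError, which points at a missing HTTPS listener or firewall rule rather than a credential or certificate problem. Switching the inventory to port 5985 with the basic transport sends credentials over unencrypted HTTP, so it suits only an isolated lab network.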
