Ansible SSL certificate verification failure

I am trying to set up Ansible to manage Windows hosts. The hosts use SSL certificates issued by an internal CA. I configured the Windows host following the instructions here. But when I try to connect using the win_ping module, I get the following result:

HTTPSConnectionPool(host='[email protected]', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)'),))"

I have confirmed that the certificate issued by my CA is the one presented when connecting to the Windows host on port 5986. I also tried specifying the CA certificate with ansible_winrm_ca_trust_path as a variable in the hosts file, but the certificate still does not validate. Here is what my hosts file contains:

local:
  control:

win_test:
  hosts:
    winhost.mydomain.local:
  vars:
    ansible_connection: winrm
    ansible_user: [email protected]
    ansible_password: "#######"
    ansible_connection: winrm
    ansible_winrm_transport: kerberos
    ansible_winrm_ca_trust_path: /home/[email protected]/ansible/CA.cert

So what am I doing wrong with the certificate validation? For reference, I am running Ansible v2.9.2 with Python 2.7.5.

Update: I switched to Python 3 and get the same error. Here is the verbose output of the error:

ansible 2.9.2
  config file = /home/[email protected]/ansible/ansible.cfg
  configured module search path = ['/home/[email protected]/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/[email protected]/.local/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /home/[email protected]/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
script declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /home/[email protected]/ansible/hosts as it did not pass its verify_file() method
[WARNING]: While constructing a mapping from /home/[email protected]/ansible/hosts, line 12, column 5, found a duplicate dict key (ansible_connection). Using last defined
value only.

Skipping empty key (control) in group (local)
Parsed /home/[email protected]/ansible/hosts inventory source with yaml plugin
Loading callback plugin minimal of type stdout, v2.0 from /home/[email protected]/.local/lib/python3.6/site-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module file /home/[email protected]/.local/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<winhost.mydomain.local> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO winhost.mydomain.local
creating Kerberos CC at /tmp/tmpwetofduv
calling kinit with subprocess for principal [email protected]
kinit succeeded for principal [email protected]
<winhost.mydomain.local> WINRM CONNECT: transport=kerberos endpoint=https://winhost.mydomain.local:5986/wsman
<winhost.mydomain.local> WINRM CONNECTION ERROR: HTTPSConnectionPool(host='winhost.mydomain.local', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
Traceback (most recent call last):
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/connection.py", line 394, in connect
    ssl_context=context,
  File "/home/[email protected]/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 773, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1033, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
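The traceback above ends inside Python's own ssl module, so the problem can be reproduced without Ansible at all. The following is an added diagnostic script (not from the question, the answer, or the Ansible project) that does what the winrm connection plugin eventually does with ansible_winrm_ca_trust_path: it hands the CA file to a verifying TLS context and opens a connection to port 5986. The host name, port and CA path in the usage block are assumptions taken from the question; the sample PEM header used for the format check is constructed.

```python
"""Reproduce WinRM HTTPS certificate verification outside Ansible.

Added example, not part of the original post. Host, port and CA file path
are assumptions taken from the question.
"""
import socket
import ssl

# Constructed sample: the header/footer that a PEM-encoded CA file must carry.
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def looks_like_pem(data: bytes) -> bool:
    """ssl's load_verify_locations(cafile=...) expects PEM. A CA certificate
    exported from a Windows CA in DER form (a binary .cer) is a common cause of
    the CA file being silently unusable, so check the encoding first."""
    return PEM_HEADER in data and PEM_FOOTER in data


def build_verifying_context(cafile=None) -> ssl.SSLContext:
    """Same verification policy requests/urllib3 apply: CERT_REQUIRED plus a
    hostname check. With cafile=None only the system trust store is used,
    which is exactly where an internal CA is usually missing."""
    ctx = ssl.create_default_context()
    if cafile is not None:
        # Raises FileNotFoundError or ssl.SSLError if the file is missing or not PEM.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when the context will actually reject an untrusted or misnamed cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def classify_ssl_error(message: str) -> str:
    """Map the ssl error text to the usual root cause on a WinRM endpoint."""
    m = message.lower()
    if "certificate_verify_failed" in m:
        return ("chain not trusted: CA file not loaded, CA file not PEM, "
                "or server sends the leaf without its intermediate")
    if "hostname mismatch" in m or "doesn't match" in m:
        return "name mismatch: inventory host name is not in the certificate SAN"
    if "certificate has expired" in m:
        return "certificate expired on server or CA"
    return "unclassified TLS error"


def probe_winrm_tls(host: str, port: int = 5986, cafile=None, timeout: float = 5.0) -> dict:
    """Open a TLS connection the way the WinRM client would and report
    either the verified peer certificate or the classified failure."""
    result = {"ok": False, "error": None, "diagnosis": None, "subject": None, "san": None}
    try:
        ctx = build_verifying_context(cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname drives both SNI and the hostname check.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        result["ok"] = True
        result["subject"] = cert.get("subject")
        result["san"] = cert.get("subjectAltName")
    except ssl.SSLError as exc:
        result["error"] = str(exc)
        result["diagnosis"] = classify_ssl_error(str(exc))
    except OSError as exc:  # DNS failure, refused port, timeout
        result["error"] = str(exc)
        result["diagnosis"] = "no TLS handshake reached: network or port problem"
    return result


if __name__ == "__main__":
    # Assumed values from the question; adjust to your environment.
    CA_FILE = "/home/user/ansible/CA.cert"
    with open(CA_FILE, "rb") as fh:
        print("CA file is PEM:", looks_like_pem(fh.read()))
    print(probe_winrm_tls("winhost.mydomain.local", 5986, cafile=CA_FILE))
```

Run it on the control node with the same CA path used in the inventory. If looks_like_pem reports False, convert the CA export with openssl x509 -inform der -in CA.cer -out CA.cert before retrying; if the probe succeeds here but Ansible still fails, the variable is not reaching the connection plugin (for example because it is defined under a different group or interpreter than the one actually in use).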

Answer 1

I had the same problem when running Python 2.7. Switching Ansible to use Python 3 fixed it. Python 2 is EOL and no longer supported, so you should do that anyway.

Install Python 3 (if it is not already installed) and add the following entry to the Ansible configuration file: ansible_python_interpreter: /usr/bin/python3
