Hey,

I may not be the sharpest knife on the tree but looking back, these are the 
kind of instructions I wish I had when I set out to use Ansible with SSL 
encryption to manage my windows machines.  I'm glad to see these 
instructions improve so go ahead and comment or correct as needed.  In my 
case I was using the following versions.

Management Node:   CentOS 6,  Ansible 2.1, Python 2.7.13
All Remote Nodes:    Windows 7, Powershell 3.0

FIRST OF ALL

1.  Request an SSL Certificate

   1. Pick a username and password for creating a local user account on
   each and every remote windows machine.  You will make your remote
   connections through this account.
   2. Use the username and password to create a certificate request (watch this
   video <https://www.youtube.com/watch?v=4edeXgGzQho> to see how).  The
   common name on the certificate request must be a fully qualified domain name
   (something like localWindowsUser.aa.bb.acme.com) where localWindowsUser is the
   local Windows user account name you picked in sub-step #1 above
   and aa.bb.acme.com is the domain of your remote Windows machines (to get
   the domain click on Run, then type cmd, click OK, then type ipconfig.
   Domain name is after Connection-specific DNS Suffix).
   3. Attach the certificate request file to an email message asking for an
   SSL certificate and send it to your IT department or another certificate
   authority.
   4. While IT works on that continue with the following.

ON THE MANAGEMENT NODE (LINUX MACHINE)

2. Install a version of python prior to 3.0 (for example Python 2.7.13)
with the following or similar commands

    $ wget http://python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
    $ tar xf Python-2.7.13.tar.xz
    $ cd Python-2.7.13
    $ ./configure --prefix=/usr/local --enable-unicode=ucs4 --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
    $ make && make altinstall


3.  Use the following or similar commands to install ansible, paramiko,
PyYAML, Jinja2, httplib2, six and pywinrm.  More instructions are here
<http://docs.ansible.com/ansible/intro_windows.html#installing-on-the-control-machine>
but they didn't help me much.

    $ git clone git://github.com/ansible/ansible.git --recursive
    $ cd ./ansible
    $ sudo easy_install pip
    $ sudo pip install paramiko PyYAML Jinja2 httplib2 six
    $ pip install "pywinrm>=0.1.1"
    $ pip install http://github.com/diyan/pywinrm/archive/master.zip#egg=pywinrm


4.   Get root access to the folder /etc/ansible/ and create a text file
named ansible.cfg with the following text in it.  This tells Ansible where
to look for your inventory file (the inventory file is the text file named
hosts explained in step #5.)

    [defaults]
    inventory = /root/home/username/hosts


5.  Create or edit the file /root/home/username/hosts to be something
like this below.  When you specify a group name like windows Ansible knows
to carry out the task on every machine listed below the group name.  See
more details and examples here
<http://docs.ansible.com/ansible/intro_inventory.html>

    [windows]
    123.123.123.123
    234.234.234.234

(where windows is the name of your group and 123.123.123.123 and
234.234.234.234 are the ip addresses (you may also use fully qualified
domain names, see all options here
<http://docs.ansible.com/ansible/intro_inventory.html#hosts-and-groups>) of
your remote nodes)


6.  The directory /etc/ansible/group_vars must have a YAML (text file
with a .yml extension) with a file name that matches the group name you
used in step #5 above (windows in this example).  So the file
/etc/ansible/group_vars/windows.yml should look something like this

    ansible_user: ansibleAdmin
    ansible_password: p@$$w0rd
    ansible_port: 5986
    ansible_connection: winrm

(where ansible_user: is the username you picked in step #1 (without
the domain) and ansible_password: is the password you picked in step #1.
ansible_port: 5986 means you want to use an encrypted https connection and
ansible_connection: winrm means that you want to connect to Powershell on the
windows machine using the winrm module) also (versions before ansible 2.0 used
ansible_ssh_pass: instead of ansible_password:) and (versions before
ansible 2.0 used ansible_ssh_port: instead of ansible_port:)

ON EACH REMOTE NODE (WINDOWS MACHINE)

7. Click on Start -> Control Panel -> Programs and Features -> Add or
Remove Programs.  Scroll down to the M's and look for Microsoft .NET
Framework.  If you don't have version 4.0 or later, download and install
it from here
<https://www.microsoft.com/en-us/download/details.aspx?id=30653>.


8.  Create a local Windows account with admin privileges with the same
username and password you picked in step #1 (also same as in the file
/etc/ansible/group_vars/windows.yml).  Click on Start -> Control Panel
-> Administrative Tools -> Computer Management.  Click on the plus
sign or arrow next to Local Users and Groups. Right click on Users then
click on New User.  Enter the user name for both User name and Full
name.  Enter the password.  Click on Create, Close and Close.  Click
on Start -> Control Panel -> User Accounts.  Click on Manage User
Accounts. Select your new account and click on Properties.  Click on the
Group Membership tab and change the Group Membership from Standard User to
Administrator.  Click OK, OK and Close.  Restart computer.
Note: The remote computer need not be logged into this account for Ansible
to make a remote connection to Powershell, but the account must exist.


9.  You will get 2 certificates (2 files) from the certificate request you
made in step #1.  You only need to import the Intermediate Certificate once
(this certificate basically authenticates the origin of the other
certificate).  Import the Intermediate Certificate to the Intermediate
Certification Authority folder with Microsoft Management Console (MMC).
Then import the other certificate (and all future certificates from that
source) to the Trusted Root Certification Authority folder with Microsoft
Management Console (MMC).  Watch this video
<https://www.youtube.com/watch?v=njN-k6TdSk4&nohtml5=False> to learn how to
use MMC.

10.  Windows 7 machines and later have Powershell installed in
C:\Windows\System32\WindowsPowerShell\v1.0\

   1. Start Powershell and run the command Set-ExecutionPolicy -ExecutionPolicy Unrestricted
   2. Download Trond Hindenes' powershell script (named
   ConfigureRemotingForAnsible.ps1) for enabling WinRM/PSRemoting.
   You can get the most recent version here
   <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>.
   3. I used this older version
   <https://github.com/ansible/ansible/commit/76a519fddc841727336eb0a25fbb72e4e721d279#diff-1d1e673d408ad9abf5bb2ad5053f9500>
   of ConfigureRemotingForAnsible.ps1 and had to hard code my fully qualified
   domain name by changing line 175 from

       175   $valueset.Add('Hostname', $SubjectName)

   to

       175   $valueset.Add('Hostname', 'ansibleAdmin.aa.bb.acme.com')

   4. Run your copy of the ConfigureRemotingForAnsible.ps1 Powershell
   script and you should eventually see something like "VERBOSE: HTTP:
   Enabled | HTTPS: Enabled VERBOSE: PS Remoting has been successfully
   configured for Ansible".
   5. Run the Powershell command Set-ExecutionPolicy -ExecutionPolicy Restricted
   6. Close Powershell


If all of this is done correctly YOU should get a pong from each of your
remote nodes when you type the win_ping request as shown below.

    $ ansible windows -m win_ping

after a few seconds you should see

    123.123.123.123 | success>>{
        "changed": false,
        "ping": "pong"
    }
    234.234.234.234 | success>>{
        "changed": false,
        "ping": "pong"
    }

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/14e600d2-b242-416a-ba26-f41570c8132f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
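
A pre-flight check for the control-node files of steps 4 to 6, added here as an example; it is not code from the post above or from the Ansible project. It reads constructed copies of ansible.cfg, the hosts inventory and group_vars/windows.yml that mirror the post, confirms that each inventory group has a group_vars file carrying the four keys the post lists, flags the pre-2.0 key names (ansible_ssh_pass, ansible_ssh_port) the post mentions, flags port 5985 (the unencrypted WinRM listener) against the 5986 https port the post uses, checks that ansible_user carries no domain part, and reports that ansible_password sits in clear text. The key: value reader is a deliberately minimal one for the flat file the post shows, not a YAML parser, and the ansible-vault suggestion in the clear-text finding goes beyond what the post covers.

```python
"""Pre-flight lint for the control-node files from steps 4-6 of the post:
ansible.cfg, the INI inventory (hosts) and group_vars/<group>.yml.
Added example; not code from the post or from the Ansible project.
The three file contents below are constructed to mirror the post.  The
group_vars reader is a minimal line-based parser for the flat `key: value`
file shown there, not a full YAML parser."""

import re

# --- constructed sample inputs mirroring the post ---------------------------
ANSIBLE_CFG = """[defaults]
inventory = /root/home/username/hosts
"""

HOSTS_INVENTORY = """[windows]
123.123.123.123
234.234.234.234
"""

GROUP_VARS = {  # group name -> contents of /etc/ansible/group_vars/<group>.yml
    "windows": """ansible_user: ansibleAdmin
ansible_password: p@$$w0rd
ansible_port: 5986
ansible_connection: winrm
""",
}

HTTPS_WINRM_PORT = "5986"   # encrypted listener, the port the post uses
HTTP_WINRM_PORT = "5985"    # plaintext WinRM listener; flagged if configured
REQUIRED_KEYS = ("ansible_user", "ansible_password",
                 "ansible_port", "ansible_connection")
LEGACY_KEYS = {"ansible_ssh_pass": "ansible_password",   # pre-2.0 names
               "ansible_ssh_port": "ansible_port"}


def parse_ini_sections(text):
    """Return {section: [line, ...]} with comments and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_inventory(text):
    """Return {group: [host, ...]}; [group:vars]/[group:children] are skipped."""
    groups = {}
    for name, lines in parse_ini_sections(text).items():
        if ":" in name:
            continue
        groups[name] = [ln.split()[0] for ln in lines]
    return groups


def parse_flat_yaml(text):
    """Minimal reader for the flat `key: value` group_vars file (not full YAML)."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def lint(cfg_text, inventory_text, group_vars):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    defaults = parse_ini_sections(cfg_text).get("defaults", [])
    if not any(re.match(r"^inventory\s*=\s*\S", ln) for ln in defaults):
        findings.append(("error", "ansible.cfg: [defaults] inventory is not set"))
    legacy_for = {new: old for old, new in LEGACY_KEYS.items()}
    for group, hosts in parse_inventory(inventory_text).items():
        if not hosts:
            findings.append(("error", "inventory: group %s lists no hosts" % group))
        if group not in group_vars:
            findings.append(("error", "group_vars/%s.yml is missing" % group))
            continue
        v = parse_flat_yaml(group_vars[group])
        for old, new in LEGACY_KEYS.items():
            if old in v:
                findings.append(("warn", "%s: %s is the pre-2.0 name, use %s"
                                 % (group, old, new)))
        for key in REQUIRED_KEYS:   # accept the legacy spelling as present
            if key not in v and legacy_for.get(key) not in v:
                findings.append(("error", "%s: %s is missing" % (group, key)))
        conn = v.get("ansible_connection")
        if conn is not None and conn != "winrm":
            findings.append(("error", "%s: ansible_connection is %s, expected winrm"
                             % (group, conn)))
        port = v.get("ansible_port", v.get("ansible_ssh_port"))
        if port == HTTP_WINRM_PORT:
            findings.append(("warn", "%s: port 5985 is the unencrypted WinRM "
                             "listener; the post uses 5986 (https)" % group))
        elif port is not None and port != HTTPS_WINRM_PORT:
            findings.append(("warn", "%s: ansible_port %s is not the https "
                             "listener 5986" % (group, port)))
        user = v.get("ansible_user", "")
        if any(c in user for c in "@\\."):   # post: bare local name, no domain
            findings.append(("warn", "%s: ansible_user should be the bare local "
                             "account name, without a domain" % group))
        pwd = v.get("ansible_password", v.get("ansible_ssh_pass"))
        if pwd is not None and not pwd.startswith("!vault"):
            findings.append(("info", "%s: ansible_password is stored in clear "
                             "text; ansible-vault can encrypt it" % group))
    return findings


if __name__ == "__main__":
    for sev, msg in lint(ANSIBLE_CFG, HOSTS_INVENTORY, GROUP_VARS) or [("ok", "no findings")]:
        print("%-5s %s" % (sev, msg))
```

Run it as-is and the only finding for the post's own values is the informational one about the clear-text password; swap in the pre-2.0 key names or port 5985 and the corresponding warnings appear. To check real files instead of the embedded strings, pass `open(path).read()` for each argument and a dict built from the files in /etc/ansible/group_vars.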
