Dotaz: ansible, winrm a https

Caute,

pardon za nie cisto open-source otazku, ale uz si neviem rady. V praci sa morim s Ansible a spravou Windows strojov.

Mam virtualny stroj s Debian 8, Ansible 2.1.0.0 (instalovany cez PPA) a Python 2.7.9. Dalej mam druhu virtualku s Windows 10. Cielom je posielat prikazy z Debianu cez Ansible do Windows pouzitim WinRM cez HTTPS (pripajam sa priamo na Windows lokalny ucet), ale daco je naprd. Ak pouzijem konfiguracnu volbu "ansible_winrm_server_cert_validation: ignore", vsetko je fajn a ja dostanem nasledovne:

root@debx-test:~# ansible 192.168.0.1 -m win_ping 
192.168.0.1 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

ale toto nie je celkom to, co by som chcel, lebo to povazujem za bezpecnostne riziko. Ak danu moznost vypnem, dostanem toto:

root@debx-test:~# ansible 192.168.0.1 -m win_ping -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO 192.168.0.1
<192.168.0.1> WINRM CONNECT: transport=plaintext endpoint=https://192.168.0.1:5986/wsman
<192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 152, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

192.168.0.1 | UNREACHABLE! => {
    "changed": false, 
    "msg": "plaintext: (\"bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)", 
    "unreachable": true
}

pricom nezalezi na tom, aky certifikat pouzivam - ci self-signed alebo nie.

Skusal som na Debiane vytvorit kvazy CA, podpisat CSR z Windows, naimportovat podpisany certifikat do Windows, rekonfigurovat HTTP listener a naimportovat CA certifikat do doveryhodnych autorit v Debiane - nepomohlo. Som si celkom isty, ze som urobil vsetko OK, lebo na testovacom web servery na Windows tieto hry z certifikatmi funguju. Pri tomto hrani som sa riadil tymto navodom.

Je vobec mozne rozbehat Ansible na spravu Windowsov skutocne bezpecne? Co by ste este odporucali skusit? Pripadne nejaku alternativu na spravu Windowsov z Linuxu podobnu Ansible? Co pouzivate Vy?

Vdaka za odpoved.

Kedze tam kde pracujem este mame na par virtualoch este W2003 a zatial nie je v plane ich upgrade, tak sme prisli s riesenim ze pouzijeme Salt. Spravil som si aj "portable" miniona, ktoreho nie je potrebne instalovat ale staci nakopirovat a spustit batak, ktory nahodi miniona ako servisu.