salt: salt-cloud and winrm failing with : [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
Description of Issue/Question
Trying to create a Windows Minion in EC2 results in the following error:
[DEBUG ] Attempting WinRM connection to host 172.30.12.228 on port 5986
[ERROR ] There was a profile error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/salt/cloud/cli.py", line 284, in run
    self.config.get('names')
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 1451, in run_profile
    ret[name] = self.create(vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/__init__.py", line 1281, in create
    output = self.clouds[func](vm_)
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 2546, in create
    vm_, data, ip_address, display_ssh_output
  File "/usr/lib/python2.7/site-packages/salt/cloud/clouds/ec2.py", line 2241, in wait_for_instance
    timeout=ssh_connect_timeout):
  File "/usr/lib/python2.7/site-packages/salt/utils/cloud.py", line 838, in wait_for_winrm
    r = s.run_cmd('sc query winrm')
  File "/usr/lib/python2.7/site-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 173, in send_message
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
Setup
base_teamcityserver:
  provider: redacted-ec2
  image: ami-fdf77aea
  size: t2.micro
  use_winrm: True
  userdata_file: /etc/salt/windows-firewall.ps1
  win_installer: /etc/salt/Salt-Minion-2016.3.1-AMD64-Setup.exe
  win_installer_args: -G -H "http://172.30.0.143:3128"
  win_username: Administrator
  win_password: 'redacted'
  win_interface: private_ips
  smb_port: 445
  script: bootstrap-salt
  script_args: -G -H "http://172.30.0.143:3128"
  subnetid: subnet-redacted
  securitygroupid:
    - sg-redacted
Steps to Reproduce Issue
salt-cloud -p base_teamcityserver teamcitytest1 -l debug
This will run until the aforementioned error is produced.
Versions Report
salt --versions-report
Salt Version:
Salt: 2016.3.0-n/a-764f56f
Dependency Versions:
cffi: Not Installed
cherrypy: 6.1.0
dateutil: 2.5.3
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.21.1
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.7
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pygit2: Not Installed
Python: 2.7.5 (default, Oct 11 2015, 17:47:16)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 14.7.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.0.5
System Versions:
dist: redhat 7.2 Maipo
machine: x86_64
release: 3.10.0-327.22.2.el7.x86_64
system: Linux
version: Red Hat Enterprise Linux Server 7.2 Maipo
About this issue
- State: closed
- Created 8 years ago
- Comments: 40 (23 by maintainers)
Commits related to this issue
- Ignore certification validation for WinRM https://github.com/saltstack/salt/issues/34783 — committed to trebortech/salt by trebortech 8 years ago
@UtahDave, @twangboy
Gents, I have been able to reproduce this on site. Using pywinrm and AWS was resulting in a certificate error. I reverted pywinrm from 0.2.0 to 0.1.1 to resolve the problem.
Perhaps the cert that is created by the PowerShell script example provided in the “Spinning up Windows Minions” guide is the source of the problem. If this is the case, could we update the guide so that a cert that is acceptable to pywinrm 0.2.0 would be created? Otherwise, we may want to advise people to use pywinrm 0.1.1 until we can update Salt Cloud to pass parameters to pywinrm 0.2.0 to avoid checking the validity of the certificate.
Thanks!
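The comment above weighs skipping certificate validation against producing a certificate the client accepts. As an added example (not code from Salt, pywinrm or this thread), the sketch below checks a self-signed WinRM listener certificate against a pinned SHA-256 fingerprint before trusting it; the function names, the sample bytes and the assumption that the fingerprint was obtained out of band are all hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"


def normalize_fingerprint(text):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def cert_matches_pin(der_cert, pinned_fingerprint):
    """Constant-time comparison of the certificate's SHA-256 digest with the pin."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_fingerprint))


def fetch_listener_cert(host, port=5986, timeout=10):
    """Return the listener's certificate (DER) without trusting it yet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # chain is not trusted; the pin decides
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def export_trusted_pem(host, pinned_fingerprint, pem_path, port=5986):
    """Write the listener certificate as PEM only if it matches the pin."""
    der = fetch_listener_cert(host, port)
    if not cert_matches_pin(der, pinned_fingerprint):
        raise ssl.SSLError("WinRM certificate does not match the pinned fingerprint")
    with open(pem_path, "w") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(der))
    return pem_path
```

A trust bundle exported this way still requires the certificate's subject name to match the name the client connects to. The pinned fingerprint has to come from a channel other than the connection being checked.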