Ansible WinRM HTTPS and Persistent "Unreachable" Error #98

Open
j00c3 opened this issue May 4, 2023 · 4 comments
Labels
good first issue Good for newcomers

j00c3 commented May 4, 2023

I was consistently getting an "Unreachable" error for srv02 and srv03 on my Ansible runs.

```
fatal: [srv03]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.56.23', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x111e4c040>, 'Connection to 192.168.56.23 timed out. (connect timeout=500)'))", "unreachable": true}
fatal: [srv02]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.56.22', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x111e4c040>, 'Connection to 192.168.56.22 timed out. (connect timeout=500)'))", "unreachable": true}
```

Light troubleshooting led me to discover that on those hosts, WinRM was only enabled in HTTP mode. Thus, only port 5985 was open. I fixed the issue by adding the following lines to the ad/sevenkingdoms.local/inventory file.

```ini
; winrm connection (windows)
[...snip...]
ansible_winrm_transport=basic
ansible_port=5985
```

Please consider either adding those lines to the inventory files or ensuring that WinRM HTTPS is enabled on all the hosts during build.
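
A triage helper for the failure reported above, added here as an example and not part of the original issue or the project: it parses Ansible `UNREACHABLE` lines for the host, port and failure cause, then probes the two WinRM ports from the controller. The function names and the advice strings are assumptions of this example; the sample line is the srv03 output quoted in the issue.

```python
import re
import socket

# Ansible "fatal: [host]: UNREACHABLE!" line carrying urllib3 pool text (host, port).
LINE_RE = re.compile(r"^fatal: \[([^\]]+)\]: UNREACHABLE! => .*?"
                     r"HTTPS?ConnectionPool\(host='([^']+)', port=(\d+)\)")

# Sample input: the srv03 line quoted in the issue above.
SAMPLE = """fatal: [srv03]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.56.23', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x111e4c040>, 'Connection to 192.168.56.23 timed out. (connect timeout=500)'))", "unreachable": true}"""


def parse_unreachable(output):
    """Return one dict per UNREACHABLE line: host, ip, port, cause."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cause = ("timeout" if "ConnectTimeoutError" in line  # filtered port or no route
                     else "refused" if "Connection refused" in line  # host up, no listener
                     else "other")
            findings.append({"host": m.group(1), "ip": m.group(2),
                             "port": int(m.group(3)), "cause": cause})
    return findings


def probe(ip, ports=(5985, 5986), timeout=3.0):
    """TCP-connect from the controller; True means a listener answered."""
    state = {}
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                state[port] = True
        except OSError:
            state[port] = False
    return state


def advise(state):
    """Next step from probe results (HTTPS preferred: basic over HTTP is cleartext)."""
    if state.get(5986):
        return "5986 answers: keep HTTPS and re-run the play"
    if state.get(5985):
        return "only 5985 answers: add an HTTPS listener and open 5986"
    return "no WinRM port answers: check the WinRM service and host firewall"


if __name__ == "__main__":
    for f in parse_unreachable(SAMPLE):
        print(f["host"], f["port"], f["cause"], "->", advise(probe(f["ip"])))
```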

Contributor

an4kein commented Jun 20, 2023

This solution does not work for me!
But this solution does, you need to install a certificate on the server and allow port 5986 for winrmHTTPS.

1 - Configure using the administrator account's IP Address.
2 - Install Certificate.
3 - Allow port 5986 on the firewall.

Creating a Self-Signed Certificate

```powershell
New-SelfSignedCertificate -Subject 'CN=ServerB.domain.com' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
```

Configuring the WinRM Listener

```powershell
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="ServerB.domain.com"; CertificateThumbprint="<cert thumbprint here>"}'
```

Opening the WinRM SSL Firewall Port

```powershell
$FirewallParam = @{
    DisplayName = 'Windows Remote Management (HTTPS-In)'
    Direction = 'Inbound'
    LocalPort = 5986
    Protocol = 'TCP'
    Action = 'Allow'
    Program = 'System'
}
New-NetFirewallRule @FirewallParam
```

REF: https://adamtheautomator.com/winrm-ssl/
My config: https://pastebin.com/raw/kgm4S5f1

jinnu92 commented Jan 7, 2024

I am facing the same issue while installing in Kali Linux.

@tylertank

> This solution does not work for me! But this solution does, you need to install a certificate on the server and allow port 5986 for winrmHTTPS.
>
> 1 - Configure using the administrator account's IP Address.
> 2 - Install Certificate.
> 3 - Allow port 5986 on the firewall.
>
> Creating a Self-Signed Certificate
>
> ```powershell
> New-SelfSignedCertificate -Subject 'CN=ServerB.domain.com' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
> ```
>
> Configuring the WinRM Listener
>
> ```powershell
> winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="ServerB.domain.com"; CertificateThumbprint="<cert thumbprint here>"}'
> ```
>
> Opening the WinRM SSL Firewall Port
>
> ```powershell
> $FirewallParam = @{
>     DisplayName = 'Windows Remote Management (HTTPS-In)'
>     Direction = 'Inbound'
>     LocalPort = 5986
>     Protocol = 'TCP'
>     Action = 'Allow'
>     Program = 'System'
> }
> New-NetFirewallRule @FirewallParam
> ```
>
> REF: https://adamtheautomator.com/winrm-ssl/
> My config: https://pastebin.com/raw/kgm4S5f1

Thank you this worked!

@VictorGardu

Thanks a lot for the steps, I had the same problem but this solution works. (But I still have a doubt about a configuration without a certificate, using the HTTP protocol; maybe it's a security problem? idk hehe.)
