DSC (via Puppet or Ansible) over WinRM with HTTPS only?

This topic contains 1 reply, has 2 voices, and was last updated by DaveM 1 week, 5 days ago.

  • #81457

    DanT
    Participant

    Hi Guys,

    Is it a known issue that you can't invoke DSC via Puppet or Ansible when you don't have a HTTP listener configured?

    Our clients are configured with HTTPS listeners on port 5986 only, and for example when using the ansible win_dsc module, I see errors such as:

    "The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the documentation for the WS-Management service running on the destination, most commonly IIS or WinRM If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

    Enabling an HTTP listener (with 'New-Item -Path WSMan:\Localhost\Listener -Transport HTTP -Address * ') allows the task to succeed.

    Our estate is configured to only allow traffic on port 5986, and we've done some work on certificates etc. It would be a backward step to have to enable WinRM over HTTP everywhere, and I can't see any options either in DSC, Ansible or Puppet to work around this issue.

    Thanks for your help.

    Dan

  • #81493

    DaveM
    Participant

    Hi DanT,

    Puppet and Ansible both use Invoke-DscResource to apply the DSC config. I have tried running the commands below locally on a machine, and I seem to have the same challenge as you. It only works with an HTTP listener in place. Sorry, not much help, but like you I'd be fascinated to know if there was a way of getting Invoke-DscResource to

    a) use an alternative port/protocol.
    b) for it to continue to use encrypted HTTP, but for it to be limited to the localhost only (Set-Item WSMan:\localhost\Client\TrustedHosts -Value "localhost" -Force)

    Windows PowerShell
    Copyright (C) 2016 Microsoft Corporation. All rights reserved.

    PS > Get-WSManInstance -Enumerate -ResourceURI winrm/config/listener

    cfg : http://schemas.microsoft.com/wbem/wsman/1/config/listener
    xsi : http://www.w3.org/2001/XMLSchema-instance
    lang : en-US
    Address : *
    Transport : HTTP
    Port : 5985
    Hostname :
    Enabled : true
    URLPrefix : wsman
    CertificateThumbprint :
    ListeningOn : {10.13.241.147, 127.0.0.1, ::1, fe80::5efe:10.13.241.147%12...}

    cfg : http://schemas.microsoft.com/wbem/wsman/1/config/listener
    xsi : http://www.w3.org/2001/XMLSchema-instance
    lang : en-US
    Address : *
    Transport : HTTPS
    Port : 5986
    Hostname :
    Enabled : true
    URLPrefix : wsman
    CertificateThumbprint : 6D372015489A4355B2596AE7FC11F607E9FD6C8C
    ListeningOn : {10.13.241.147, 127.0.0.1, ::1, fe80::5efe:10.13.241.147%12...}

    PS > winrm delete winrm/config/Listener?Address=*+Transport=HTTP
    PS > Get-WSManInstance -Enumerate -ResourceURI winrm/config/listener

    cfg : http://schemas.microsoft.com/wbem/wsman/1/config/listener
    xsi : http://www.w3.org/2001/XMLSchema-instance
    lang : en-US
    Address : *
    Transport : HTTPS
    Port : 5986
    Hostname :
    Enabled : true
    URLPrefix : wsman
    CertificateThumbprint : 6D372015489A4355B2596AE7FC11F607E9FD6C8C
    ListeningOn : {10.13.241.147, 127.0.0.1, ::1, fe80::5efe:10.13.241.147%12...}

    PS > Invoke-DscResource -Name WindowsProcess -Method Test -Property @{Path = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Arguments = ''} -ModuleName PSDesiredStateConfiguration
    The client cannot connect to the destination specified in the request. Verify that the service on the destination is
    running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
    destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
    destination to analyze and configure the WinRM service: "winrm quickconfig".
    + CategoryInfo : ConnectionError: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : HRESULT 0x80338012
    + PSComputerName : localhost

    PS > winrm quickconfig
    WinRM service is already running on this machine.
    WinRM is not set up to allow remote access to this machine for management.
    The following changes must be made:

    Create a WinRM listener on http://* to accept WS-Man requests to any IP on this machine.

    Make these changes [y/n]? y

    WinRM has been updated for remote management.

    Created a WinRM listener on http://* to accept WS-Man requests to any IP on this machine.

    PS > Invoke-DscResource -Name WindowsProcess -Method Test -Property @{Path = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Arguments = ''} -ModuleName PSDesiredStateConfiguration

    InDesiredState
    --------------
    True
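The session above shows that Invoke-DscResource only succeeds once a wildcard HTTP listener (Address *) exists. The script below is an added example, not code from either poster: it audits which WinRM listeners a host actually exposes (transport, bound address, port, certificate), reports whether the service accepts unencrypted payloads, lists the enabled WinRM firewall rules, and shows the loopback-bound HTTP listener that DaveM's option (b) asks about. The function and variable names are the example's own; it assumes an elevated PowerShell session on the managed Windows host with the WSMan: drive and the NetSecurity module available. Whether Invoke-DscResource's local CIM connection succeeds through a 127.0.0.1-only listener is not something the thread confirms, so treat that part as a configuration to verify, not a known fix.

```powershell
# Added example (not from the thread): audit WinRM listener exposure on the
# local host and show a loopback-only HTTP listener as the narrower alternative
# to 'New-Item -Path WSMan:\localhost\Listener -Transport HTTP -Address *'.
# Assumes an elevated session; function names below are this example's own.

function Get-WinRmListenerReport {
    # Each listener under WSMan:\localhost\Listener is a container whose child
    # items carry Transport, Address, Port, Enabled and CertificateThumbprint.
    Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $props = @{}
        Get-ChildItem -Path $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }

        # A wildcard HTTP listener answers on every interface; HTTPS, or an HTTP
        # listener bound to a specific address, has a smaller reachable surface.
        $exposure = if ($props['Transport'] -eq 'HTTP' -and $props['Address'] -eq '*') {
            'HTTP on all interfaces'
        } elseif ($props['Transport'] -eq 'HTTP') {
            'HTTP, address-restricted'
        } else {
            'HTTPS'
        }

        [pscustomobject]@{
            Listener   = $_.Name
            Transport  = $props['Transport']
            Address    = $props['Address']
            Port       = $props['Port']
            Enabled    = $props['Enabled']
            Thumbprint = $props['CertificateThumbprint']
            Exposure   = $exposure
        }
    }
}

function Test-WinRmAllowUnencrypted {
    # Service-side AllowUnencrypted=true lets HTTP sessions carry plaintext
    # payloads. With the default (false) the HTTP listener still uses
    # Kerberos/NTLM message-level encryption, which is why a loopback-only
    # HTTP listener is a smaller concession than it first looks.
    (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
}

function Get-WinRmFirewallRules {
    # Enabled inbound rules in the built-in WinRM group; a wildcard HTTP
    # listener only matters remotely if one of these admits port 5985.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Profile, Action
}

function New-LoopbackHttpListener {
    # Binds the HTTP listener to 127.0.0.1 instead of '*', so it is not
    # reachable from the network at all. Whether Invoke-DscResource's local CIM
    # call then succeeds must be verified on the host (assumption, not shown
    # in the thread); the '*' listener is the only case the thread demonstrates.
    New-Item -Path WSMan:\localhost\Listener -Transport HTTP -Address 'IP:127.0.0.1' -Force
}

# Usage: report first, then decide whether a loopback listener is acceptable.
Get-WinRmListenerReport | Format-Table -AutoSize
if (Test-WinRmAllowUnencrypted) {
    Write-Warning 'WSMan:\localhost\Service\AllowUnencrypted is true; HTTP sessions may carry plaintext.'
}
Get-WinRmFirewallRules | Format-Table -AutoSize
# Uncomment to create the loopback-only listener after reviewing the report:
# New-LoopbackHttpListener
```

Run the report before and after any listener change and compare the Exposure column: the goal for an HTTPS-only estate is that no listener reads "HTTP on all interfaces" and that the only enabled inbound WinRM firewall rule is the HTTPS one.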
