Ansible - Issues with WinRM Listener Setup

Question

In order to configure a Windows server as an Ansible host, I'm trying to setup WinRM by following the official documentation provided in https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html.

I'm stuck at the "Setup WinRM Listener" step with the execution of the following comannd resulting in the error as described below:

PS C:\Users\Administrator> New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $selector_set -ValueSet $value_set
New-WSManInstance : The WS-Management service cannot find the certificate that was requested.
At line:1 char:1
+ New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-WSManInstance], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.NewWSManInstanceCommand

Following are the values of my "selector_set" and "value_set" which are also set in accordance with the document.

PS C:\Users\Administrator> $selector_set

Name                           Value
----                           -----
Transport                      HTTPS
Address                        *


PS C:\Users\Administrator> $value_set

Name                           Value
----                           -----
CertificateThumbprint          E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE

OS: Windows Server 2012 R2

Answer 1

It might not be immediately obvious, but if you re-read the last part of the section immediately preceding the "Setup WinRM Listener" step (emphasis added):

If running over an HTTPS listener, this is the thumbprint of the certificate in the Windows Certificate Store that is used in the connection. To get the details of the certificate itself, run this command with the relevant certificate thumbprint in PowerShell:

$thumbprint = "E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE"
Get-ChildItem -Path cert:\LocalMachine\My -Recurse | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object *

What this is telling us is that E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE is just an example - you need to provide the thumbprint of an actual certificate issued to the machine.

To list all the existing certificates installed in the machines certificate store with PowerShell, just remove the Where-Object clause from the example command:

Get-ChildItem -Path cert:\LocalMachine\My -Recurse 

If there's no appropriate certificate installed you'll have to install one. You can either generate a self-signed certificate, acquire a certificate from a CA vendor, or enroll for one from your internal CA if Active Directory Certificate Services or similar PKI is configured in the environment.