Amedee Van Gasse

Reputation: 7634

Vagrant, Ansible: SSLError bad handshake: Error SSL routines, ssl3_get_record, wrong version number

I'm setting up a Windows Server 2019 VM with Vagrant+Ansible.

My Vagrantfile:

Vagrant.configure("2") do |config|
  config.vm.box = "StefanScherer/windows_2019"
  config.vm.provision :ansible do |ansible|
    ansible.playbook = "provisioners/ansible/ansible_playbook.yml"
    ansible.config_file = "provisioners/ansible/ansible.cfg"
    ansible.become_user = "Administrator"
    ansible.raw_arguments = ["-e", "ansible_winrm_server_cert_validation=ignore"]
  end
end

I get this error on vagrant up --provision:

Bringing machine 'default' up with 'virtualbox' provider...
==> default: Checking if box 'StefanScherer/windows_2019' version '2020.09.22' is up to date...
==> default: Running provisioner: ansible...
    default: Running ansible-playbook...

PLAY [Jenkins node playbook]
***************************************************

TASK [Gathering Facts]
*********************************************************
Friday 29 January 2021  09:23:35 +0100 (0:00:00.023)       0:00:00.023 ********
fatal: [default]: UNREACHABLE! => {"changed": false, "msg": "ssl:
HTTPSConnectionPool(host='127.0.0.1', port=55985): Max retries exceeded with
url: /wsman (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines',
'ssl3_get_record', 'wrong version number')])\")))", "unreachable": true}

PLAY RECAP
*********************************************************************
default                    : ok=0    changed=0    unreachable=1    failed=0
    skipped=0    rescued=0    ignored=0   

Friday 29 January 2021  09:23:35 +0100 (0:00:00.135)       0:00:00.158 ******** 
===============================================================================
Gathering Facts --------------------------------------------------------- 0.14s
Playbook run took 0 days, 0 hours, 0 minutes, 0 seconds
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

How do I fix this error? I don't particularly need SSL; this is just a test VM on a local machine.

Upvotes: 1

Views: 1982

Answers (1)

Jessica Pennell

Reputation: 578

This was driving me nuts. Turning off SSL verification with host_key_checking did nothing, and the error message doesn't exactly steer you in the correct direction. OpenSSL was reporting TLS up to 1.3 supported on both machines.

I learned that the official documentation recommends using SSH as the communication protocol, and setting up WinRM on the Windows machine.

Details

  1. It's very likely you are using

     ansible_connection: winrm

     This is possibly outdated. Instead I was able to connect with

     ansible_connection: ssh

  2. You may have already done this, but if not, you will need to set up WinRM on your Windows host. Instructions for this are here: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#tls-1-2-support

     1. winrm create will want a certificate. For setting up a self-signed cert, since makecert is no longer bundled with Windows 10, I had luck with these instructions: https://woshub.com/how-to-create-self-signed-certificate-with-powershell

     2. You are ready to run winrm create. In a cmd shell (not PowerShell):

        winrm create winrm/config/listener?Address=IP:**your ipv6**+Transport=HTTPS @{HostName="**your host**";CertificateThumbprint="**your thumbprint**";Port="5986"}

        • You will need the local IPv6 for the Windows machine to avoid a collision (obtain with ipconfig /all)
        • Pull the host name as the CN from the certificate (you should have certmgr.msc open already when following the above instructions)
        • Thumbprint is also in the certificate

To ensure everything is up and running correctly, you can use (from your ansible machine)

openssl s_client -connect **Windows box IP**:5986

You should not receive a "no peer certificate available" response.

Note: I have not experimented with trusting the self-signed certificate from my Linux host and using the winrm protocol. The above worked to get me what I needed.

For completeness, my inventory:

all:
  hosts:
    win_tower:
      ansible_host: **my IP**
      ansible_port: **my ssh port**
      ansible_user: **my ssh user**
      ansible_connection: ssh
      ansible_shell_type: cmd
      ansible_python_interpreter: C:\Git\usr\share\python\python-3.9.2x64\python

Upvotes: 1
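An added diagnostic, written for this thread and not taken from the answer, from Ansible or from pywinrm: it performs the same TLS handshake pywinrm attempts against the WinRM port, with certificate validation relaxed the way ansible_winrm_server_cert_validation=ignore relaxes it, and classifies the outcome. OpenSSL reports "wrong version number" when the bytes that come back are not a TLS record at all, which is what a plaintext listener on the port produces; a working HTTPS listener instead yields the certificate's SHA-1 thumbprint to compare with the CertificateThumbprint given to winrm create. The function names, the status strings and the 5-second timeout are my own choices.

```python
import hashlib
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class ListenerCheck:
    status: str                       # "tls", "not_tls", "tls_error", "refused" or "timeout"
    detail: str = ""
    thumbprint: Optional[str] = None  # SHA-1 of the DER cert, the form certmgr.msc shows


def classify_ssl_error(exc: BaseException) -> str:
    """Map an ssl.SSLError to a status: 'wrong version number' means the port
    answered with bytes that are not a TLS record, i.e. a plaintext listener."""
    text = f"{getattr(exc, 'reason', '')} {exc}".lower()
    if "wrong version number" in text or "wrong_version_number" in text:
        return "not_tls"
    return "tls_error"


def check_winrm_listener(host: str, port: int, timeout: float = 5.0) -> ListenerCheck:
    """Run the TLS handshake pywinrm would run against host:port.

    CERT_NONE mirrors server_cert_validation=ignore: the handshake still happens,
    only the chain and hostname checks are skipped, so a plaintext port still
    fails before any certificate is ever seen."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                if not der:           # the s_client "no peer certificate available" case
                    return ListenerCheck("tls_error", "handshake done but no peer certificate")
                return ListenerCheck("tls", tls.version() or "", hashlib.sha1(der).hexdigest().upper())
    except ssl.SSLError as exc:
        return ListenerCheck(classify_ssl_error(exc), str(exc))
    except ConnectionRefusedError:
        return ListenerCheck("refused", "nothing is listening on that port")
    except socket.timeout:
        return ListenerCheck("timeout", "no answer within %.1fs" % timeout)


if __name__ == "__main__":            # usage: python check_listener.py <host> <port>
    print(check_winrm_listener(sys.argv[1], int(sys.argv[2])))
```

Run it against the forwarded port from the question's error (127.0.0.1 55985) and then against the HTTPS listener on 5986; "not_tls" on the first and "tls" with a thumbprint on the second is the expected picture once the listener from the answer is in place.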
