Ansible - Issues with WinRM Listener Setup

In order to configure a Windows server as an Ansible host, I am trying to set up WinRM by following the official documentation at https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html.

I am stuck at the "Setup WinRM Listener" step; running the following command results in the error shown below:

PS C:\Users\Administrator> New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $selector_set -ValueSet $value_set
New-WSManInstance : The WS-Management service cannot find the certificate that was requested.
At line:1 char:1
+ New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-WSManInstance], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.NewWSManInstanceCommand

Below are the values of my "selector_set" and "value_set", which were also set as per the documentation.

PS C:\Users\Administrator> $selector_set

Name                           Value
----                           -----
Transport                      HTTPS
Address                        *


PS C:\Users\Administrator> $value_set

Name                           Value
----                           -----
CertificateThumbprint          E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE

OS: Windows Server 2012 R2

It may not be very obvious, but if you re-read the last part of the section immediately preceding the "Setup WinRM Listener" step (emphasis added):

If running over an HTTPS listener, this is the thumbprint of the certificate in the Windows Certificate Store that is used in the connection. To get the details of the certificate itself, run this command with the relevant certificate thumbprint in PowerShell:

$thumbprint = "E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE"
Get-ChildItem -Path cert:\LocalMachine\My -Recurse | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object *

This tells us that E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE is just an example - you need to provide the thumbprint of the actual certificate issued to the machine.

To list all existing certificates installed in the machine certificate store using PowerShell, simply remove the Where-Object clause from the example command:

Get-ChildItem -Path cert:\LocalMachine\My -Recurse 

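If no suitable certificate is installed, you will have to install one. You can generate a self-signed certificate, obtain a certificate from a CA vendor, or enroll one from an internal CA if Active Directory Certificate Services or a similar PKI is configured in the environment.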
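
The steps above combined into one script, as an added example that is not part of the original answer or the Ansible documentation: it selects a certificate that actually exists in the machine store and passes its thumbprint to the listener command from the question. The filter (private key present, currently valid, Server Authentication EKU) and the choice of the longest-lived match are assumptions about what counts as a suitable certificate.

```powershell
# Added example: pick a real certificate from Cert:\LocalMachine\My and use its
# thumbprint for the WinRM HTTPS listener instead of the documentation's sample value.
# Run in an elevated PowerShell session on the Windows host.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
$now = Get-Date

# Assumption: a usable listener certificate has a private key, is inside its
# validity period, and lists Server Authentication in its enhanced key usage.
$candidates = @(
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        } |
        Sort-Object -Property NotAfter -Descending
)

if ($candidates.Count -eq 0) {
    throw 'No usable certificate found in Cert:\LocalMachine\My. Install or enroll one first.'
}

# Show what was found so the operator can confirm the choice.
$candidates | Format-Table -Property Thumbprint, Subject, NotAfter -AutoSize

# Assumption: take the match that expires last.
$cert = $candidates[0]

# Stop if an HTTPS listener is already configured rather than creating a second one.
$existing = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($existing) {
    throw 'An HTTPS listener already exists. Review it before creating another.'
}

$selector_set = @{
    Address   = '*'
    Transport = 'HTTPS'
}
$value_set = @{
    CertificateThumbprint = $cert.Thumbprint
}

New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector_set -ValueSet $value_set
```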