diff --git a/salt/cloud/clouds/ec2.py b/salt/cloud/clouds/ec2.py
index 640021360a..c85da4d913 100644
--- a/salt/cloud/clouds/ec2.py
+++ b/salt/cloud/clouds/ec2.py
@@ -2336,6 +2336,9 @@ def wait_for_instance(
 use_winrm = config.get_cloud_config_value(
 'use_winrm', vm_, __opts__, default=False
 )
+ winrm_verify_ssl = config.get_cloud_config_value(
+ 'winrm_verify_ssl', vm_, __opts__, default=True
+ )
 
 if win_passwd and win_passwd == 'auto':
 log.debug('Waiting for auto-generated Windows EC2 password')
@@ -2407,7 +2410,8 @@ def wait_for_instance(
 winrm_port,
 username,
 win_passwd,
- timeout=ssh_connect_timeout):
+ timeout=ssh_connect_timeout,
+ verify=winrm_verify_ssl):
 raise SaltCloudSystemExit(
 'Failed to authenticate against remote windows host'
 )
diff --git a/salt/utils/cloud.py b/salt/utils/cloud.py
index 4a1d767ea0..7ff79f184b 100644
--- a/salt/utils/cloud.py
+++ b/salt/utils/cloud.py
@@ -515,7 +515,10 @@ def bootstrap(vm_, opts=None):
 'winrm_port', vm_, opts, default=5986
 )
 deploy_kwargs['winrm_use_ssl'] = salt.config.get_cloud_config_value(
- 'winrm_use_ssl', vm_, opts, default=True
+ 'winrm_use_ssl', vm_, opts, default=True
+ )
+ deploy_kwargs['winrm_verify_ssl'] = salt.config.get_cloud_config_value(
+ 'winrm_verify_ssl', vm_, opts, default=True
 )
 if saltify_driver:
 deploy_kwargs['port_timeout'] = 1 # No need to wait/retry with Saltify
@@ -843,7 +846,7 @@ def wait_for_winexesvc(host, port, username, password, timeout=900):
 time.sleep(1)
 
 
-def wait_for_winrm(host, port, username, password, timeout=900, use_ssl=True):
+def wait_for_winrm(host, port, username, password, timeout=900, use_ssl=True, verify=True):
 '''
 Wait until WinRM connection can be established.
 '''
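Review bot: The new `winrm_verify_ssl` cloud-config option is read here in wait_for_instance (and again in `bootstrap` in salt/utils/cloud.py, third hunk) but the diff adds no documentation for it, neither in the ec2 driver's module docstring nor in the cloud configuration docs, both of which are outside this view. A short entry stating that it defaults to True and that False makes `wait_for_winrm` accept any server certificate (`server_cert_validation='ignore'`) would let operators see the trade-off before turning it off. wait_for_instance's body continues outside the hunk.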
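Review bot: The signature of wait_for_winrm gains `verify=True`, but the docstring that follows still reads only `Wait until WinRM connection can be established.` and documents neither `use_ssl` nor the new parameter. Suggest adding two lines after the summary: `use_ssl: use the 'ssl' transport (default True), otherwise 'plaintext'.` and `verify: validate the server's TLS certificate; False passes server_cert_validation='ignore' to pywinrm (default True).` The function body continues in the next hunk.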
@@ -853,14 +856,20 @@ def wait_for_winrm(host, port, username, password, timeout=900, use_ssl=True):
 host, port
 )
 )
+ transport = 'ssl'
+ if not use_ssl:
+ transport = 'plaintext'
 trycount = 0
 while True:
 trycount += 1
 try:
- transport = 'ssl'
- if not use_ssl:
- transport = 'plaintext'
- s = winrm.Session(host, auth=(username, password), transport=transport)
+ winrm_kwargs = {'target': host,
+ 'auth': (username, password),
+ 'transport': transport}
+ if not verify:
+ log.debug("SSL validation for WinRM disabled.")
+ winrm_kwargs['server_cert_validation'] = 'ignore'
+ s = winrm.Session(**winrm_kwargs)
 if hasattr(s.protocol, 'set_timeout'):
 s.protocol.set_timeout(15)
 log.trace('WinRM endpoint url: {0}'.format(s.url))
@@ -1008,6 +1017,7 @@ def deploy_windows(host,
 use_winrm=False,
 winrm_port=5986,
 winrm_use_ssl=True,
+ winrm_verify_ssl=True,
 **kwargs):
 '''
 Copy the install files to a remote Windows box, and execute them
@@ -1034,7 +1044,8 @@ def deploy_windows(host,
 if HAS_WINRM and use_winrm:
 winrm_session = wait_for_winrm(host=host, port=winrm_port,
 username=username, password=password,
- timeout=port_timeout * 60, use_ssl=winrm_use_ssl)
+ timeout=port_timeout * 60, use_ssl=winrm_use_ssl,
+ verify=winrm_verify_ssl)
 if winrm_session is not None:
 service_available = True
 else:
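Review bot: The `winrm_kwargs` dict and the `if not verify:` branch are built inside the `while True:` retry loop, so `log.debug("SSL validation for WinRM disabled.")` fires on every attempt, while the equally loop-invariant `transport` selection was hoisted above the loop in the same hunk. Both belong together above the loop: it is one decision per call, and since disabling certificate validation weakens the WinRM session's protection against interception it deserves a single warning-level entry rather than a per-retry debug line that is usually filtered out. Sketch below; wait_for_winrm starts in the previous hunk and its retry handling continues past this one.
```python
    transport = 'ssl'
    if not use_ssl:
        transport = 'plaintext'
    winrm_kwargs = {'target': host,
                    'auth': (username, password),
                    'transport': transport}
    if not verify:
        # Certificate validation off: log once, at a level operators see.
        log.warning("SSL validation for WinRM disabled.")
        winrm_kwargs['server_cert_validation'] = 'ignore'
    trycount = 0
    while True:
        trycount += 1
        try:
            s = winrm.Session(**winrm_kwargs)
            # … unchanged: set_timeout, log.trace, retry/timeout handling …
```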