Problems using Packer and Ansible with WinRM Connection

First of all I apologise for the length of this post, but I thought it best to be thorough and detail what I’ve tried so far.
I’m also still somewhat new to Ansible so forgive me if I’m doing something stupidly obviously wrong.

So I’m attempting to create a packer build and use Ansible to do my configuration/application installation work, but I’m having some troubles when attempting to use the Ansible WinRM connector, and Googling has given me no real answers, so I’m hoping someone here might be able to help or point me in the right direction.

Prior to making my ansible call I have uploaded and run the ConfigureRemotingForAnsible.ps1 script which completes successfully. On accessing the in-progress VM build I can see that it has created a cert and configured WinRM, with WinRM listening on Ports 5985 and 5986. The built-in Windows Firewall is completely disabled at this stage.

My initial packer Ansible call was,

{
    "type": "ansible",
    "playbook_file" : "./playbooks/{{user `playbook`}}.yml",
    "extra_arguments": [
        "--connection", "packer", "-vvv",
        "--extra-vars", "ansible_connection=winrm ansible_winrm_server_cert_validation=ignore"
    ]
},

However this fails in the Gathering Facts section with the error,

vsphere-iso: fatal: [default]: UNREACHABLE! => {
vsphere-iso:     "changed": false,
vsphere-iso:     "msg": "ssl: auth method ssl requires a password",
vsphere-iso:     "unreachable": true
vsphere-iso: }

My next step was to implement an ansible_username and ansible_password,

{
    "type": "ansible",
    "playbook_file" : "./playbooks/{{user `playbook`}}.yml",
    "extra_arguments": [
        "--connection", "packer", "-vvv",
        "--extra-vars", "ansible_connection=winrm ansible_winrm_server_cert_validation=ignore ansible_user=packer ansible_password=password"
    ]
},

The username ‘packer’ is the one specified in packer itself and I’ve verified that it exists as a local user and is in the local administrators group. The password set is the same one as the one set in packer itself. Unfortunately this fails with a new error,

vsphere-iso: <127.0.0.1> ESTABLISH WINRM CONNECTION FOR USER: packer on PORT 36344 TO 127.0.0.1
==> vsphere-iso: failed to handshake
vsphere-iso: fatal: [default]: UNREACHABLE! => {
vsphere-iso:     "changed": false,
vsphere-iso:     "msg": "ssl: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:618)",
vsphere-iso:     "unreachable": true
vsphere-iso: }

This port is incorrect so I added an ansible_port=5985 to my ansible call,

{
    "type": "ansible",
    "playbook_file" : "./playbooks/{{user `playbook`}}.yml",
    "extra_arguments": [
        "--connection", "packer", "-vvv",
        "--extra-vars", "ansible_connection=winrm ansible_winrm_server_cert_validation=ignore ansible_user=packer ansible_password=password ansible_port=5985"
    ]
},

However this then fails with the error,

vsphere-iso: <127.0.0.1> ESTABLISH WINRM CONNECTION FOR USER: packer on PORT 5985 TO 127.0.0.1
vsphere-iso: fatal: [default]: UNREACHABLE! => {
vsphere-iso:     "changed": false,
vsphere-iso:     "msg": "plaintext: ('Connection aborted.', error(111, 'Connection refused'))",
vsphere-iso:     "unreachable": true
vsphere-iso: }

So I cannot figure out why the connection is being refused. The username and password are correct, the user is a local account and a member of the local administrators group, Windows Firewall is disabled, WinRM appears to be listening. So I’m at a loss as to what else I can check and what else might be wrong.

For reference the playbook I’m running is just this,

---
- hosts: all
  become: false

  roles:
    - myrole1

As all of the failures are in the Gathering Facts section, however, I don’t think the content of my roles is causing an issue.

I should also point out that if I make this ansible call,

{
    "type": "ansible",
    "playbook_file" : "./playbooks/{{user `playbook`}}.yml",
    "extra_arguments": [
        "--connection", "packer", "-vvv",
        "--extra-vars", "ansible_shell_type=powershell ansible_shell_executable=None"
    ]
},

Then the connection goes via SSH and works absolutely fine, but only while I’m using Ansible 2.7. The moment I update to Ansible 2.9 it fails with this error,

vsphere-iso: <127.0.0.1> (1, '', "Warning: Permanently added '[127.0.0.1]:34657' (RSA) to the list of known hosts.\r\nParameter format not correct - ;\r\n")
vsphere-iso: <127.0.0.1> Failed to connect to the host via ssh: Warning: Permanently added '[127.0.0.1]:34657' (RSA) to the list of known hosts.
vsphere-iso: Parameter format not correct - ;
vsphere-iso: fatal: [default]: FAILED! => {
vsphere-iso:     "ansible_facts": {},
vsphere-iso:     "changed": false,
vsphere-iso:     "failed_modules": {
vsphere-iso:         "setup": {
vsphere-iso:             "failed": true,
vsphere-iso:             "module_stderr": "Warning: Permanently added '[127.0.0.1]:34657' (RSA) to the list of known hosts.\r\nParameter format not correct - ;\r\n",
vsphere-iso:             "module_stdout": "",
vsphere-iso:             "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
vsphere-iso:             "rc": 1
vsphere-iso:         }
vsphere-iso:     },
vsphere-iso:     "msg": "The following modules failed to execute: setup\n"
vsphere-iso: }

But as soon as I revert back to Ansible 2.7, it works fine again.
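
Added example, not part of the original post and not Packer or Ansible code: the WinRM attempts above all target 127.0.0.1, and both `UNKNOWN_PROTOCOL` and `Connection refused` are raised before any credentials are checked, so the first thing to establish is what, if anything, answers on that address and port. The hypothetical helper `classify_listener` below reports whether a listener answers as SSH, TLS or plain HTTP, or is not there at all; the `/wsman` path and the timeouts are assumptions.

```python
import socket
import ssl
import sys


def classify_listener(host, port, timeout=3.0):
    """Return 'refused', 'unreachable', 'ssh', 'tls', 'http' or 'unknown'."""
    # Step 1: connect and listen. An SSH server sends its banner unprompted.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(1.0)
            try:
                banner = s.recv(64)
            except (socket.timeout, ConnectionResetError):
                banner = b""
    except ConnectionRefusedError:
        return "refused"          # nothing is listening at this address:port
    except OSError:
        return "unreachable"      # timeout, no route, name resolution failure
    if banner.startswith(b"SSH-"):
        return "ssh"

    # Step 2: try a TLS handshake without certificate validation, which is
    # what ansible_winrm_server_cert_validation=ignore asks the client to do.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return "tls"      # e.g. a WinRM HTTPS listener
    except OSError:               # ssl.SSLError is a subclass of OSError
        pass

    # Step 3: send a plain HTTP request to the WinRM endpoint path.
    request = b"GET /wsman HTTP/1.1\r\nHost: %b\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request % host.encode())
            if s.recv(16).startswith(b"HTTP/"):
                return "http"     # e.g. a WinRM HTTP listener
    except OSError:
        pass
    return "unknown"


if __name__ == "__main__" and len(sys.argv) == 3:
    print(classify_listener(sys.argv[1], int(sys.argv[2])))
```

Run it from the machine running Packer against the host and port shown in the `ESTABLISH WINRM CONNECTION` log line, and again against the VM's own address on 5985 and 5986, then compare the results.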

@dpower1985, I’m having very similar problems and can’t find anything on Google to help! Did you manage to resolve the issue? Did you just end up rolling back to a previous version?