action :create should delete and re-create binding if app_guid or hash do not match
windows_ssl_bind_certificate 'Reuse RDP and WINRM self-signed cert for IIS' do
ip_address '0.0.0.0'
port 443
hash node.chef_provisioning.reference.winrm_ssl_thumbprint
# We should maybe generate a guid
app_guid '00112233-4455-6677-8899-BABEFACEEE12'
end
[2015-11-19T15:05:35+00:00] FATAL: RuntimeError:
windows_ssl_bind_certificate[Reuse RDP and WINRM self-signed cert for IIS]
(my_server::iis_site line 45) had an error: RuntimeError: There is already a
certificate bound to port 443. Conflicting certificate info:
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : ef0dd4d70fc7df06810afbbecf60a32455afc0a1
Application ID : {00112233-4455-6677-8899-babefaceee12}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
What if the currently bound guid is a valid binding? I could imagine scenarios where a cookbook author binds an app to 443 inadvertently, not realizing another app is already bound (I have personally done this before). I'd think we'd want to raise the error here.
I wanted to just set up a simple binding using the included (on ec2 anyway) rdp self-signed cert. If I specify the hash and port and ip_address, then I am basically requesting that that specific certificate be bound to that port.
Currently I have to have a removal first that doesn't write up very cleanly.
windows_certificate_binding 'Unbind any non-matching certs' do
action :delete
name node.chef_provisioning.reference.winrm_ssl_thumbprint
name_kind :hash
address '0.0.0.0'
guard_interpreter :powershell_script
not_if <<-EOF
Import-Module WebAdministration
# Look up the current binding for 0.0.0.0:443 and compare its thumbprint with the one we want
# (CompareTo returns 0 when they are equal)
$x = Get-Item IIS:\SslBindings\0.0.0.0!443
$x.Thumbprint.CompareTo("#{node.chef_provisioning.reference.winrm_ssl_thumbprint}")
EOF
end
windows_certificate_binding 'Reuse RDP and WINRM self-signed cert for IIS' do
action :create
name_kind :hash
name node.chef_provisioning.reference.winrm_ssl_thumbprint
address '0.0.0.0'
end
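As an added example (not code from the windows cookbook or from anyone in this thread), this is the comparison an idempotent :create would need: parse `netsh http show sslcert` output like the one in the error above into bindings, then decide whether the requested ip:port is free, already carries the requested hash and app GUID (compared case-insensitively, braces ignored), or holds a conflicting binding that must be deleted first. The netsh output below is a constructed sample.

```ruby
# Constructed sample of `netsh http show sslcert` output (mirrors the error above).
NETSH_OUTPUT = <<~OUT
  SSL Certificate bindings:
  -------------------------

      IP:port                      : 0.0.0.0:443
      Certificate Hash             : ef0dd4d70fc7df06810afbbecf60a32455afc0a1
      Application ID               : {00112233-4455-6677-8899-babefaceee12}
      Certificate Store Name       : (null)
OUT

# Parse netsh output into { "ip:port" => { hash:, app_guid: } }.
# Hash and GUID are normalized (lowercase, GUID braces stripped) because
# netsh prints them in a different case/format than a cookbook attribute usually holds.
def parse_ssl_bindings(text)
  bindings = {}
  current = nil
  text.each_line do |line|
    next unless (m = line.match(/^\s*(.+?)\s*:\s+(.*?)\s*$/))
    key, value = m[1], m[2]
    case key
    when 'IP:port'
      current = bindings[value] = {}
    when 'Certificate Hash'
      current[:hash] = value.downcase if current
    when 'Application ID'
      current[:app_guid] = value.delete('{}').downcase if current
    end
  end
  bindings
end

# Decide what :create must do for the requested binding:
#   :create   - nothing bound on that ip:port yet
#   :none     - existing binding already matches hash and app GUID
#   :recreate - a different cert or app is bound; delete it before binding ours
def binding_action(bindings, ip, port, hash, app_guid)
  existing = bindings["#{ip}:#{port}"]
  return :create unless existing
  same = existing[:hash] == hash.downcase &&
         existing[:app_guid] == app_guid.delete('{}').downcase
  same ? :none : :recreate
end

bindings = parse_ssl_bindings(NETSH_OUTPUT)
puts binding_action(bindings, '0.0.0.0', 443,
                    'EF0DD4D70FC7DF06810AFBBECF60A32455AFC0A1',
                    '{00112233-4455-6677-8899-BABEFACEEE12}')
```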
I think having an explicit deletion is the right thing to do for long lived infrastructure. Especially on web servers that host multiple sites, it would be too easy to inadvertently take down a web site.