
windows_certificate_binding should allow rebinding to the specified subject or fingerprint

Open hh opened this issue 9 years ago • 4 comments

As a windows chef user
I want to ensure a specific certificate binding to a port
In order to replace any existing binding with what I have specified

Given a certificate in pfx form
And it's successfully imported
When I write a windows_certificate_binding resource stanza
And specify the desired subject or fingerprint
And there is already another certificate bound to the desired port
Then the desired certificate binding should replace the existing one

What you currently have to do (using an encrypted data bag with password, subject and fingerprint, and a files/default/certificate.pfx):

iis_site 'Default Web Site' do
  action :config
  site_id 1
  bindings 'http/*:80:,net.tcp/808:*,net.pipe/*,net.msmq/localhost,msmq.formatname/localhost,https/*:443:'
end

decrypted = data_bag_item('passwords', 'certificate')

pfx = "c:\\chef\\certificate.pfx"

# copy files/default/certificate.pfx from the cookbook to the target path
cookbook_file pfx do
  source 'certificate.pfx'
end

windows_certificate pfx do
  pfx_password decrypted['password']
  store_name 'MY'
  user_store false
end

subject = decrypted['subject']
fingerprint = decrypted['fingerprint']

# remove the current binding IF its thumbprint doesn't match the desired one
windows_certificate_binding 'Unbind any non-matching certs' do
  action :delete
  name subject
  name_kind :subject
  address '0.0.0.0'
  guard_interpreter :powershell_script
  # interpolating heredoc: backslashes must be doubled, otherwise Ruby turns "\0" into a NUL byte;
  # the last statement yields a boolean so the guard's exit code reflects the comparison
  not_if <<-EOF
  Import-Module WebAdministration
  $x = Get-Item IIS:\\SslBindings\\0.0.0.0!443
  $x.Thumbprint -eq "#{fingerprint}"
  EOF
end

# bind the correct one... this should be all we need to specify...
# if there is already a binding on this port... it does nothing
# it should replace it in my opinion
windows_certificate_binding 'Reuse RDP and WINRM self-signed cert for IIS' do
  action :create
  name_kind :subject
  name subject
  address '0.0.0.0'
end

hh avatar Dec 03 '15 17:12 hh

You would only want this to happen on first run though correct? On the next run you wouldn't want it to replace every time. Perhaps adding the action [:add, :replace]?...

EasyAsABC123 avatar Dec 04 '15 18:12 EasyAsABC123

I don't think there needs to be two actions, it should be part of create (the specified binding of a port to a certificate should be [re]bound).

List of Certificates in Cert:\My A, B, C, D

Previous Windows Bindings: 0.0.0.0:443 A

Then we apply

windows_certificate_binding 'B' do
  address '0.0.0.0'
end

New (and convergent) Windows Bindings: 0.0.0.0:443 B

If you specify B, it should make it bind to B. The second time through it will already be bound to B. No need to specify a new action.

hh avatar Dec 04 '15 19:12 hh
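The convergent behaviour hh describes (port bound to A, recipe specifies B, converge ends with B bound, and a second run changes nothing) modelled in plain Ruby as an added example; this is not the windows cookbook's code. It reads current state from a constructed `netsh http show sslcert` listing rather than the IIS:\SslBindings drive used above, and the certificate hashes and the function names `parse_sslcert`, `plan_binding` and `converge` are made up for the illustration.

```ruby
# Constructed sample of `netsh http show sslcert` output; the hashes are placeholders, not real certificates.
NETSH_OUTPUT = <<~NETSH
  SSL Certificate bindings:
  -------------------------

      IP:port                      : 0.0.0.0:443
      Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
      Certificate Store Name       : MY

      IP:port                      : 0.0.0.0:8443
      Certificate Hash             : bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
      Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
      Certificate Store Name       : MY
NETSH

# Parse the netsh listing into { "ip:port" => thumbprint } (thumbprints normalised to lowercase).
def parse_sslcert(output)
  bindings = {}
  current = nil
  output.each_line do |line|
    case line
    when /^\s*IP:port\s*:\s*(\S+)/
      current = Regexp.last_match(1)
    when /^\s*Certificate Hash\s*:\s*(\h+)/
      bindings[current] = Regexp.last_match(1).downcase if current
    end
  end
  bindings
end

# Decide what a convergent :create has to do for one endpoint.
# Returns [] (already bound to the desired cert), [:add] (nothing bound yet),
# or [:delete, :add] (a different certificate is bound and must be replaced).
def plan_binding(current_bindings, endpoint, desired_thumbprint)
  bound = current_bindings[endpoint]
  return [] if bound == desired_thumbprint.downcase
  return [:add] if bound.nil?
  [:delete, :add]
end

# Apply the plan to an in-memory copy of the state; a real resource would shell out
# to netsh or the IIS provider here. Returns [actions_taken, new_state].
def converge(current_bindings, endpoint, desired_thumbprint)
  actions = plan_binding(current_bindings, endpoint, desired_thumbprint)
  new_state = current_bindings.dup
  new_state[endpoint] = desired_thumbprint.downcase unless actions.empty?
  [actions, new_state]
end
```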

This has no effect on the windows_certificates resources, just the bindings.

hh avatar Dec 04 '15 19:12 hh

That sounds like [:create, :config] there just currently isn't a :config action

EasyAsABC123 avatar Dec 04 '15 19:12 EasyAsABC123