
xWebSite: How to enable Central Certificate store and not to get an error that Certificate thumbprint is invalid

Open TomasKT opened this issue 9 years ago • 11 comments

Hi Support,

I am getting this error: Unable to validate BindingInfo: "The CertificateThumbprint property is required for bindings of type "https".".

Using latest xWebAdministration package.

Values that I am passing: @{ Protocol = "https"; IPAddress = "*"; Port = "443"; HostName = "superweb.com"; CertificateThumbprint = $null; SslFlags = "3" }

TomasKT avatar Jul 20 '16 18:07 TomasKT

So forgive me for the simple question, but do you not need a thumbprint since it is HTTPS?

The code will require a thumbprint, which is why you're getting this error.

nzspambot avatar Jul 28 '16 06:07 nzspambot

Hi James,

The code is written in a way that it does require a Thumbprint value for HTTPS, and it can't be NULL.

If I put $NULL as a value, it gives me an error that the Thumbprint value is null.

So, the code is not written to use a Central Certificate store.

I put a fix in place by adding an extra check in the if statement.

Starting with line 1427 in MSFT_xWebsite.psm1:

    # SSL-related properties
    if ($Binding.Protocol -eq 'https')
    {
        # SslFlags 2 (CCS) or 3 (CCS + SNI): IIS resolves the certificate by file name
        # in the Central Certificate Store, so a thumbprint is not required.
        if ([String]::IsNullOrEmpty($Binding.CertificateThumbprint) -and ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3"))
        {
            $ErrorMessage = $LocalizedData.ErrorWebBindingMissingCertificateThumbprint `
                            -f $Binding.Protocol, $Binding.HostName
            New-TerminatingError -ErrorId 'WebBindingMissingCertificateThumbprint' `
                                 -ErrorMessage $ErrorMessage `
                                 -ErrorCategory 'InvalidArgument'
        }

        # Default the store name to 'MY' only for non-CCS bindings.
        if ([String]::IsNullOrEmpty($Binding.CertificateStoreName) -and ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3"))
        {
            $CertificateStoreName = 'MY'
            Write-Verbose -Message `
                ($LocalizedData.VerboseConvertToWebBindingDefaultCertificateStoreName `
                -f $CertificateStoreName, $Binding.HostName)
        }
        else
        {
            if ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3")
            {
                $CertificateStoreName = $Binding.CertificateStoreName
            }
        }

        # Only non-CCS bindings carry a certificate hash and store name.
        if ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3")
        {
            # Remove the Left-to-Right Mark character
            $CertificateHash = $Binding.CertificateThumbprint -replace '^\u200E'

            $OutputObject.Add('certificateHash',      [String]$CertificateHash)
            $OutputObject.Add('certificateStoreName', [String]$CertificateStoreName)
        }
    }

Please feel free to correct me if I am wrong…

TomasKT avatar Jul 28 '16 09:07 TomasKT

Nope, that looks fine-ish to me.

nzspambot avatar Jul 28 '16 23:07 nzspambot

I'd agree here. You need to specify a Thumbprint to use SSL. IIS will then look in the central store (defaults to using Certs:\LocalMachine\My if not otherwise specified) for a certificate with that thumbprint. So agree with @nzspambot - it all looks to be working correctly. You do need to create an SSL Certificate, add it to your LocalMachine\MY certificate store and then specify the Thumbprint of the cert as a parameter.

PlagueHO avatar Jul 29 '16 05:07 PlagueHO

@PlagueHO, you are missing the point of the Central Certificate store... The idea is to avoid putting the Thumbprint in the config and to identify the correct one by the name of the actual certificate.

Check this website, section "File Naming Convention": https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/

T.

TomasKT avatar Jul 29 '16 08:07 TomasKT

@TomasKT - you are quite right! Sorry about that. I wasn't even aware this feature existed - that is actually really useful to know. :smile:

I didn't read your title correctly. So this is a new feature/resource request. I think this would require more than just changes to xWebSite. I expect it would also require changes to other resources to configure the location of the CCS.

PlagueHO avatar Jul 29 '16 08:07 PlagueHO

@PlagueHO yeah @TomasKT is correct and you are also correct as this might need some additional stuff... /thinking hat is on

nzspambot avatar Jul 29 '16 10:07 nzspambot

Relabelled this as enhancement instead of a bug. As for @PlagueHO's comment about changing the location of the CCS, if that cannot be a property in this resource, then that should be submitted as another issue if it requires an entire new resource.

johlju avatar Apr 26 '18 09:04 johlju

This is clearly a bug that renders the CCS unusable using xWebSite. Bottom line is it should not check for a thumbprint when SslFlags is 2 or 3. In the IIS console, when CCS is enabled, the SSL certificate field would be disabled:

[screenshot: IIS console binding dialog]

changbowen avatar Nov 15 '21 06:11 changbowen

Looks like wrapping the if ([String]::IsNullOrEmpty($binding.CertificateThumbprint)) section is working. I put in a PR but feel free to test and update it. Thanks!

changbowen avatar Nov 15 '21 07:11 changbowen