Windows Server Essentials 2016 Access Anywhere Certificate renewal script
I see various complaints regarding WSE 2016 and certificate renewals.
I have been using the script below for years without issues. You have to be patient it takes at least two minutes for everything to restart but it does work.
Regards,
```powershell
# Enable certificate for RDP Gateway
param($result)
Import-Module RemoteDesktopServices
# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop
# Restart Network Policy Server, TSGateway, and SSTP Protocol
Restart-Service IAS -Force -ErrorAction Stop
Restart-Service TSGateway -Force -ErrorAction Stop
Restart-Service SSTPSvc -Force -ErrorAction Stop
Write-Host "Done!"
```
Thanks, is there a complaint somewhere we should be addressing?
We also have a built-in Deployment Task for this, but it currently only does the following; are the other service restarts essential?
```powershell
param($result, [switch] $restartServices = $false)
Import-Module RemoteDesktopServices
# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop
# Optionally restart TSGateway
if ($restartServices -eq $true)
{
    Restart-Service TSGateway -Force -ErrorAction Stop
}
```
As an aside you can also now use our built in Deployment Task to stop/start/restart services, so scripting isn't the only way to do it.
Hello Christopher,
On Windows Server 2016 Essentials, if you don't restart Network Policy Server, VPNs do connect but there is no traffic allowed on the network.
For people using the SSTP protocol, you must restart the SSTPSvc service AFTER restarting the TSGateway.
Note that there is a significant delay during these restarts: on a lightly loaded server, expect a two-minute delay.
Regards,
Serge Caron
Hello Christopher,
I am not certain how to control the exact restart sequence using separate tasks.
Regards,
Serge Caron
Thanks Serge. Regarding Tasks, they are executed in the order that they appear on the list and you can drag/drop them to re-order.
Hello Christopher,
Yesterday was too hectic to reply.
The task “Deploy to RAS (Direct Access, …” does not document which services are restarted and in what order.
Over the years, I have not seen a recommendation to restart IAS, the now "Network Policy Server", in the various forums concerned with Windows Server 2016 Essentials.
The same goes for SSTPSvc.
So, does your “Deploy to RAS …” task restart these services, in which order, and does it do anything else ?
Kind regards,
Serge Caron
Hi Serge, no currently it only runs the following, but I'm happy to update it. Ideally the script would work for everyone and could be combined with other actions for users who need to to do more:
```powershell
Restart-Service TSGateway -Force -ErrorAction Stop
```
Hello Christopher,
This does not work for WS2016 Essentials.
Working backwards so you have a better understanding:
- SSTPSvc relies on the certificate in use by TSGateway to accept SSTP VPN connections. If this service is not restarted following a TSGateway update, incoming VPN connections will succeed but will drop out almost immediately because of the lack of SSL/TLS support resulting from a certificate mismatch.
- TSGateway will honor incoming connections but the remote end will not pass traffic: you can't even ping the WS2016 server even if you have a valid IP provided by the TSGateway/SSTPSvc pair.
- Internet Authentication Service (IAS) was renamed Network Policy Server (NPS) with the introduction of Windows Server 2008. This is the service responsible for allowing VPN traffic on the local network.
Please note that restarting IAS is a long process and you will find many lines in your log. On a less powerful machine, you are looking at a two-minute overall delay.
I am presently testing a replacement server and I will gladly use your new functionality if it does the above. Again, please note that I had added a `Write-Host "Done!"` at the end of my script in the hope that it would be part of the log ;-) Perhaps your version could add this simple safeguard.
Kind regards,
Serge Caron
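The failure mode described in the post above (connections accepted, then dropped because the listener still presents the old certificate) is only visible from the client side, and a green "Done!" in the Certify The Web log says nothing about it. The following added example (editor's addition, not a script from the thread or from the Certify The Web project) performs a TLS handshake against the gateway after deployment and compares the thumbprint the listener actually presents with the thumbprint configured on the RD Gateway. The hostname `gateway.example.com`, port 443 and the `-ExpectedThumbprint` parameter are assumptions; `RDS:\GatewayServer\SSLCertificate\Thumbprint` and `Import-Module RemoteDesktopServices` are the same provider path and module the thread's scripts use.

```powershell
# Added example (not from the thread): verify that the TLS listener really presents the
# certificate the RD Gateway was configured with. Run it after the deployment script, or
# call it as a further deployment task so a mismatch fails the renewal visibly.
param(
    [string]$HostName = "gateway.example.com",   # assumed public name of the gateway
    [int]$Port = 443,                            # assumed: RD Gateway / SSTP listener port
    [string]$ExpectedThumbprint                  # optional SHA-1 hex; default read from RDS:
)

Import-Module RemoteDesktopServices -ErrorAction Stop

# What the RD Gateway configuration claims to be using
if (-not $ExpectedThumbprint) {
    $ExpectedThumbprint = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
}
# Normalise: strip spaces/colons, upper-case, so it compares with X509Certificate2.Thumbprint
$ExpectedThumbprint = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

function Get-ServedCertificate {
    param([string]$TargetHost, [int]$TargetPort, [string]$Sni)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $TargetPort)
        # Accept any chain here on purpose: the point is to see which leaf is presented;
        # the actual check is the thumbprint comparison below, not chain validation.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Sni)   # SNI = host name, as a VPN/RDG client would send
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Thumbprint = $leaf.Thumbprint
            Subject    = $leaf.Subject
            NotAfter   = $leaf.NotAfter
            Protocol   = $ssl.SslProtocol
        }
    }
    finally {
        $client.Close()
    }
}

$served = Get-ServedCertificate -TargetHost $HostName -TargetPort $Port -Sni $HostName
# Write-Warning so the lines end up in the Certify The Web log, as the thread's scripts do
Write-Warning ("Configured thumbprint: {0}" -f $ExpectedThumbprint)
Write-Warning ("Served thumbprint:     {0} ({1}, expires {2:yyyy-MM-dd}, {3})" -f `
    $served.Thumbprint, $served.Subject, $served.NotAfter, $served.Protocol)

if ($served.Thumbprint -ne $ExpectedThumbprint) {
    # Throw instead of printing: a failed task is visible, a warning line is not.
    throw "Listener ${HostName}:${Port} still presents $($served.Thumbprint); expected $ExpectedThumbprint. Restart the gateway services (or reboot) and re-check."
}
Write-Warning "Done: listener presents the renewed certificate."
```

Because HTTP.SYS can hold one certificate per IP:port (or per SNI host name) while individual services keep their own idea of which certificate to use, run the probe with the same host name the clients use; a match here proves the listener, not necessarily every service behind it, so keep a client-side VPN test in the checklist as well.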
Hello Christopher,
Yesterday, I came across a client configuration where the static script did not work. Our friends at Microsoft are somewhat creative…
Below is a script that will recursively walk the dependencies for the “Network Policy Server” and the “Secure Socket Tunneling Protocol (SSTP) service” : note that these two are not directly or indirectly related, one more of Microsoft’s idiosyncrasies.
Kind regards,
Serge Caron
PS: this is a preliminary version with little or no validation.
```powershell
param($result)
Import-Module RemoteDesktopServices
# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop
# Restart services required for "Access Anywhere"
$global:ServicesToStart = @()
Function CollectDependent($TargetService)
{
    $wmidependents = (Get-Service $TargetService).DependentServices
    # Win32_Service carries the State and the start mode (Auto/Manual/Disabled) of each dependent
    $wmidependentservices = Get-WmiObject Win32_Service | Select-Object Name,State,StartMode | Where-Object { $wmidependents.Name -contains $_.Name }
    # Write-Host $TargetService
    foreach ($service in $wmidependentservices) {
        if ($service.StartMode -eq "Auto" -or $service.State -eq "Running") {
            # Write-Host "-> $($service.Name)"
            # Caution: no effort done to prevent circular definitions
            CollectDependent($service.Name)
        }
        else {
            Write-Host "Omitting $($service.Name) : service is $($service.State) with the startmode: $($service.StartMode)"
        }
    }
    # Dependents have been stopped above, so the target can be stopped without -Force
    Stop-Service $TargetService -ErrorAction SilentlyContinue
    $global:ServicesToStart += $TargetService
}
CollectDependent("IAS")
CollectDependent("SSTPSvc")
#Write-Host "----"
foreach ($service in $global:ServicesToStart) { Start-Service $service -ErrorAction SilentlyContinue }
Write-Host "Done!"
```
Thanks Serge, this is quite extensive, I think I'd be tempted to leave the exercise of stopping and starting related services to the user (i.e they would specify tasks to restart the correct services) as clearly it depends on their environment to some extent.
Hello Christopher,
Indeed, it is quite extensive.
The issue is that you don’t know for sure which services are running (i.e. some services start-up are set to “Manual” and have dependencies of their own) AND you don’t know the VPN configuration in use. Some dependent services are not in use in every installation.
So the user must research the exact sequence of services they need to stop and start : a simple restart of TSGateway will not do. And this depends on the “configuration du jour” ;-). As you can see in the code, TSGateway is not explicitly named: it is a dependent service of the Network Policy Server.
I am going to add a little protection against circular dependencies and I will live with this for a while.
Kind regards,
Serge Caron
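The posts above describe the two things that make the restart sequence hard to get right: the set of services that must be cycled depends on the "configuration du jour" (start mode, running state, which VPN protocols are in use), and a naive recursive walk has no protection against circular or shared dependencies. The following added example (editor's addition, not code from the thread or from the Certify The Web project) separates planning from acting: it walks `DependentServices` from a list of root services, uses a visited set so a cycle or a service reachable from two roots is handled once, records the stop order, derives the start order as its exact reverse, and stops nothing. The root services `SSTPSvc` and `IAS` are the ones discussed in the thread; the Running-or-Automatic rule is the one the thread's scripts apply.

```powershell
# Added example (not from the thread): compute the stop and start order for a set of
# root services without touching them. Apply the plan only after reviewing it.
function Get-ServiceRestartPlan {
    param([string[]]$RootServices)

    # Visited set guards against cycles and against a dependent shared by two roots
    $visited   = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $stopOrder = [System.Collections.Generic.List[string]]::new()
    $skipped   = [System.Collections.Generic.List[string]]::new()

    # Start mode (Auto/Manual/Disabled) comes from CIM, the same source the thread's
    # scripts query through WMI
    $startMode = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $startMode[$_.Name] = $_.StartMode }

    function Visit([string]$Name) {
        if (-not $visited.Add($Name)) { return }      # already planned: cycle or shared dependent
        $svc = Get-Service -Name $Name -ErrorAction Stop
        foreach ($dep in $svc.DependentServices) {
            $mode = $startMode[$dep.Name]
            if ($dep.Status -eq 'Running' -or $mode -eq 'Auto') {
                Visit $dep.Name                        # a dependent stops before its provider
            }
            else {
                $skipped.Add("$($dep.Name) ($($dep.Status), $mode)")
            }
        }
        $stopOrder.Add($Name)                          # post-order: provider after its dependents
    }

    foreach ($root in $RootServices) { Visit $root }

    $startOrder = $stopOrder.ToArray()
    [array]::Reverse($startOrder)                      # providers come back before dependents
    [pscustomobject]@{
        StopOrder  = $stopOrder.ToArray()
        StartOrder = $startOrder
        Skipped    = $skipped.ToArray()
    }
}

# Dry run with the thread's production root order: SSTPSvc first, then IAS
$plan = Get-ServiceRestartPlan -RootServices 'SSTPSvc', 'IAS'
"Stop order : " + ($plan.StopOrder  -join ' -> ')
"Start order: " + ($plan.StartOrder -join ' -> ')
$plan.Skipped | ForEach-Object { "Skipped    : $_" }

# To apply, after reviewing the plan (deliberately not run by default):
# $plan.StopOrder  | ForEach-Object { Stop-Service  $_ -ErrorAction Stop }
# $plan.StartOrder | ForEach-Object { Start-Service $_ -ErrorAction Stop }
```

Printing the plan before acting is what makes a renewal log useful: when the order differs from one server to the next, the log shows why, and `-ErrorAction Stop` in the apply step turns a service that refuses to stop into a failed task rather than a silent "Done!".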
Hello Christopher,
Production script below : enjoy ;-)
Regards,
Serge Caron
PS : I have changed “Write-Host” to “Write-Warning” so these actions can be seen in the Certify The Web log file.
```powershell
##******************************************************************
## Revision date: 2020.08.19
##
## Copyright (c) 2020 PC-Évolution enr.
## This code is licensed under the GNU General Public License (GPL).
##
## THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF
## ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY
## IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
## PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.
##
##******************************************************************
# Certify The Web Deployment Script for Windows Server 2016 Essentials (Your Mileage May Vary ;-)
# Restart the "Network Policy Server" as well as the SSTP protocol : all dependent services are
# stopped and started in the exact reverse order they were stopped.
# Note: the Write-Warning is used so that messages will appear in the Certify The Web log file.
param($result)
Import-Module RemoteDesktopServices
# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop
# Restart services required for "Access Anywhere"
$global:ServicesToStart = @()
Function CollectDependent($TargetService)
{
    # Caution: minimal effort done to prevent circular definitions
    # (a service already stopped and recorded is not processed a second time)
    if ($global:ServicesToStart -contains $TargetService) {
        Write-Warning "Caution! Service $TargetService is involved in a circular definition."
    }
    else {
        $wmidependents = (Get-Service $TargetService).DependentServices
        # Win32_Service carries the State and the start mode (Auto/Manual/Disabled) of each dependent
        $wmidependentservices = Get-WmiObject Win32_Service | Select-Object Name,State,StartMode | Where-Object { $wmidependents.Name -contains $_.Name }
        # Write-Host $TargetService
        foreach ($service in $wmidependentservices) {
            if ($service.StartMode -eq "Auto" -or $service.State -eq "Running") {
                # Write-Host "-> $($service.Name)"
                CollectDependent($service.Name)
            }
            else {
                Write-Warning "Omitting $($service.Name) : service is $($service.State) with the startmode: $($service.StartMode)"
            }
        }
        Stop-Service $TargetService -ErrorAction SilentlyContinue
        $global:ServicesToStart += $TargetService   # recorded in stop order
    }
}
CollectDependent("IAS")
CollectDependent("SSTPSvc")
#Write-Host "----"
# Start in the exact reverse of the stop order: a service before the services that depend on it
[array]::Reverse($global:ServicesToStart)
foreach ($service in $global:ServicesToStart) { Start-Service $service -ErrorAction SilentlyContinue }
Write-Warning "Done!"
```
Just wanted to drop a short note to say a huge thank you for Serge for writing and sharing this script. I've successfully deployed this on my personal WSE 2016 and my Access Anywhere install is now running the current cert (instead of the original one I deployed manually). I'll keep an eye on this thread in case additional improvements to the script are added.
Hello Christopher et al.,
There are hidden dependencies between the SSTPsvc and IAS services or there is a race condition of some sort between these two on faster servers.
This is a small revision where declared dependencies for these two services are enumerated SSTPSvc first, IAS second.
The renewal log now shows the exact order in which services are restarted. IAS will now start before SSTPSvc, provided there is no other black magic involved.
Regards,
Serge Caron
```text
2020-12-20 12:09:18.836 -05:00 [INF] Executing command via PowerShell
2020-12-20 12:09:29.884 -05:00 [INF] Omitting RasMan : service is Stopped with the startmode: Disabled
Omitting rqs : service is Stopped with the startmode: Manual
Waiting for service "Routing and Remote Access (RemoteAccess)" to stop...
Omitting rqs : service is Stopped with the startmode: Manual
Waiting for powershell to complete..5s
Waiting for service "Network Policy Server (IAS)" to stop...
Waiting for service "Network Policy Server (IAS)" to stop...
Restarting services in the following order: IAS TSGateway SSTPSvc RemoteAccess
Waiting for powershell to complete..10s
Done!
2020-12-20 12:09:29.884 -05:00 [INF] Run Powershell Script :: Task Completed OK
```
Serge,
Did you post your revised code in this thread or as a commit to the project? Looking to test your updated code as the service dependencies have been causing issues for the Remote Desktop Gateway cert application (it keeps holding on to the prior cert instead of applying the latest renewal).
Merry Christmas to All ;-)
The revised code was attached to my previous email : I was not intelligent enough to update the GitHub project … shame on me!
The “revision” is simply changing the order in which the dependencies are enumerated: SSTPSvc is enumerated before IAS and the side effect is that IAS is restarted before any of the other services. Microsoft does not enumerate IAS as a dependency for SSTPSvc, so the point at which it picks up the new certificate is unknown.
As a simple test, here is a scenario where the same certificate is issued at a 15-minute interval.
- The ACTIVE certificate (as displayed in a web browser) is valid from "December 20, 2020 11:09:15 to March 20, 2021 11:09:15";
- The first invocation of the renewal process shows in the Certify The Web log file: "2020-12-20 11:55:47.942 -05:00 [INF] Task [Run Powershell Script] :: Task is enabled and primary request was successful." In the MMC Certificate console, the "friendly name" of the certificate is "passerelle.[secretdomain].com [Certify] - 2020-12-20 10:55:44 to 2021-03-20 11:55:44"
- The second invocation of the renewal process shows in the Certify The Web log file: "2020-12-20 12:09:18.836 -05:00 [INF] Task [Run Powershell Script] :: Task is enabled and primary request was successful." In the MMC Certificate console, the "friendly name" of the second certificate is "passerelle.[secretdomain].com [Certify] - 2020-12-20 11:09:15 to 2021-03-20 12:09:15"
So, there is a small bug in the naming of the "friendly name" of the certificate: the "to" part is one hour later, probably as the result of some daylight saving time discrepancy.
However, the SSTPSvc service picks up the new certificate on all the servers on which this was tested. On December 30th, I still have 5 different installations to update to CTW 5.2.1 and I will report if all is fine with those as well.
Christopher may have fixed the naming bug by then ;-)
Kind regards,
Serge Caron
Merry Christmas to you too! I must be missing something here, because your email attachment didn't seem to make it into the comment thread. Perhaps Chris is able to see it as the project administrator though...
Can you repost the updated code via an in line script block?
- Ryan
Serge,
Are you able to post your most updated script?
Here is the production script:
```powershell
##******************************************************************
## Revision date: 2020.12.20
##
## Copyright (c) 2020 PC-Évolution enr.
## This code is licensed under the GNU General Public License (GPL).
##
## THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF
## ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY
## IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
## PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.
##
##******************************************************************
# Certify The Web Deployment Script for Windows Server 2016 Essentials (Your Mileage May Vary ;-)
# Restart the "Network Policy Server" as well as the SSTP protocol : all dependent services are
# stopped and started in the exact reverse order they were stopped.
# Note: the Write-Warning is used so that messages will appear in the Certify The Web log file.
# 2020.08.19 : Initial version
# 2020.12.20 : Change order of CollectDependent calls to address some hidden dependencies.
param($result)
Import-Module RemoteDesktopServices
# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop
# Restart services required for "Access Anywhere"
$global:ServicesToStart = @()
Function CollectDependent($TargetService)
{
    # Caution: minimal effort done to prevent circular definitions
    # (a service already stopped and recorded is not processed a second time)
    if ($global:ServicesToStart -contains $TargetService) {
        Write-Warning "Caution! Service $TargetService is involved in a circular definition."
    }
    else {
        $wmidependents = (Get-Service $TargetService).DependentServices
        # Win32_Service carries the State and the start mode (Auto/Manual/Disabled) of each dependent
        $wmidependentservices = Get-WmiObject Win32_Service | Select-Object Name,State,StartMode | Where-Object { $wmidependents.Name -contains $_.Name }
        # Write-Host $TargetService
        foreach ($service in $wmidependentservices) {
            if ($service.StartMode -eq "Auto" -or $service.State -eq "Running") {
                # Write-Host "-> $($service.Name)"
                CollectDependent($service.Name)
            }
            else {
                Write-Warning "Omitting $($service.Name) : service is $($service.State) with the startmode: $($service.StartMode)"
            }
        }
        Stop-Service $TargetService -ErrorAction SilentlyContinue
        $global:ServicesToStart += $TargetService   # recorded in stop order
    }
}
CollectDependent("SSTPSvc")
CollectDependent("IAS")
# Start in the exact reverse of the stop order: a service before the services that depend on it
[array]::Reverse($global:ServicesToStart)
Write-Warning "Restarting services in the following order: "
foreach ($service in $global:ServicesToStart) { Write-Warning $service }
foreach ($service in $global:ServicesToStart) { Start-Service $service -ErrorAction SilentlyContinue }
Write-Warning "Done!"
```
Serge,
Thank you so much!
Dumb question as I'm still learning - do I just copy and paste the script into a ps1 file?
Yep!
Save the script in some directory other than the CTW directory.
Regards,
Great! Thanks again!!!
It doesn't look like either of Serge's posts formatted correctly in the forum thread... I took the liberty of cleaning up the code and applying the order and dependency logic changes per his revisions. Hope this helps!
```powershell
##******************************************************************
## Revision date: 2020.12.20
##
## Copyright (c) 2020 PC-Évolution enr.
## This code is licensed under the GNU General Public License (GPL).
##
## THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF
## ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY
## IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
## PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.
##
##******************************************************************
# Certify The Web Deployment Script for Windows Server 2016 Essentials (Your Mileage May Vary ;-)
# Restart the "Network Policy Server" as well as the SSTP protocol : all dependent services are
# stopped and started in the exact reverse order they were stopped.
# Note: the Write-Warning is used so that messages will appear in the Certify The Web log file.
# 2020.08.19: Initial version
# 2020.12.20: Change order of CollectDependent calls to address some hidden dependencies.
param($result)
Import-Module RemoteDesktopServices
# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop
# Restart services required for "Access Anywhere"
$global:ServicesToStart = @()
Function CollectDependent($TargetService)
{
    # Caution: minimal effort done to prevent circular definitions
    # (a service already stopped and recorded is not processed a second time)
    if ($global:ServicesToStart -contains $TargetService) {
        Write-Warning "Caution! Service $TargetService is involved in a circular definition."
    }
    else {
        $wmidependents = (Get-Service $TargetService).DependentServices
        # Win32_Service carries the State and the start mode (Auto/Manual/Disabled) of each dependent
        $wmidependentservices = Get-WmiObject Win32_Service | Select-Object Name,State,StartMode | Where-Object { $wmidependents.Name -contains $_.Name }
        # Write-Host $TargetService
        foreach ($service in $wmidependentservices) {
            if ($service.StartMode -eq "Auto" -or $service.State -eq "Running") {
                # Write-Host "-> $($service.Name)"
                CollectDependent($service.Name)
            }
            else {
                Write-Warning "Omitting $($service.Name) : service is $($service.State) with the startmode: $($service.StartMode)"
            }
        }
        Stop-Service $TargetService -ErrorAction SilentlyContinue
        $global:ServicesToStart += $TargetService   # recorded in stop order
    }
}
CollectDependent("SSTPSvc")
CollectDependent("IAS")
# Start in the exact reverse of the stop order: a service before the services that depend on it
[array]::Reverse($global:ServicesToStart)
Write-Warning "Restarting services in the following order: "
foreach ($service in $global:ServicesToStart) { Write-Warning $service }
foreach ($service in $global:ServicesToStart) { Start-Service $service -ErrorAction SilentlyContinue }
Write-Warning "Done!"
```
Thanks devast8tor!
Hey Serge,
Just wanted to let you know that the updated script still isn't working right for me, even though the log didn't show any errors. After my last cert update on 2/24, the remote access server started throwing cert errors again. I ended up applying the same manual fix I've used before, which was to export the new cert from IIS and then re-rerun WSE remote setup through the wizard.
Hello Ryan,
That’s interesting.
We are running Windows Server 2016 Standard (v1607, OS Version 14393.4169): I have 7 different instances running and serving roughly 200 users.
These instances are using only SSTP to access the VPN. On one of these instances we had a month ago a situation where the Terminal Services Gateway was working perfectly following the certificate renewal but not the SSTP service which uses the same certificate.
We believe that there is some undocumented relationship between all these services: in the case above, everything was back to normal following a reboot. Manually stopping all the KNOWN services and restarting them in the correct order was no help: a reboot was the only solution that worked in this case.
The issue is on my TODO list.
I can’t report any error on the six other servers.
Regards,
Serge Caron
Serge,
Appreciate your reply and I totally understand. I agree that there seems to be some undocumented shenanigans occurring in steps that are hidden behind the setup/repair wizard. I am happy to enable additional logging or to setup tracing (either of ctw or the wse setup wizard) to see if we can't tease out the voodoo occurring behind that setup progress bar.
If you'd like to collaborate, just let me know. I also have access to Unified Support via my employer, so have been considering opening a support case to capture this detail if it would help?
Regards, Ryan
While the script works for me, the only issue I have is with SSTP VPN routing not working until a server reboot as Serge pointed out. So until a solution is mentioned, I went ahead and added a task within CTW to run a reboot after the script completes. It makes sense to have 3-5 minutes of down time vs. hours of not knowing it's down.