
action :create should delete and re-create binding if app_guid or hash do not match #306

Open
hh opened this issue Nov 19, 2015 · 3 comments
Labels
Type: Bug Doesn't work as expected.

Comments

@hh (Contributor) commented Nov 19, 2015

windows_ssl_bind_certificate 'Reuse RDP and WINRM self-signed cert for IIS' do
  ip_address '0.0.0.0'
  port 443
  hash node.chef_provisioning.reference.winrm_ssl_thumbprint
  # We should maybe generate a guid
  app_guid '00112233-4455-6677-8899-BABEFACEEE12'
end

[2015-11-19T15:05:35+00:00] FATAL: RuntimeError: windows_ssl_bind_certificate[Reuse RDP and WINRM self-signed cert for IIS] (my_server::iis_site line 45) had an error: RuntimeError: There is already a certificate bound to port 443. Conflicting certificate info:

SSL Certificate bindings: 
------------------------- 

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : ef0dd4d70fc7df06810afbbecf60a32455afc0a1
    Application ID               : {00112233-4455-6677-8899-babefaceee12}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
@mwrock (Contributor) commented Nov 19, 2015

What if the currently bound guid is a valid binding? I could imagine scenarios where a cookbook author binds an app to 443 inadvertently, not realizing another app is already bound (I have personally done this before). I'd think we'd want to raise the error here.

@hh (Contributor, Author) commented Nov 26, 2015

I wanted to just set up a simple binding using the included (on EC2 anyway) RDP self-signed cert. If I specify the hash and port and ip_address, then I am basically requesting that that specific certificate be bound to that port.

Currently I have to have a removal first that doesn't write up very cleanly.

# Remove whatever is bound to 0.0.0.0:443 unless it is already the wanted cert.
windows_certificate_binding 'Unbind any non-matching certs' do
  action :delete
  name node.chef_provisioning.reference.winrm_ssl_thumbprint
  name_kind :hash
  address '0.0.0.0'
  guard_interpreter :powershell_script
  # The guard must end in a boolean: a powershell_script guard uses the value of its
  # last expression when that value is a bool, so compare with -eq rather than
  # CompareTo (which returns 0 on a match and would never yield a boolean).
  not_if <<-EOF
  Import-Module WebAdministration
  $x = Get-Item IIS:\\SslBindings\\0.0.0.0!443 -ErrorAction SilentlyContinue
  ($null -ne $x) -and ($x.Thumbprint -eq "#{node.chef_provisioning.reference.winrm_ssl_thumbprint}")
  EOF
end

# Bind the RDP/WinRM self-signed cert (looked up by thumbprint) to 0.0.0.0:443.
windows_certificate_binding 'Reuse RDP and WINRM self-signed cert for IIS' do
  action :create
  name_kind :hash
  name node.chef_provisioning.reference.winrm_ssl_thumbprint
  address '0.0.0.0'
end

@mwrock (Contributor) commented Nov 26, 2015

I think having an explicit deletion is the right thing to do for long lived infrastructure. Especially on web servers that host multiple sites, it would be too easy to inadvertently take down a web site.
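
The two positions in this thread (hh: a binding request with an explicit hash should replace whatever is on the port; mwrock: silently replacing another application's binding can take a site down) can both be honoured by comparing the existing binding's application ID as well as its certificate hash before touching it. The following PowerShell is an added example written for this page, not code from the windows cookbook or from either commenter. It reads the binding with netsh http show sslcert (the same "Name : value" block that appears in the error above), is a no-op when hash and appid already match, refuses when the port belongs to a different application, and deletes and re-adds only when the same application is rotating its certificate. The function names, the MY store default and the placeholder thumbprint/appid in the usage comment are assumptions; the RDP/WinRM cert may live in a different store on your image.

```powershell
# Added example (not the windows cookbook's code). Assumes a Windows host where
# netsh and HTTP.SYS are available; function names are hypothetical.

function Get-HttpSslBinding {
    param([Parameter(Mandatory)][string]$IpPort)
    # netsh exits non-zero when nothing is bound to the ip:port.
    $out = & netsh http show sslcert ipport=$IpPort 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    $binding = @{}
    foreach ($line in $out) {
        if ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $binding.Hash = $Matches[1].ToLower()
        }
        elseif ($line -match '^\s*Application ID\s*:\s*\{?([0-9a-fA-F-]+)\}?') {
            $binding.AppId = $Matches[1].ToLower()
        }
    }
    if (-not $binding.ContainsKey('Hash')) { return $null }
    return [pscustomobject]$binding
}

function Set-HttpSslBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$IpPort,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$AppId,
        [string]$StoreName = 'MY'   # assumption: cert is in the machine MY store
    )
    # Normalise so that case, braces and stray separators do not cause false mismatches.
    $wantHash  = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToLower()
    $wantAppId = $AppId.Trim('{', '}').ToLower()
    $current   = Get-HttpSslBinding -IpPort $IpPort

    if ($null -ne $current) {
        if ($current.Hash -eq $wantHash -and $current.AppId -eq $wantAppId) {
            Write-Verbose "$IpPort already bound to $wantHash for {$wantAppId}; nothing to do"
            return
        }
        if ($current.AppId -ne $wantAppId) {
            # Another application owns this port: refuse rather than take its site down.
            throw "Port $IpPort is bound by application {$($current.AppId)} (hash $($current.Hash)); refusing to rebind for {$wantAppId}"
        }
        # Same application, different certificate: the rotate-in-place case from the issue.
        & netsh http delete sslcert ipport=$IpPort | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed for $IpPort" }
    }
    & netsh http add sslcert ipport=$IpPort certhash=$wantHash "appid={$wantAppId}" certstorename=$StoreName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort" }
}

# Usage (placeholder values; run elevated):
# Set-HttpSslBinding -IpPort '0.0.0.0:443' `
#     -Thumbprint 'ef0dd4d70fc7df06810afbbecf60a32455afc0a1' `
#     -AppId '00112233-4455-6677-8899-BABEFACEEE12' -Verbose
```

Wrapped in a powershell_script resource, the throw surfaces as a failed Chef run instead of a silently replaced binding, which is the behaviour mwrock argues for; the delete-then-add branch gives hh's certificate rotation without a separate guarded :delete resource.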

@tas50 tas50 added the Type: Bug Doesn't work as expected. label Dec 22, 2016