
Unable to set private key permissions - private key null #481

Open
taliesins opened this issue Jul 3, 2017 · 10 comments

Comments

@taliesins

taliesins commented Jul 3, 2017

Cookbook version

Latest version

Chef-client version

Latest version

Platform Details

Windows Server 2012 R2 with latest patches applied. I have tried to install the latest WIM 5.1 and it did not help.

Scenario:

Trying to set ACL permissions on certificate

Steps to Reproduce:

windows_certificate 'certname' do
  private_key_acl ["#{node["kernel"]["cs_info"]["user_name"]}", 'Administrator', 'BUILTIN\Administrators']
end

Expected Result:

Private key permissions to be set for certificate.

Actual Result:

When not setting certificate permissions and loading MMC, you can see that the certificate does have a private key.

This does not occur with all certificates, only when the CSP is CNG.

I think the error is related to the following (TL;DR: .NET has problems getting the private key when the CSP is CNG):
https://blogs.technet.microsoft.com/vishalagarwal/2010/03/30/verifying-the-private-key-property-for-a-certificate-in-the-store/

And we might be able to fix it using the following:
https://stackoverflow.com/questions/17185429/how-to-grant-permission-to-private-key-from-powershell/22146915#22146915

Exception occurs with the following error message:

[2017-07-03T15:25:53+00:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: windows_certificate[wildcard.office.interxion.net] (role-servicebus::default line 75) had an error: Mixlib::ShellOut::ShellCommandFailed: powershell_script[wildcard.office.interxion.net] (C:/chef/cache/cookbooks/windows/resources/certificate.rb line 39) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/vagrant/AppData/Local/Temp/1/chef-script20170703-2168-1vd4wys.ps1" ----
STDOUT:
STDERR: C:\Users\vagrant\AppData\Local\Temp\1\chef-script20170703-2168-1vd4wys.ps1 :
no private key exists.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,chef-script20170703-2168-1vd4wys.ps1
---- End output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/vagrant/AppData/Local/Temp/1/chef-script20170703-2168-1vd4wys.ps1" ----
Ran "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/vagrant/AppData/Local/Temp/1/chef-script20170703-2168-1vd4wys.ps1" returned 1
@taliesins
Author

taliesins commented Jul 6, 2017

I think the way around this problem is to make use of the PowerShell cmdlets for certificates. When I used the cmdlet instead of the PowerShell generated by Chef, I was able to access the certificate's private key.

cmdlet:
Import-PfxCertificate -FilePath C:\chef\cache\test.pfx -CertStoreLocation Cert:\LocalMachine\My

chef powershell:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\chef\cache\test.pfx", "", ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeyset)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "MY", ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

I can only think it was implemented this way because perhaps PowerShell 3 did not have this cmdlet. Perhaps Get-Command could be used so that systems that support the cmdlet will use it.

@iennae
Contributor

iennae commented Jul 11, 2017

@taliesins Thanks for reporting and the extra information. This has been brought up to the team to review.

@adamfortuno

I experience the reported issue when using Import-PfxCertificate. The issue being where a user imports a certificate and private key from a PKCS package (*.pfx), and the certificate appears to have a private key c/o the HasPrivateKey data member, but the PrivateKey data member is null.
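The two comments above describe the same gap: the cookbook's generated script reads `$cert.PrivateKey`, which is null for CNG-stored keys even when `HasPrivateKey` is true, so the guard reports "no private key exists." The following is an added example (not code from the windows cookbook or from any commenter) of importing with `Import-PfxCertificate`, as suggested above, and then granting a read ACE on the key file for both legacy CSP and CNG keys. It assumes Windows PowerShell 5.1 on .NET 4.6 or later, an elevated session, and a Microsoft software provider; the function name, its parameters and the CNG key directory (`%ProgramData%\Microsoft\Crypto\Keys`) are my assumptions, while the CSP path `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys` is the one quoted later in this thread.

```powershell
# Added example, not from the cookbook. Grants read access to a certificate's
# private key file for both CSP (RSA) and CNG key storage. Assumes PowerShell 5.1
# on .NET 4.6+, an elevated session, and a Microsoft software key provider.
function Grant-PrivateKeyRead {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $Account,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # $cert.PrivateKey is null for CNG keys, which is what trips the cookbook's
    # guard. GetRSAPrivateKey() resolves the key for either provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG: machine keys of the Microsoft Software KSP live under this directory (assumption).
        $uniqueName = $rsa.Key.UniqueName
        $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP: the MachineKeys path quoted in this thread.
        $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    }
    else { throw "Unsupported private key type: $($rsa.GetType().FullName)" }

    # Hardware or third-party KSPs keep no file here; fail loudly rather than ACL the wrong thing.
    $keyFile = Join-Path $keyDir $uniqueName
    if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found on disk: $keyFile" }

    # Add a single Read ACE and keep every existing entry (least privilege: no FullControl).
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
    return $keyFile
}

# Usage with constructed values: import with the cmdlet, then grant on the stored key.
# $cert = Import-PfxCertificate -FilePath C:\chef\cache\test.pfx -CertStoreLocation Cert:\LocalMachine\My
# Grant-PrivateKeyRead -Thumbprint $cert.Thumbprint -Account 'NT SERVICE\MSSQLSERVER'
```

Because the key is looked up from the store rather than re-instantiated from the PFX, no temporary key container is created, so a second run only re-applies the ACE.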

@sergeydeg

sergeydeg commented May 15, 2018

The actual problem, as I see it, is with the guard script (at least with Win 2016).
When the guard script runs a second time as LocalSystem (Chef configured as a task), it deletes the private key from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
When the System.Security.Cryptography.X509Certificates.X509Certificate2 class is instantiated, it creates a temporary private key container (with the actual container name) and deletes it when disposed.

@ilovemysillybanana

@sergeydeg
Do you know any way around this?

@taliesins
Author

@sergeydeg and @ilovemysillybanana have a look at #483 and vote for it. This problem exists in .net 4.61 and below. PowerShell leverages .NET, so the problem bubbles up.

@sergeydeg

@ilovemysillybanana
I implemented the whole PFX import and ACL in pure PowerShell. It is not out-of-the-box usage and is strictly tied to my task. I can share the code block if someone can make it more usable for implementation in this cookbook.
My solution only works with Server 2012 / Windows 8 and up.

@taliesins
A comment on your solution: it does not remove the problem with subsequent guard script runs.

@ilovemysillybanana

@sergeydeg I've actually just started working with PowerShell, but if I could adapt the solution to my own needs I'd be happy to do so and create a pull request after. I'm using Windows 2k16, so that would be great.

@taliesins I am new to developing on Windows; my version of Windows is using .NET 4.7, so shouldn't I be immune from this problem?

@sergeydeg

@ilovemysillybanana
take a look: chef pfx import acl

@ilovemysillybanana

@sergeydeg will do! I don't know if it matters, but I'm doing this through Vagrant when I bake my images. If you know of anyone who's done it that way, that'd be great to see.
