Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document use of ssl bindings, possibly include support for specifying them #221

Open
hh opened this issue Nov 4, 2015 · 9 comments
Open

Document use of ssl bindings, possibly include support for specifying them #221

hh opened this issue Nov 4, 2015 · 9 comments

Comments

@hh
Copy link
Contributor

hh commented Nov 4, 2015

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis#SSL
https://msdn.microsoft.com/en-us/library/ms186362.aspx

I couldn't find it in the cookbook or docs, but I was able to get it to work manually.

# First applied binding that SHOULD be listening, but doesn't work
iis_site 'Default Web Site' do
  action :config
  site_id 1
  # bindings - Advanced options to configure the information required
  #                for requests to communicate with a Web site. See
  #                http://www.iis.net/configreference/system.applicationhost/sites/site/bindings/binding
  #                for parameter format. When binding is used, port
  #                protocol and host_header should not be used.
  bindings 'http/*:80:,net.tcp/808:*,net.pipe/*,net.msmq/localhost,msmq.formatname/localhost,https/*:443:'
end

We can look at current bindings, and reuse the winrm or rdp cert:

$  knife winrm --winrm-password PASSWORD -m $IP netsh http show sslcert
SSL Certificate bindings: 
------------------------- 

    IP:port                      : 0.0.0.0:5986
    Certificate Hash             : 148f2a24db5b387fb45a8a0204c92a7fee86a404
    Application ID               : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

We'll create a new ssl cert binding to that port:

$ knife winrm --winrm-password PASSWORD -m $IP 'netsh http add sslcert ipport=0.0.0.0:443 certhash=148f2a24db5b387fb45a8a0204c92a7fee86a404 appid={5a599f4f-02dc-4120-8646-74fcbc5b4827}'
SSL Certificate successfully added

Now it shows up, and works.

$ knife winrm --winrm-password PASSWORD -m $IP netsh http show sslcert

SSL Certificate bindings: 
------------------------- 

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 148f2a24db5b387fb45a8a0204c92a7fee86a404
    Application ID               : {5a599f4f-02dc-4120-8646-74fcbc5b4827}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:5986
    Certificate Hash             : 148f2a24db5b387fb45a8a0204c92a7fee86a404
    Application ID               : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

I think support for this should be built into the cookbook.
@hh
Copy link
Contributor Author

hh commented Nov 4, 2015

https://github.com/lynx44/windows_ssl#bind_certificate ?

windows_ssl_bind_certificate "bind the ssl cert" do
    hash '991deaa340c14b45214927f58a8b7288d9ce6906'
    port 443
    ip_address '0.0.0.0'
    app_guid '1A25F4DE-A3DE-FEA2-EAF0-023FA1AD324'
    action :bind
end

In https://github.com/lynx44/windows_ssl/blob/master/providers/bind_certificate.rb#L22

    execute "install ssl certificate #{hash}" do
        command "netsh http add sslcert ipport=#{ip_address}:#{port} certhash=#{hash} appid={#{app_guid}}"
    only_if { unbound }
        action :run
    end

@EasyAsABC123
Copy link
Contributor

@hh, this is interesting.

On one hand being able to come into chef iis cookbook and easily build your config is desirable. On the otherhand, SSL certs aren't made by IIS (appcmd) and they aren't just used for IIS and website hosting.

So although I agree there needs to be documentation on making an SSL certificate and then binding it to a site. Really the only thing I would consider IIS is binding it to the site.

Although on the other hand in the iisconfig manager you can create an SSL certificate. I'll think about the certificates more when I have time to research chef cookbooks on supermarket

@EasyAsABC123 EasyAsABC123 mentioned this issue Dec 1, 2015
Closed
@EasyAsABC123
Copy link
Contributor

From #226 certutil is used to generate the ssl certificates...however this isn't in older versions of windows just 2008 and newer

@spuder
Copy link
Contributor

spuder commented Dec 1, 2015

+1 Would like to see an easy way to add the ssl cert with the cookbook.

Currently all of our webservers offload the SSL cert to the F5 loadbalancer, however for testing VMs, we want them to have the cert locally so it doesn't require the LB.

@hh
Copy link
Contributor Author

hh commented Dec 3, 2015

I've actually started using windows_certificate_binding though you have to currently write two resource (one with action :delete with a guard to not delete the desired one, and another with :create) : See chef-boneyard/windows#313

@spuder
Copy link
Contributor

spuder commented Dec 3, 2015

Thanks, I'm studying this before I try and implement it.

When you say you need 2 resources, what is that for?

@hh
Copy link
Contributor Author

hh commented Jan 19, 2016 

iis_site 'Default Web Site' do
  action :config
  # site_id - if not given IIS generates a unique ID for the site
  site_id 1
  # bindings - Advanced options to configure the information required
  #                for requests to communicate with a Web site. See
  #                http://www.iis.net/configreference/system.applicationhost/sites/site/bindings/binding
  #                for parameter format. When binding is used, port
  #                protocol and host_header should not be used.
  bindings 'http/*:80:,net.tcp/808:*,net.pipe/*,net.msmq/localhost,msmq.formatname/localhost,https/*:443:'
end

certificate = data_bag_item('passwords', node['pfx']['cert_databag_name'])
pfx = "c:\\chef\\#{node['pfx']['cert_databag_name']}.pfx"

windows_certificate pfx do
  pfx_password certificate['password']
  store_name 'MY'
  user_store false
end

# IIS comes up bound to the wrong cert, I want the one provided
# so we delete the current one if it doesn't match the certificate
windows_certificate_binding 'Unbind any non-matching certs' do
  action :delete
  name certificate['subject']
  name_kind :subject
  address '0.0.0.0'
  guard_interpreter :powershell_script
  not_if <<-EOF
  Import-Module WebAdministration
  $x = Git-Item IIS:\SslBindings\0.0.0.0!443
  $x.Thumbprint.CompareTo("#{certificate['fingerprint']}")
  EOF
end

# Now we create it with the correct certificate binding
windows_certificate_binding 'Reuse RDP and WINRM self-signed cert for IIS' do
  action :create
  name certificate['subject']
  name_kind :subject
  address '0.0.0.0'
end

@EasyAsABC123
Copy link
Contributor

@hh feel free to add this to the readme.md under advanced in a PR and i'll move it to master

@dgreeninger
Copy link

dgreeninger commented Oct 4, 2018
edited
Loading

Here's a snippet I used to create a self signed certificate via powershell, that I could then bind, using the recipe provided by @hh
This will not produce a 'valid' ssl certificate, but it will allow your site to communicate over https. Perfect for putting behind a load balancer in AWS.

powershell_script 'create-pfx-cert' do
  code <<~EOH
  $cert = New-SelfSignedCertificate -certstorelocation cert:\localMachine\\MY -dnsname "example.com"
  $pwd = ConvertTo-SecureString -String "SUPERsecretPASSWORD" -Force -AsPlainText
  $thumbprint = $cert.Thumbprint
  Export-PfxCertificate -cert cert:\localMachine\\MY\\$thumbprint -FilePath c:\\chef\\root-authority.pfx -Password $pwd
  Export-Certificate -Cert cert:\localMachine\\MY\\$thumbprint -FilePath c:\\chef\\root-authority.crt
  $cert2 = New-SelfSignedCertificate -certstorelocation cert:\localMachine\\MY -dnsname "Gateway Certificate" -Signer $cert
  $pwd2 = ConvertTo-SecureString -String "SUPERsecretPASSWORD" -Force -AsPlainText
  $thumbprint2 = $cert2.Thumbprint
  Export-PfxCertificate -cert cert:\localMachine\\MY\\$thumbprint2 -FilePath c:\\chef\\gateway-certificate.pfx -Password $pwd2
  EOH
  action :run
  not_if { ::File.exists?('C:\\chef\\gateway-certificate.pfx')}
end

pfx = "c:\\chef\\gateway-certificate.pfx"
windows_certificate pfx do
  pfx_password 'GMa2rgmsEJAo2'
  store_name 'MY'
  user_store false
  only_if { ::File.exist?('C:\\chef\\gateway-certificate.pfx')}
end

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@hh @spuder @tas50 @EasyAsABC123 @dgreeninger @xorimabot