Two tier PKI deployment fails on initial deployment #57

Closed
sad1qjaffer opened this issue Aug 21, 2018 · 8 comments · Fixed by #65
Labels
bug The issue is a bug. in progress The issue is being actively worked on by someone.

Comments

@sad1qjaffer

When deploying a two tier PKI using this module an error is thrown by the sub CA once it has generated its req file. The error message is shown below.

New-AzureRmResourceGroupDeployment : 09:12:44 - VM has reported a failure when processing extension 'ConfigureSubCA'.
Error message: "DSC Configuration 'Main' completed with error(s). Following are the first few: PowerShell DSC resource
MSFT_AdcsCertificationAuthority failed to execute Set-TargetResource functionality with error message:
System.InvalidOperationException: The Active Directory Certificate Services installation is incomplete. To complete
the installation, use the request file "c:\windows\system32\certsrv\certenroll\AzureLab-CS1.req" to obtain a
certificate from the parent CA. Then, use the Certification Authority snap-in to install the certificate. To complete
this procedure, right-click the node with the name of the CA, and then click Install CA Certificate. The operation
completed successfully. 0x0 (WIN32: 0) The SendConfigurationApply function did not succeed.".

In my configuration I'm using Azure Blob storage to transfer req/crt files between the root and sub CA but this error prevents the configuration from completing. When the deployment is re-run after this error has been generated it runs through to completion.

Is there a way to suppress this error during deployment, or can a flag be added to the ADCSCertificationAuthority resource so it knows that it must silently wait for the request to be completed?

Thanks!

@PlagueHO PlagueHO added help wanted The issue is up for grabs for anyone in the community. question The issue is a question. labels Aug 23, 2018
@PlagueHO
Member

Hi @sad1qjaffer - thanks for raising this question. So it sounds like when the resource tries to install the CA server but is deploying a SubCA it returns an error when the REQ file is generated - even though this really isn't an error. I've done this myself (https://github.com/PlagueHO/LabBuilder/blob/dev/LabBuilder/dsclibrary/MEMBER_SUBCA.DSC.ps1#L188) but I didn't notice the exception - however, I was usually running in the mode that automatically applied the config repeatedly - and I think the last time I did this I was using an older version of the resource that didn't actually 'Throw' an exception that was returned by Install-AdcsCertificationAuthority (see https://github.com/PowerShell/ActiveDirectoryCSDsc/blob/dev/DSCResources/MSFT_AdcsCertificationAuthority/MSFT_AdcsCertificationAuthority.psm1#L475).

It would be possible to make a change to cause this "exception" to be suppressed (shown as a warning or verbose message) when OutputCertRequestFile was set and CAType was set to EnterpriseSubordinateCA. But I'd want to make sure only that specific error was being suppressed.
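One way to apply the narrow suppression described above, as an added illustration that is not the resource's own code nor the implementation in PR #65 (the function name, the injectable `$Installer` script block, and the check that the request file exists on disk are my assumptions):

```powershell
# Wrap the installer so that the expected "installation is incomplete" result of an
# EnterpriseSubordinateCA with OutputCertRequestFile set is reported as a warning,
# while every other failure still terminates. This is an illustration, not the
# ActiveDirectoryCSDsc resource's code.
function Install-SubordinateCaWithRequestFile
{
    [CmdletBinding()]
    param
    (
        # Splat for Install-AdcsCertificationAuthority (CAType, OutputCertRequestFile, ...)
        [Parameter(Mandatory = $true)]
        [hashtable] $InstallParameters,

        # Injectable for testing without a real CA; defaults to the real cmdlet.
        [Parameter()]
        [scriptblock] $Installer = { param($p) Install-AdcsCertificationAuthority @p -Force -ErrorAction Stop }
    )

    $isSubCa     = $InstallParameters['CAType'] -eq 'EnterpriseSubordinateCA'
    $requestFile = $InstallParameters['OutputCertRequestFile']

    try
    {
        & $Installer $InstallParameters
    }
    catch
    {
        # Downgrade only the narrow, expected case: a subordinate CA that was asked to
        # write a request file, the documented "incomplete" wording, and the request
        # file actually present on disk. Anything else is a real failure and is rethrown,
        # which is what -ErrorAction SilentlyContinue on the cmdlet would have hidden.
        $expected = $isSubCa -and $requestFile -and
            ($_.Exception.Message -like '*installation is incomplete*') -and
            (Test-Path -Path $requestFile)

        if (-not $expected)
        {
            throw
        }

        Write-Warning -Message ("Subordinate CA installed; submit request file '{0}' to the parent CA and install the issued certificate before the CA can start." -f $requestFile)
    }
}
```

The message match is locale-dependent, so the file-exists check is there to avoid suppressing on wording alone.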

@PlagueHO
Member

Does this sound like this suggestion might work for you?

@sad1qjaffer
Author

Hi @PlagueHO

Thanks for getting back to me on this, and your lab builder library has been a huge help!

I had a look at how the resource is configured and noticed that "erroraction silentlycontinue" has been completely removed as an option when using Install-AdcsCertificationAuthority. I think, as you say - in this particular scenario a verbose log may be a better approach. This would provide the information required for debugging but prevent a configuration from being interrupted.

I'm relatively new to Github so am not 100% sure of the procedure for how a change like this would be implemented. Can you please advise on how we can move this forward?

@stale

stale bot commented Sep 22, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g. bug, enhancement, documentation, or tests) then the issue will not auto-close.

@stale stale bot added the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Sep 22, 2018
@sjnnkm

sjnnkm commented Oct 29, 2018

I'm also facing the same issue. The deployment returns a warning message but the continuous integration tool treats it as an error. If by any means this message can be ignored in the DSC code (sample implementation code), it will really help.

@stale stale bot removed the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Oct 29, 2018
@stale

stale bot commented Nov 28, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g. bug, enhancement, documentation, or tests) then the issue will not auto-close.

@stale stale bot added the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Nov 28, 2018
@mortenlerudjordet
Contributor

Added a simple fix so this scenario does not create an error in PR #65.

@stale stale bot removed the stale The issue or pull request was marked as stale because there hasn't been activity from the community. label Dec 21, 2018
@PlagueHO PlagueHO added bug The issue is a bug. in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. question The issue is a question. labels Dec 22, 2018
@PlagueHO
Member

Thanks @sad1qjaffer - I missed this comment! I'm glad LabBuilder is useful - I haven't had as much time to put into it lately unfortunately. But you're right - this could definitely be corrected. Thank you @mortenlerudjordet for picking this up. I've started the review.
