Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xWebSite: How to enable Central Certificate store and not to get an error that Certificate thumbprint is invalid #199

Open
TomasKT opened this issue Jul 20, 2016 · 10 comments · May be fixed by #600
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.

Comments

@TomasKT
Copy link

TomasKT commented Jul 20, 2016

Hi Support,

I am getting this error:
Unable to validate BindingInfo: "The CertificateThumbprint property is required for bindings of type "https
".".

Using latest xWebAdministration package.

Values that I am passing:
@{
Protocol = "https"
IPAddress = "*"
Port = "443"
HostName = "superweb.com"
CertificateThumbprint = $null
SslFlags = "3"
}

@nzspambot
Copy link

So forgive me for the simple question but do you not need a thumbprint since it is HTTPS

The code will require a thumbprint which is why you're getting this error

@TomasKT
Copy link
Author

TomasKT commented Jul 28, 2016

Hi James,

The code is written in a way, that it does requires to have Thumbprint value for HTTPS and it can’t be a NULL.

If I put $NULL as a value, it gives me an error, that Thumbprint value is null.

So, code is not written to use a Central Certificate store.

I put a fix in place, by adding extra check in the if statement.

Starting with a line 1427 in the MSFT_xWebsite.psm1:

SSL-related properties

            if ($Binding.Protocol -eq 'https')
            {
                if ([String]::IsNullOrEmpty($Binding.CertificateThumbprint) -and ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3" ))
                {
                    $ErrorMessage = $LocalizedData.ErrorWebBindingMissingCertificateThumbprint `
                                    -f $Binding.Protocol, $Binding.HostName
                    New-TerminatingError -ErrorId 'WebBindingMissingCertificateThumbprint' `
                                         -ErrorMessage $ErrorMessage `
                                         -ErrorCategory 'InvalidArgument'
                }

                if ([String]::IsNullOrEmpty($Binding.CertificateStoreName) -and ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3"))
                {
                    $CertificateStoreName = 'MY'
                    Write-Verbose -Message `
                        ($LocalizedData.VerboseConvertToWebBindingDefaultCertificateStoreName `
                        -f $CertificateStoreName, $Binding.HostName)
                }
                else
                {
                                     if ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3")
                                     {
                                            $CertificateStoreName = $Binding.CertificateStoreName
                                     }
                }

                              if ($Binding.SslFlags -ne "2" -and $Binding.SslFlags -ne "3")
                              {
                # Remove the Left-to-Right Mark character
                $CertificateHash = $Binding.CertificateThumbprint -replace '^\u200E'

                $OutputObject.Add('certificateHash',      [String]$CertificateHash)
                $OutputObject.Add('certificateStoreName', [String]$CertificateStoreName)
                              }

Please feel free to correct me if I am wrong…

@nzspambot
Copy link

nope that looks fine-ish to me

@PlagueHO
Copy link
Member

I'd agree here. You need to specify a Thumbprint to use SSL. IIS will then look in the central store (defaults to using Certs:\LocalMachine\My if not otherwise specified) for a certificate with that thumbprint. So agree with @nzspambot - it all looks to be working correctly. You do need to create an SSL Certificate, add it to your LocalMachine\MY certificate store and then specify the Thumbprint of the cert as a parameter.

@TomasKT
Copy link
Author

TomasKT commented Jul 29, 2016

PlagueHO. you missing a point of Central Certificate store... The idea is to avoid putting Thumbprint in the config and identify correct one using by the name of actual certificate.

Check this website, section "File Naming Convention":
https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/

T.

@PlagueHO
Copy link
Member

@TomasKT - you are quite right! Sorry about that. I wasn't even aware this feature existed - that is actually really useful to know. 😄

I didn't read your title correctly. So this is a new feature/resource request. I think this would require more than just changes to xWebSite. I expect it would also require changes to other resources to configure the location of the CCS.

@nzspambot
Copy link

@PlagueHO yeah @TomasKT is correct and you are also correct as this might need some additional stuff... /thinking hat is on

@kwirkykat kwirkykat added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Aug 19, 2016
@johlju johlju added enhancement The issue is an enhancement request. and removed bug The issue is a bug. labels Apr 26, 2018
@johlju johlju changed the title How to enable Central Certificate store and not to get an error that Certificate thumbprint is invalid xWebSite: How to enable Central Certificate store and not to get an error that Certificate thumbprint is invalid Apr 26, 2018
@johlju
Copy link
Member

johlju commented Apr 26, 2018

Relabelled this as enhancement instead of a bug. As for @PlagueHO's comment about changing the location of the CCS, if that can nt be a property in this resource, then that should be submitted as a anther issue if that requires an entire new resource.

@changbowen
Copy link

This is clearly a bug that renders the CCS unusable using xWebSite.. bottom line is it should not check for a thumbprint when SslFlags is 2 or 3. In IIS console when CCS is enabled the SSL certificate field would be disabled:

image

@johlju johlju added bug The issue is a bug. and removed enhancement The issue is an enhancement request. labels Nov 15, 2021
@changbowen
Copy link

Looks like wrapping the if ([String]::IsNullOrEmpty($binding.CertificateThumbprint)) section is working.
I put in a PR but feel free to test and update it.
Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community.
Projects
None yet
6 participants