Esri / arcgis-cookbook

Chef cookbooks for ArcGIS
Apache License 2.0

Error when running IIS recipe #61

Closed cadams84 closed 7 years ago

cadams84 commented 7 years ago

I am trying to script generating a domain certificate and then use chef's IIS recipe to create the HTTPS binding and tie the certificate to it. It works successfully if I generate the certificate in IIS manually, export out of the certificate store with private key and run the chef script pointing it at the certificate. When I point the chef script at the domain certificate generated programmatically, I get this error:

```
[2017-02-15T16:05:37+00:00] FATAL: OpenSSL::PKCS12::PKCS12Error: arcgis_server_iis[Configure HTTPS Binding] (arcgis-server::iis line 71) had an error: OpenSSL::PKCS12::PKCS12Error: PKCS12_parse: mac verify failure
```

The certificate is created with private key and looks fine if manually set against the HTTPS binding. I have noticed that Chef generates a domain certificate if one is not present in the keystore directory given but this does not seem to include the root certificate so the full certificate chain is not present.

Here is the stack trace:

```
Generated at 2017-02-15 16:05:37 +0000
OpenSSL::PKCS12::PKCS12Error: arcgis_server_iis[Configure HTTPS Binding] (arcgis-server::iis line 71) had an error: OpenSSL::PKCS12::PKCS12Error: PKCS12_parse: mac verify failure
c:/chef/local-mode-cache/cache/cookbooks/arcgis-server/providers/iis.rb:47:in `initialize'
c:/chef/local-mode-cache/cache/cookbooks/arcgis-server/providers/iis.rb:47:in `new'
c:/chef/local-mode-cache/cache/cookbooks/arcgis-server/providers/iis.rb:47:in `block in class_from_file'
(eval):2:in `block in action_configure_https'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/provider.rb:361:in `instance_eval'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/provider.rb:361:in `compile_and_converge_action'
(eval):2:in `action_configure_https'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/provider.rb:145:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource.rb:622:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:69:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `block (2 levels) in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `each'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/resource_list.rb:92:in `execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:96:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:670:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:665:in `catch'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:665:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:704:in `converge_and_save'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:284:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:277:in `run_with_graceful_exit_option'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:253:in `block in run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/local_mode.rb:44:in `with_server_connectivity'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:236:in `run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:450:in `loop'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:450:in `interval_run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:434:in `run_application'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:59:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/solo.rb:226:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/bin/chef-solo:25:in `<top (required)>'
C:/opscode/chef/bin/chef-solo:68:in `load'
C:/opscode/chef/bin/chef-solo:68:in `<main>'

Caused by OpenSSL::PKCS12::PKCS12Error: PKCS12_parse: mac verify failure
c:/chef/local-mode-cache/cache/cookbooks/arcgis-server/providers/iis.rb:47:in `initialize'
c:/chef/local-mode-cache/cache/cookbooks/arcgis-server/providers/iis.rb:47:in `new'
c:/chef/local-mode-cache/cache/cookbooks/arcgis-server/providers/iis.rb:47:in `block in class_from_file'
(eval):2:in `block in action_configure_https'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/provider.rb:361:in `instance_eval'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/provider.rb:361:in `compile_and_converge_action'
(eval):2:in `action_configure_https'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/provider.rb:145:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource.rb:622:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:69:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `block (2 levels) in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `each'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:97:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/resource_collection/resource_list.rb:92:in `execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/runner.rb:96:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:670:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:665:in `catch'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:665:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:704:in `converge_and_save'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/client.rb:284:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:277:in `run_with_graceful_exit_option'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:253:in `block in run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/local_mode.rb:44:in `with_server_connectivity'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:236:in `run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:450:in `loop'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:450:in `interval_run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/client.rb:434:in `run_application'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application.rb:59:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/lib/chef/application/solo.rb:226:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31-universal-mingw32/bin/chef-solo:25:in `<top (required)>'
C:/opscode/chef/bin/chef-solo:68:in `load'
C:/opscode/chef/bin/chef-solo:68:in `<main>'
```

pbobov commented 7 years ago

> OpenSSL::PKCS12::PKCS12Error: PKCS12_parse: mac verify failure

This probably means that Chef cannot parse the certificate file.

Internally Chef uses OpenSSL to deal with SSL certificates.

Could you install OpenSSL and try to open that certificate file with the standalone OpenSSL? This might give you some clues.

dgrmit commented 7 years ago

I assume that when you say you are trying to generate a domain certificate in IIS you mean a self-signed certificate (that is, not using a Certificate Authority). If that is the case, you could try to use the PowerShell command line tool New-SelfSignedCertificate to create the certificate and export it to a file ready for importing by the Chef script. Another good option may be the Self-signed certificate generator tool, which is a bit easier to use compared to the PowerShell command above.

If you are trying to generate an SSL certificate via an Active Directory Certificate Authority, you may be able to script this via PowerShell as well (although you would need to validate the certificate request on the CA as well).

cadams84 commented 7 years ago

Running the domain certificate we created through OpenSSL was a useful check. @dgrmit we are generating a domain certificate using PowerShell and specify a certificate in the script. It was a mistake by me as the certificate in the Chef IIS role differed in the casing from the certificate in the script. When they matched, the certificate was tied to the HTTPS binding fine. Thanks for your help @pbobov and @dgrmit
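The two points raised in this thread, pbobov's suggestion to open the .pfx outside Chef to see what OpenSSL makes of it and cadams84's finding that a password casing mismatch is enough to produce `PKCS12_parse: mac verify failure`, can both be reproduced offline. The Ruby script below is an added example, not code from the arcgis-cookbook or from anyone in this thread. It builds a throwaway test CA and a server certificate it issues entirely in memory (constructed data, not a real ArcGIS certificate), exports them to PKCS#12 with and without the CA in the bundle, and then opens the result with `OpenSSL::PKCS12.new`, which is the same class the provider calls at iis.rb:47. The helper names (`make_cert`, `build_chain`, `build_pfx`, `probe_pfx`), the subject names and the password `Secret1` are all assumptions made for the example.

```ruby
require 'openssl'

# Build an X.509 certificate for `subject` over `key`. With no issuer it is
# self-signed (our throwaway CA); with an issuer it is a leaf that CA signed.
# Everything here is constructed test data, not a real ArcGIS certificate.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A two-level chain: a test CA and the server certificate it issued.
def build_chain
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Example Test CA', ca_key, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf_cert = make_cert('/CN=arcgis.example.test', leaf_key,
                        issuer_cert: ca_cert, issuer_key: ca_key)
  { ca_cert: ca_cert, leaf_key: leaf_key, leaf_cert: leaf_cert }
end

# Export as PKCS#12 (.pfx) DER. The fifth argument is the CA list: that is
# what puts the chain into the file, and leaving it out reproduces an export
# in which the root certificate is absent, as described in the issue.
def build_pfx(password, include_chain: true)
  c = build_chain
  ca = include_chain ? [c[:ca_cert]] : nil
  OpenSSL::PKCS12.create(password, 'arcgis', c[:leaf_key], c[:leaf_cert], ca).to_der
end

# Open the PFX the way the provider does (OpenSSL::PKCS12.new) and return a
# hash describing what is inside instead of aborting the whole Chef run.
def probe_pfx(der, password)
  p12 = OpenSSL::PKCS12.new(der, password)
  {
    ok: true,
    subject: p12.certificate.subject.to_s,
    has_key: !p12.key.nil?,
    chain_length: (p12.ca_certs || []).length
  }
rescue OpenSSL::PKCS12::PKCS12Error => e
  # The PKCS#12 MAC is keyed from the import password, so "mac verify failure"
  # means the password differs from the one used at export time (a casing
  # difference is enough) or the file was altered after it was exported.
  { ok: false, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  pfx = build_pfx('Secret1')
  p probe_pfx(pfx, 'Secret1')   # ok: true, chain_length: 1
  p probe_pfx(pfx, 'secret1')   # ok: false, error: "PKCS12_parse: mac verify failure"
  p probe_pfx(build_pfx('Secret1', include_chain: false), 'Secret1')  # chain_length: 0
end
```

Running the probe against the real .pfx with the password from the role attributes, before handing the file to the recipe, separates the two failure modes this thread mixes up: a MAC failure is a password (or file integrity) problem, while a successful parse with `chain_length` of 0 is the missing-root export problem, which a browser will report as an untrusted chain even though the binding itself is created.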