Esri / arcgis-powershell-dsc

This repository contains scripts, code and samples for automating the install and configuration of ArcGIS (Enterprise and Desktop) using Microsoft Windows PowerShell DSC (Desired State Configuration).
Apache License 2.0

Unable to add SslRootOrIntermediate Certificates #398

Closed pfoppe closed 2 years ago

pfoppe commented 2 years ago

Community Note

Module Version

Affected Resource(s)

Configuration Files

{
    "AllNodes": [
        {
            "NodeName": "<PORTALMACHINE>",
            "Role": [
                "ServerWebAdaptor"
            ],
            "SslCertificates": [
                {
                    "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\Certificates\\<PORTALMACHINE>.<DOMAIN>.pfx",
                    "CNameFQDN": "www.example.com",
                    "Password": "<REDACTED>",
                    "Target": [
                        "WebAdaptor"
                    ]
                }
            ]
        },
        {
            "NodeName": "<SERVERMACHINE>",
            "Role": [
                "Server"
            ],
            "SslCertificates": [
                {
                    "SslRootOrIntermediate": [
                        {
                            "Alias": "<ALIAS>",
                            "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\Certificates\\<filename>.cer",
                            "Target": [
                                "Server"
                            ]
                        }
                    ]
                }
            ]
        }
    ],
    "ConfigData": {
        "Version": "10.8.1",
        "ServerContext": "context",
        "ServerRole": "GeneralPurposeServer",
        "Credentials": {
            "ServiceAccount": {
                "Password": "<REDACTED>",
                "UserName": "<DOMAIN>\\<SVC_ACCOUNT>",
                "IsDomainAccount": true
            }
        },
        "Server": {
            "LicenseFilePath": "\\\\<fileserver>.<DOMAIN>\\share$\\Licenses\\Esri\\10.8.1\\offline\\file.eslf",
            "Installer": {
                "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\InstallMedia\\Esri\\10.8.1\\ArcGISServer\\setup.exe",
                "InstallDir": "C:\\Program Files\\ArcGIS\\Server",
                "InstallDirPython": "C:\\Python27",
                "PatchesDir": "\\\\<fileserver>.<DOMAIN>\\share$\\InstallMedia\\Esri\\10.8.1\\Patches",
                "PatchInstallOrder": [
                    "ArcGIS-1081-S-ALPI-Patch.msp",
                    "ArcGIS-1081-S-DFPI-PatchB.msp",
                    "ArcGIS-1081-S-FSP-Patch.msp",
                    "ArcGIS-1081-S-GRS-Patch.msp",
                    "ArcGIS-1081-S-GSOP-Patch.msp",
                    "ArcGIS-1081-S-MFSS-Patch.msp",
                    "ArcGIS-1081-S-OP-Patch.msp",
                    "ArcGIS-1081-S-PS-Patch.msp",
                    "ArcGIS-1081-S-PSTE-Patch.msp",
                    "ArcGIS-1081-S-RWAP-Patch.msp",
                    "ArcGIS-1081-S-RWAP-PatchB.msp",
                    "ArcGIS-1081-S-SEC2021U2-Patch.msp",
                    "ArcGIS-1081-S-Log4j-Patch.msp"
                ]
            },
            "ServerDirectoriesRootLocation": "\\\\<fileserver>.<DOMAIN>\\context\\directories",
            "ConfigStoreLocation": "\\\\<fileserver>.<DOMAIN>\\context\\config-store",
            "PrimarySiteAdmin": {
                "UserName": "<REDACTED>",
                "Email": "<REDACTED>",
                "Password": "<REDACTED>"
            }
        },
        "WebAdaptor": {
            "AdminAccessEnabled": true,
            "Installer": {
                "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\InstallMedia\\Esri\\10.8.1\\WebAdaptorIIS\\setup.exe",
                "PatchesDir": "\\\\<fileserver>.<DOMAIN>\\share$\\InstallMedia\\Esri\\10.8.1\\Patches",
                "PatchInstallOrder": [
                    "ArcGIS-1081-WAI-S-Patch.msp"
                ]
            }
        },
        "SQLServerClient": [
            {
                "Name": "Microsoft ODBC Driver 17 for SQL Server",
                "InstallerPath": "\\\\<fileserver>.<DOMAIN>\\share$\\InstallMedia\\Microsoft\\Msodbcsql\\msodbcsql_17.5.2.1.msi",
                "ProductId": "12DC69AF-787B-4D76-B69D-2716DACA79FB",
                "Arguments": " /quiet /qn IACCEPTMSODBCSQLLICENSETERMS=YES ADDLOCAL=ALL"
            }
        ],
        "Federation": {
            "PortalHostName": "www.example.com",
            "PortalPort": "443",
            "PortalContext": "portal",
            "PortalAdministrator": {
                "UserName": "<REDACTED>",
                "Password": "<REDACTED>"
            }
        }
    }
}

Expected Behavior

The .cer should have been added to the https://SERVERMACHINE:6443/arcgis/admin/machines/SERVERMACHINE.DOMAIN/sslcertificates location

Actual Behavior

Certificate was not added

Steps to Reproduce

Nothing further to add

Important Factoids

We have attempted many iterations of this without success. With the above JSON file, we observed the following in the ArcGISServer--Verbose.txt file:

5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] Getting security config for site
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] Url:- https://<SERVERMACHINE>.<DOMAIN>:6443/arcgis/admin/security/config/
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] Set RootOrIntermediate <ALIAS> is NOT in List of SSL-Certificates Import-RootOrIntermediate
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] [WARNING] Response from https://<SERVERMACHINE>.<DOMAIN>:6443/arcgis/admin/machines//sslCertificates/importRootOrIntermediate was null
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] Waiting for Url 'https://<SERVERMACHINE>.<DOMAIN>:6443/arcgis/admin' to respond
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] Verifying that security config for site can be retrieved
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] Url:- https://<SERVERMACHINE>.<DOMAIN>:6443/arcgis/admin/security/config/
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]:                            [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>] SSLEnabled:- True
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]: LCM:  [ End    Set      ]  [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>]  in 1.2000 seconds.
5/12/2022 3:47:40 PM: [<SERVERMACHINE>]: LCM:  [ End    Resource ]  [[ArcGIS_Server_TLS]Server_TLS_<SERVERMACHINE>]

The key thing is that the request to add the cert is missing the machine name in the API call.

Furthermore, we've attempted moving this around to the "global" ConfigData section and it just gets ignored. We also normally have the server node with a SQL Server client, and when that happens, it seems the SslRootOrIntermediate is ignored -

        {
            "NodeName": "<SERVERMACHINE>",
            "Role": [
                "Server",
                "SQLServerClient"
            ],

At this point, no matter what we have tried, we cannot get the SslRootOrIntermediate to take...

Ideally we could set the role of the node to both "Server" and "SQLServerClient" and get the SslRootOrIntermediate to take. Either in the global ConfigData or within the node configuration itself.

Thanks.

References

cameronkroeker commented 2 years ago

Hi @pfoppe,

This is a limitation with the current module. Importing just intermediate/root certificates without importing a webserver certificate is not yet supported. In order to properly trigger the upload of the SslRootOrIntermediate certificates you will need to specify a path to a pfx file, which will be imported into ArcGIS Server. If there isn't a domain/CA-signed certificate, you can use a self-signed one.

Here is an example json:

"SslCertificates": [
  {
    "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\Certificates\\<SERVERMACHINE>.<DOMAIN>.pfx",
    "CNameFQDN": "servermachine.domain.com",
    "Password": "<REDACTED>",
    "Target": [
      "Server"
    ],
    "SslRootOrIntermediate": [
      {
        "Alias": "<ALIAS>",
        "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\Certificates\\<filename>.cer"
      }
    ]
  }
]

I definitely agree though that importing SslRootOrIntermediate certificates without having to import a full webserver certificate is a valid and common use case, and will mark this as an Enhancement request that we can look to add in a future release.

Thanks, Cameron K.

pfoppe commented 2 years ago

Thanks for the pointer. We generally do not touch the ArcGIS Server certificate and leave the self-signed in place. It's been on our list (low priority) to fix that everywhere... this may be the spark for that.

At any rate, we were able to get it uploaded with the following -

        {
            "NodeName": "servermachine",
            "Role": [
                "Server",
                "SQLServerClient"
            ],
            "SslCertificates": [
                {
                    "Path": "\\\\fileserver\\share$\\Certificates\\cert_file.pfx",
                    "Password": "REDACTED",
                    "CNameFQDN": "cert_alias",
                    "Target": ["Server"],
                    "SslRootOrIntermediate": [
                        {
                            "Alias": "ROOT_ALIAS",
                            "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer"
                        }
                    ]
                }
            ]
        }
pfoppe commented 2 years ago

Hi @cameronkroeker,

As a follow-up, we added the JSON block above to add a "machine" certificate to the server (to listen on over port 6443), AND we added the SSL Root or Intermediate block. In this scenario this was an existing server and we were doing an upgrade from 1081 to 1091. Unfortunately this block of JSON was ignored... it did NOT add either certificate to the server.

We believe we have success when adding a new server the first time (doing an install) but it seems that this block of code is ignored on an upgrade.

So at this point, I think there are 2 enhancements to consider -

  1. Allow importing a SslRootOrIntermediate certificate without being required to add a machine cert (already flagged as an enhancement)
  2. Allow adding (or updating) SSL certificates on an upgrade, not just on the initial install.

Thanks for the consideration!

cameronkroeker commented 2 years ago

Hi @pfoppe,

We have addressed the first item in v4.0.0. SslRootOrIntermediate certificates can now be imported without specifying a machine certificate. For item #2 please submit that as a separate enhancement request.

https://github.com/Esri/arcgis-powershell-dsc/releases/tag/v4.0.0

Example:

{
    "NodeName": "portalmachine",
    "Role": [
        "Portal"
    ],
    "SslCertificates": [
        {
            "Target": [
                "Portal"
            ],
            "SslRootOrIntermediate": [
                {
                    "Alias": "ROOT_ALIAS",
                    "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer"
                }
            ]
        }
    ]
}

Thanks, Cameron K.
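The two replies above describe a rule that is easy to get wrong in the JSON and that the module silently ignores rather than rejecting: before v4.0.0, SslRootOrIntermediate is only honoured when it is nested inside an entry that also carries a machine certificate (Path, Password, CNameFQDN, Target); from v4.0.0 the machine certificate may be omitted, but the entry still carries Target at the top level, not inside the root/intermediate item as in the opening post. The following pre-flight check is an added example written for this thread, not code from arcgis-powershell-dsc or from either commenter. The function name, its parameters, the sample configuration and the module version numbers passed in are my own assumptions; it reads a configuration JSON offline and reports entries that would be ignored, so it can be run before invoking the module.

```powershell
# Added example (not part of arcgis-powershell-dsc). Flags SslCertificates
# entries that the module would ignore, based on the behaviour described in
# this issue. Function and parameter names are assumptions.
function Test-ArcGISSslCertificateConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]  $ConfigJson,    # raw configuration JSON text
        [Parameter(Mandatory)] [version] $ModuleVersion  # arcgis-powershell-dsc version in use
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $config   = $ConfigJson | ConvertFrom-Json

    foreach ($node in $config.AllNodes) {
        if (-not $node.PSObject.Properties['SslCertificates']) { continue }

        $i = 0
        foreach ($entry in @($node.SslCertificates)) {
            $where = "node '$($node.NodeName)' SslCertificates[$i]"
            $i++

            $hasMachineCert = [bool]$entry.PSObject.Properties['Path']
            $hasTarget      = [bool]$entry.PSObject.Properties['Target'] -and @($entry.Target).Count -gt 0
            $hasRoots       = [bool]$entry.PSObject.Properties['SslRootOrIntermediate']

            # Pre-4.0.0: roots/intermediates are only imported alongside a machine (.pfx) certificate.
            if ($hasRoots -and -not $hasMachineCert -and $ModuleVersion -lt [version]'4.0.0') {
                $findings.Add("${where}: SslRootOrIntermediate without a machine certificate (Path/Password/CNameFQDN) is ignored before v4.0.0")
            }
            # Any version: the entry carrying SslRootOrIntermediate must say which component it targets.
            if ($hasRoots -and -not $hasTarget) {
                $findings.Add("${where}: entry carrying SslRootOrIntermediate has no top-level Target")
            }
            # A machine certificate entry needs the full set of fields shown in the working examples.
            if ($hasMachineCert) {
                foreach ($k in 'Password', 'CNameFQDN', 'Target') {
                    if (-not $entry.PSObject.Properties[$k]) {
                        $findings.Add("${where}: machine certificate entry is missing '$k'")
                    }
                }
                if ($entry.Path -notmatch '\.pfx$') {
                    $findings.Add("${where}: machine certificate Path should point to a .pfx")
                }
            }
            # Each root/intermediate item needs Alias and Path; Target belongs on the parent entry.
            if ($hasRoots) {
                $j = 0
                foreach ($root in @($entry.SslRootOrIntermediate)) {
                    foreach ($k in 'Alias', 'Path') {
                        if (-not $root.PSObject.Properties[$k]) {
                            $findings.Add("${where}.SslRootOrIntermediate[$j]: missing '$k'")
                        }
                    }
                    if ($root.PSObject.Properties['Target']) {
                        $findings.Add("${where}.SslRootOrIntermediate[$j]: Target is nested under the root item; the working examples in this thread put it on the parent entry")
                    }
                    $j++
                }
            }
        }
    }
    return $findings
}

# Constructed sample input: the first node mirrors the layout from the opening
# post (roots only, Target nested inside the item); the second mirrors the
# v4.0.0 example (Target on the entry, no machine certificate).
$sample = @'
{
  "AllNodes": [
    {
      "NodeName": "servermachine",
      "Role": [ "Server", "SQLServerClient" ],
      "SslCertificates": [
        { "SslRootOrIntermediate": [
            { "Alias": "ROOT_ALIAS", "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer", "Target": [ "Server" ] }
        ] }
      ]
    },
    {
      "NodeName": "portalmachine",
      "Role": [ "Portal" ],
      "SslCertificates": [
        { "Target": [ "Portal" ],
          "SslRootOrIntermediate": [
            { "Alias": "ROOT_ALIAS", "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer" }
        ] }
      ]
    }
  ]
}
'@

# Version values are illustrative: one below 4.0.0 and 4.0.0 itself.
Test-ArcGISSslCertificateConfig -ConfigJson $sample -ModuleVersion '3.3.2'
Test-ArcGISSslCertificateConfig -ConfigJson $sample -ModuleVersion '4.0.0'
```

Against the pre-4.0.0 version both nodes are reported (no machine certificate), and the first node is additionally reported for the missing top-level Target and the nested one. Against 4.0.0 only the first node is reported, which matches the thread: the opening post's layout never imports, and the v4.0.0 example does. The check reads the file only; confirm the result on the server afterwards by listing the machine's sslCertificates through the admin API URL quoted under Expected Behavior.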

pfoppe commented 2 years ago

Thank you @cameronkroeker and Esri PSDSC team!

I have added a new issue for the second problem - https://github.com/Esri/arcgis-powershell-dsc/issues/409