Icinga / icinga-powershell-framework

This PowerShell module will allow to fetch data from Windows hosts and use them for inventory and monitoring solutions. Together with the Icinga Web 2 module, a detailed overview of your Windows infrastructure will be drawn.
MIT License

Unable to create the Icinga for Windows certificate file "icingaforwindows.pfx". #724

Closed drapiti closed 7 months ago

drapiti commented 7 months ago

@LordHepipud, using the latest framework 1.12.3 on some Windows servers, we are seeing the following error message when installing IcingaForWindows using the automated self-service script. Error: image

Any idea what the problem may be?

LordHepipud commented 7 months ago

It looks like you have a different certutil installed on your system, which seems to work differently than the default Windows version.

Can you please check with this command, which binaries are found?

    Get-Command certutil;

On my machines it will return

    CommandType     Name            Version    Source
    -----------     ----            -------    ------
    Application     certutil.exe    10.0.20... C:\Windows\system32\certutil.exe

Maybe I should always enforce the binary at system32 and not expect PowerShell to locate the correct one.

Can you please try this quick patch on one of those machines:

  1. Navigate to

    lib/webserver/ConvertTo-IcingaX509Certificate.psm1
  2. Open it with an administrative text editor and replace

    if (-Not (Test-Path $TargetFile) -Or $TempFile -Or $Force) {
        Write-Output "$Password
        $Password" | certutil -mergepfx "$CertFile" "$TargetFile" | Set-Variable -Name 'CertUtilOutput';
    }
  3. With this:

    if (-Not (Test-Path $TargetFile) -Or $TempFile -Or $Force) {
        Write-Output "$Password
        $Password" | & 'C:\Windows\system32\certutil.exe' -mergepfx "$CertFile" "$TargetFile" | Set-Variable -Name 'CertUtilOutput';
    }
  4. Afterwards save the file and rebuild the Icinga for Windows cache

    icinga -Shell -RebuildCache;
  5. Try to install the certificate now

    Install-IcingaForWindowsCertificate;

Does this resolve the issue? In case it does, I will provide a patch for 1.12.3. Please try this as well on Windows machines where it is currently working, to ensure we don't break anything.
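
The `Get-Command` check and the absolute-path pinning discussed in the comment above, as an added example that is not part of the original thread or of the Icinga PowerShell Framework: it lists every `certutil` the session can resolve, in precedence order, and warns when the first hit is not the binary in the Windows system directory. The function names are hypothetical, and the signature columns assume `Get-AuthenticodeSignature` can read each file.

```powershell
# Added example; not code from the Icinga PowerShell Framework.
# The function names below are hypothetical.

function Get-SystemCertUtilPath {
    # Derive the path from the OS system directory instead of searching PATH.
    $Path = Join-Path -Path ([Environment]::SystemDirectory) -ChildPath 'certutil.exe';

    if (-Not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "certutil.exe not found at expected location '$Path'";
    }

    return $Path;
}

function Get-CertUtilResolutionReport {
    # Every command named certutil that the session can see. With -All,
    # Get-Command lists them in execution precedence order, so rank 1 is
    # what a bare 'certutil' call would start.
    $Expected = Get-SystemCertUtilPath;
    $Rank     = 0;

    foreach ($Cmd in (Get-Command -Name 'certutil' -All -ErrorAction SilentlyContinue)) {
        $Rank += 1;
        $IsApp = ($Cmd.CommandType -eq 'Application');
        $Sig   = $null;

        if ($IsApp) {
            # Signature status helps tell the OS binary from a third-party one.
            $Sig = Get-AuthenticodeSignature -FilePath $Cmd.Source;
        }

        [PSCustomObject]@{
            Rank        = $Rank;
            CommandType = $Cmd.CommandType;
            Source      = $Cmd.Source;
            IsSystem    = ($IsApp -and ($Cmd.Source -eq $Expected));
            SigStatus   = if ($null -ne $Sig) { $Sig.Status } else { $null };
            Signer      = if ($null -ne $Sig -and $null -ne $Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { $null };
        };
    }
}

$Report = @(Get-CertUtilResolutionReport);
$Report | Format-Table -AutoSize;

if ($Report.Count -gt 0 -and -Not $Report[0].IsSystem) {
    Write-Warning "A bare 'certutil' call resolves to '$($Report[0].Source)', not the Windows binary.";
}
```

Scripts that call external tools with `& (Get-SystemCertUtilPath) ...` are unaffected by whatever else sits earlier on PATH.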

drapiti commented 7 months ago

Yes, so you are spot on, there is a third-party certutil: image

Tested your solution and it does resolve the issue. I will post back if I have issues on other servers; will update the local repo.

drapiti commented 7 months ago

All ok so far with this change.