PKISolutions / PSPKI

PowerShell PKI Module
Microsoft Public License

Malformed filter: 'CommonName -eq ' #191

Closed gcsmithbmc closed 1 year ago

gcsmithbmc commented 1 year ago

Hello,

I saw something similar that had been closed. I read through it but it seems that my code is different. I apologize if this is, in fact, an issue that has already been reported.

I'm using PSPKI and I'm getting the error below.

Malformed filter: 'CommonName -eq ' At C:\Program Files\WindowsPowerShell\Modules\PSPKI\server\Get-RequestRow.ps1:17 char:17

My code was working until the number of certificates expiring in 30 days grew, it's around 5950 now. I think I may have overloaded it.

Can you tell me what might be going wrong and how I might get past this? I would welcome ideas if there's something I can do in my script to correct the issue.

I think it's failing somewhere around the PRODGoal function.
This is the last output in my logfile:

Count of PROD certs expiring in 30 days: 5950 Count of PROD certs expriring in 30 days for which CN has been renewed in the last 8 months

Here's the complete script:

$logFile = "C:\program files\tsom\Patrol3\log\check_certs30Day.ps1"+(get-date).ToString("yyyy_MM_dd")+".log"
$date = get-date
echo ">>> Started capture_cert_info.ps1 at ${date}" >> $logFile

#
# Remove Expiring_Certs_Reported files older than 3 days
#
foreach ($File in Get-ChildItem -Path F:\Expiring_Certs_Reported_30Day*.txt)
{
    if ($File.CreationTime -lt ($(Get-Date).AddDays(-3)))
    {
        echo "Removing $File.FullName older than 3 days"
        echo "Removing $File.FullName older than 3 days" >> $logFile
        Remove-Item $File.FullName -force
    }
}

#
# Only runs on the active node of the CA cluster.
# Verify that F: exists. If F: does not exist, exit.
#
if (Test-Path F:)
{
    $dateStrWithTime = (get-date).ToString("yyyy_MM_dd HH:mm:ss")
    echo "$dateStrWithTime check_certs.ps1: This is the active cluster node: F:\ drive exists... continue processing." >> $logFile
}
else
{
    echo "$dateStrWithTime check_certs.ps1: This is NOT the active cluster node: F:\ drive does not exist, exiting check_certs_30day.ps1." >> $logFile
    exit
}

$expiringCertsReported = "F:\Expiring_CERTS_Reported30Day"+(get-date).ToString("yyyy_MM_dd")+".txt"

#
# Get Exclusion Lists:
# F:\IOU_Exclude_TEST.txt is for TEST.
# F:\IOU_Exclude_PROD.txt is for PROD.
#

#
# Get contents of IOU_Exclude_TEST.txt
#
if (Test-Path F:\IOU_Exclude_TEST.txt)
{
    $IOU_Exclude_TEST = Get-Content F:\IOU_Exclude_TEST.txt
}
else
{
    $IOU_Exclude_TEST = $null
}
echo "TEST Exclusions:" >> $logFile
echo $IOU_Exclude_TEST >> $logFile
echo $IOU_Exclude_TEST.Count >> $logFile

#
# Get contents of IOU_Exclude_PROD.txt
#
if (Test-Path F:\IOU_Exclude_PROD.txt)
{
    $IOU_Exclude_PROD = Get-Content F:\IOU_Exclude_PROD.txt
}
else
{
    $IOU_Exclude_PROD = $null
}
echo "PROD Exclusions:" >> $logFile
echo $IOU_Exclude_PROD >> $logFile
echo $IOU_Exclude_PROD.Count >> $logFile

$IOU_ExcludeList = $IOU_Exclude_TEST

#
# Get contents of Expiring_CERTS_Reported.txt files
#
if (Test-Path F:\Expiring_CERTS_Reported_30Day)
{
    $Expiring_CERTS_Reported = Get-Content F:\Expiring_CERTS_Reported_30Day
}
else
{
    $Expiring_CERTS_Reported = $null
}
echo "Expiring CERTS Reported:" >> $logFile
echo $Expiring_CERTS_Reported.Count >> $logFile

#
# TEST
#
$CATEST = "WVSFZCHY.Support.Statefarm.Org"
Import-Module PSPKI
#
# Get list of TEST certs expiring in 30 days.
#
$TESTcerts = Get-CertificationAuthority $CATEST | Get-IssuedRequest -Filter "CertificateTemplate -eq Web_Server_Internal_SSL_TEST_SHA256_v2" , "NotAfter -le $((Get-Date).AddDays(30))"

echo "Count of TEST certs expiring in 30 days:" >> $logFile
echo $TESTcerts.count >> $logFile
$count = $TESTcerts.count

$PromFile = "C:\Program Files\windows_exporter\textfile_inputs\TEST_Certificates_Expiring_In_30_days.prom"
$CoreText=@"
# HELP test_certificates_expiring_in_30_day
# TYPE test_certificates_expiring_in_30_days gauge
test_certificates_expiring_in_30_days
"@
$Combo = $CoreText, $count
$Combo + "`r`n" | Set-Content $PromFile -NoNewline

#
# Make sure there are $TESTcerts to process
#
if ($TESTcerts.count -eq 0)
{
    $OK_To_Continue = $false
    echo "No TEST certs expiring in 30 days, bypassing TEST" >> $logFile
}
else
{
    $OK_To_Continue = $true
}

if ($OK_To_Continue)
{
    #
    # Get list of TEST certs expiring in 30 days for which CN has been renewed in the last 8 months
    #
    Function TESTGoal
    {
        foreach ($TESTserver in $TESTcerts)
        {
            get-CertificationAuthority "$CATEST" | Get-IssuedRequest -Filter "CommonName -eq $($TESTserver.CommonName)", "NotBefore -ge $((Get-Date).AddMonths(-8))"
        }
    }

    echo "Count of TEST certs expriring in 30 days for which CN has been renewed in the last 8 months:" >> $logFile
    echo (TESTGoal).count >> $logFile
    $count = (TESTGoal).count

    $PromFile = "C:\Program Files\windows_exporter\textfile_inputs\TESTGoal.prom"

    $CoreText=@"
# HELP TESTGoal
# TESTGoal gauge
TESTGoal
"@
    $Combo = $CoreText, $count
    $Combo + "`r`n" | Set-Content $PromFile -NoNewline

    #
    # Make sure there are $TESTcerts to process
    #
    if ((TESTGoal).count -eq 0)
    {
        $OK_To_Continue = $false
        echo "No TEST certs expiring in 30 days for which CN has been renewed in the last 8 months, bypassing TEST" >> $logFile
    }
    else
    {
        $OK_To_Continue = $true
    }
}

#
# Compare the list of TEST certs renewed in 8 months to the list of certs expiring in 30 days.
#
if ($OK_To_Continue)
{
    $xxx = Compare-Object -ReferenceObject ((TESTGoal).CommonName) -DifferenceObject $TESTcerts.CommonName
    echo "Count of comparison of certs renewed in 8 months to certs expiring in 30 days:" >> $logFile
    echo $xxx.count >> $logFile
    #
    # Make sure there are $xxx to process
    #
    if ($xxx.count -eq 0)
    {
        $OK_To_Continue = $false
        echo "There are no TEST certs renewed in 8 months to certs expiring in 30 days... bypassing TEST" >> $logFile
    }
    else
    {
        $OK_To_Continue = $true
    }
}

if ($OK_To_Continue)
{
#
# Get list of TEST certs expiring in 30 days that that have NOT been renewed.
#
$yyy = echo $xxx | findstr ">"

echo "TEST certs expiring in 30 days that have NOT been renewed:" >> $logFile
echo $yyy >> $logFile
echo "Count of TEST certs expiring in 30 days that have NOT been renewed:"  >> $logFile
echo $yyy.count >> $logFile
$count = $yyy.count

$PromFile = "C:\Program Files\windows_exporter\textfile_inputs\TEST_Certificates_Not_Renewed.prom.prom"
$CoreText=@"
# HELP test_certificates_not_renewed
# TYPE test_certificates_not_renewed gauge
test_certificates_not_renewed
"@

$Combo = $CoreText, $count
$Combo + "`r`n" | Set-Content $PromFile -NoNewline

if ($yyy.count -eq 0)
{
    $OK_To_Continue = $false
    echo "No TEST certs expiring in 30 days that have NOT been renewed... bypassing TEST"  >> $logFile
}
else
{
    $OK_To_Continue = $true
}

}

if ($OK_To_Continue)
{
#
# Get unique list of TEST certs expiring in 30 days that that have NOT been renewed.
#
$zzz = echo $xxx | findstr ">" | select-string -pattern ">" | Sort-Object | Get-Unique

$zzz = $zzz -replace '=>',""
echo "Unique TEST certs expiring in 30 days that have NOT been renewed:" >> $logFile
echo $zzz >> $logFile
echo "Count of unique TEST certs expiring in 30 days that have NOT been renewed:"  >> $logFile
echo $zzz.count >> $logFile
$count = $zzz.count

$PromFile = "C:\Program Files\windows_exporter\textfile_inputs\Unique_TEST_Certificates_Not_Renewed.prom"
$CoreText=@"
# HELP unique_test_certificates_not_renewed
# TYPE unique_test_certificates_not_renewed gauge
unique_test_certificates_not_renewed
"@

$Combo = $CoreText, $count
$Combo + "`r`n" | Set-Content $PromFile -NoNewline

if ($zzz.count -eq 0)
{
    $OK_To_Continue = $false
    echo "No unique TEST certs expiring in 30 days that have NOT been renewed... bypassing TEST"  >> $logFile
}
else
{
    $OK_To_Continue = $true
}

}

if ($OK_To_Continue)
{
#
# Loop through the unique list of certs that have not been renewed and build complete list of non-renewed certs for each and execute msend to generate an incident
#

foreach ($cn in $zzz)
{
    $cn = $cn.Trim()
    echo "Getting nonrenewed certs for ${cn}:" >> $logFile
    $cns = certutil -view -config WVSFZCHY.SUPPORT.STATEFARM.ORG\PKTESTCLSTR256NextGen -restrict "Issued Common Name=$cn,disposition==20" -out "Certificate Expiration Date, Issued Organization Unit, Issued Organization, Issued Common Name, Serial Number" csv | Select -Skip 1

    #
    # Get details from first in the set (one or more certificates in the set).
    #
    $FirstLine = $cns -split [Environment]::NewLine | Select-Object -first 1
    $CertificateExpirationDate,$IssuedOrganizationalUnit,$IssuedOrganization,$IssuedCommonName,$IssuedSerialNumber = $FirstLine.Split(',')

    if ($IssuedOrganizationalUnit -like "*+*")
    {
        echo "IssuedOrganizationalUnit contains +, stripping everything after +: $IssuedOrganizationalUnit" >> $logFile
        $WG = $IssuedOrganizationalUnit.Split('+')[0]
        $WG = $WG.ToUpper()
        $WG = $WG -replace('"','')
        echo "Resulting Issued Organizational Unit: $IssuedOrganizationalUnit" >> $logFile
    }
    else
    {
        $WG = $IssuedOrganizationalUnit
        $WG = $WG.ToUpper()
        $WG = $WG -replace('"','')
    }

    $ICN = $IssuedCommonName
    $IO = $IssuedCommonName

    if ($Expiring_CERTS_Reported -notcontains "${IssuedCommonName}|${CertificateExpirationDate}")
    {
        if ($IOU_ExcludeList -notcontains $WG)
        {
            if ($WG -NotMatch '^WG\d{4,5}$')
            {
                $wg_found = $WG -imatch "(WG\d{4,5}$)"
                if ($wg_found)
                {
                    $xxx = $WG
                    $WG = $matches[0]
                    echo "Bad Issued Organizational Unit: Replace $xxx with $WG" >> $logFile
                }
                else
                {
                    echo "Bad Issued Organizational Unit: Replace $WG with WG1505" >> $logFile
                    $WG = "WG1505"
                }
            }

            $msg = "CERT-30DAY: The certificate(s) on <$IssuedCommonName> is expiring on Certificate Expiration Date, <$CertificateExpirationDate>.  Please request a new certificate and replace it within 30 days.  Use procedures located here to request a new certificate: https://techguide.opr.statefarm.org/index.php/Requesting_Digital_Certificates.  Please also check your certificate repository for <$IssuedCommonName> for any other unbound certificates. Please send a Request for Service to WG1505 with the serial numbers below along with any others found to have them revoked when they are no longer in use. Certificate Owner Responsibilities and Expectations are documented here:  Server Type/Product Owner SSL Certificate Responsibilities <https://collab.sfcollab.org/sites/WSS005492/Pages/Certificate%20Owner%20Responsibilities.aspx?mode=none>.&#10;"

            foreach ($line in $cns -split [Environment]::NewLine)
            {
                $CertificateExpirationDate,$IssuedOrganizationalUnit,$IssuedOrganization,$IssuedCommonName,$IssuedSerialNumber = $line.Split(',')
                $WG1 = $IssuedOrganizationalUnit
                $WG1 = $WG1.ToUpper()
                $WG1 = $WG1 -replace('"','')

                if ($IOU_ExcludeList -notcontains $WG1)
                {
                    $msg = $msg + "&#10;The Configuration Item entered for this certificate was <$IssuedOrganization>.  The serial number of the certificate is <$IssuedSerialNumber>. The Issued Organizational Unit is <$IssuedOrganizationalUnit>.  The certificate is expiring on <$CertificateExpirationDate>."

                    $msg = $msg.Replace('"','')

                    echo "Certificate Expiration Date: $CertificateExpirationDate" >> $logFile
                    echo "Issued Organizatinal Unit: $IssuedOrganizationalUnit" >> $logFile
                    echo "Issued Organization: $IssuedOrganization" >> $logFile
                    echo "Issued Common Name: $IssuedCommonName" >> $logFile
                    echo "Issued Serial Number: $IssuedSerialNumber" >> $logFile

                    echo "$CertificateExpirationDate,$IssuedOrganizationalUnit,$IssuedOrganization,$IssuedCommonName,$IssuedSerialNumber" >> $logFile
                    echo "${IssuedCommonName}|${CertificateExpirationDate}" >> $logFile
                    echo "${IssuedCommonName}|${CertificateExpirationDate}" >> $expiringCertsReported
                }
                else
                {
                    echo "Issued Organizational Unit, $WG1, is on the Exclude list A" >> $logFile
                }
            }

            #
            # Build msend arguments.
            #
            $CMD = 'C:\Program Files\tsom\Agent\server\bin\msend.exe'
            $arg1 = '-v'
            $arg2 = '-n'
            $arg3 = 'local'
            $arg4 = '-a'
            $arg5 = 'MSEND_EVENT'
            $arg6 = '-r'
            $arg7 = 'WARNING'
            $arg8 = '-b'
            $arg9 = "mc_tool='check_certs.ps1';severity=WARNING;mc_tool_rule='check_certs.ps1';mc_origin_class='check_certs.ps1';application='CERT-30DAY';mc_host_class='CERT';mc_object='$WG';msg_group='CERT-30DAY';mc_host='$ICN';ci_name='$IO';send_incident='YES';wg_lookup='YES'"
            $arg10 = '-m'
            $arg11 = '"'+$msg+'"'
            #
            # Execute msend for the current set (one or more certificates in the set).
            #
            & $CMD $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg9 $arg10 $arg11
            echo "$CMD $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg9 $arg10 $arg11" >> $logFile
        }
        else
        {
            echo "Issued Organizational Unit, $WG, is on the Exclude list B" >> $logFile
        }
    }
    else
    {
        echo "${IssuedCommonName}|${CertificateExpirationDate} is on the Expiring_Certs_Reported list." >> $logFile
    }
}
}

$IOU_ExcludeList = $IOU_Exclude_PROD

#
# PROD
#
$CAPROD = "WVSFZCH0.Support.Statefarm.Org"
Import-Module PSPKI
#
# Get list of PROD certs expiring in 30 days.
#
$PRODcerts = Get-CertificationAuthority $CAPROD | Get-IssuedRequest -Filter "CertificateTemplate -eq Web_Server_Internal_SSL_PROD_SHA256_v2" , "NotAfter -le $((Get-Date).AddDays(30))"

echo "Count of PROD certs expiring in 30 days:" >> $logFile
echo $PRODcerts.count >> $logFile
$count = $PRODcerts.count

$PromFile = "C:\Program Files\windows_exporter\textfile_inputs\PROD_Certificates_Expiring_In_30_days.prom"
$CoreText=@"
# HELP prod_certificates_expiring_in_30_days
# TYPE prod_certificates_expiring_in_30_days gauge
prod_certificates_expiring_in_30_days
"@

$Combo = $CoreText, $count
$Combo + "`r`n" | Set-Content $PromFile -NoNewline

#
# Make sure there are $PRODcerts to process
#
if ($PRODcerts.count -le 0)
{
    $OK_To_Continue = $false
    echo "No PROD certs expiring in 30 days, bypassing PROD" >> $logFile
}
else
{
    $OK_To_Continue = $true
}

if ($OK_To_Continue)
{
    #
    # Get list of PROD certs for which CN has been renewed in the last 8 months
    #
    Function PRODGoal
    {
        foreach ($PRODserver in $PRODcerts)
        {
            get-CertificationAuthority "$CAPROD" | Get-IssuedRequest -Filter "CommonName -eq $($PRODserver.CommonName)", "NotBefore -ge $((Get-Date).AddMonths(-8))"
        }
    }

    echo "Count of PROD certs expriring in 30 days for which CN has been renewed in the last 8 months" >> $logFile
    echo (PRODGoal).count >> $logFile
    $count = (PRODGoal).count

    $PromFile = "C:\Program Files\windows_exporter\textfile_inputs\PRODGoal.prom"

    $CoreText=@"
# HELP PRODGoal
# PRODGoal gauge
PRODGoal
"@
    $Combo = $CoreText, $count
    $Combo + "`r`n" | Set-Content $PromFile -NoNewline
    #
    # Make sure there are $PRODcerts to process
    #
    if ((PRODGoal).count -le 0)
    {
        $OK_To_Continue = $false
        echo "No PROD certs expiring in 30 days for which CN has been renewed in the last 8 months, bypassing PROD" >> $logFile
    }
    else
    {
        $OK_To_Continue = $true
    }
}
#
# Compare the list of PROD certs renewed in 8 months to the list of certs expiring in 30 days.
#
if ($OK_To_Continue)
{
    $xxx = Compare-Object -ReferenceObject ((PRODGoal).CommonName) -DifferenceObject $PRODcerts.CommonName

    echo "Count of comparison of certs renewed in 8 months to certs expiring in 30 days:" >> $logFile
    echo $xxx.count >> $logFile

    #
    # Make sure there are $xxx to process
    #
    if ($xxx.count -le 0)
    {
        $OK_To_Continue = $false
        echo "There are no PROD certs renewed in 8 months to certs expiring in 30 days... bypassing PROD" >> $logFile
    }
    else
    {
        $OK_To_Continue = $true
    }
}
if ($OK_To_Continue)
{
#
# Get list of PROD certs expiring in 30 days that that have NOT been renewed.
#
$yyy = echo $xxx | findstr ">"

echo "PROD certs expiring in 30 days that have NOT been renewed:" >> $logFile
echo $yyy >> $logFile
echo "Count of PROD certs expiring in 30 days that have NOT been renewed:"  >> $logFile
echo $yyy.count >> $logFile
$count = $yyy.count

$PromFile = "C:\Program Files\windows_exporter\textfile_inputs\PROD_Certificates_Not_Renewed.prom"
$CoreText=@"
# HELP prod_certificates_not_renewed
# TYPE prod_certificates_not_renewed gauge
prod_certificates_not_renewed
"@

$Combo = $CoreText, $count
$Combo + "`r`n" | Set-Content $PromFile -NoNewline

if ($yyy.count -le 0)
{
    $OK_To_Continue = $false
    echo "No PROD certs expiring in 30 days that have NOT been renewed... bypassing PROD"  >> $logFile
}
else
{
    $OK_To_Continue = $true
}

}

if ($OK_To_Continue)
{
#
# Get unique list of PROD certs expiring in 30 days that that have NOT been renewed.
#
$zzz = echo $xxx | findstr ">" | select-string -pattern ">" | Sort-Object | Get-Unique

$zzz = $zzz -replace '=>',""
echo "Unique PROD certs expiring in 30 days that have NOT been renewed:" >> $logFile
echo $zzz >> $logFile
echo "Count of unique PROD certs expiring in 30 days that have NOT been renewed:"  >> $logFile
echo $zzz.count >> $logFile
$count = $zzz.count

$PromFile = "C:\Program Files\windows_exporter\textfile_inputs\Unique_PROD_Certificates_Not_Renewed.prom"
$CoreText=@"
# HELP unique_prod_certificates_not_renewed
# TYPE unique_prod_certificates_not_renewed gauge
unique_prod_certificates_not_renewed
"@

$Combo = $CoreText, $count
$Combo + "`r`n" | Set-Content $PromFile -NoNewline

if ($zzz.count -le 0)
{
    $OK_To_Continue = $false
    echo "No unique PROD certs expiring in 30 days that have NOT been renewed... bypassing PROD"  >> $logFile
}
else
{
    $OK_To_Continue = $true
}

}

if ($OK_To_Continue)
{
#
# Loop through the unique list of certs that have not been renewed and build complete list of non-renewed certs for each and execute msend to generate an incident
#
foreach ($cn in $zzz)
{
    $cn = $cn.Trim()
    echo "Getting nonrenewed certs for ${cn}:" >> $logFile
    $cns = certutil -view -config WVSFZCH0.SUPPORT.STATEFARM.ORG\PKMANCLSTR256NEXTGEN -restrict "Issued Common Name=$cn,disposition==20" -out "Certificate Expiration Date, Issued Organization Unit, Issued Organization, Issued Common Name, Serial Number" csv | Select -Skip 1

    #
    # Get details from first in the set (one or more certificates in the set).
    #
    $FirstLine = $cns -split [Environment]::NewLine | Select-Object -first 1
    $CertificateExpirationDate,$IssuedOrganizationalUnit,$IssuedOrganization,$IssuedCommonName,$IssuedSerialNumber = $FirstLine.Split(',')

    if ($IssuedOrganizationalUnit -like "*+*")
    {
        echo "IssuedOrganizationalUnit contains +, stripping everything after +: $IssuedOrganizationalUnit" >> $logFile
        $WG = $IssuedOrganizationalUnit.Split('+')[0]
        $WG = $WG.ToUpper()
        $WG = $WG -replace('"','')
        echo "Resulting Issued Organizational Unit: $IssuedOrganizationalUnit" >> $logFile
    }
    else
    {
        $WG = $IssuedOrganizationalUnit
        $WG = $WG.ToUpper()
        $WG = $WG -replace('"','')
    }
    $ICN = $IssuedCommonName
    $IO = $IssuedCommonName

    if ($Expiring_CERTS_Reported -notcontains "${IssuedCommonName}|${CertificateExpirationDate}")
    {
        if ($IOU_ExcludeList -notcontains $WG)
        {
            if ($WG -NotMatch '^WG\d{4,5}$')
            {
                $wg_found = $WG -imatch "(WG\d{4,5}$)"
                if ($wg_found)
                {
                    $xxx = $WG
                    $WG = $matches[0]
                    echo "Bad Issued Organizational Unit: Replace $xxx with $WG" >> $logFile
                }
                else
                {
                    echo "Bad Issued Organizational Unit: Replace $WG with WG1505" >> $logFile
                    $WG = "WG1505"
                }
            }

            $msg = "CERT-30DAY: The certificate(s) on <$IssuedCommonName> is expiring on Certificate Expiration Date, <$CertificateExpirationDate>.  Please request a new certificate and replace it within 30 days.  Use procedures located here to request a new certificate: https://techguide.opr.statefarm.org/index.php/Requesting_Digital_Certificates.  Please also check your certificate repository for <$IssuedCommonName> for any other unbound certificates. Please send a Request for Service to WG1505 with the serial numbers below along with any others found to have them revoked when they are no longer in use. Certificate Owner Responsibilities and Expectations are documented here:  Server Type/Product Owner SSL Certificate Responsibilities <https://collab.sfcollab.org/sites/WSS005492/Pages/Certificate%20Owner%20Responsibilities.aspx?mode=none>.&#10;"

            foreach ($line in $cns -split [Environment]::NewLine)
            {
                $CertificateExpirationDate,$IssuedOrganizationalUnit,$IssuedOrganization,$IssuedCommonName,$IssuedSerialNumber = $line.Split(',')
                $WG1 = $IssuedOrganizationalUnit
                $WG1 = $WG1.ToUpper()
                $WG1 = $WG1 -replace('"','')

                if ($IOU_ExcludeList -notcontains $WG1)
                {
                    $msg = $msg + "&#10;The Configuration Item entered for this certificate was <$IssuedOrganization>.  The serial number of the certificate is <$IssuedSerialNumber>. The Issued Organizational Unit is <$IssuedOrganizationalUnit>.  The certificate is expiring on <$CertificateExpirationDate>."

                    $msg = $msg.Replace('"','')

                    echo "Certificate Expiration Date: $CertificateExpirationDate" >> $logFile
                    echo "Issued Organizatinal Unit: $IssuedOrganizationalUnit" >> $logFile
                    echo "Issued Organization: $IssuedOrganization" >> $logFile
                    echo "Issued Common Name: $IssuedCommonName" >> $logFile
                    echo "Issued Serial Number: $IssuedSerialNumber" >> $logFile

                    echo "$CertificateExpirationDate,$IssuedOrganizationalUnit,$IssuedOrganization,$IssuedCommonName,$IssuedSerialNumber" >> $logFile
                    echo "${IssuedCommonName}|${CertificateExpirationDate}" >> $logFile
                    echo "${IssuedCommonName}|${CertificateExpirationDate}" >> $expiringCertsReported
                }
                else
                {
                    echo "Issued Organizational Unit, $WG1, is on the Exclude list C" >> $logFile
                }
            }

            #
            # Build msend arguments.
            #
            $CMD = 'C:\Program Files\tsom\Agent\server\bin\msend.exe'
            $arg1 = '-v'
            $arg2 = '-n'
            $arg3 = 'local'
            $arg4 = '-a'
            $arg5 = 'MSEND_EVENT'
            $arg6 = '-r'
            $arg7 = 'WARNING'
            $arg8 = '-b'
            $arg9 = "mc_tool='check_certs.ps1';severity=WARNING;mc_tool_rule='check_certs.ps1';mc_origin_class='check_certs.ps1';application='CERT-30DAY';mc_host_class='CERT';mc_object='$WG';msg_group='CERT-30DAY';mc_host='$ICN';ci_name='$IO';send_incident='YES';wg_lookup='YES'"
            $arg10 = '-m'
            $arg11 = '"'+$msg+'"'
            #
            # Execute msend for the current set (one or more certificates in the set).
            #
            & $CMD $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg9 $arg10 $arg11
            echo "$CMD $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg9 $arg10 $arg11" >> $logFile
        }
        else
        {
            echo "Issued Organizational Unit, $WG, is on the Exclude list D" >> $logFile
        }
    }
    else
    {
        echo "${IssuedCommonName}|${CertificateExpirationDate} is on the Expiring_Certs_Reported list." >> $logFile
    }
}
}
echo " " >> $logFile
$date = get-date
echo ">>> Finished check_certs_30day.ps1 at ${date}" >> $logFile

Crypt32 commented 1 year ago

Unfortunately, I can't debug your own scripts. However, the problem looks like in the missing filter qualifier. I see you are calling Get-IssuedRequest here:

foreach ($TESTserver in $TESTcerts)
    {
        get-CertificationAuthority "$CATEST" | Get-IssuedRequest -Filter "CommonName -eq $($TESTserver.CommonName)", "NotBefore -ge $((Get-Date).AddMonths(-8))"
    }

Some of the elements in the TESTcerts collection have a missing, null or empty CommonName property. You need to ensure that this property exists and is non-null.
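The guard described in this comment, as an added example that is not part of the original thread or of PSPKI: it builds the per-CN filters only for rows that carry a usable CommonName, queries each distinct CN once, and returns the rows without a CN separately so those expiring certificates can still be reported by request ID. `New-CommonNameFilterPlan` is a hypothetical helper name and the sample rows are constructed; `$CAPROD` in the closing comments is the variable from the script above.

```powershell
# Added example. New-CommonNameFilterPlan is a hypothetical helper, not a PSPKI cmdlet.
function New-CommonNameFilterPlan {
    [CmdletBinding()]
    param(
        # Rows shaped like Get-IssuedRequest output (CommonName and RequestID are used).
        [object[]]$Row = @(),
        # Lower bound for NotBefore, same window as the script in the issue.
        [datetime]$IssuedSince = (Get-Date).AddMonths(-8)
    )

    $seen    = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $queries = [System.Collections.Generic.List[object]]::new()
    $skipped = [System.Collections.Generic.List[object]]::new()

    foreach ($r in $Row) {
        # $null, '' and whitespace-only values all produce the
        # "Malformed filter: 'CommonName -eq '" error when interpolated.
        $cn = "$($r.CommonName)".Trim()
        if ([string]::IsNullOrWhiteSpace($cn)) {
            # Keep the row: it is still an expiring certificate, it just
            # cannot be matched by CommonName.
            $skipped.Add($r)
            continue
        }
        # One query per distinct CN instead of one per certificate.
        if ($seen.Add($cn)) {
            $queries.Add([pscustomobject]@{
                CommonName = $cn
                Filter     = @("CommonName -eq $cn", "NotBefore -ge $IssuedSince")
            })
        }
    }

    [pscustomobject]@{ Queries = $queries; Skipped = $skipped }
}

# Constructed sample rows standing in for $PRODcerts.
$rows = @(
    [pscustomobject]@{ RequestID = 101; CommonName = 'app01.example.test' }
    [pscustomobject]@{ RequestID = 102; CommonName = '' }
    [pscustomobject]@{ RequestID = 103; CommonName = $null }
    [pscustomobject]@{ RequestID = 104; CommonName = 'APP01.example.test' }
)

$plan = New-CommonNameFilterPlan -Row $rows

# Filters that are safe to hand to Get-IssuedRequest.
$plan.Queries | ForEach-Object { $_.Filter -join ' | ' }

# Rows that need a different lookup key.
$plan.Skipped | ForEach-Object { "No CommonName on request $($_.RequestID)" }

# With PSPKI loaded, resolve the CA once and run each filter:
#   $ca      = Get-CertificationAuthority $CAPROD
#   $renewed = foreach ($q in $plan.Queries) { $ca | Get-IssuedRequest -Filter $q.Filter }
```

Storing the query result in a variable also avoids re-running the whole loop each time the count or the CommonName list is needed.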

gcsmithbmc commented 1 year ago

Hello Vadims,

Thank you for your analysis. I’m working to implement your suggestion. It didn’t occur to me that some of the fields would be NULL or malformed. I’m winding my way through the code putting in conditional logic that you suggested.

Thank you again for your help with this.
Garland Smith

From: Vadims Podans
Sent: Monday, June 26, 2023 4:31 AM
To: PKISolutions/PSPKI
Cc: Garland Smith; Author
Subject: [EXTERNAL] Re: [PKISolutions/PSPKI] Malformed filter: 'CommonName -eq ' (Issue #191)

Unfortunately, I can't debug your own scripts. However, the problem looks like in the missing filter qualifier. I see you are calling Get-IssuedRequest here:

foreach ($TESTserver in $TESTcerts)
    {
        get-CertificationAuthority "$CATEST" | Get-IssuedRequest -Filter "CommonName -eq $($TESTserver.CommonName)", "NotBefore -ge $((Get-Date).AddMonths(-8))"
    }

Some of the elements in the TESTcerts collection have a missing, null or empty CommonName property. You need to ensure that this property exists and is non-null.


Crypt32 commented 1 year ago

Closing as a non-code-issue.