The TwoTierCAStack is failing with NuGet resources download and PSGallery Respository to trusted

[LucaGasp]

Hello, I'm deploying in an existing VPC with AWS-Managed AD version. From the CloudFormation console I can only see that the script goes in CREATE_FAILED status setting up the SubCA, status reason: "Failed to receive 1 resource signal(s) within the specified duration"

Thankfully, in the CloudWatch Log Group, filtering for the name I gave to the stack, I'm able to see that there are 4 consecutive streams: First:

Creating AWSQuickstart Directory Downloading Pki PowerShell Module 
Installing NuGet Package Provider 
WARNING: MSG:UnableToDownload «https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409» «» 
Setting PSGallery Respository to trusted 
Failed to set PSGallery Respository to trusted No repository with the name 'PSGallery' was found.

Second: failed to run commands: exit status 1 Third:

Creating AWSQuickstart Directory
Downloading Pki PowerShell Module
Installing NuGet Package Provider
Setting PSGallery Respository to trusted
Failed to set PSGallery Respository to trusted No repository with the name 'PSGallery' was found.

Fourth: failed to run commands: exit status 1

I've been only able to troubleshoot the WARNING message regarding the download of the NuGet package, creating the neede dinbound rule in the security group associated with the SubCA server, than RDP-ing to the server. I've been able to reach the URL relat4ed to the warning, which FYI will redirect you to https://go.microsoft.com/fwlink/?LinkID=627338, which host the html page:

<?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:discovery="http://packagemanagement.org/discovery" patch="false" media="(OS:windows)" name="OneGet.Providers" tagVersion="1" uniqueId="OneGet.Providers.1" version="1.15.194.0" versionScheme="multipartnumeric">

    <!--
        This swidtag is a Discovery Feed that has pointers to the SWIDTAGs for
        the providers that the bootstrapper can download.
    -->

     <Link href="https://onegetcdn.azureedge.net/providers/nuget-2.8.5.208.package.swidtag" type="application/swid-tag+xml" rel="package" discovery:name="nuget" discovery:latest="true" discovery:version="2.8.5.208" media="(OS:windows)" />

   <Link href="https://onegetcdn.azureedge.net/providers/psl-1.0.0.210.package.swidtag" type="application/swid-tag+xml" rel="package" discovery:name="psl" discovery:latest="true" discovery:version="1.0.0.210" media="(OS:windows)" />

    <Link href="https://onegetcdn.azureedge.net/providers/ChocolateyPrototype-2.8.5.130.package.swidtag" type="application/swid-tag+xml" rel="package" discovery:name="chocolatey" discovery:latest="true" discovery:version="2.8.5.130" media="(OS:windows)" />

    <Link href="https://onegetcdn.azureedge.net/providers/nugetv2.feed.swidtag" type="application/swid-tag+xml" rel="feed" discovery:name="nuget" media="(OS:windows)" />

    <Link href="https://onegetcdn.azureedge.net/providers/psl.feed.swidtag" type="application/swid-tag+xml" rel="feed" discovery:name="nuget" media="(OS:windows)" />

    <Link href="https://onegetcdn.azureedge.net/providers/chocolateyprototype.feed.swidtag" type="application/swid-tag+xml" rel="feed" discovery:name="chocolatey" media="(OS:windows)" />
</SoftwareIdentity>

For my understanding, that should be OK. Indeed, the Third Cloudwatch log stream doesn't mention the warning. For that reason, I suppose the whole thing is failing on setting PSGallery Repo to trusted, because was not found.

Do you have any hint or clue? Thank you

[RamseyW2004]

We are having a similar issue. Did you ever find a solution?

[saugat86]

I am having same issue while deploying Microsoft PKI into our existing VPC: Failed to receive 1 resource signal(s) within the specified duration.

Can anyone help to fix the issue?