chef-boneyard / chef-provisioning-aws

AWS driver and resources for Chef that uses the AWS SDK
Apache License 2.0

powershell user_data should support winrm over ssl by default #317

Open hh opened 9 years ago

hh commented 9 years ago

Currently we open 5986 (winrm ssl) but do not enable it.

    def user_data
      # TODO: Make this use HTTPS at some point.
      <<EOD
<powershell>
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'

netsh advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow

net stop winrm
sc config winrm start=auto
net start winrm
</powershell>
EOD
    end

We should support verifying the SSL certificate before connecting. The easiest way to do that would be to retrieve the RDP SSL certificate signature via GetConsoleOutput, as it's available in the console output on lines with RDPCERTIFICATE:

2015/09/09 13:54:11Z: EC2ConfigMonitorState: 0
2015/09/09 13:54:12Z: Windows sysprep configuration complete.
2015/09/09 13:54:14Z: AMI Origin Version: 2015.08.12
2015/09/09 13:54:14Z: AMI Origin Name: Windows_Server-2012-R2_RTM-English-64Bit-Base
2015/09/09 13:54:14Z: OS: Microsoft Windows NT 6.3.9600
2015/09/09 13:54:14Z: OsVersion: 6.3
2015/09/09 13:54:14Z: OsProductName: Windows Server 2012 R2 Standard
2015/09/09 13:54:14Z: OsBuildLabEx: 9600.17936.amd64fre.winblue_ltsb.150715-0840
2015/09/09 13:54:14Z: Language: en-US
2015/09/09 13:54:14Z: EC2 Agent: Ec2Config service v3.8.294
2015/09/09 13:54:16Z: Message: Waiting for meta-data accessibility...
2015/09/09 13:54:16Z: Message: Meta-data is now available.
2015/09/09 13:54:17Z: AMI-ID: ami-4dbcb67d
2015/09/09 13:54:17Z: Instance-ID: i-e6dcba20
2015/09/09 13:54:20Z: Driver: AWS PV Network Device v7.3.2.0
2015/09/09 13:54:20Z: Driver: AWS PV Storage Host Adapter v7.3.2.0
2015/09/09 13:54:20Z: Ec2SetPassword: Enabled
2015/09/09 13:54:22Z: RDPCERTIFICATE-SUBJECTNAME: WIN-LJ3K78KQPMC
2015/09/09 13:54:22Z: RDPCERTIFICATE-THUMBPRINT: E0456331C42F2ECFA8DCC31CD48654B070FB4F33
2015/09/09 13:54:24Z: Username: Administrator
2015/09/09 13:54:24Z: Password: <Password>
nVbP+bIgs4rnw9PmNVoZI0rX06Sv24saJJt5AhDcv/u3lvDd9V8t7SEkxROO5LnIycEmk3Md0MC9GESC3iiDo7Pc9dBGpOal/ynJ1xz9BqQAoNkxvhq80tuhTl1azm6oCiibRHk6lDgR7POR8HeRuC1fOiiXXaUEcV/CkQC7E6jObR0mkXzosIhOxWZtFnnd2VwWF4okZ5e2+Yp5QGsD8VMTDIHj5+LMaEai/Ua9YjzZurcnj8LcHX1L4X//xXbHfDeqhbRkZPBz6z6t3+ObS2264RoGc3DYn7mSoCGS9gFYb3+wV4sCEkndGrOMhDG21IPfZD/60PPiM6xknha2qA==
</Password>
2015/09/09 13:54:27Z: Message: Windows is Ready to use

It is available via the certificate store:

PS C:\Users\Administrator> dir "cert:\localmachine\Remote Desktop"

    Directory: Microsoft.PowerShell.Security\Certificate::localmachine\Remote Desktop

Thumbprint                                Subject
----------                                -------
E0456331C42F2ECFA8DCC31CD48654B070FB4F33  CN=WIN-LJ3K78KQPMC

But is created without the ability to export:

PS C:\Users\Administrator> certutil.exe -exportpfx -p secret 'Remote Desktop' E0456331C42F2ECFA8DCC31CD48654B070FB4F33 rdp.pfx
Remote Desktop "Remote Desktop"
================ Certificate 0 ================
Serial Number: 7a406e91fdc84f954ddc660dfa5dee39
Issuer: CN=WIN-LJ3K78KQPMC
 NotBefore: 9/7/2015 10:06 PM
 NotAfter: 3/8/2016 10:06 PM
Subject: CN=WIN-LJ3K78KQPMC
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): e0 45 63 31 c4 2f 2e cf a8 dc c3 1c d4 86 54 b0 70 fb 4f 33
  Key Container = TSSecKeySet1
  Unique container name: f686aace6942fb7f7ceb231212eef4a4_143583cc-a900-4744-b846-f311889f418e
  Provider = Microsoft Strong Cryptographic Provider
Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
CertUtil: Key not valid for use in specified state.

I couldn't find a way to export or copy via the command line, but using the GUI to copy and paste via mmc, I was able to copy from Remote Desktop/Certificates/HOSTNAME to Personal(My?)/Certificates/Hostname.

Maybe someone with windows foo can provide that magic.

Once the certificate is available in cert:\localmachine\my (it doesn't seem to work if you leave it in cert:\localmachine\Remote Desktop) you can use the following powershell to create

function Find-Certificate($hostname) {
    foreach ($cert in Get-ChildItem 'Cert:\localmachine\my') { 
        if ($cert.Subject -eq ("CN=" + $hostname)) {
            return $cert
        }
    }
}
$certId = $env:computername
$cert = Find-Certificate $certId
echo $cert
winrm create winrm/config/listener?Address=*+Transport=HTTPS  `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`}

Running that powershell results in:

PS C:\Users\Administrator> function Find-Certificate($hostname) {
>> foreach ($cert in Get-ChildItem 'Cert:\localmachine\my') {
>> if ($cert.Subject -eq ("CN=" + $hostname)) {
>> return $cert
>> }
>> }
>> }
>> $certId = $env:computername
>> $cert = Find-Certificate $certId
>> echo $cert
>>

    Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
E0456331C42F2ECFA8DCC31CD48654B070FB4F33  CN=WIN-LJ3K78KQPMC

PS C:\Users\Administrator> winrm create winrm/config/listener?Address=*+Transport=HTTPS  `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`}
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS

That's looking pretty good.

Now let's try with openssl client and make sure we can actually communicate and see the original cert.

$ openssl s_client -connect 52.25.104.61:5986
CONNECTED(00000003)
depth=0 CN = WIN-LJ3K78KQPMC
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = WIN-LJ3K78KQPMC
verify error:num=21:unable to verify the first certificate
verify return:1

---
Certificate chain
 0 s:/CN=WIN-LJ3K78KQPMC
   i:/CN=WIN-LJ3K78KQPMC

---
Server certificate
-----BEGIN CERTIFICATE-----

knife ssl fetch/verify seems to have an issue (chef/knife-windows#284) and I'm tracking that separately; we'll have to find a way to integrate that into chef-provisioning since we won't be shelling out to knife etc.

[chef-repo]$ rm .chef/trusted_certs/*  ; knife ssl fetch https://52.25.104.61:5986 ; knife ssl check https://52.25.104.61:5986 
WARNING: Certificates from 52.25.104.61 will be fetched and placed in your trusted_cert
directory (/home/hh/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for WIN-LJ3K78KQPMC in /home/hh/chef-repo/.chef/trusted_certs/WIN-LJ3K78KQPMC.crt

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2a 19 Mar 2015
* Certificate file: /etc/ssl/cert.pem
* Certificate directory: /etc/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/home/hh/chef-repo/.chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:

/home/hh/chef-repo/.chef/trusted_certs/WIN-LJ3K78KQPMC.crt: self signed certificate

TO FIX THESE WARNINGS:

We are working on documentation for resolving common issues uncovered here.

* If the certificate is generated by the server, you may try redownloading the
server's certificate. By default, the certificate is stored in the following
location on the host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: /home/hh/chef-repo/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Connecting to host 52.25.104.61:5986
ERROR: The SSL certificate of 52.25.104.61 could not be verified
Certificate issuer data: /CN=WIN-LJ3K78KQPMC

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2a 19 Mar 2015
* Certificate file: /etc/ssl/cert.pem
* Certificate directory: /etc/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/home/hh/chef-repo/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: /home/hh/chef-repo/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

hh commented 9 years ago

I looked at winrm quickconfig and this may be one path, but we'll need to get that rdp certificate into the right place:

PS C:\> hostname
ip-0A71462E
PS C:\> dir "cert:\localmachine\Remote Desktop"

    Directory: Microsoft.PowerShell.Security\Certificate::localmachine\Remote Desktop

Thumbprint                                Subject
----------                                -------
18315D1A11CA40F46A5EC777012986055095BB75  CN=ip-0A71462E

PS C:\> winrm quickconfig -transport:https
WinRM service is already running on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

Error number:  -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

hh commented 9 years ago

copy-item didn't work 8(

PS C:\> dir "cert:\localmachine\My"
PS C:\> dir "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC777012986055095BB75"

    Directory: Microsoft.PowerShell.Security\Certificate::localmachine\Remote Desktop

Thumbprint                                Subject
----------                                -------
18315D1A11CA40F46A5EC777012986055095BB75  CN=ip-0A71462E

PS C:\> copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC777012986055095BB75" "cert:\localmachine\My\"
copy-item : Provider operation stopped because the provider does not support this operation.
At line:1 char:1
+ copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC77701298605509 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotImplemented: (:) [Copy-Item], PSNotSupportedException
    + FullyQualifiedErrorId : NotSupported,Microsoft.PowerShell.Commands.CopyItemCommand

PS C:\> copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC777012986055095BB75" "cert:\localmachine\My\18315D1A11CA40F46A5EC777012986055095BB75"
copy-item : Cannot find the X509 certificate at path localmachine\My\18315D1A11CA40F46A5EC777012986055095BB75.
At line:1 char:1
+ copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC77701298605509 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-Item], CertificateNotFoundException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.CertificateNotFoundException,Microsoft.PowerShell.Commands.CopyItemCommand

hh commented 9 years ago

Looks like we may have a winner! Thanks to http://social.technet.microsoft.com/wiki/contents/articles/28753.powershell-trick-copy-certificates-from-one-store-to-another.aspx

<powershell>
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'

netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow

$SourceStoreScope = 'LocalMachine'
$SourceStorename = 'Remote Desktop'

$SourceStore = New-Object  -TypeName System.Security.Cryptography.X509Certificates.X509Store  -ArgumentList $SourceStorename, $SourceStoreScope
$SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

$cert = $SourceStore.Certificates | Where-Object  -FilterScript {
    $_.subject -like '*'
}

$DestStoreScope = 'LocalMachine'
$DestStoreName = 'My'

$DestStore = New-Object  -TypeName System.Security.Cryptography.X509Certificates.X509Store  -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($cert)

$SourceStore.Close()
$DestStore.Close()

winrm create winrm/config/listener?Address=*+Transport=HTTPS  `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`}

net stop winrm
sc config winrm start=auto
net start winrm
</powershell>
PS C:\>
PS C:\> winrm create winrm/config/listener?Address=*+Transport=HTTPS  `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`}
ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS

PS C:\>
PS C:\> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.113.70.46, 127.0.0.1, ::1, 2001:0:5ef5:79fd:e5:39d5:f58e:b9d1, fe80::5efe:10.113.70.46%14, fe80::e5:39d5:f58e:b9d1%13, fe80::cdb1:4e6e:148e:bb3a%15

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 18315D1A11CA40F46A5EC777012986055095BB75
    ListeningOn = 10.113.70.46, 127.0.0.1, ::1, 2001:0:5ef5:79fd:e5:39d5:f58e:b9d1, fe80::5efe:10.113.70.46%14, fe80::e5:39d5:f58e:b9d1%13, fe80::cdb1:4e6e:148e:bb3a%15

Now to try and dynamically get that ssl cert into place in .chef/trusted_certs

hh commented 9 years ago

I also put together some info for getting windows to offer up winrm over ssl using the self-signed rdp certificate (cross post http://lists.opscode.com/sympa/arc/chef/2015-09/msg00290.html)

On boot, EC2 Windows instances print a lot of useful stuff to the AWS console, including the RDP self-signed SSL certificate fingerprint. It's useful to verify that you are connecting to the host you provisioned (similar to checking an SSH host's fingerprint). However, in Chef we use WinRM, so I needed to update the user_data to copy over the RDP certificate and enable its use for WinRM.

# ec2 console log snippet
2015/09/29 09:41:22Z: RDPCERTIFICATE-SUBJECTNAME: IP-0A7146CD
2015/09/29 09:41:22Z: RDPCERTIFICATE-THUMBPRINT: 112941B4213F118B4E3373520F0DC91F7169E1E8
$ openssl s_client -connect 10.113.70.205:5986 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=11:29:41:B4:21:3F:11:8B:4E:33:73:52:0F:0D:C9:1F:71:69:E1:E8

The instance comes up with knife winrm complaining about certs (see https://github.com/chef/knife-windows/issues/284#issuecomment-144087203), and it seems no combination of knife ssl fetch/check works.

I'm not sure where I would look in chef-provisioning-aws to automatically import the certificate (similar to knife ssl fetch) and check it against the EC2 console fingerprint, or how to configure it to utilize those certs and connect over SSL. Pointers to code or docs welcome.

I include some user_data, chef-provisioning recipe, and console output for your perusal:

<powershell>
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'

netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow

$SourceStoreScope = 'LocalMachine'
$SourceStorename = 'Remote Desktop'

$SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope
$SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

$cert = $SourceStore.Certificates | Where-Object -FilterScript {
    $_.subject -like '*'
}

$DestStoreScope = 'LocalMachine'
$DestStoreName = 'My'

$DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($cert)

$SourceStore.Close()
$DestStore.Close()

winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`}

net stop winrm
sc config winrm start=auto
net start winrm
</powershell>
require 'byebug' # for the breakpoint below

with_machine_options bootstrap_options: {
  winrm_transport: {
    https: {
      # This is what I'd prefer not to do, still doesn't connect
      no_ssl_peer_verification: true
    }
  },
  user_data: setup_winrm_ssl_user_data_from_above,
  image_id: 'ami-7bc3e04b'
  # aws-marketplace/CIS Microsoft Windows Server 2012 R2
  # Benchmark v1.1.0-26bb465c-ce26-4da9-afb8-040b2f8c9a7f-ami-7a88f312.2
}

machine_name = 'win-2012-hardened-X'

m = machine "#{machine_name}" do
  action :allocate
end

ruby_block "Security Info on #{machine_name}" do
  block do

    # wait for the machine to be in a ready state
    mr = resources(machine: machine_name).provider_for_action(:ready)
    mr.load_current_resource
    machine = mr.action_ready

    # grab a pointer to the chef-provisioning driver
    # so we can call driver.config and driver.ec2.*
    driver = node.run_state[:chef_provisioning].drivers.values.first

    i = driver.ec2.instances[machine.machine_spec.reference['instance_id']]
    # check for rdp certificate fingerprint
    i.console_output.lines.each do |l|
      Chef::Log.warn l.chomp
    end

    # just to look at the machine_spec
    machine.machine_spec.reference.pretty_inspect.lines.each do |l|
      Chef::Log.warn l.chomp
    end

    # decrypt the password
    pem = Cheffish.get_private_key(machine.machine_spec.reference['key_name'],
                                   driver.config)
    private_key = OpenSSL::PKey::RSA.new(pem)

    encrypted_admin_password = driver.wait_for_admin_password(machine.machine_spec)
    decoded = Base64.decode64(encrypted_admin_password)
    decrypted_password = private_key.private_decrypt decoded

    Chef::Log.warn "knife ssl fetch https://#{i.private_ip_address}:5985"
    Chef::Log.warn "rdesktop -u Administrator -p '#{decrypted_password}' -g 1280x800 #{i.private_ip_address}"
    Chef::Log.warn "knife winrm --winrm-port 5986 --winrm-transport ssl --winrm-password '#{decrypted_password}' -m #{i.private_ip_address} hostname"
    # a nice place to rest until we figure out how to get winrm + ssl working
    # TRY RUNNING 'knife winrm' HERE **************************************************
    byebug
    # as execution won't work until we configure winrm to actually
    # communicate to the node

    machine.execute_always('dir "cert:\localmachine\Remote Desktop"').stdout.lines.each do |l|
      Chef::Log.warn l.chomp
    end
  end
end

# someday!
machine "#{machine_name}" do
  action :converge
end

Full ec2-get-console output; there is an Ec2Config-issued reboot to get a unique hostname:

2015/09/29 09:39:16Z: Windows sysprep configuration complete.
2015/09/29 09:39:19Z: AMI Origin Version: 2014.12.10
2015/09/29 09:39:19Z: AMI Origin Name: Windows_Server-2012-R2_RTM-English-64Bit-Base
2015/09/29 09:39:19Z: OsVersion: 6.3
2015/09/29 09:39:19Z: OsServicePack: NotFound
2015/09/29 09:39:19Z: OsProductName: Windows Server 2012 R2 Standard
2015/09/29 09:39:19Z: OsBuildLabEx: 9600.17476.amd64fre.winblue_r5.141029-1500
2015/09/29 09:39:19Z: Language: en-US
2015/09/29 09:39:19Z: EC2 Agent: Ec2Config service v2.2.12.301
2015/09/29 09:39:19Z: EC2 Agent: Ec2Config service fileversion v2.2.12.301
2015/09/29 09:39:48Z: Driver: AWS PV Storage Host Adapter v7.2.4.1
2015/09/29 09:39:48Z: Driver: Intel(R) 82599 Virtual Function v1.0.15.3
2015/09/29 09:39:50Z: Message: Waiting for meta-data accessibility...
2015/09/29 09:39:51Z: Message: Meta-data is now available.
2015/09/29 09:39:53Z: AMI-ID: ami-7bc3e04b
2015/09/29 09:39:53Z: Instance-ID: i-d0b3ec16
2015/09/29 09:39:54Z: Ec2SetPassword: Enabled
2015/09/29 09:39:56Z: Username: Administrator
2015/09/29 09:39:56Z: Password: <Password>
mMpNuqSphbwA+Ry/ZPDPKQ+v4s5fhTwh7O42Toaw18aWNUzkVh4+++MQ0hLrT6BR2YKsODMElJOshqE+yMxEUM/xr8pgP1ihOAHn/QT1o5qDzeBBByXQxx90/FtxM6OmcxdtxbGfJE4FK54uGB52ao9IlMBSY1LFq/+ipoDY+rpw+owHtEaFE666I8+wSD6Ys4MNZ+It18DigsnjTH+hYU22HeXHKt6cMkgGV7YkhAmb99H0teFzHxtjvtWRIxKliZisbfFH6Cay29q/S1LQvSjE8r3RKQXVLHUste89Di32Qwzjpj7GKl4/8mOevoEmtOgT2s0hWjvyFBng6zHRAw==
</Password>
2015/09/29 09:39:58Z: RDPCERTIFICATE-SUBJECTNAME: WIN-PQBS6I717AU
2015/09/29 09:39:58Z: RDPCERTIFICATE-THUMBPRINT: 30DFDDE350CC06379340488EF8FE9F2A34AEA398
2015/09/29 09:40:01Z: Message: Product activation was successful
2015/09/29 09:40:02Z: Message: Ec2Config Service is rebooting the instance. Please be patient.
2015/09/29 09:41:06Z: Windows sysprep configuration complete.
2015/09/29 09:41:06Z: AMI Origin Version: 2014.12.10
2015/09/29 09:41:06Z: AMI Origin Name: Windows_Server-2012-R2_RTM-English-64Bit-Base
2015/09/29 09:41:06Z: OsVersion: 6.3
2015/09/29 09:41:06Z: OsServicePack: NotFound
2015/09/29 09:41:06Z: OsProductName: Windows Server 2012 R2 Standard
2015/09/29 09:41:06Z: OsBuildLabEx: 9600.17476.amd64fre.winblue_r5.141029-1500
2015/09/29 09:41:06Z: Language: en-US
2015/09/29 09:41:06Z: EC2 Agent: Ec2Config service v2.2.12.301
2015/09/29 09:41:06Z: EC2 Agent: Ec2Config service fileversion v2.2.12.301
2015/09/29 09:41:22Z: Driver: AWS PV Storage Host Adapter v7.2.4.1
2015/09/29 09:41:22Z: Driver: Intel(R) 82599 Virtual Function v1.0.15.3
2015/09/29 09:41:22Z: Message: Waiting for meta-data accessibility...
2015/09/29 09:41:22Z: Message: Meta-data is now available.
2015/09/29 09:41:22Z: AMI-ID: ami-7bc3e04b
2015/09/29 09:41:22Z: Instance-ID: i-d0b3ec16
2015/09/29 09:41:22Z: Ec2SetPassword: Disabled
2015/09/29 09:41:22Z: RDPCERTIFICATE-SUBJECTNAME: IP-0A7146CD
2015/09/29 09:41:22Z: RDPCERTIFICATE-THUMBPRINT: 112941B4213F118B4E3373520F0DC91F7169E1E8
2015/09/29 09:41:23Z: Message: Windows is Ready to use
2015/09/29 09:41:41Z: Message: Executing User Data with PID: 2652
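An added example (not code from chef-provisioning-aws or from anyone in this thread) of the check the opening post and the comment above describe: parse RDPCERTIFICATE-THUMBPRINT out of the console output, compare it to the SHA-1 thumbprint of the certificate the WinRM HTTPS listener presents, and only then write it into trusted_certs the way knife ssl fetch does. The self-signed certificate and console text are constructed inside the block so it runs offline; fetch_winrm_cert is the only part that touches the network, and the function names are this example's own.

```ruby
require 'openssl'
require 'socket'

# Pull every RDPCERTIFICATE-THUMBPRINT out of EC2 console output. Ec2Config
# prints it again after its hostname-changing reboot, and mail-wrapped copies
# of the log put the hex on the next line, so allow whitespace before it.
def rdp_thumbprints_from_console(console_text)
  console_text.scan(/RDPCERTIFICATE-THUMBPRINT:\s*([0-9A-Fa-f]{40})/)
              .flatten.map(&:upcase)
end

# SHA-1 thumbprint formatted like the console log and the Windows cert: drive
# (upper-case hex, no colons).
def thumbprint(cert)
  OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der).upcase
end

# Fetch the leaf certificate presented on the WinRM HTTPS port. Chain
# validation is off on purpose: a self-signed RDP cert can never chain, so
# identity is established by the thumbprint comparison below instead.
def fetch_winrm_cert(host, port = 5986, timeout = 10)
  tcp = Socket.tcp(host, port, connect_timeout: timeout)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# True only when the presented cert matches the most recent thumbprint the
# console reported; the pre-reboot one belongs to a cert that no longer exists.
def winrm_cert_trusted?(presented_cert, console_text)
  expected = rdp_thumbprints_from_console(console_text)
  !expected.empty? && expected.last == thumbprint(presented_cert)
end

# Store a verified cert as `knife ssl fetch` does: <CN>.crt in trusted_certs.
def write_trusted_cert(cert, trusted_certs_dir)
  cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1) || 'unknown'
  path = File.join(trusted_certs_dir, "#{cn}.crt")
  File.write(path, cert.to_pem)
  path
end

# Constructed stand-in for the instance's self-signed RDP certificate so the
# check can be exercised offline (the real one comes from fetch_winrm_cert).
def make_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed console log: the stale pre-reboot thumbprint (wrapped onto its
# own line, as in the mailing-list copy) followed by the live one.
def sample_console_text(live_cert)
  "2015/09/29 09:39:58Z: RDPCERTIFICATE-THUMBPRINT:\n" \
  "30DFDDE350CC06379340488EF8FE9F2A34AEA398\n" \
  "2015/09/29 09:41:22Z: RDPCERTIFICATE-THUMBPRINT: #{thumbprint(live_cert)}\n"
end
```

In a recipe the console text would come from `i.console_output` and the certificate from `fetch_winrm_cert(i.private_ip_address)`, with the WinRM connection refused when `winrm_cert_trusted?` is false.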

hh commented 8 years ago

This should now be ready to resolve.

directhex commented 8 years ago

Your final UserData effort references certId, but doesn't define it. You're missing a $certId = $env:COMPUTERNAME