Open hh opened 9 years ago
I looked at winrm quickconfig and this may be one path, but we'll need to get that rdp certificate into the right place:
PS C:\> hostname
ip-0A71462E
PS C:\> dir "cert:\localmachine\Remote Desktop"
Directory: Microsoft.PowerShell.Security\Certificate::localmachine\Remote Desktop
Thumbprint Subject
---------- -------
18315D1A11CA40F46A5EC777012986055095BB75 CN=ip-0A71462E
PS C:\> winrm quickconfig -transport:https
WinRM service is already running on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
copy-item didn't work 8(
PS C:\> dir "cert:\localmachine\My"
PS C:\> dir "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC777012986055095BB75"
Directory: Microsoft.PowerShell.Security\Certificate::localmachine\Remote Desktop
Thumbprint Subject
---------- -------
18315D1A11CA40F46A5EC777012986055095BB75 CN=ip-0A71462E
PS C:\> copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC777012986055095BB75" "cert:\localmachine\My\"
copy-item : Provider operation stopped because the provider does not support this operation.
At line:1 char:1
+ copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC77701298605509 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Copy-Item], PSNotSupportedException
+ FullyQualifiedErrorId : NotSupported,Microsoft.PowerShell.Commands.CopyItemCommand
PS C:\> copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC777012986055095BB75" "cert:\localmachine\My\18315D1A11CA40F46A5EC777012986055095BB75"
copy-item : Cannot find the X509 certificate at path localmachine\My\18315D1A11CA40F46A5EC777012986055095BB75.
At line:1 char:1
+ copy-item "cert:\localmachine\Remote Desktop\18315D1A11CA40F46A5EC77701298605509 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-Item], CertificateNotFoundException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.CertificateNotFoundException,Microsoft.PowerShell.Commands.CopyItemCommand
Looks like we may have a winner! Thanks to http://social.technet.microsoft.com/wiki/contents/articles/28753.powershell-trick-copy-certificates-from-one-store-to-another.aspx
<powershell>
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow
# The listener Hostname must match the certificate CN, which ec2config sets to the computer name
$certId = $env:COMPUTERNAME
# Copy the self-signed RDP certificate from the "Remote Desktop" store into "My" (Personal):
# the listener does not pick it up from "Remote Desktop", and the cert: provider's Copy-Item refuses this copy
$SourceStoreScope = 'LocalMachine'
$SourceStorename = 'Remote Desktop'
$SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope
$SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $SourceStore.Certificates | Where-Object -FilterScript {
    $_.Subject -like '*'
} | Select-Object -First 1
$DestStoreScope = 'LocalMachine'
$DestStoreName = 'My'
$DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($cert)
$SourceStore.Close()
$DestStore.Close()
# Expand $certId and the thumbprint inside a double-quoted string so winrm receives the literal values
winrm create winrm/config/listener?Address=*+Transport=HTTPS "@{Hostname=`"$certId`";CertificateThumbprint=`"$($cert.Thumbprint)`"}"
net stop winrm
sc config winrm start=auto
net start winrm
</powershell>
PS C:\>
PS C:\> winrm create winrm/config/listener?Address=*+Transport=HTTPS `@`{Hostname=`"($certId)`"`;CertificateThumbprint=`"($cert.Thumbprint)`"`}
ResourceCreated
Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters
ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
SelectorSet
Selector: Address = *, Transport = HTTPS
PS C:\>
PS C:\> winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.113.70.46, 127.0.0.1, ::1, 2001:0:5ef5:79fd:e5:39d5:f58e:b9d1, fe80::5efe:10.113.70.46%14, fe80::e5:39d5:f58e:b9d1%13, fe80::cdb1:4e6e:148e:bb3a%15
Listener
Address = *
Transport = HTTPS
Port = 5986
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint = 18315D1A11CA40F46A5EC777012986055095BB75
ListeningOn = 10.113.70.46, 127.0.0.1, ::1, 2001:0:5ef5:79fd:e5:39d5:f58e:b9d1, fe80::5efe:10.113.70.46%14, fe80::e5:39d5:f58e:b9d1%13, fe80::cdb1:4e6e:148e:bb3a%15
Now to try and dynamically get that ssl cert into place in .chef/trusted_certs
I also put together some info for getting windows to offer up winrm over ssl using the self-signed rdp certificate (cross post http://lists.opscode.com/sympa/arc/chef/2015-09/msg00290.html)
On boot, ec2 windows instances print a lot of useful stuff to the aws console, including the rdp self-signed ssl certificate fingerprint. It's useful to verify that you are connecting to the host you provisioned (similar to checking an ssh host's fingerprint). However, in chef we use winrm, so I needed to update the user_data to copy over the rdp certificate and enable its use for winrm.
# ec2 console log snippet
2015/09/29 09:41:22Z: RDPCERTIFICATE-SUBJECTNAME: IP-0A7146CD
2015/09/29 09:41:22Z: RDPCERTIFICATE-THUMBPRINT: 112941B4213F118B4E3373520F0DC91F7169E1E8
$ openssl s_client -connect 10.113.70.205:5986 < /dev/null 2>/dev/null \
    | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=11:29:41:B4:21:3F:11:8B:4E:33:73:52:0F:0D:C9:1F:71:69:E1:E8
The instance comes up with knife winrm complaining about certs (see https://github.com/chef/knife-windows/issues/284#issuecomment-144087203), and it seems no combination of knife ssl fetch/check works.
I'm not sure where I would look in chef-provisioning-aws to automatically import the certificate (similar to knife ssl fetch) and check it against the ec2 console fingerprint, or how to configure it to utilize those certs and connect over ssl. Pointers to code or docs welcome.
I include some user_data, chef-provisioning recipe, and console output for your perusal:
<powershell>
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
netsh advfirewall firewall add rule name="WinRM 5986" protocol=TCP dir=in localport=5986 action=allow
# The listener Hostname must match the certificate CN, which ec2config sets to the computer name
$certId = $env:COMPUTERNAME
# Copy the self-signed RDP certificate from the "Remote Desktop" store into "My" (Personal):
# the listener does not pick it up from "Remote Desktop", and the cert: provider's Copy-Item refuses this copy
$SourceStoreScope = 'LocalMachine'
$SourceStorename = 'Remote Desktop'
$SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope
$SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $SourceStore.Certificates | Where-Object -FilterScript {
    $_.Subject -like '*'
} | Select-Object -First 1
$DestStoreScope = 'LocalMachine'
$DestStoreName = 'My'
$DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($cert)
$SourceStore.Close()
$DestStore.Close()
# Expand $certId and the thumbprint inside a double-quoted string so winrm receives the literal values
winrm create winrm/config/listener?Address=*+Transport=HTTPS "@{Hostname=`"$certId`";CertificateThumbprint=`"$($cert.Thumbprint)`"}"
net stop winrm
sc config winrm start=auto
net start winrm
</powershell>
with_machine_options bootstrap_options: {
  winrm_transport: {
    https: {
      # This is what I'd prefer not to do, still doesn't connect
      no_ssl_peer_verification: true
    }
  },
  user_data: setup_winrm_ssl_user_data_from_above,
  image_id: 'ami-7bc3e04b'
  # aws-marketplace/CIS Microsoft Windows Server 2012 R2
  # Benchmark v1.1.0-26bb465c-ce26-4da9-afb8-040b2f8c9a7f-ami-7a88f312.2
}

machine_name = 'win-2012-hardened-X'
m = machine "#{machine_name}" do
  action :allocate
end

ruby_block "Security Info on #{machine_name}" do
  block do
    # wait for the machine to be in a ready state
    mr = resources(machine: machine_name).provider_for_action(:ready)
    mr.load_current_resource
    machine = mr.action_ready
    # grab a pointer to the chef-provisioning driver
    # so we can call driver.config and driver.ec2.*
    driver = node.run_state[:chef_provisioning].drivers.values.first
    i = driver.ec2.instances[machine.machine_spec.reference['instance_id']]
    # check for rdp certificate fingerprint
    i.console_output.lines.each do |l|
      Chef::Log.warn l.chomp
    end
    # just to look at the machine_spec
    machine.machine_spec.reference.pretty_inspect.lines.each do |l|
      Chef::Log.warn l.chomp
    end
    # decrypt the password
    pem = Cheffish.get_private_key(machine.machine_spec.reference['key_name'], driver.config)
    private_key = OpenSSL::PKey::RSA.new(pem)
    encrypted_admin_password = driver.wait_for_admin_password(machine.machine_spec)
    decoded = Base64.decode64(encrypted_admin_password)
    decrypted_password = private_key.private_decrypt decoded
    Chef::Log.warn "knife ssl fetch https://#{i.private_ip_address}:5985"
    Chef::Log.warn "rdesktop -u Administrator -p '#{decrypted_password}' -g 1280x800 #{i.private_ip_address}"
    Chef::Log.warn "knife winrm --winrm-port 5986 --winrm-transport ssl --winrm-password '#{decrypted_password}' -m #{i.private_ip_address} hostname"
    # a nice place to rest until we figure out how to get winrm + ssl working
    # TRY RUNNING 'knife winrm' HERE **************************************************
    byebug
    # as execution won't work until we configure winrm to actually communicate to the node
    machine.execute_always('dir "cert:\localmachine\Remote Desktop"').stdout.lines.each do |l|
      Chef::Log.warn l.chomp
    end
  end
end

# someday!
machine "#{machine_name}" do
  action :converge
end
Full ec2-get-console output; there is an ec2config-issued reboot to get a unique hostname:
2015/09/29 09:39:16Z: Windows sysprep configuration complete.
2015/09/29 09:39:19Z: AMI Origin Version: 2014.12.10
2015/09/29 09:39:19Z: AMI Origin Name: Windows_Server-2012-R2_RTM-English-64Bit-Base
2015/09/29 09:39:19Z: OsVersion: 6.3
2015/09/29 09:39:19Z: OsServicePack: NotFound
2015/09/29 09:39:19Z: OsProductName: Windows Server 2012 R2 Standard
2015/09/29 09:39:19Z: OsBuildLabEx: 9600.17476.amd64fre.winblue_r5.141029-1500
2015/09/29 09:39:19Z: Language: en-US
2015/09/29 09:39:19Z: EC2 Agent: Ec2Config service v2.2.12.301
2015/09/29 09:39:19Z: EC2 Agent: Ec2Config service fileversion v2.2.12.301
2015/09/29 09:39:48Z: Driver: AWS PV Storage Host Adapter v7.2.4.1
2015/09/29 09:39:48Z: Driver: Intel(R) 82599 Virtual Function v1.0.15.3
2015/09/29 09:39:50Z: Message: Waiting for meta-data accessibility...
2015/09/29 09:39:51Z: Message: Meta-data is now available.
2015/09/29 09:39:53Z: AMI-ID: ami-7bc3e04b
2015/09/29 09:39:53Z: Instance-ID: i-d0b3ec16
2015/09/29 09:39:54Z: Ec2SetPassword: Enabled
2015/09/29 09:39:56Z: Username: Administrator
2015/09/29 09:39:56Z: Password: <Password>
mMpNuqSphbwA+Ry/ZPDPKQ+v4s5fhTwh7O42Toaw18aWNUzkVh4+++MQ0hLrT6BR2YKsODMElJOshqE+yMxEUM/xr8pgP1ihOAHn/QT1o5qDzeBBByXQxx90/FtxM6OmcxdtxbGfJE4FK54uGB52ao9IlMBSY1LFq/+ipoDY+rpw+owHtEaFE666I8+wSD6Ys4MNZ+It18DigsnjTH+hYU22HeXHKt6cMkgGV7YkhAmb99H0teFzHxtjvtWRIxKliZisbfFH6Cay29q/S1LQvSjE8r3RKQXVLHUste89Di32Qwzjpj7GKl4/8mOevoEmtOgT2s0hWjvyFBng6zHRAw==
</Password>
2015/09/29 09:39:58Z: RDPCERTIFICATE-SUBJECTNAME: WIN-PQBS6I717AU
2015/09/29 09:39:58Z: RDPCERTIFICATE-THUMBPRINT: 30DFDDE350CC06379340488EF8FE9F2A34AEA398
2015/09/29 09:40:01Z: Message: Product activation was successful
2015/09/29 09:40:02Z: Message: Ec2Config Service is rebooting the instance. Please be patient.
2015/09/29 09:41:06Z: Windows sysprep configuration complete.
2015/09/29 09:41:06Z: AMI Origin Version: 2014.12.10
2015/09/29 09:41:06Z: AMI Origin Name: Windows_Server-2012-R2_RTM-English-64Bit-Base
2015/09/29 09:41:06Z: OsVersion: 6.3
2015/09/29 09:41:06Z: OsServicePack: NotFound
2015/09/29 09:41:06Z: OsProductName: Windows Server 2012 R2 Standard
2015/09/29 09:41:06Z: OsBuildLabEx: 9600.17476.amd64fre.winblue_r5.141029-1500
2015/09/29 09:41:06Z: Language: en-US
2015/09/29 09:41:06Z: EC2 Agent: Ec2Config service v2.2.12.301
2015/09/29 09:41:06Z: EC2 Agent: Ec2Config service fileversion v2.2.12.301
2015/09/29 09:41:22Z: Driver: AWS PV Storage Host Adapter v7.2.4.1
2015/09/29 09:41:22Z: Driver: Intel(R) 82599 Virtual Function v1.0.15.3
2015/09/29 09:41:22Z: Message: Waiting for meta-data accessibility...
2015/09/29 09:41:22Z: Message: Meta-data is now available.
2015/09/29 09:41:22Z: AMI-ID: ami-7bc3e04b
2015/09/29 09:41:22Z: Instance-ID: i-d0b3ec16
2015/09/29 09:41:22Z: Ec2SetPassword: Disabled
2015/09/29 09:41:22Z: RDPCERTIFICATE-SUBJECTNAME: IP-0A7146CD
2015/09/29 09:41:22Z: RDPCERTIFICATE-THUMBPRINT: 112941B4213F118B4E3373520F0DC91F7169E1E8
2015/09/29 09:41:23Z: Message: Windows is Ready to use
2015/09/29 09:41:41Z: Message: Executing User Data with PID: 2652
This should now be ready to resolve.
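The check the cross-post above asks for, comparing the certificate the WinRM HTTPS listener presents against the last RDPCERTIFICATE-THUMBPRINT in the ec2 console output, as an added Ruby example; this is not code from chef-provisioning-aws or from the thread's author. The console text is constructed from the log above (the post-reboot thumbprint is the current one), and the function names are assumptions.

```ruby
require 'openssl'
require 'socket'
# Constructed sample of ec2 console output (thumbprints from the log above).
# Ec2Config reboots the instance once; the second boot reports a new hostname
# and a new RDP certificate, so only the LAST thumbprint is the current one.
SAMPLE_CONSOLE = <<~LOG
  2015/09/29 09:39:58Z: RDPCERTIFICATE-SUBJECTNAME: WIN-PQBS6I717AU
  2015/09/29 09:39:58Z: RDPCERTIFICATE-THUMBPRINT: 30DFDDE350CC06379340488EF8FE9F2A34AEA398
  2015/09/29 09:40:02Z: Message: Ec2Config Service is rebooting the instance. Please be patient.
  2015/09/29 09:41:22Z: RDPCERTIFICATE-SUBJECTNAME: IP-0A7146CD
  2015/09/29 09:41:22Z: RDPCERTIFICATE-THUMBPRINT: 112941B4213F118B4E3373520F0DC91F7169E1E8
  2015/09/29 09:41:23Z: Message: Windows is Ready to use
LOG

# Last RDPCERTIFICATE-THUMBPRINT in the console text (nil if none yet);
# \s* tolerates the value wrapping onto the following line.
def rdp_thumbprint_from_console(text)
  text.scan(/RDPCERTIFICATE-THUMBPRINT:\s*([0-9A-Fa-f]{40})/).flatten.last&.upcase
end
# Windows' "Thumbprint" is SHA-1 over the DER encoding of the certificate.
def cert_thumbprint(cert)
  OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der).upcase
end
# Accepts "11:29:41:..." (openssl x509 -fingerprint) or "112941..." (Windows).
def thumbprint_matches?(cert, expected)
  cert_thumbprint(cert) == expected.to_s.delete(':').upcase
end
# TLS handshake with the WinRM HTTPS listener. Chain validation is skipped
# (the cert is self-signed); pinning the leaf thumbprint replaces it.
def fetch_winrm_cert(host, port = 5986)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end
# console_text is the instance console output (i.console_output in the recipe).
def verify_winrm_host(host, console_text, port = 5986)
  expected = rdp_thumbprint_from_console(console_text)
  raise 'no RDPCERTIFICATE-THUMBPRINT in console output yet' unless expected
  cert = fetch_winrm_cert(host, port)
  return true if thumbprint_matches?(cert, expected)
  raise "WinRM cert mismatch on #{host}: got #{cert_thumbprint(cert)}, expected #{expected}"
end
```

A failed match raises rather than falling back, so a recipe that calls verify_winrm_host before the first winrm connection never proceeds against an unexpected certificate.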
Your final UserData effort references certId, but doesn't define it. You're missing a $certId = $env:COMPUTERNAME
Currently we open 5986 (winrm ssl) but do not enable it.
We should support verifying the SSL certificate before connecting. The easiest way to do that would be to retrieve the RDP ssl certificate signature via GetConsoleOutput, as it's available in the console output on lines with RDPCERTIFICATE:
It is available via the certificate store:
But is created without the ability to export:
I couldn't find a way to export or copy via the command line, but using the GUI to copy and paste via mmc, I was able to copy from Remote Desktop/Certificates/HOSTNAME to Personal (My?)/Certificates/Hostname.
Maybe someone with windows foo can provide that magic.
Once the certificate is available in cert:\localmachine\my (it doesn't seem to work if you leave it in cert:\localmachine\Remote Desktop) you can use the following powershell to create
Running that powershell results in:
That's looking pretty good. Now let's try with openssl client and make sure we can actually communicate and see the original cert.
knife ssl fetch/verify seems to have an issue (chef/knife-windows#284) and I'm tracking that separately; we'll have to find a way to integrate that into chef-provisioning since we won't be shelling out to knife etc.