chocolatey-archive / puppet-chocolatey

Chocolatey package provider
Apache License 2.0

Powershell 5.1 workaround (can't install chocolatey using chocolatey-chocolatey 1.2.6) #163

Open alexberry opened 4 years ago

alexberry commented 4 years ago

Older versions of PowerShell 5.1 do not negotiate TLS versions; chocolatey.org recently disabled TLS 1 and this broke their install script. Your Puppet run will produce an error something like:

2020/02/07 10:11:57Z: Message: The errors from user scripts: puppet : Error: '# ========================================
======================================
At C:\Windows\TEMP\UserScript.ps1:15 char:1
+ puppet agent -vt --server=blahblahblah --certn ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Error: '...===============:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

The right way to fix this is to patch your servers; the wrong way to do it is to borrow my fix in the interim:

https://github.com/alexberry/puppet-chocolatey/releases/tag/1.2.6-pwsh-workaround

Forked from this module, based on the latest tag, a two-line patch that upgrades the TLS version used by PowerShell ahead of the request. The setting is transient and only good for that shell, so should have no further ill effect.

You can include it in your Puppetfile as follows, first remove the chocolatey-chocolatey module from your Puppetfile:

-mod 'chocolatey-chocolatey', '1.2.6'

Then add in this module:

+mod 'chocolatey',
+    :git => 'git://github.com/alexberry/puppet-chocolatey',
+    :ref => '1.2.6-pwsh-workaround'
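
Review bot: The `:git` source on the added `mod 'chocolatey'` entry uses the `git://` scheme, which has no encryption or server authentication, so the module code that Puppet deploys to every Windows node is fetched without integrity protection in transit. Use `https://github.com/alexberry/puppet-chocolatey` instead. The `:ref` is also a tag name, which the repository owner can move; pinning `:ref` to the commit hash the tag points at keeps the deployed code fixed.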

Or, better yet, fork this module yourself, then save the following patch as workaround.patch:

diff --git a/templates/InstallChocolatey.ps1.erb b/templates/InstallChocolatey.ps1.erb
index 2dba364..8698faa 100644
--- a/templates/InstallChocolatey.ps1.erb
+++ b/templates/InstallChocolatey.ps1.erb
@@ -68,6 +68,8 @@ param (
   [string]$url,
   [string]$file
  )
+  Write-Output "Bodging tls"
+  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
   Write-Output "Downloading $url to $file"
   $downloader = new-object System.Net.WebClient
   $downloader.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;
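
Review bot: The added assignment `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`, placed right after the `param` block, replaces the whole protocol set rather than adding to it, and `ServicePointManager` is a static setting, so every later request in the same PowerShell process is limited to TLS 1.2 only, not just this download. If that is intended, say so in a comment above the line; if the aim is only to make TLS 1.2 available, combine it with the existing value using `-bor`. The `Tls12` enum member also requires .NET Framework 4.5 or later, so on older hosts this line throws before the download starts; a guard or a clear error would help. The `Write-Output "Bodging tls"` message does not tell whoever reads the Puppet log what was changed; something like "Forcing TLS 1.2 for this session" would.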

Patch it as follows:

git clone https://github.com/<pathtoyourforkedrepo>
cd puppet-chocolatey
git checkout 1.2.6
git switch -c oldpwsh-workaround
git apply ../workaround.patch
git commit -a
git tag 1.2.6-pwsh-workaround
git push origin oldpwsh-workaround 1.2.6-pwsh-workaround

And then make the same Puppetfile changes as above, substituting in the URL to your fork.

Not adding a pull request as this is an archived module, should really use puppetlabs-chocolatey instead, although a similar workaround may be needed there too.
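
A check that can be run on an affected host to see whether its PowerShell 5.1 session will offer TLS 1.2 without the workaround. This is an added example, not part of the issue or of either module; the function name `Get-DotNetTlsPosture` and the output property names are hypothetical.

```powershell
# Added example: report how this host's .NET Framework / PowerShell 5.1
# session selects TLS versions. Read-only; changes nothing on the host.
function Get-DotNetTlsPosture {
    [CmdletBinding()]
    param()

    # .NET Framework 4.x registry values that opt applications into strong
    # crypto / OS-default TLS versions (64-bit and 32-bit registry views).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    $registry = foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $props.SchUseStrongCrypto        # empty = not set
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions  # empty = not set
        }
    }

    # Protocols this session offers before any script overrides them.
    $current    = [Net.ServicePointManager]::SecurityProtocol
    $tls12Bit   = 3072   # numeric value of SecurityProtocolType.Tls12
    $tls12Known = [enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12'

    # A value of 0 (SystemDefault) means the choice is left to the OS.
    $offer = if ([int]$current -eq 0) {
        'DeferredToOS'
    } elseif (([int]$current -band $tls12Bit) -ne 0) {
        'Yes'
    } else {
        'No'
    }

    [pscustomobject]@{
        PSVersion               = $PSVersionTable.PSVersion.ToString()
        SessionSecurityProtocol = $current.ToString()
        Tls12EnumAvailable      = $tls12Known
        Tls12OfferedBySession   = $offer
        Registry                = $registry
    }
}

Get-DotNetTlsPosture | Format-List
```

A result of `No` for `Tls12OfferedBySession` with both registry values unset matches the failure described in this issue.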

alexberry commented 4 years ago

Looks like the puppetlabs-managed version of this module manages this already: https://github.com/puppetlabs/puppetlabs-chocolatey/blob/master/templates/InstallChocolatey.ps1.erb#L70-L78

TLDR switch to puppetlabs' module at your earliest convenience!