dsccommunity / CertificateDsc

DSC resources to simplify administration of certificates on a Windows Server.
https://dsccommunity.org
MIT License

Test-TargetResource fails if server language is not English (Get-CertificateTemplateInformation) #240

Open jmarkert opened 4 years ago

jmarkert commented 4 years ago

Details of the scenario you tried and the problem that is occurring

Verbose logs showing the problem

VERBOSE: [PSComputerName]: LCM:  [ StartenRessource]  [[CertReq]SSLWebServerCertificate]
VERBOSE: [PSComputerName]: LCM:  [ StartenTesten   ]  [[CertReq]SSLWebServerCertificate]
VERBOSE: [PSComputerName]:                            [[CertReq]SSLWebServerCertificate] Test-TargetResource: Testing Certificate with Subject '<subject>' issued by <CAServerFQDN>\<CARootName>.
VERBOSE: [PSComputerName]:                            [[CertReq]SSLWebServerCertificate] Test-TargetResource: Certificate with Subject '<subject>' issued by <CAServerFQDN>\<CARootName> found with thumbprint '<thumbprint>'.
WARNING: [PSComputerName]:                            [[CertReq]SSLWebServerCertificate] No template name found in Active Directory for 'Vorlage=SSLWebServerCertificate(1.3.6.1.4.1.311.21.8.5734392.6195358.14893705.12992936.3444946.62.3384218.1234567)
Höhere Versionsnummer=100
Niedrigere Versionsnummer=5
'.
Die Name-Eigenschaft kann nicht gefunden werden.
    + CategoryInfo          : InvalidArgument: (:) [], CimException
    + FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
    + PSComputerName        : PSComputerName

VERBOSE: [PSComputerName]:                            [[CertReq]SSLWebServerCertificate] Test-TargetResource: The certificate with subject '<subject>' issued by '<CAServerFQDN>\<CARootName>' with thumbprint <thumbprint> has the wrong template .
VERBOSE: [PSComputerName]: LCM:  [ BeendenTesten   ]  [[CertReq]SSLWebServerCertificate]  in 0.5000 Sekunden.
Die PowerShell DSC-Ressource "[CertReq]SSLWebServerCertificate" mit SourceInfo
"C:\git\projects\powershellDSC\genmof.ps1::373::9::CertReq" hat beim Ausführen der Funktion
"Test-TargetResource" mindestens einen Fehler ohne Abbruch ausgegeben. Diese Fehler werden im ETW-Kanal namens
"Microsoft-Windows-DSC/Operational" protokolliert. Weitere Informationen finden Sie in diesem Kanal.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : PSComputerName

Suggested solution to the issue

The switch regex in Get-CertificateTemplateInformation has to match localized string data like this:

Vorlage=SSLWebServerCertificate(1.3.6.1.4.1.311.21.8.5734392.6195358.14893705.12992936.3444946.62.3384218.1234567)
Höhere Versionsnummer=100
Niedrigere Versionsnummer=5

For me, I did a quick hack in source\Modules\CertificateDsc.Common\CertificateDsc.Common.psm1:632:

"$($script:localizedData.FormattedTemplateRegexTemplate)=(?:(?<DisplayName>.+)\((?<Oid>[\d.]+)\))|(?<Oid>[\d.]+)\s*$($script:localizedData.FormattedTemplateRegexMajor)=(?<MajorVersion>\d+)\s*$($script:localizedData.FormattedTemplateRegexMinor)=(?<MinorVersion>\d+)"

I added a source\Modules\CertificateDsc.Common\de-DE\CertificateDsc.Common.strings.psd1 containing:

...
FormattedTemplateRegexTemplate      = Vorlage
FormattedTemplateRegexMajor         = Höhere\sVersionsnummer
FormattedTemplateRegexMinor         = Niedrigere\sVersionsnummer
...

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration CertReqTest {

    param()
    Import-DscResource -ModuleName "CertificateDsc"

    node CertReqTest {

        CertReq "SSLWebServerCertificate" {
            CARootName          = 'CARootName'
            CAServerFQDN        = 'CAServerFQDN'
            KeyLength           = '2048'
            Exportable          = $true
            ProviderName        = 'Microsoft RSA SChannel Cryptographic Provider'
            OID                 = '1.3.6.1.4.1.311.21.8.5734392.6195358.14893705.12992936.3444946.62.3384218.1234567'
            KeyUsage            = '0xa0'
            CertificateTemplate = 'SSLWebserver'
            UseMachineContext   = $true
            FriendlyName        = 'SSL Certificate for WebServer'
            Subject             = 'CN=Subject'
            SubjectAltName      = 'dns=dnsname.domain.local'
            AutoRenew           = $true
        }
    }
}

CertReqTest -OutputPath ./mof 
Start-DscConfiguration -Verbose -Wait -Path ./mof  -Force

=> Run it a 2nd time to ensure the certificate exists

The operating system the target node is running

OsName               : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-Bit
WindowsBuildLabEx    : 9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735
OsLanguage           : de-DE
OsMuiLanguages       : {de-DE}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.14409.1018
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1018
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

5.0.0
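
The localized-label parsing suggested in this issue, as an added example (not code from the issue or from CertificateDsc): it parses the formatted template text with per-culture label fragments and shows the German text from the warning above failing against English labels and parsing with German ones. `ConvertFrom-FormattedTemplate` and `$templateLabels` are hypothetical names, the English labels are assumed to be the strings an English system emits, and the sample text is constructed from the log.

```powershell
# Added example: hypothetical helper, not part of CertificateDsc.
# Regex fragments for the three labels, keyed by culture name.
# The de-DE values are the ones proposed in the issue; en-US is an assumption.
$templateLabels = @{
    'en-US' = @{ Template = 'Template'; Major = 'Major\sVersion\sNumber'; Minor = 'Minor\sVersion\sNumber' }
    'de-DE' = @{ Template = 'Vorlage';  Major = 'Höhere\sVersionsnummer'; Minor = 'Niedrigere\sVersionsnummer' }
}

function ConvertFrom-FormattedTemplate
{
    param
    (
        [Parameter(Mandatory = $true)] [System.String] $FormattedTemplate,
        [Parameter(Mandatory = $true)] [System.String] $Culture
    )

    $labels = $templateLabels[$Culture]
    if ($null -eq $labels)
    {
        # Fail loudly instead of silently reporting "wrong template".
        throw "No template labels defined for culture '$Culture'."
    }

    # The display name is optional: the text may carry only the OID.
    $pattern = '^{0}=(?:(?<DisplayName>.+)\()?(?<Oid>[\d.]+)\)?\s*{1}=(?<Major>\d+)\s*{2}=(?<Minor>\d+)' -f `
        $labels.Template, $labels.Major, $labels.Minor

    if ($FormattedTemplate -notmatch $pattern)
    {
        return $null
    }

    [PSCustomObject]@{
        DisplayName  = $Matches['DisplayName']
        Oid          = $Matches['Oid']
        MajorVersion = [int] $Matches['Major']
        MinorVersion = [int] $Matches['Minor']
    }
}

# Constructed sample: the de-DE template text quoted in the warning above.
$deText = "Vorlage=SSLWebServerCertificate(1.3.6.1.4.1.311.21.8.5734392.6195358.14893705.12992936.3444946.62.3384218.1234567)`r`n" +
    "Höhere Versionsnummer=100`r`nNiedrigere Versionsnummer=5`r`n"

# Parse the same text first with English labels, then with German labels.
ConvertFrom-FormattedTemplate -FormattedTemplate $deText -Culture 'en-US'
ConvertFrom-FormattedTemplate -FormattedTemplate $deText -Culture 'de-DE'
```

On Windows PowerShell 5.1, save a script containing `Höhere` as UTF-8 with BOM, otherwise the file is read in the ANSI code page and the label no longer matches.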

PlagueHO commented 3 years ago

Thanks for raising this @jmarkert - it is a good catch and should be an easy fix as you've done most of the work. 😀