puppetlabs / puppetlabs-iis

Manage IIS for Windows Server 2008 and above. Maintain application sites, pools, virtual applications, and many other IIS settings.
Apache License 2.0
13 stars 64 forks

Module continuously does corrective changes to configured bindings. #346

Closed aaronhilton0 closed 1 year ago

aaronhilton0 commented 2 years ago

Describe the Bug

The puppetlabs-iis module is continuously doing corrective changes to binding configurations within the manifests. I am able to duplicate the problem with some of the example code on the forge modules page. Examples of code and output are below.

Expected Behavior

The module should set the binding configurations once and only make changes when corrections are actually needed.

Steps to Reproduce

I was able to reproduce with the following Puppet code:

# using example in forge
class profile::iis_site2 {

# Create Directories

file { 'c:\\inetpub\\complete':
  ensure => 'directory'
}

file { 'c:\\inetpub\\complete_vdir':
  ensure => 'directory'
}

# Set Permissions

acl { 'c:\\inetpub\\complete':
  permissions => [
    {'identity' => 'IIS_IUSRS', 'rights' => ['read', 'execute']},
  ],
}

acl { 'c:\\inetpub\\complete_vdir':
  permissions => [
    {'identity' => 'IIS_IUSRS', 'rights' => ['read', 'execute']},
  ],
}

# Configure IIS

iis_application_pool { 'complete_site_app_pool':
  ensure                  => 'present',
  state                   => 'started',
  managed_pipeline_mode   => 'Integrated',
  managed_runtime_version => 'v4.0',
}

# Application Pool No Managed Code .Net CLR Version set up
iis_application_pool { 'test_app_pool':
  ensure                    => 'present',
  enable32_bit_app_on_win64 => true,
  managed_runtime_version   => '',
  managed_pipeline_mode     => 'Classic',
  start_mode                => 'AlwaysRunning',
}

iis_site { 'complete':
  ensure           => 'started',
  physicalpath     => 'c:\\inetpub\\complete',
  applicationpool  => 'complete_site_app_pool',
  enabledprotocols => 'https',
  bindings         => [
    {
      'bindinginformation'   => '*:443:',
      'protocol'             => 'https',
      'certificatehash'      => '3598FAE5ADDB8BA32A061C5579829B359409856F',
      'certificatestorename' => 'MY',
      'sslflags'             => 1,
    },
  ],
  require => File['c:\\inetpub\\complete'],
}

iis_virtual_directory { 'vdir':
  ensure       => 'present',
  sitename     => 'complete',
  physicalpath => 'c:\\inetpub\\complete_vdir',
  require      => File['c:\\inetpub\\complete_vdir'],
}

}

This code reports the following corrective changes every time the agent runs.

Running Puppet agent on demand ...
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for ah-node2win-a13c00-0.us-west1-c.c.customer-support-scratchpad.internal
Info: Applying configuration version 'ahpepri2019-a13c00-0-production-5fe7e9cc693'
Notice: /Stage[main]/Profile::Iis_site2/Iis_site[complete]/bindings: bindings changed [
  {
    'certificatestorename' => '',
    'protocol' => 'https',
    'sslflags' => 1,
    'certificatehash' => '',
    'bindinginformation' => '*:443:'
  }] to [
  {
    'bindinginformation' => '*:443:',
    'protocol' => 'https',
    'certificatehash' => '3598FAE5ADDB8BA32A061C5579829B359409856F',
    'certificatestorename' => 'MY',
    'sslflags' => 1
  }] (corrective)
Notice: Applied catalog in 7.94 seconds
Press any key to continue . . .


david22swan commented 2 years ago

Writing down thoughts.....

Questions?????

david22swan commented 2 years ago

Think I have found the cause of the issue, link here: https://stackoverflow.com/questions/59765860/powershells-addsslcertificate-not-working-on-iis-10-non-server-binding

david22swan commented 2 years ago

Looking deeper into the issue, looks like it may arise from our commands being out of date. We may need to update the code to use New-WebBinding rather than the current Add-WebConfiguration.

https://docs.microsoft.com/en-us/powershell/module/webadministration/new-webbinding?view=windowsserver2022-ps

david22swan commented 2 years ago

Have made some progress:

PR shown here: https://github.com/puppetlabs/puppetlabs-iis/pull/349/files

aaronhilton0 commented 2 years ago

Customer has tested against commit '125c510' and reports that the certificate hash appears to be correctly populated; however, it is still showing as a corrective change. Looking through the updated log file, it appears that it is adding 'port' => 80 every run. I've asked the customer to manually add the SSL certificate and will update this issue when I have results.
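
The corrective notices quoted in this thread can be compared key by key instead of by eye. The following is an added example, not code from the thread or from puppetlabs-iis: it parses the notice from the original report and lists the binding keys whose current and desired values differ. The helper names `parse_bindings` and `binding_drift` are hypothetical.

```ruby
# Added example, not puppetlabs-iis code. Compares the two sides of a Puppet
# "bindings changed [...] to [...]" notice and lists the keys that differ.

# Notice text copied from the agent run in the issue report.
NOTICE = <<~LOG
  Notice: /Stage[main]/Profile::Iis_site2/Iis_site[complete]/bindings: bindings changed [
    {
      'certificatestorename' => '',
      'protocol' => 'https',
      'sslflags' => 1,
      'certificatehash' => '',
      'bindinginformation' => '*:443:'
    }] to [
    {
      'bindinginformation' => '*:443:',
      'protocol' => 'https',
      'certificatehash' => '3598FAE5ADDB8BA32A061C5579829B359409856F',
      'certificatestorename' => 'MY',
      'sslflags' => 1
    }] (corrective)
LOG

# Parse one "[ {...}, ... ]" side into an array of hashes. Values are kept as
# strings, so 1 and '1' compare equal.
def parse_bindings(text)
  text.scan(/\{(.*?)\}/m).flatten.map do |body|
    body.scan(/'([^']+)'\s*=>\s*('[^']*'|[^,\s}]+)/).to_h do |key, raw|
      [key.downcase, raw.delete_prefix("'").delete_suffix("'")]
    end
  end
end

# Returns { "protocol/bindinginformation" => { key => [current, desired] } }.
# Key order and letter case are ignored; a missing key counts as ''.
def binding_drift(notice)
  m = notice.match(/bindings changed (\[.*?\]) to (\[.*?\])/m)
  return {} unless m
  id = ->(b) { "#{b['protocol']}/#{b['bindinginformation']}" }
  current = parse_bindings(m[1]).to_h { |b| [id.(b), b] }
  parse_bindings(m[2]).each_with_object({}) do |want, drift|
    have = current.fetch(id.(want), {})
    keys = (want.keys | have.keys).reject { |k| want[k].to_s.casecmp?(have[k].to_s) }
    drift[id.(want)] = keys.to_h { |k| [k, [have[k], want[k]]] } unless keys.empty?
  end
end

pp binding_drift(NOTICE)
```

An empty result for a notice that is still marked corrective means the two sides differ only in key order, letter case or value type, which points at the provider's comparison rather than at the IIS configuration.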

cummingscody commented 2 years ago

Customer has reported they can manually assign the cert for binding in IIS and it works.

cummingscody commented 2 years ago

@david22swan Any further thoughts on this?

david22swan commented 2 years ago

@cummingscody apologies, had missed the update saying you'd replied. Could you show me the exact update message?

david22swan commented 2 years ago

All work now being moved to Jira, here is the associated new ticket: https://tickets.puppetlabs.com/browse/CONT-25

github-actions[bot] commented 1 year ago

Hello! 👋

This issue has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which issues need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the issue with a comment.

pmcmaw commented 1 year ago

@cummingscody @aaronhilton0 Just wondering if you are happy with the resolution and can we close this?

pmcmaw commented 1 year ago

Closing due to no response. If you are still seeing this issue, please reopen.