The following script works interactively but fails when using DSC. DSC is a way of setting up a deployment pipeline for windows servers. https://learn.microsoft.com/en-us/powershell/dsc/getting-started/wingettingstarted?view=dsc-1.1
The certificate is already added to the certificate store. This succeeds interactively with administrator authority. It fails when in a DSC pull configuration.
$userName = "domain\user"
#example testuser1
$permission = "read"
#example read
$certStoreLocation = "\LocalMachine\My"
#example \LocalMachine\My
$certThumbprint = "24235c388df63e20dea2b21e0deadbeefe21c3cd"
#example 24235c388df63e20dea2b21e0deadbeefe21c3cd
# check if certificate is already installed
$certificateInstalled = Get-ChildItem cert:$certStoreLocation | Where thumbprint -eq $certThumbprint
Write-Host $certificateInstalled
# download & install only if certificate is not already installed on machine
if ($certificateInstalled -eq $null)
{
$message="Certificate with thumbprint:" $certThumbprint " does not exist at " $certStoreLocation
Write-Host $message -ForegroundColor Red
exit 1;
}else
{
try
{
$rule = new-object security.accesscontrol.filesystemaccessrule $userName, $permission, allow
$root = "c:\programdata\microsoft\crypto\rsa\machinekeys"
$l = ls Cert:$certStoreLocation
$l = $l |? {$_.thumbprint -like $certThumbprint}
$l |%{
$keyname = $_.privatekey.cspkeycontainerinfo.uniquekeycontainername
Write-Host "Keyname: $keyname"
Write-Host $keyname
$p = [io.path]::combine($root, $keyname)
if ([io.file]::exists($p))
{
$acl = get-acl -path $p
$acl.addaccessrule($rule)
echo $p
set-acl $p $acl
Write-Host "Set ACL"
}
}
}
catch
{
Write-Host "Caught an exception:" -ForegroundColor Red
Write-Host "$($_.Exception)" -ForegroundColor Red
exit 1;
}
}
exit $LASTEXITCODE
error message:
VERBOSE: [HOSTNAME]: LCM: [ End Set ] [[Script]SSLcertificateRights] in 0.1560 seconds.
PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message:
PowerShell Desired State Configuration does not support execution of commands in an interactive mode. Please ensure
that the underlying command is not prompting for user input, such as missing mandatory parameter, confirmation prompt
etc.
CategoryInfo : InvalidOperation: (:) [], CimException
FullyQualifiedErrorId : ProviderOperationExecutionFailure
PSComputerName : hostname.domain.ext
CodePudding user response:
My boss refactored it and made it work with DSC
[securestring]$secStringPassword = ConvertTo-SecureString $Node.CertificatePassword -AsPlainText -Force
[pscredential]$certCred = New-Object System.Management.Automation.PSCredential ($Node.CertificateUser, $secStringPassword)
PfxImport SSLcertificate
{
Ensure = 'Present'
Thumbprint = $Node.CertificateThumbPrint
Path = $Node.CertificatePath
Location = 'LocalMachine'
Exportable = $true
Store = 'My'
FriendlyName = $Node.CertificateFriendlyName
Credential = $certCred
}
script SSLcertificateRights
{
#always replace
TestScript = {
return $false
}
GetScript = { return "patate" }
SetScript = {
$rule = new-object security.accesscontrol.filesystemaccessrule $Using:Node.CertificateAdminUser, read, allow
$root = "c:\programdata\microsoft\crypto\rsa\machinekeys"
$l = ls Cert:"\LocalMachine\My"
$l = $l |? {$_.thumbprint -like $Using:Node.CertificateThumbPrint}
$l |% {
$keyname = $_.privatekey.cspkeycontainerinfo.uniquekeycontainername
$p = [io.path]::combine($root, $keyname)
if ([io.file]::exists($p))
{
$acl = get-acl -path $p
$acl.addaccessrule($rule)
echo $p
set-acl $p $acl
}
}
}
DependsOn = '[PfxImport]SSLcertificate'
}