Windows Chef to add SSL certificate and bind to IIS
I am using the windows Chef cookbook https://supermarket.chef.io/cookbooks/windows/versions/5.0.0#readme to create and bind the SSL certificate.

First I tried:
    # Create/update certificate
    windows_certificate "create cert" do
      source "c://hn/ssl/cert.pfx"
      pfx_password cert_pass              # placeholder: the PFX password (redacted in the question)
      store_name "WEBHOSTING"
      action :create
    end

    # Bind certificate
    windows_certificate_binding "bind to IIS" do
      action :create
      cert_name "{my_ssl_hash_number}"    # placeholder: the certificate thumbprint (redacted in the question)
      name_kind :hash
      port 443
      store_name "WEBHOSTING"
    end
I got the following error:

    STDOUT: SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.

Then I did some research, and it looked like the certificate I imported was not exportable and needed to be granted private key access; reference: SSL Certificate add failed when binding to port

Below is my second attempt:
    # Create/update certificate
    windows_certificate "create cert" do
      source "c://hn/ssl/cert.pfx"
      pfx_password cert_pass              # placeholder: the PFX password (redacted in the question)
      store_name "WEBHOSTING"
      private_key_acl ["IIS_IUSRS"]       # grant the IIS identity access to the private key
      action [:create, :acl_add]
    end

    # Bind certificate
    windows_certificate_binding "bind to IIS" do
      action :create
      cert_name "{my_ssl_hash_number}"    # placeholder: the certificate thumbprint (redacted in the question)
      name_kind :hash
      port 443
      store_name "WEBHOSTING"
    end
However, I still get an error:

    STDOUT:
    STDERR: C:\Users\Administrator\AppData\Local\Temp\chef-script20180823-492-10cuvyo.ps1 : no private key exists.

Can anyone help me? How do I correctly import the SSL certificate and bind it to IIS? Thanks in advance.
My alternative solution is to use a powershell script to add the SSL certificate instead of using the windows cookbook.

Below is the Chef cookbook code I have used to bind the SSL certificate and the https port. I also took care that if a new certificate is added, it gets added too.
    hostname = node['hostname']
    hostnamelike = 'CN=' + node['hostname'].to_s + '*'

    powershell_script 'find ssl certificate on local machine root and assign certificate' do
      code <<-EOH
        $iisSite='your site name'
        $hostname="#{hostname}"
        $hostnamelike="#{hostnamelike}"
        $protocol='https'
        $port=443
        # Drop the existing binding on the port so it can be recreated below
        Get-WebBinding -Port $port -Name $iisSite | Remove-WebBinding
        $guid_value = [GUID]::NewGUID().ToString('B')
        # Pick the first LocalMachine\\My certificate whose subject starts with CN=<hostname>
        # (backslashes are doubled because this is a Ruby heredoc, which would otherwise drop them)
        $thumbprint = (Get-ChildItem cert:\\LocalMachine\\my | where-object { $_.Subject -like $hostnamelike } | Select-Object -First 1).Thumbprint
        New-WebBinding -Name $iisSite -IP "*" -Port $port -Protocol https
        # netsh exits 1 when no SSL binding exists on the port yet
        netsh http show sslcert ipport=0.0.0.0:$port
        if ($LASTEXITCODE -eq 1) {
          netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
        }
        else {
          # Replace the existing binding so a newly added certificate takes effect
          netsh http delete sslcert ipport=0.0.0.0:$port
          netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
        }
      EOH
    end
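A fuller version of the same procedure, as an added example that is not code from the question, the answer, or the windows cookbook: it imports the PFX into the machine store, checks that a private key is actually present (the condition behind both errors in the question), grants the IIS identity read access to the key file on disk, and then creates the IIS and HTTP.SYS bindings the way the answer does. The PFX path, the CERT_PASS environment variable, the site name 'Default Web Site', the IIS_IUSRS group and the RSA key type are all assumptions.

```powershell
# Added example, not from the question, the answer or the windows cookbook.
# Assumptions (placeholders): PFX at C:\hn\ssl\cert.pfx, its password supplied
# out of band in the environment variable CERT_PASS, an IIS site named
# 'Default Web Site', an RSA key, and IIS_IUSRS as the principal that must be
# able to read the private key.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$pfxPath   = 'C:\hn\ssl\cert.pfx'       # placeholder path
$siteName  = 'Default Web Site'          # assumed site name
$port      = 443
$keyReader = 'IIS_IUSRS'                 # group that needs read access to the key
$storePath = 'Cert:\LocalMachine\My'     # netsh's certstorename=MY is this store

if (-not (Test-Path Env:CERT_PASS)) { throw 'CERT_PASS is not set; refusing to prompt or hard-code a PFX password.' }

# 1. Import into the LocalMachine store so the key lands in the machine key set.
#    Error 1312 from "netsh http add sslcert" is the usual symptom when HTTP.SYS
#    cannot reach a private key, e.g. one imported into a user profile instead.
#    Omitting -Exportable keeps the key non-exportable; IIS can still use it.
$securePass = ConvertTo-SecureString -String $env:CERT_PASS -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $storePath -Password $securePass

# 2. Refuse to continue without a private key; a public certificate cannot be bound.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# 3. Locate the key container on disk (CNG keys under Crypto\Keys, legacy CAPI
#    keys under Crypto\RSA\MachineKeys) and grant the IIS identity Read only.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Only RSA keys are handled in this example.' }
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container $keyName not found under ProgramData\Microsoft\Crypto." }

$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($keyReader, 'Read', 'Allow')
$acl.AddAccessRule($rule)   # Read, not FullControl: the app pool uses the key, it does not manage it
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 4. IIS binding: replace any existing https binding on the port instead of
#    stacking duplicates.
$existing = Get-WebBinding -Name $siteName -Protocol https -Port $port -ErrorAction SilentlyContinue
if ($existing) { $existing | Remove-WebBinding }
New-WebBinding -Name $siteName -IP '*' -Port $port -Protocol https

# 5. HTTP.SYS SSL binding. netsh exits non-zero when no binding exists on the
#    port, so probe first, then delete and re-add so a renewed certificate wins.
$ipport = "0.0.0.0:$port"
$thumb  = $cert.Thumbprint   # assign first: "certhash=$cert.Thumbprint" would not expand the property
$appId  = [guid]::NewGuid().ToString('B')
netsh http show sslcert ipport=$ipport | Out-Null
if ($LASTEXITCODE -eq 0) {
    netsh http delete sslcert ipport=$ipport | Out-Null
}
netsh http add sslcert ipport=$ipport certhash=$thumb appid=$appId certstorename=MY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# 6. Show what is now bound so the thumbprint can be verified after the run.
netsh http show sslcert ipport=$ipport
```

Compared with the answer's script, this version fails loudly at the step that actually went wrong in the question (no private key, or a key the IIS identity cannot read) instead of reaching netsh with a certificate it cannot use, and it keeps the PFX password out of the recipe text.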