Windows Chef to add ssl certificate and bind to IIS

Question

I am using Windows Chef cookbook https://supermarket.chef.io/cookbooks/windows/versions/5.0.0#readme

to create and bind ssl.

First I tried:

# Create/update certificate
windows_certificate "create cert" do
    source "c://hn/ssl/cert.pfx"
    pfx_password  {cert_pass}
    store_name "WEBHOSTING"
    action :create
end

# Bind certificate
windows_certificate_binding "bind to IIS" do
    action :create
    cert_name "{my_ssl_hash_number}"
    name_kind :hash
    port 443
    store_name "WEBHOSTING"
end

And I'm getting below error:

STDOUT: SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.

And I did some research, looks like the cert I imported is not exportable, need to grant private key access, reference from: SSL Certificate add failed when binding to port

And below is my second attempt:

# Create/update certificate
windows_certificate "create cert" do
    source "c://hn/ssl/cert.pfx"
    pfx_password  {cert_pass}
    store_name "WEBHOSTING"
    private_key_acl ["IIS_IUSRS"]
    action [:create, :acl_add]
end 

# Bind certificate
windows_certificate_binding "bind to IIS" do
    action :create
    cert_name "{my_ssl_hash_number}"
    name_kind :hash
    port 443
    store_name "WEBHOSTING"
end

However, I'm still getting error:

STDOUT: STDERR: C:\Users\Administrator\AppData\Local\Temp\chef-script20180823-492-10cuvyo.ps1 : no private key exists.

Can anyone help me out? How can I correctly import the ssl and bind to the IIS? Thanks in advance.

score 0 · Answer 1 · answered Sep 25 '20 at 06:10

Below code chef recipe i have used to bind ssl certificate and https port.I have also take care if new certificate get added then it should be added.

hostname = node['hostname']
hostnamelike = 'CN=' + node['hostname'].to_s + '*'
powershell_script 'find ssl certificate  on local machine root and assign certificate' do
  code <<-EOH
  $iisSite='your site name'
  $hostname="#{hostname}"
  $hostnamelike="#{hostnamelike}"
  $protocol='https'
  $port=443
  Get-WebBinding -Port $port -Name $iissite | Remove-WebBinding
  $guid_value = [GUID]::NewGUID().ToString('B')
  $thumbprint = (Get-ChildItem cert:\\LocalMachine\\my | where-object { $_.Subject -like $hostnamelike  } | Select-Object -First 1).Thumbprint
  New-WebBinding -Name $iissite -IP "*" -Port $port -Protocol https
  netsh http show sslcert ipport=0.0.0.0:$port
  if ($LASTEXITCODE -eq 1) {
  netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
  }
  else {
  netsh http delete sslcert ipport=0.0.0.0:$port
  netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
  }
  EOH
end

score -2 · Accepted Answer · answered Feb 13 '19 at 19:12

-2

The alternative solution for me is to use powershell script to add the SSL certificate instead of using the windows cookbook

answered Feb 13 '19 at 19:12

Minwu Yu

311
1
6
24

Windows Chef to add ssl certificate and bind to IIS

2 Answers2