From 0d3167cd068202f49776663aaaf1c0a262ea2ff5 Mon Sep 17 00:00:00 2001
From: Topher Cullen
Date: Thu, 13 Apr 2017 20:21:19 +0000
Subject: [PATCH 1/3] Verify windows password is part of the provided options
WinRM config data is passed in the user data to the AWS api. Part of this includes an optional winrm user creation. The user can only be created if a password is passed to the gem. it cannot wait for the password from AWS, as this is only available after the user data is paased and the server created
Signed-off-by: Topher Cullen
---
 lib/chef/knife/ec2_server_create.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/chef/knife/ec2_server_create.rb b/lib/chef/knife/ec2_server_create.rb
index 343ea99a..8b795c3f 100644
--- a/lib/chef/knife/ec2_server_create.rb
+++ b/lib/chef/knife/ec2_server_create.rb
@@ -1011,7 +1011,7 @@ def eip_scope
 def ssl_config_user_data
 user_related_commands = ""
 winrm_user = locate_config_value(:winrm_user).split("\\")
- if (winrm_user[0] == ".") || (winrm_user[0] == "") ||(winrm_user.length == 1)
+ if (winrm_user[0] == ".") || (winrm_user[0] == "") ||(winrm_user.length == 1) && locate_config_value(:winrm_password)
 user_related_commands = <<-EOH
 net user /add #{locate_config_value(:winrm_user).delete('.\\')} #{windows_password} #{@allow_long_password};
 net localgroup Administrators /add #{locate_config_value(:winrm_user).delete('.\\')};
From 8eec16848218e5e9d9f1167f3d5df2370ddb0c1b Mon Sep 17 00:00:00 2001
From: Topher Cullen
Date: Wed, 26 Apr 2017 05:45:06 +0000
Subject: [PATCH 2/3] Change Wirm cert to 10 year expiry
Signed-off-by: Topher Cullen
---
 lib/chef/knife/ec2_server_create.rb | 30 ++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/lib/chef/knife/ec2_server_create.rb b/lib/chef/knife/ec2_server_create.rb
index 8b795c3f..c7d21809 100644
--- a/lib/chef/knife/ec2_server_create.rb
+++ b/lib/chef/knife/ec2_server_create.rb
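Review bot: The `&& locate_config_value(:winrm_password)` appended to the `if` on the added line only guards the `(winrm_user.length == 1)` alternative, because `&&` binds tighter than `||` in Ruby, so a user written as `.\name` or `\name` still reaches the `net user /add` branch with no password check; parenthesize the three alternatives: `if ((winrm_user[0] == ".") || (winrm_user[0] == "") || (winrm_user.length == 1)) && locate_config_value(:winrm_password)`. The heredoc and the rest of `ssl_config_user_data` continue outside the hunk, so what happens when the guard is false (presumably no local user is created, as the commit message implies) is not visible here and should be confirmed. It is also worth a comment above the `net user` line that `#{windows_password}` is interpolated into the EC2 user-data script, which, as far as the standard EC2 metadata service goes, any local process on the instance can read back, so the account should be treated as bootstrap-only or have its password rotated once the node is converged.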
@@ -1029,7 +1029,35 @@ def ssl_config_user_data
 If (-Not $vm_name) {
 $vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/local-ipv4
 }
-New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
+
+$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
+$name.Encode("CN=$vm_name", 0)
+$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
+$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+$key.KeySpec = 1
+$key.Length = 2048
+$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
+$key.MachineContext = 1
+$key.Create()
+$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
+$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
+$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
+$ekuoids.add($serverauthoid)
+$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
+$ekuext.InitializeEncode($ekuoids)
+$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
+$cert.InitializeFromPrivateKey(2, $key, "")
+$cert.Subject = $name
+$cert.Issuer = $cert.Subject
+$cert.NotBefore = get-date
+$cert.NotAfter = $cert.NotBefore.AddYears(10)
+$cert.X509Extensions.Add($ekuext)
+$cert.Encode()
+$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
+$enrollment.InitializeFromRequest($cert)
+$certdata = $enrollment.CreateRequest(0)
+$enrollment.InstallResponse(2, $certdata, 0, "")
+
 $thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
 $create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
 iex $create_listener_cmd
From 62bc5f0e3c2f6c3afa8694f10dddf2ab4caef645 Mon Sep 17 00:00:00 2001
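Review bot: The COM-based request only encodes `CN=$vm_name` plus an Enhanced Key Usage extension and adds no Subject Alternative Name, whereas the removed `New-SelfSignedCertificate -dnsname $vm_name` also placed the name in a SAN; a WinRM client that validates the listener certificate by SAN rather than CN may reject the new certificate, so this should be checked against the clients knife-ec2 supports before the change is kept. The ten-year `AddYears(10)` lifetime also means the listener key is never rotated for the life of the instance, which deserves a why-comment on that line, e.g. `# 10-year validity so the HTTPS listener outlives the cmdlet's 1-year default; the key is never re-enrolled`. `$key.SecurityDescriptor` appears to grant SYSTEM and Administrators full control and NETWORK SERVICE read access, which is what an SChannel listener key needs, but a one-line comment naming the three SIDs would save the next reader from decoding SDDL. The enclosing `ssl_config_user_data` heredoc continues outside the hunk.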
From: Topher Cullen
Date: Wed, 26 Apr 2017 05:56:29 +0000
Subject: [PATCH 3/3] Revert "Change Wirm cert to 10 year expiry"
This reverts commit 8eec16848218e5e9d9f1167f3d5df2370ddb0c1b.
Signed-off-by: Topher Cullen
---
 lib/chef/knife/ec2_server_create.rb | 30 +----------------------------
 1 file changed, 1 insertion(+), 29 deletions(-)
diff --git a/lib/chef/knife/ec2_server_create.rb b/lib/chef/knife/ec2_server_create.rb
index c7d21809..8b795c3f 100644
--- a/lib/chef/knife/ec2_server_create.rb
+++ b/lib/chef/knife/ec2_server_create.rb
@@ -1029,35 +1029,7 @@ def ssl_config_user_data
 If (-Not $vm_name) {
 $vm_name = invoke-restmethod -uri http://169.254.169.254/latest/meta-data/local-ipv4
 }
-
-$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
-$name.Encode("CN=$vm_name", 0)
-$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
-$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
-$key.KeySpec = 1
-$key.Length = 2048
-$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
-$key.MachineContext = 1
-$key.Create()
-$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
-$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
-$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
-$ekuoids.add($serverauthoid)
-$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
-$ekuext.InitializeEncode($ekuoids)
-$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
-$cert.InitializeFromPrivateKey(2, $key, "")
-$cert.Subject = $name
-$cert.Issuer = $cert.Subject
-$cert.NotBefore = get-date
-$cert.NotAfter = $cert.NotBefore.AddYears(10)
-$cert.X509Extensions.Add($ekuext)
-$cert.Encode()
-$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
-$enrollment.InitializeFromRequest($cert)
-$certdata = $enrollment.CreateRequest(0)
-$enrollment.InstallResponse(2, $certdata, 0, "")
-
+New-SelfSignedCertificate -certstorelocation cert:\\localmachine\\my -dnsname $vm_name
 $thumbprint = (Get-ChildItem -Path cert:\\localmachine\\my | Where-Object {$_.Subject -match "$vm_name"}).Thumbprint;
 $create_listener_cmd = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=`"$vm_name`";CertificateThumbprint=`"$thumbprint`"}'"
 iex $create_listener_cmd
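Review bot: The restored `New-SelfSignedCertificate` line carries no `-NotAfter`, so the listener certificate gets the cmdlet's default one-year validity and the thumbprint bound into the HTTPS listener below stops validating after that unless something re-enrols; if a longer lifetime is still the goal, `-NotAfter (Get-Date).AddYears(n)` is, as far as I recall, accepted on Windows Server 2016 / Windows 10 and later but not on 2012 R2, which is presumably why the COM route was attempted. That constraint should be recorded on the restored line, e.g. `# default 1-year validity; -NotAfter is only available on Server 2016+ (see reverted 8eec168)`. Separately, the unchanged `Where-Object {$_.Subject -match "$vm_name"}` lookup is an unanchored regex match, so if this user-data script ever runs twice the store holds two matching certificates, `.Thumbprint` becomes an array, and the `winrm create` that follows gets a malformed thumbprint. The enclosing `ssl_config_user_data` method continues outside the hunk.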