
[xDscWebService] not in desired state when AcceptSelfSignedCertificates Parameter is not used #768

Open
ChristophHannappel opened this issue Mar 11, 2024 · 1 comment
Labels
bug The issue is a bug. good first issue The issue should be easier to fix and can be taken up by a beginner to learn to contribute on GitHub help wanted The issue is up for grabs for anyone in the community.

ChristophHannappel commented Mar 11, 2024

Problem description

If you create a Pullserver and do not set the AcceptSelfSignedCertificates parameter, the Set-TargetResource will set it to $true

        [Parameter()]
        [System.Boolean]
        $AcceptSelfSignedCertificates = $true,

But the Test-TargetResource will set it to $false

        [Parameter()]
        [System.Boolean]
        $AcceptSelfSignedCertificates,

Because of that, the Test-DscConfiguration command will report the resource as not in desired state.

Verbose logs

Invoke-DscResource -Name xDscWebService -Method test -Property @{
    Ensure                   = 'Present'
    EndpointName             = 'PSDSCPullServer'
    ApplicationPoolName      = 'PSDSCPullServer'
    Port                     = 443
    PhysicalPath             = "E:\inetpub\wwwroot\PSDSCPullServer"
    CertificateThumbPrint    = 'CertificateThumbprint'
    ModulePath               = "E:\PSDSCPullServer\Modules"
    ConfigurationPath        = "E:\PSDSCPullServer\Configuration"
    State                    = 'Started'
    RegistrationKeyPath      = "E:\PSDSCPullServer\"
    DatabasePath             = "E:\PSDSCPullServer\Database"
    UseSecurityBestPractices = $false
    ConfigureFirewall        = $false
    } -Verbose -ModuleName xPSDesiredStateConfiguration
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourcetest,'className' = MSFT_DSCLocalConf
igurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer COMPUTERNAME with user sid S-MY-SID.
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Test     ]  [[xDSCWebService]DirectResourceAccess]
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check Ensure.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check Port.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check Application Pool.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check Binding.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Checking firewall rule settings.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check Physical Path property.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check State.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Get Full Path for Web.config file.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check DatabasePath.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check ModulePath.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check ConfigurationPath.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check RegistrationKeyPath.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Check AcceptSelfSignedCertificates.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] AcceptSelfSignedCertificates is disabled. Ch
ecking if module Selfsigned IIS module is NOT configured for web site at 'E:\inetpub\wwwroot\PSDSCPullServer\web.config'.
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Test-IISSelfSignedModuleEnabled: EndpointNam
e 'PSDSCPullServer'
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Test-IISSelfSignedModuleEnabled: web.confg p
ath 'E:\inetpub\wwwroot\PSDSCPullServer\web.config'
VERBOSE: [COMPUTERNAME]:                            [[xDSCWebService]DirectResourceAccess] Module present in web site. Current configur
ation does not match the desired state.
VERBOSE: [COMPUTERNAME]: LCM:  [ End    Test     ]  [[xDSCWebService]DirectResourceAccess] False in 0.3150 seconds.
VERBOSE: [COMPUTERNAME]: LCM:  [ End    Set      ]    in  0.8740 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

InDesiredState 
-------------- 
False          
VERBOSE: Time taken for configuration job to complete is 0.96 seconds

DSC configuration

xDscWebService PSDSCPullServer {
            Ensure                       = 'Present'
            EndpointName                 = 'PSDSCPullServer'
            ApplicationPoolName          = 'PSDSCPullServer'
            Port                         = 443
            PhysicalPath                 = "E:\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint        = 'CertificateThumbprint'
            ModulePath                   = "E:\PSDSCPullServer\Modules"
            ConfigurationPath            = "E:\PSDSCPullServer\Configuration"
            State                        = 'Started'
            RegistrationKeyPath          = "E:\PSDSCPullServer\"
            DatabasePath                 = "E:\PSDSCPullServer\Database"
            AcceptSelfSignedCertificates = $true
            UseSecurityBestPractices     = $false
            ConfigureFirewall            = $false
}

Suggested solution

Set the Parameter default value to the same value.

Operating system the target node is running

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

Name                           Value                                                                                                
----                           -----                                                                                                
PSVersion                      5.1.20348.2227                                                                                       
PSEdition                      Desktop                                                                                              
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                              
BuildVersion                   10.0.20348.2227                                                                                      
CLRVersion                     4.0.30319.42000                                                                                      
WSManStackVersion              3.0                                                                                                  
PSRemotingProtocolVersion      2.3                                                                                                  
SerializationVersion           1.1.0.1

xPSDesiredStateConfiguration version

Name                         Version Path                                                                                           
----                         ------- ----                                                                                           
xPSDesiredStateConfiguration 9.1.0   C:\Program Files\WindowsPowerShell\Modules\xPSDesiredStateConfiguration\9.1.0\xPSDesiredStat...
@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. good first issue The issue should be easier to fix and can be taken up by a beginner to learn to contribute on GitHub labels Mar 16, 2024
Member

johlju commented Mar 16, 2024

I think this needs to be changed.

$true should be removed from this line

Then this code should only run if $PSBoundParameters.ContainsKey('AcceptSelfSignedCertificates'):

if ($AcceptSelfSignedCertificates)
{
    Write-Verbose -Message ($script:localizedData.EnableAcceptSelfSignedCertificates -f $EndpointName)
    Enable-IISSelfSignedModule -EndpointName $EndpointName -Enable32BitAppOnWin64:$Enable32BitAppOnWin64
}
else
{
    Write-Verbose -Message ($script:localizedData.DisableAcceptSelfSignedCertificates -f $EndpointName)
    Disable-IISSelfSignedModule -EndpointName $EndpointName
}

Same here, this code should only run if $PSBoundParameters.ContainsKey('AcceptSelfSignedCertificates'):

if ($AcceptSelfSignedCertificates)
{
    Write-Verbose -Message ($script:localizedData.AcceptSelfSignedCertificatesEnabled -f $webConfigFullPath)
    if (Test-IISSelfSignedModuleInstalled)
    {
        if (Test-IISSelfSignedModuleEnabled -EndpointName $EndpointName)
        {
            Write-Verbose -Message ($script:localizedData.PullServerWebSiteModuleEnabledAndShouldBe -f $EndpointName)
        }
        else
        {
            Write-Verbose -Message ($script:localizedData.PullServerWebSiteModuleNotEnabledButShouldBe -f $EndpointName)
            $desiredConfigurationMatch = $false
            break
        }
    }
    else
    {
        Write-Verbose -Message $script:localizedData.IisSelfSignedModuleNotInstalledButShouldBe
        $desiredConfigurationMatch = $false
    }
}
else
{
    Write-Verbose -Message ($script:localizedData.AcceptSelfSignedCertificatesDisabled -f $webConfigFullPath)
    if (Test-IISSelfSignedModuleInstalled)
    {
        if (Test-IISSelfSignedModuleEnabled -EndpointName $EndpointName)
        {
            Write-Verbose -Message ($script:localizedData.PullServerWebSiteModuleEnabledButShouldNotBe -f $EndpointName)
            $desiredConfigurationMatch = $false
            break
        }
        else
        {
            Write-Verbose -Message ($script:localizedData.PullServerWebSiteModuleNotEnabledAndShouldNotBe -f $EndpointName)
        }
    }
    else
    {
        Write-Verbose -Message $script:localizedData.IisSelfSignedModuleNotInstalledAndShouldNotBe
    }
}
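
The default mismatch reported in this issue and the `$PSBoundParameters.ContainsKey` guard proposed in the comment above, reduced to a stand-alone sketch. This is an added example, not code from xPSDesiredStateConfiguration: the `*-DemoResource*` functions and `$script:moduleEnabled` (standing in for the IIS self-signed module state in web.config) are hypothetical.

```powershell
# Added illustration; the function names and $script:moduleEnabled are hypothetical.
$script:moduleEnabled = $false

# Mirrors the current Set-TargetResource default ($true).
function Set-DemoResource
{
    param ([Parameter()] [System.Boolean] $AcceptSelfSignedCertificates = $true)
    $script:moduleEnabled = $AcceptSelfSignedCertificates
}

# Mirrors the current Test-TargetResource: no default, so an omitted value is $false.
function Test-DemoResource
{
    param ([Parameter()] [System.Boolean] $AcceptSelfSignedCertificates)
    return ($script:moduleEnabled -eq $AcceptSelfSignedCertificates)
}

# Guarded Set: no default, and the module state changes only when the caller bound the parameter.
function Set-DemoResourceGuarded
{
    param ([Parameter()] [System.Boolean] $AcceptSelfSignedCertificates)
    if ($PSBoundParameters.ContainsKey('AcceptSelfSignedCertificates'))
    {
        $script:moduleEnabled = $AcceptSelfSignedCertificates
    }
}

# Guarded Test: an unbound parameter means the property is not managed, so it never reports drift.
function Test-DemoResourceGuarded
{
    param ([Parameter()] [System.Boolean] $AcceptSelfSignedCertificates)
    if (-not $PSBoundParameters.ContainsKey('AcceptSelfSignedCertificates'))
    {
        return $true
    }
    return ($script:moduleEnabled -eq $AcceptSelfSignedCertificates)
}

Set-DemoResource                      # parameter omitted: the module is enabled anyway
"Current, parameter omitted : InDesiredState = $(Test-DemoResource)"

$script:moduleEnabled = $false
Set-DemoResourceGuarded               # parameter omitted: state is left untouched
"Guarded, parameter omitted : InDesiredState = $(Test-DemoResourceGuarded)"

Set-DemoResourceGuarded -AcceptSelfSignedCertificates $true
"Guarded, explicitly `$true  : InDesiredState = $(Test-DemoResourceGuarded -AcceptSelfSignedCertificates $true)"
```

With the guard in place, acceptance of self-signed certificates is switched on only when a configuration asks for it explicitly, and an omitted property no longer produces a false drift report.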
