Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xWebsite: finds certificates with no private key to bind to SSL. Doesn't choose a cert with most available time. #578

Closed
ThomasHughesIV opened this issue Jul 2, 2020 · 4 comments · Fixed by #633
Closed

xWebsite: finds certificates with no private key to bind to SSL. Doesn't choose a cert with most available time. #578

ThomasHughesIV opened this issue Jul 2, 2020 · 4 comments · Fixed by #633
Labels
bug The issue is a bug.

Comments

@ThomasHughesIV
Copy link

ThomasHughesIV commented Jul 2, 2020
edited
Loading

Details of the scenario you tried and the problem that is occurring

Using xWebSite to deploy SSL certificates using a subject name. When multiple certificates exist with the same subject name, xwebsite chooses one at random, not one with the most useable time. When multiple certificates exist with the same subject name, and one doesn't have a private key, the code may pick that cert and attempt to bind it to SSL, causing an error.

Verbose logs showing the problem

NA to share for security reasons

Suggested solution to the issue

Replace line 1476 with:
$Certificate = Find-Certificate @FindCertificateSplat | Where-Object {$_.HasPrivateKey -eq $true} | Sort-Object -Property NotAfter -Descending | Select-Object -First 1

The DSC configuration that is used to reproduce the issue (as detailed as possible)

        xWebSite BindCert {
            Ensure = 'Present'
            Name = 'Default Web Site'
            BindingInfo     = @(
                MSFT_xWebBindingInformation
                {
                    Protocol              = 'HTTPS'
                    Port                  = 443
                    CertificateSubject    = 'CN=DuplicateSubject'
                    CertificateStoreName  = 'MY'
                }
            )
        }

The operating system the target node is running

Version and build of PowerShell the target node is running

Version of the DSC module that was used

3.1.1.1
ThomasHughesIV added a commit to ThomasHughesIV/xWebAdministration that referenced this issue Jul 2, 2020
@ThomasHughesIV
dsccommunity#578 Updated changelog
e772127
@johlju johlju added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Jul 5, 2020
@Joe-Rennert
Copy link
Contributor

We're experiencing this issue and hoping for a fix. I see PR #579 was created, but has not seen any movement in a while. Has it been abandoned? Can I help in anyway?

@johlju
Copy link
Member

johlju commented May 21, 2024

Yes it has been abandoned. I would need a unit test that validate the change. @Joe-Rennert if you have time then I suggest sending in a new PR with the change plus a unit test.

@ThomasHughesIV
Copy link
Author

ThomasHughesIV commented May 21, 2024 via email

@johlju
Copy link
Member

johlju commented May 21, 2024

No worries @ThomasHughesIV. Hopefully another contributor continue the work. 🙂

Joe-Rennert added a commit to Joe-Rennert/WebAdministrationDsc that referenced this issue May 22, 2024
@Joe-Rennert
Fix dsccommunity#578 - xWebSite: Choose cert with greatest validity
cf597f9
Joe-Rennert added a commit to Joe-Rennert/WebAdministrationDsc that referenced this issue May 22, 2024
@Joe-Rennert
Fix dsccommunity#578 - Update Changelog
3af12b0
Joe-Rennert added a commit to Joe-Rennert/WebAdministrationDsc that referenced this issue May 22, 2024
@Joe-Rennert
Fix dsccommunity#578 - Update unit tests
8f4cf7b
@Joe-Rennert Joe-Rennert mentioned this issue May 22, 2024
Merged
9 tasks
@johlju johlju removed the help wanted The issue is up for grabs for anyone in the community. label May 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug The issue is a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Website: Choosing certificate with longest remaining validity Joe-Rennert/WebAdministrationDsc
3 participants
@johlju @ThomasHughesIV @Joe-Rennert