1

我正在使用 Windows Chef 食谱https://supermarket.chef.io/cookbooks/windows/versions/5.0.0#readme

创建和绑定 ssl。

首先我试过:

# Create/update certificate
windows_certificate "create cert" do
    source "c://hn/ssl/cert.pfx"
    pfx_password  {cert_pass}
    store_name "WEBHOSTING"
    action :create
end

# Bind certificate
windows_certificate_binding "bind to IIS" do
    action :create
    cert_name "{my_ssl_hash_number}"
    name_kind :hash
    port 443
    store_name "WEBHOSTING"
end

我得到以下错误:

STDOUT:SSL 证书添加失败,错误:1312 指定的登录会话不存在。它可能已经被终止。

我做了一些研究,看起来我导入的证书不可导出,需要授予私钥访问权限,参考来自: SSL Certificate add failed when binding to port

下面是我的第二次尝试:

# Create/update certificate
windows_certificate "create cert" do
    source "c://hn/ssl/cert.pfx"
    pfx_password  {cert_pass}
    store_name "WEBHOSTING"
    private_key_acl ["IIS_IUSRS"]
    action [:create, :acl_add]
end 

# Bind certificate
windows_certificate_binding "bind to IIS" do
    action :create
    cert_name "{my_ssl_hash_number}"
    name_kind :hash
    port 443
    store_name "WEBHOSTING"
end

但是,我仍然收到错误:

STDOUT:STDERR:C:\Users\Administrator\AppData\Local\Temp\chef-script20180823-492-10cuvyo.ps1:不存在私钥。

谁能帮我吗?如何正确导入 ssl 并绑定到 IIS?提前致谢。

4

2 回答 2

0

下面的代码厨师食谱我用来绑定 ssl 证书和 https 端口。我还注意如果添加了新证书,那么应该添加它。

hostname = node['hostname']
hostnamelike = 'CN=' + node['hostname'].to_s + '*'
powershell_script 'find ssl certificate  on local machine root and assign certificate' do
  code <<-EOH
  $iisSite='your site name'
  $hostname="#{hostname}"
  $hostnamelike="#{hostnamelike}"
  $protocol='https'
  $port=443
  Get-WebBinding -Port $port -Name $iissite | Remove-WebBinding
  $guid_value = [GUID]::NewGUID().ToString('B')
  $thumbprint = (Get-ChildItem cert:\\LocalMachine\\my | where-object { $_.Subject -like $hostnamelike  } | Select-Object -First 1).Thumbprint
  New-WebBinding -Name $iissite -IP "*" -Port $port -Protocol https
  netsh http show sslcert ipport=0.0.0.0:$port
  if ($LASTEXITCODE -eq 1) {
  netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
  }
  else {
  netsh http delete sslcert ipport=0.0.0.0:$port
  netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
  }
  EOH
end
于 2020-09-25T06:10:05.710 回答
-2

我的替代解决方案是使用 powershell 脚本添加 SSL 证书,而不是使用 windows 食谱

于 2019-02-13T19:12:37.847 回答