Utilizing win_iis_webbinding to update IIS certs


John Martin

Nov 14, 2017, 6:04:30 PM
to Ansible Project
Hello,

I'm new to Ansible and have been giving it some attention in my test environment to see how feasible it is to utilize in production... Mainly to provision/configure/manage 30 or so Windows web-servers.

I was able to copy and install my cert and bind it to my site with win_iis_webbinding; however, testing if I need to update the cert for whatever reason, I upload a new cert, change the certificate_hash, and nothing happens. The old cert is still in play. It's my understanding from looking around on other sites that the certificate_hash isn't inspected when reviewing pending changes on a playbook play regarding this module, so I'm curious if there's a way to accomplish updating the cert if the certificate_hash is different.

I attempted to run a play in the playbook to mark the port binding as absent before setting the new thumbprint in the certificate_hash, but received an error stating that it "Cannot create a file when that file already exists." 
Digging deeper, I found that if I remove the play below that adds the SSL binding for the new site, and only set the state of the binding to absent, then the SSL binding is removed. If I try to add the play below in with the new thumbprint, I get the error that the file already exists and the binding reappears with the original cert, not the new updated one. So regardless of what I define the certificate_hash as, the original hash always gets added.


Portion of Playbook:

#- name: Remove SSL Binding for newSite
#  win_iis_webbinding:
#    name: newSite
#    protocol: https
#    port: 443
#    state: absent

- name: Add SSL Binding for newSite
  win_iis_webbinding:
    name: newSite
    protocol: https
    port: 443
    certificate_hash: thumbprint (when changed, it gets skipped and never updates on IIS sites)
    state: present

Does anyone know of a way to update the cert on a site? Or would it just be best to explore options outside of the module to accomplish this task, such as running a win_shell command with an args, or something else along those lines...?

Thanks,

John
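An added example (not code from the thread or from the win_iis_webbinding module) of the win_shell fallback described above: a PowerShell script that compares the thumbprint currently bound to the site's https port with the desired one and only rebinds when they differ, so repeated runs are idempotent. Site name, port, IP address and thumbprint are parameters; the cmdlets used are the stock WebAdministration ones, and the `IIS:\SslBindings` path is where IIS keeps the IP:port to certificate mapping that win_iis_webbinding's certificate_hash is meant to manage.

```powershell
# Added example: idempotent replacement of the certificate behind one IIS https
# binding. Intended to be run from Ansible with win_shell; prints "ok:" or
# "changed:" so a changed_when condition can key off it.
param(
    [Parameter(Mandatory = $true)][string]$SiteName,     # e.g. newSite (hypothetical)
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # SHA-1 thumbprint of the new cert
    [int]$Port = 443,
    [string]$IPAddress = '0.0.0.0',                      # 0.0.0.0 = all unassigned
    [string]$StoreName = 'My'                            # LocalMachine\My
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Normalise the thumbprint: certmgr copy/paste often carries spaces or
# invisible characters, while IIS reports upper-case hex with no separators.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Thumbprint '$Thumbprint' is not a 40-character SHA-1 hex string"
}

# Refuse to proceed if the certificate is not actually in the machine store;
# otherwise IIS would keep serving the old certificate without any error.
$certPath = "Cert:\LocalMachine\$StoreName\$Thumbprint"
if (-not (Test-Path $certPath)) {
    throw "Certificate $Thumbprint not found in LocalMachine\$StoreName"
}
$cert = Get-Item $certPath

# Site-level binding (protocol/IP/port). win_iis_webbinding already creates
# this; it is recreated here only if missing.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress $IPAddress
}

# The SSL binding (IP:port -> certificate) is stored separately from the site.
$sslPath = "IIS:\SslBindings\$IPAddress!$Port"
$current = if (Test-Path $sslPath) { (Get-Item $sslPath).Thumbprint } else { $null }

if ($current -eq $Thumbprint) {
    Write-Output "ok: $SiteName port $Port already bound to $Thumbprint"
    exit 0
}

# Thumbprint differs (or nothing bound yet): replace the SSL binding.
if ($current) {
    Remove-Item $sslPath
}
New-Item $sslPath -Value $cert | Out-Null

Write-Output "changed: $SiteName port $Port rebound from '$current' to $Thumbprint"
```

From a playbook this would be called with win_shell (passing the thumbprint as a variable), the result registered, and changed_when set to test for the "changed:" prefix in stdout, which gives the task the same idempotent reporting a native module would.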

Jordan Borean

Nov 14, 2017, 8:12:21 PM
to Ansible Project
The win_iis_* modules are fairly old and have a few bugs associated with them. I started to rewrite them but haven't really been able to continue due to time commitments and the fact that DSC is probably better suited towards this task. My recommendation is to:

* Ensure PowerShell 5.0 is installed
* Install the xWebAdministration DSC resource using win_psmodule https://github.com/PowerShell/xWebAdministration or manually copy the files to the host (https://docs.ansible.com/ansible/devel/windows_dsc.html#custom-dsc-resources)
* Create a win_dsc task to modify a website's bindings using the xWebsite resource (https://docs.ansible.com/ansible/devel/windows_dsc.html#setup-iis-website)

The only requirements are that PS v5 is installed and that you are using the devel version of win_dsc. 2.4 does have that module, but to be able to supply a dict value the devel one has to be used. If you aren't using devel and are on a released version, you can create a new file from https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_dsc.ps1 and add that to the library path for Ansible so it is available to your roles. It is recommended to rename the file from win_dsc so you don't get confused when using a custom module vs an inbuilt one.


Thanks

Jordan

John Martin

Nov 15, 2017, 8:43:08 AM
to Ansible Project
This is great information. Thank you for your help. I will read into the links provided and see if I can work out a resolution with DSC.

John Martin

Nov 17, 2017, 6:38:10 PM
to Ansible Project
I was able to successfully import the module, naming it win_dsc_devel. I verified it with an ad hoc call, passing no parameters, confirming that Ansible sees the module. The problem I'm having, using the win_dsc example of the module to create an IIS website, is that I get errors when attempting to parse the information regarding binding to my machine.
---
- name: install xWebAdministration module
  win_psmodule:
    name: xWebAdministration
    state: present

- name: Create a new website
  win_dsc_devel:
    resource_name: xWebsite
    Name: newWebsite
    State: started
    PhysicalPath: C:\inetpub\wwwroot\newWebsite
    BindingInfo:
    - Protocol: https
      Port: 443
      CertificateStoreName: My
      CertificateThumbprint: MyThumbprint



If I comment out anything under the BindingInfo then the site is created fine. As soon as I try to pass binding info, it looks like I get the following error using win_dsc_devel:
 
fatal: [HostIPAddress]: FAILED! => {"changed": false, "failed": true, "module_version": "1.19.0.0", "msg": "Undefined class: CimInstance\r\n At line:7, char:2\r\n Buffer:\r\n  Protocol = \"https\";\n};^\n\ninsta\r\n", "reboot_required": false}

It appears as if anything getting passed to BindingInfo throws errors, whether using win_dsc_devel or the builtin win_dsc that was shipped with ansible core. 

I created a new Ansible server to test, reinstalled Ansible 2.4.1.0 with pip and attempted to execute the Create New Website play in the example, keeping everything default and using the builtin win_dsc_devel, ensuring all directories exist on my server, only running the BindingInfo for the http 8080 port, and it failed to execute.

---
- name: install xWebAdministration module
  win_psmodule:
    name: xWebAdministration
    state: present

- name: install IIS features that are required
  win_dsc:
    resource_name: WindowsFeature
    Name: '{{item}}'
    Ensure: Present
  with_items:
  - Web-Server
  - Web-Asp-Net45

- name: create new website
  win_dsc:
    resource_name: xWebsite
    Name: NewIISSite
    State: Started
    PhysicalPath: C:\inetpub\wwwroot\
    BindingInfo:
    - Protocol: http
      Port: 8080


fatal: [HostIPAddress]: FAILED! => {
    "BindingInfo": [
        {
            "Port": 8080,
            "Protocol": "http"
        }
    ],
    "Name": "NewIISSite",
    "PhysicalPath": "C:\\inetpub\\wwwroot\\",
    "State": "Started",
    "attributes": [
        {
            "Key": "Name",
            "Name": "Name",
            "Value": "NewIISSite"
        },
        {
            "Key": "BindingInfo",
            "Name": "BindingInfo",
            "Value": [
                {
                    "Port": 8080,
                    "Protocol": "http"
                }
            ]
        },
        {
            "Key": "PhysicalPath",
            "Name": "PhysicalPath",
            "Value": "C:\\inetpub\\wwwroot\\"
        },
        {
            "Key": "State",
            "Name": "State",
            "Value": "Started"
        }
    ],
    "changed": false,
    "dsc_attributes": {
        "BindingInfo": [
            {
                "Port": 8080,
                "Protocol": "http"
            }
        ],
        "Name": "NewIISSite",
        "PhysicalPath": "C:\\inetpub\\wwwroot\\",
        "State": "Started"
    },
    "failed": true,
    "module_version": "1.19.0.0",
    "msg": "Failed to serialize properties into CimInstance.",
    "reboot_required": null,
    "resource_name": "xWebsite"
}


I tried multiple combinations of BindingInfo with my cert, without my cert, etc. 

Attempting to reimport the linked win_dsc as win_dsc_devel kicks back the following error:

fatal: [HostIPAddress]: FAILED! => {"changed": false, "failed": true, "module_version": "1.19.0.0", "msg": "Undefined class: CimInstance\r\n At line:5, char:2\r\n Buffer:\r\ntp\";\n    Port = 8080;\n};^\n\ninsta\r\n", "reboot_required": false}


The example from the website fails to run either, still flagging an error on BindingInfo parameters.

Overall, I see the potential for utilizing win_dsc, but I haven't had success with BindingInfo in its entirety, using either the stock win_dsc or the imported win_dsc_devel. If you have any other ideas, let me know.

Thanks!

John


On Tuesday, November 14, 2017 at 8:12:21 PM UTC-5, Jordan Borean wrote:

Jordan Borean

Nov 17, 2017, 8:25:43 PM
to Ansible Project
That's weird, I was able to get this task working in an optional integration test when developing these changes here https://github.com/ansible/ansible/blob/devel/test/integration/targets/win_dsc/tasks/destructive.yml#L62. Are you able to open a GitHub issue about this and I'll try and look into it.

Igor Turovsky

Mar 19, 2019, 8:57:51 AM
to Ansible Project
Hello, 


Sorry for replying to a very old thread, but I see exactly the same issue with xWebsite.

Did you find the cause for it? 

Thank you,
- Igor

On Saturday, November 18, 2017 at 4:25:43 AM UTC+3, Jordan Borean wrote: