windows 2016 winrm for HTTPS connection using packer


golden...@gmail.com

Jun 5, 2019, 3:49:28 PM
to Packer
Hi all -

Has anyone had any luck configuring winrm for HTTPS? I've tried multiple tweaks on the user-data script and still cannot get it to work.

I'm still in the process of confirming whether it's a packer issue or a configuration issue.

Any help would be appreciated. 

Best,
Andrew

Louis Mayorga

Jun 5, 2019, 3:50:42 PM
to Packer

golden...@gmail.com

Jun 5, 2019, 3:53:19 PM
to Packer
do you have examples of your bootstrap script and enable rdp script? 

Louis Mayorga

Jun 5, 2019, 3:57:34 PM
to Packer
<powershell>
# EC2 user data: runs once at first boot, before Packer attempts its first WinRM connection.
wmic UserAccount set PasswordExpires=False
net user Administrator <ADMIN_PASSWORD_HERE>
write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"

# Remove the default HTTP listener so that only HTTPS is offered
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Self-signed certificate for the listener; Packer has to be told to skip chain validation for it
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

# quickconfig starts the service and may create an HTTP listener again; check with "winrm enumerate winrm/config/listener"
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# AllowUnencrypted and Basic auth only matter for the HTTP transport; an HTTPS-only listener does not need them
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
# Re-apply port, hostname and certificate on the HTTPS listener after quickconfig
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Firewall: enable the remote administration group and open TCP 5986 ("netsh firewall" is the deprecated context; "netsh advfirewall" is the current one)
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
# Restart the service so the listener changes and the automatic start type take effect
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm

</powershell>
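
A check for the end state this user-data script is meant to produce, as an added example (not the poster's code): it reads the WSMan: drive, the machine certificate store and the firewall on the built instance and lists everything that differs from a working single HTTPS listener. Assumptions: port 5986 and the certificate DnsName "packer" as in the script; run it in an elevated PowerShell on the instance (for example over RDP) when Packer cannot connect.

```powershell
function Test-PackerWinRmHttps {
    # Assumed values, taken from the script above: listener port and certificate DnsName.
    param([int]$Port = 5986, [string]$CertDnsName = 'packer')
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # 1. Service: the script ends with 'sc config winrm start= auto' and 'net start winrm'.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
    if ($svc.State -ne 'Running')  { $problems.Add("WinRM service state is $($svc.State), not Running") }
    if ($svc.StartMode -ne 'Auto') { $problems.Add("WinRM start mode is $($svc.StartMode), not Auto") }

    # 2. Listeners: read every listener's properties from the WSMan: drive.
    $listeners = foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $p = @{}
        Get-ChildItem $l.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
        [pscustomobject]$p
    }
    $https = @($listeners | Where-Object Transport -eq 'HTTPS')
    $http  = @($listeners | Where-Object Transport -eq 'HTTP')
    if ($https.Count -ne 1) { $problems.Add("expected exactly 1 HTTPS listener, found $($https.Count)") }
    # The script removes the HTTP listener, but 'winrm quickconfig' runs afterwards and may put one back.
    if ($http.Count -gt 0)  { $problems.Add("HTTP listener on 5985 is present (recreated by quickconfig?)") }

    # 3. The HTTPS listener must reference a certificate that exists in LocalMachine\My and is still valid.
    foreach ($ls in $https) {
        if ([int]$ls.Port -ne $Port) { $problems.Add("HTTPS listener is on port $($ls.Port), not $Port") }
        $thumb = ($ls.CertificateThumbprint -replace '\s', '').ToUpper()   # WinRM may store it with spaces
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert)                              { $problems.Add("thumbprint $thumb not found in Cert:\LocalMachine\My") }
        elseif ($cert.NotAfter -lt (Get-Date))       { $problems.Add("certificate $thumb expired on $($cert.NotAfter)") }
        elseif ($cert.Subject -ne "CN=$CertDnsName") { $problems.Add("certificate subject is $($cert.Subject), not CN=$CertDnsName") }
    }

    # 4. Firewall: an enabled inbound Allow rule for TCP/$Port (port ranges are not expanded here).
    $rules = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -contains "$Port" } |
             Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if (-not $rules) { $problems.Add("no enabled inbound firewall rule allows TCP/$Port") }

    # 5. Settings the script relaxes that an HTTPS-only listener does not need; report them as findings.
    if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
        $problems.Add('Service\AllowUnencrypted=true is not needed for HTTPS and weakens any HTTP listener')
    }
    if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
        $problems.Add('Service\Auth\Basic=true: credentials are only base64-encoded, so keep this TLS-only')
    }
    return $problems
}
$findings = Test-PackerWinRmHttps
if ($findings.Count -eq 0) { 'WinRM HTTPS listener looks ready for Packer (winrm_use_ssl = true, winrm_insecure = true)' }
else { $findings | ForEach-Object { "PROBLEM: $_" } }
```

The last line refers to Packer's WinRM communicator options; with a self-signed "packer" certificate, winrm_insecure is what lets Packer accept it.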

golden...@gmail.com

Jun 5, 2019, 4:04:10 PM
to Packer
Thank you. I was actually able to get this to work on the base windows 2016 AMI, but I am attempting to run this on the CIS level 1 hardened AMI from the AWS Marketplace (found here). The source AMI ID is ami-024c544bd4659d547 and the source AMI name is CIS Microsoft Windows Server 2016 Benchmark 1.0.0.24 Level 1-b1776421-c8ab-411d-8a73-34f06d3ceadf-ami-05c3f6c249aec43d9.4.

I can't narrow down which setting is causing this to fail.

Luis Mayorga

Jun 5, 2019, 4:06:59 PM
to packe...@googlegroups.com
Usually winrm settings.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/cff810a6-7d91-4a17-b8c9-9bc092182960%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Luis Mayorga
Software & Devops Engineer
E. lmayorga@lm3corp.com
T. @louismayorga

golden...@gmail.com

Jun 5, 2019, 4:28:19 PM
to Packer
I believe it's related to this issue https://github.com/hashicorp/packer/issues/6205 (if you want additional background). 

Here is my current user data script:



On Wednesday, June 5, 2019 at 3:49:28 PM UTC-4, golden...@gmail.com wrote: