SSL Certificate Bindings on Windows with Chef
By
I recently needed to ensure some SSL certificates on Windows were installed and bound correctly. I opened an issue at chef-cookbook/windows#313, but the gist of it is here:
As a windows chef user
I want to ensure a specific certificate binding to a port
In order to replace any existing binding with what I have specified
Given a certificate in pfx form
And it's successfully imported
When I write a windows_certificate_binding resource stanza
And specify the desired subject or fingerprint
And there is already another certificate bound to the desired port
Then the desired certificate binding should replace the existing one
What you currently have to do (using an encrypted data bag with password, subject and fingerprint, and a files/default/certificate.pfx):
iis_site 'Default Web Site' do
  action :config
  site_id 1
  bindings 'http/*:80:,net.tcp/808:*,net.pipe/*,net.msmq/localhost,msmq.formatname/localhost,https/*:443:'
end

decrypted = data_bag_item('passwords', "certificate")
pfx = "c:\\chef\\certificate.pfx"

# source defaults to the basename, i.e. files/default/certificate.pfx
cookbook_file pfx

windows_certificate pfx do
  pfx_password decrypted['password']
  store_name 'MY'
  user_store false
end

subject = decrypted['subject']
fingerprint = decrypted['fingerprint']

# removing the current one IF it doesn't match
windows_certificate_binding 'Unbind any non-matching certs' do
  action :delete
  name subject
  name_kind :subject
  address '0.0.0.0'
  guard_interpreter :powershell_script
  # Backslashes are doubled so the double-quoted heredoc hands PowerShell a
  # single backslash (a bare "\0" would become a NUL byte in Ruby). The
  # PowerShell guard is judged on its last expression, so compare with -eq:
  # CompareTo() returns 0 on a match, which reads as false.
  not_if <<-EOF
    Import-Module WebAdministration
    $x = Get-Item IIS:\\SslBindings\\0.0.0.0!443
    $x.Thumbprint -eq "#{fingerprint}"
  EOF
end

# bind the correct one... this should be all we need to specify...
# if there is already a binding on this port... it does nothing
# it should replace it in my opinion
windows_certificate_binding 'Reuse RDP and WINRM self-signed cert for IIS' do
  action :create
  name_kind :subject
  name subject
  address '0.0.0.0'
end
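To make the "replace whatever is bound" behaviour explicit, here is an added example (my own code, not from the post above and not part of the windows cookbook) that models the convergence decision in plain Ruby. It takes a constructed snapshot of current bindings, keyed as "address:port" with the bound thumbprint as the value (the shape you would get by walking IIS:\SslBindings yourself; the snapshot format is an assumption), normalizes the fingerprint the way people actually paste it (spaces, lowercase), and returns the delete/create actions needed. It also renders the PowerShell guard with the backslashes and -eq comparison spelled out, which is where the recipe above is easiest to get wrong.

```ruby
# Added example: convergence plan for an SSL binding on address:port.
# Not part of the post or the windows cookbook; the binding-snapshot shape
# ({"address:port" => thumbprint}) is an assumption for illustration.
module SslBindingPlan
  # Thumbprints copied from the certificate UI often carry spaces or
  # invisible characters and arbitrary case; compare them normalized.
  def self.normalize_fingerprint(fp)
    raise ArgumentError, 'fingerprint required' if fp.nil? || fp.strip.empty?
    cleaned = fp.gsub(/[^0-9a-fA-F]/, '').upcase
    unless cleaned.match?(/\A[0-9A-F]{40}\z/)
      raise ArgumentError, "#{fp.inspect} is not a 40-hex SHA-1 thumbprint"
    end
    cleaned
  end

  # Returns the ordered actions needed so that address:port is bound to
  # desired_fingerprint. Empty when already converged; a mismatched binding
  # yields a :delete followed by a :create, an empty port just a :create.
  def self.plan(current_bindings, address, port, desired_fingerprint)
    key = "#{address}:#{port}"
    want = normalize_fingerprint(desired_fingerprint)
    have = current_bindings[key]
    have = normalize_fingerprint(have) if have
    return [] if have == want

    actions = []
    actions << { action: :delete, address: address, port: port, fingerprint: have } if have
    actions << { action: :create, address: address, port: port, fingerprint: want }
    actions
  end

  # PowerShell guard text for a not_if: true only when the port is already
  # bound to the desired thumbprint. Doubled backslashes survive Ruby string
  # processing as single backslashes; -eq yields the boolean the guard needs.
  def self.guard_script(address, port, desired_fingerprint)
    want = normalize_fingerprint(desired_fingerprint)
    <<~PS
      Import-Module WebAdministration
      $b = Get-Item "IIS:\\SslBindings\\#{address}!#{port}" -ErrorAction SilentlyContinue
      $null -ne $b -and $b.Thumbprint -eq "#{want}"
    PS
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: port 443 currently holds the wrong certificate.
  snapshot = { '0.0.0.0:443' => 'FEDCBA9876543210FEDCBA9876543210FEDCBA98' }
  desired = '01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67'
  SslBindingPlan.plan(snapshot, '0.0.0.0', 443, desired).each { |a| puts a.inspect }
  puts SslBindingPlan.guard_script('0.0.0.0', 443, desired)
end
```

The plan function is what the cookbook's :create action would need to do internally to honour the user story: look at the port first, and only skip work when the thumbprint already matches. Until it does, the guard text from guard_script is the piece to drop into the not_if of the delete resource.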