Two tier PKI deployment fails on initial deployment #57

Closed
sad1qjaffer opened this Issue Aug 21, 2018 · 8 comments

4 participants
sad1qjaffer commented Aug 21, 2018

When deploying a two tier PKI using this module an error is thrown by the sub CA once it has generated its req file. The error message is shown below.

New-AzureRmResourceGroupDeployment : 09:12:44 - VM has reported a failure when processing extension 'ConfigureSubCA'.
Error message: "DSC Configuration 'Main' completed with error(s). Following are the first few: PowerShell DSC resource
MSFT_AdcsCertificationAuthority failed to execute Set-TargetResource functionality with error message:
System.InvalidOperationException: The Active Directory Certificate Services installation is incomplete. To complete
the installation, use the request file "c:\windows\system32\certsrv\certenroll\AzureLab-CS1.req" to obtain a
certificate from the parent CA. Then, use the Certification Authority snap-in to install the certificate. To complete
this procedure, right-click the node with the name of the CA, and then click Install CA Certificate. The operation
completed successfully. 0x0 (WIN32: 0) The SendConfigurationApply function did not succeed.".

In my configuration I'm using Azure Blob storage to transfer req/crt files between the root and sub CA, but this error prevents the configuration from completing. When the deployment is re-run after this error has been generated, it runs through to completion.

Is there a way to suppress this error during deployment, or can a flag be added to the ADCSCertificationAuthority resource so it knows that it must silently wait for the request to be completed?

Thanks!

PlagueHO (Collaborator) commented Aug 23, 2018

Hi @sad1qjaffer - thanks for raising this question. So it sounds like when the resource tries to install the CA server but is deploying a SubCA it returns an error when the REQ file is generated - even though this really isn't an error. I've done this myself (https://github.com/PlagueHO/LabBuilder/blob/dev/LabBuilder/dsclibrary/MEMBER_SUBCA.DSC.ps1#L188) but I didn't notice the exception - however, I was usually running in the mode that automatically applied the config repeatedly - and I think the last time I did this I was using an older version of the resource that didn't actually 'Throw' an exception that was returned by Install-AdcsCertificationAuthority (see https://github.com/PowerShell/ActiveDirectoryCSDsc/blob/dev/DSCResources/MSFT_AdcsCertificationAuthority/MSFT_AdcsCertificationAuthority.psm1#L475).

It would be possible to make a change to cause this "exception" to be suppressed (shown as a warning or verbose message) when OutputCertRequestFile was set and CAType was set to EnterpriseSubordinateCA. But I'd want to make sure only that specific error was being suppressed.

PlagueHO (Collaborator) commented Aug 23, 2018

Does this sound like this suggestion might work for you?

sad1qjaffer commented Aug 23, 2018

Hi @PlagueHO

Thanks for getting back to me on this, and your lab builder library has been a huge help!

I had a look at how the resource is configured and noticed that "-ErrorAction SilentlyContinue" has been completely removed as an option when using Install-AdcsCertificationAuthority. I think, as you say, in this particular scenario a verbose log may be a better approach. This would provide the information required for debugging but prevent a configuration from being interrupted.

I'm relatively new to GitHub, so I am not 100% sure of the procedure for how a change like this would be implemented. Can you please advise on how we can move this forward?

stale bot commented Sep 22, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g bug, enhancement, documentation, or tests) then the issue will not auto-close.

@stale stale bot added the stale label Sep 22, 2018

sjnnkm commented Oct 29, 2018

I'm also facing the same issue. The deployment returns a warning message, but the continuous integration tool treats it as an error. If by any means this message can be ignored in the DSC code, a sample implementation would really help.
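
The specific suppression PlagueHO describes above (warn instead of throw, but only for this one condition, and only for a subordinate CA that was asked to write a request file), written out as an added example in response to the request for sample code. This is not the ActiveDirectoryCSDsc resource's own code and not what PR #65 implemented; the function name, the request-file path in the usage line, and the exact message text being matched are assumptions taken from the error quoted in the issue.

```powershell
# Added example, not code from the ActiveDirectoryCSDsc resource or LabBuilder.
# Wraps Install-AdcsCertificationAuthority for the subordinate CA case so that
# the one expected "installation is incomplete" result is reported as a warning,
# while every other failure still terminates the configuration.
function Install-SubordinateCaRequest
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $CACommonName,

        # Path the request file is written to, e.g. 'C:\CertRequest\SubCA.req'.
        [Parameter(Mandatory = $true)]
        [System.String]
        $OutputCertRequestFile,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    # Assumption: this is the wording the cmdlet returns when a subordinate CA
    # has written its request and is waiting for the parent to sign it (the
    # text quoted in the issue). Matching on message text is locale dependent,
    # so a non-English OS would need a different pattern.
    $incompleteMessage = 'The Active Directory Certificate Services installation is incomplete'

    $installParameters = @{
        CAType                = 'EnterpriseSubordinateCA'
        CACommonName          = $CACommonName
        OutputCertRequestFile = $OutputCertRequestFile
        Force                 = $true
        ErrorAction           = 'Stop'
    }

    if ($PSBoundParameters.ContainsKey('Credential'))
    {
        $installParameters['Credential'] = $Credential
    }

    try
    {
        $null = Install-AdcsCertificationAuthority @installParameters
    }
    catch
    {
        # Downgrade to a warning only when all three hold: the exception type
        # seen in the issue, the "incomplete" wording, and a request file that
        # really was written to the path we asked for.
        $isExpected = ($_.Exception -is [System.InvalidOperationException]) -and
            ($_.Exception.Message -match $incompleteMessage) -and
            (Test-Path -Path $OutputCertRequestFile -PathType Leaf)

        if (-not $isExpected)
        {
            # Anything else (access denied, bad key length, CA already
            # installed, ...) is a real failure: re-throw the original record.
            throw
        }

        $warning = "Subordinate CA '{0}' is installed but cannot issue yet. Submit '{1}' to the parent CA, then install the issued certificate (certutil -installCert or the CA snap-in)." -f $CACommonName, $OutputCertRequestFile
        Write-Warning -Message $warning
        return
    }
}

# Usage (runs only on a server with the ADCS-Cert-Authority feature present;
# the CA name and path are placeholders):
# Install-SubordinateCaRequest -CACommonName 'AzureLab-CS1' -OutputCertRequestFile 'C:\CertRequest\AzureLab-CS1.req'
```

The point of the three-way check is the one PlagueHO raises: a blanket -ErrorAction SilentlyContinue would hide genuine failures such as a wrong key length or a CA that was already installed, whereas this only swallows the case where the request file is sitting on disk waiting for the parent CA. Inside a DSC resource the same logic would live in Set-TargetResource, and Test-TargetResource still has to report the CA as configured once the request exists, otherwise the LCM keeps re-applying the step.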

@stale stale bot removed the stale label Oct 29, 2018

stale bot commented Nov 28, 2018

This issue has been automatically marked as stale because it has not had activity from the community in the last 30 days. It will be closed if no further activity occurs within 10 days. If the issue is labelled with any of the work labels (e.g bug, enhancement, documentation, or tests) then the issue will not auto-close.

mortenlerudjordet commented Dec 21, 2018

Added a simple fix in PR #65 so this scenario does not create an error.

@stale stale bot removed the stale label Dec 21, 2018

PlagueHO (Collaborator) commented Dec 22, 2018

Thanks @sad1qjaffer - I missed this comment! I'm glad LabBuilder is useful - I haven't had as much time to put into it lately unfortunately. But you're right - this could definitely be corrected. Thank you @mortenlerudjordet for picking this up. I've started the review.

@PlagueHO PlagueHO closed this in #65 Dec 28, 2018
