Username with $ fails on Windows

[jdrom]

Likely an edge case, but I was trying to run vcert on a Windows server where my username includes "$" in it (an odd company standard but it is what it is). This results in what appears to be PowerShell failures as I presume the $ isn't properly escaped somewhere in the source code. As such, no certificate is requested or imported.

I believe it's from the TMP/TEMP environment variable, as if I modify this before running to something like C:\temp, instead of the default C:\Users$Name\AppData\Local\Temp, vcert does run successfully.

Should be able to reproduce by creating a local Windows user with "$Name" as the username, and attempting to run vcert as that user while logged in.

[luispresuelVenafi]

Hi @jdrom , thank you for reaching out

Could you provide a template of what you were trying to do? Like are you using VCert CLI? VCert SDK? VCert Playbook? Which platform are you trying to reach (TLPSDC p.k.a TPP, TLSPC p.k.a. VaaS)? Version of the VCert software?

Edit: Side question, any reason why are you not using Token Auth in case you are using TPP?

[jdrom]

I'm inclined to say I'm accessing TPP using vcert.exe version 5.3.0 which is running a playbook based upon sample.capi.yaml. I believe I am using token auth as I generated a token (ran vcert getcred) to put in the playbook. Sorry that I don't really know all the acronyms you mentioned as I'm not the owner of our Venafi platform.

The error output is below, the step prior to this is "retrieving certificate from CAPI Store" that I've omitted. The "~1" in the path of the error messages is how it shows, which is not my username.

2024-01-30T19:24:27.156-0600 ERROR capistore/powershell.go:185 failed to run script file {"stderr": ". : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n"}

2024-01-30T19:24:27.161-0600 ERROR capistore/powershell.go:159 failed to run script function {"functionName": "retrieve-cert", "stdout": "", "error": "failed to run script file: . : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n"}

2024-01-30T19:24:27.171-0600 ERROR capistore/powershell.go:123 failed to install certificate into CAPI {"stdout": "", "error": "failed to run script function "retrieve-cert": failed to run script file: . : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n", "errorVerbose": "failed to run script file: . : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n\nfailed to run script function "retrieve-cert""}

2024-01-30T19:24:27.175-0600` ERROR installer/capi.go:80 failed to retrieve certificate from CAPI store {"error": "failed to install certificate into CAPI, stdout: '': failed to run script function "retrieve-cert": failed to run script file: . : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n", "errorVerbose": "failed to run script file: . : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n\nfailed to run script function "retrieve-cert"\nfailed to install certificate into CAPI, stdout: ''"}

2024-01-30T19:24:27.189-0600` ERROR service/service.go:50 error checking certificate in task {"task": "DC", "error": "error checking for certificate DC: failed to install certificate into CAPI, stdout: '': failed to run script function "retrieve-cert": failed to run script file: . : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n"}

2024-01-30T19:24:27.189-0600 ERROR vcert/playbook.go:148 error running task {"task": "DC", "error": "error checking for certificate DC: failed to install certificate into CAPI, stdout: '': failed to run script function "retrieve-cert": failed to run script file: . : The term 'C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1' is not \r\nrecognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if \r\na path was included, verify that the path is correct and try again.\r\nAt line:1 char:3\r\n+ . C:\Users\~1\AppData\Local\Temp\venafi-winrm-execute-28902b3f-54b8-4 ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (C:\Users\~1\App...20cc6fcb979.ps1:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\nretrieve-cert : The term 'retrieve-cert' is not recognized as the name of a cmdlet, function, script file, or operable \r\nprogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:1 char:97\r\n+ ... ecute-28902b3f-54b8-4add-8b5b-520cc6fcb979.ps1; retrieve-cert -friend ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (retrieve-cert:String) [], CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n \r\n"}

[luispresuelVenafi]

Hi @jdrom ,
Got it. So the username issue is not coming from auth in TPP (no need to worry about acronyms, mostly wanted to make sure which platform you were trying on as you could also been using TLS Protect Cloud, from your input and the fact you are using Token auth gives me enough to tell you are using TPP).

Could you also provide the following?

• TPP version
• Template of the playbook you are trying to run?
• Since you are using CAPI store, are there any other environment specifics you are doing for your task purpose?

[jdrom]

I was told we're on TPP version 23.1. Effectively using the default template: https://github.com/Venafi/vcert/blob/master/examples/playbook/sample.capi.yaml. Commented out trustBundle and put in my API token.

My end goal is for it to update the bindings for WinRM and Remote Desktop. I've sorted out how to handle that with PowerShell script being called via afterInstallAction along with adding setEnvVars:["thumbprint"] into the certificateTasks so that I can pass the newly created certificate's thumbprint to the script.

It's really just this weird bug where it's trying to run the scripts from TEMP and doesn't seem to like that the path has a "$" in it due to my Windows username having a "$". The same playbook works fine on other environments where my Windows username does not contain a "$".

[BeardedPrincess]

Hey @jdrom,

I believe this issue has something to do with the character escaping.

I think I see now after reading the log output above a bit closer. I have an idea of where the issue is.. let me do some testing and get back to you here.

Edit: No need to upload the playbook.. I got it ;)

[rvelaVenafi]

@jdrom @BeardedPrincess has this issue been resolved? does VCert needs fix?

[BeardedPrincess]

Yes, this still needs to be investigated / resolved. Let's keep this one open for now @rvelaVenafi