Windows certificate - no keys found on pfx #8325

Open
thomppg opened this Issue Mar 26, 2019 · 5 comments

@thomppg
commented Mar 26, 2019

Hello, I am having issues with the private keys of a pfx, but only when chef client runs as a scheduled task. If it runs as the Windows service or from the command line, it works as expected.

My recipe is very simple,

```ruby
windows_certificate "c:/folder/#{certname}" do
  pfx_password "XXXXX"
end
```

The certificate installs into the correct store, but when I try to manage the keys of the certificate I get a pop-up informing me that no keys were found for the certificate. I am currently running chef-client 14.8.12 on Windows 2019 Server, but have also tried chef-client 14.11.21.

Chef client reports that it completes successfully in the log file every time.

I have seen that there have been changes around this in the last couple of months, but the issue persists when running it as a scheduled task.

@Nimesh-Msys

Contributor

commented Mar 27, 2019

Yes, we fixed that issue in win32-certstore-0.2.4.
Chef-14.8.12 still uses an older version of win32-certstore as per its compatibility. But I'm sure this would run nicely on Chef-14.11.21. Could you please re-check the versions you are working on?

Well, as per the discrepant behavior, I would also suggest that you check the chef-client version that is running via the task scheduler. In case of multiple installations, there are chances that the scheduler is still using some older version of Chef.

Additionally, you may check the correct version of win32-certstore that is installed (usually at C://Opscode/chefdk/embedded/lib/ruby/gems/2.5.0/gems/).

@thomppg

Author

commented Mar 27, 2019

Nimesh-Msys, thanks for your help. Unfortunately the issue is still occurring.

I have installed chef 14.11.21, after uninstalling the 14.8.12 chef. When I run the chef client from the command prompt with the following command `chef-client -c c:\chef\client.rb` I can view the private keys of the certificate.

If it runs as a scheduled task with the default configuration `/c "C:\opscode\chef\embedded\bin\ruby.exe C:\opscode\chef\bin\chef-client -L C:\chef\chef-client.log -c C:\chef\client.rb"` I get the no keys found message.

If I modify the installation to use the Windows service instead of the scheduled task, I can view the private keys.

When I check the directory `C:\opscode\chef\embedded\lib\ruby\gems\2.5.0\gems` there is a directory called win32-certstore-0.2.4.

I can confirm when looking at the log file for both the scheduled task, service and the console chef run that the version of chef being called is 14.8.12

@Nimesh-Msys

Contributor

commented Mar 29, 2019

Okay, sounds reasonable! As expected, with 14.8.12 it wouldn't work well.
To re-confirm, I tried and checked the same things you mentioned.

  1. Installed 14.8.12
  2. Created a task and ran windows_certificate -> Certificate was imported without its private key
  3. Uninstalled and installed 14.11.21
  4. Deleted that certificate from store
  5. Ran that task again -> Certificate was imported with private keys!

> I can confirm when looking at the log file for both the scheduled task, service and the console chef run that the version of chef being called is 14.8.12

This is confusing! When 14.11.21 is installed and you're running chef-client using TaskScheduler, how could it run 14.8.12? What I could think of:

  • Are we checking the correct logs?
    • Please do take a look at the terminal for version confirmation.
    • Check the timestamps at which the log was created!
    • Or try and change the log file path.
  • Is it because you're running chef as some other user, for whom the previous version is installed?
    • Ideally, chef should be installed and run with root privilege, as a system user.

Please do take a look, as things are running fine at our end.

@thomppg

Author

commented Mar 29, 2019

Nimesh-Msys, sorry, the statement should say:

"I can confirm when looking at the log file for both the scheduled task, service and the console chef run that the version of chef being called is 14.11.21"

@Nimesh-Msys

Contributor

commented Mar 29, 2019

Ok. Still, while importing, it shouldn't have raised "no keys found". I also tried and created the task with default configs as you mentioned, and everything is running fine.

> when I try and manage the keys of certificate I get a pop up

@thomppg How are you managing the keys, manually through the certificate store or with some automated script via the scheduler? Could you please share some more info about the task, logs or the complete recipe that you are using? Or any specific difference that you could observe between the client run using the scheduler and the service; it would be more helpful.
Thanks
