Export-PluginArgs : Access is denied #442
Comments
Hi @mshlmv, thanks for reaching out. I'm not seeing the Access Denied error in the output you posted. I do see a CryptographicException apparently thrown by Export-PluginArgs though. That error is likely the cause of the following error with Submit-ChallengeValidation. Can you try running your New-PACertificate call with Verbose and Debug output so I can hopefully get a better sense of where this is happening within Export-PluginArgs?

```powershell
$ApiToken = 'XXX'
$DnsName = 'xxx.xxx.com'
$AdminCertEmail = 'admin@xxx.com'
Set-PAServer LE_PROD
$DebugPreference = 'Continue'
$newCert = New-PACertificate $DnsName -AcceptTOS -Install -Contact $AdminCertEmail -Plugin Selectel -PluginArgs $pArgs -Verbose
```
I'm sorry, I missed this line when copying. OK, now full verbose output:
Ok, there's the Access Denied still seeming to happen during an export of the plugin args. It seems I don't have enough debug logging enabled to know exactly which line inside

Are you using an alternate config location by any chance? Or is there any reason why the order's pluginargs.json file wouldn't be writable by the user running the module? You can find the exact folder location using
No, the config is located by default in the user's home directory. Now I run the script as a domain administrator and it works fine. Why local administrator rights are not enough for this is not clear :(
The fact that it works with domain admin and not local admin is even more weird when using the default home directory location. The basic module functionality should work even with a non-admin account when writing to the home directory. Are home directories on this server mounted from a network location or synchronized with OneDrive? Something that would make them not as simple as just a folder structure on the local disk? You could probably run some filesystem specific tests, like creating a folder in LOCALAPPDATA and trying to create a file in it.

```powershell
$testdir = Join-Path $env:LOCALAPPDATA 'mytest'
if (-not (Test-Path $testdir -PathType Container)) {
    New-Item -ItemType Directory -Path $testdir -Force -EA Stop
}
'test content' | Out-File (Join-Path $testdir 'myfile.txt') -Force -EA Stop
```
@mshlmv out of interest, what version of Windows are you running and what malware/defender type protection is running? Any non-default settings you can think of?
@rmbolger thank you for the guess. @webprofusion-chrisc thank you for your interest.
By "everything", do you mean the cert issuance or just the test code I posted? If the cert issuance still results in an error, you might try deleting the existing
@rmbolger following your last advice:

```text
rm -r C:\Users\local-admin\AppData\Local\Posh-ACME\
Import-Module Posh-ACME -Force
Set-PAServer LE_STAGE
Please review the Terms of Service here: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
$newCert = New-PACertificate $DnsName -AcceptTOS -Install -Contact $AdminCertEmail -Plugin Selectel -PluginArgs $pArgs
Export-PluginArgs : Access is denied.
At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.14.0\Public\New-PAOrder.ps1:306 char:9
+         Export-PluginArgs -Order $order -PluginArgs $PluginArgs
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Export-PluginArgs], CryptographicException
    + FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Export-PluginArgs

cmdlet Add-DnsTxt at command pipeline position 1
Supply values for the following parameters:
SelectelAdminToken:
```
Now I'm testing it on a non-domain server and I don't get an error, but I still get a value request for the token:

```text
cmdlet Add-DnsTxt at command pipeline position 1
Supply values for the following parameters:
SelectelAdminToken:
```
On the non-domain server, had you setup your
I get the prompt only in the LE_STAGE environment; if I enable LE_PROD, everything works fine.
After a series of experiments, I can draw several conclusions. On a non-domain computer, if you run Posh-ACME by connecting via SSH as a local administrator, then nothing works. If you connect via RDP as the same user, then everything works fine. On a domain computer under a domain administrator, both SSH and RDP work. And it does not work under the local administrator in any way.
I can't say I've tested using Posh-ACME via SSH against a Windows box. But I don't see why the protocol used to connect would make a difference. I don't doubt the results of your tests. I just don't have the expertise to explain why it might be happening. The differences between a domain-joined system and non-domain-joined are also a mystery. At the end of the day, what the module is doing under the hood for the

Out of curiosity, what OS version are we talking about here? What SSH server?
I'm also getting this error. I'm running the script as part of an Ansible playbook and it's connecting via WinRM. The server is running Windows 2019, domain joined, and running on AWS.
I may have stumbled on the culprit after I started looking for other places you might get Access Denied during that function call. My current theory is that the Access Denied is actually happening on the calls to ConvertFrom-SecureString that use the Windows DPAPI libraries by default. This blog post explains a bit more about what might be going on: https://blog.stangroome.com/2012/05/17/powershell-remoting-user-profiles-delegation-and-dpapi/

If I'm right, a workaround should be fairly simple. You'll need to enable

The UseAltPluginEncryption flag basically changes how the SecureString and PSCredential variables are saved to disk so that it doesn't rely on DPAPI anymore.
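As an added illustration of the DPAPI point above (this is not code from Posh-ACME or from anyone in this thread), the following PowerShell probes whether the DPAPI-backed form of ConvertFrom-SecureString works in the current session and otherwise falls back to the -Key (AES) form, which is the same kind of DPAPI-free storage the workaround relies on. The function names, the key handling and the placeholder token are assumptions.

```powershell
# Added example, not code from Posh-ACME or from this thread. Demonstrates the
# DPAPI dependency of ConvertFrom-SecureString and the key-based (AES) path that
# avoids it. Function names are hypothetical; the AES key handling is a sketch.

function Test-DpapiProtection {
    # Without -Key, ConvertFrom-SecureString encrypts with the user's DPAPI master
    # key. In a WinRM/SSH session without a loaded profile that call can throw
    # System.Security.Cryptography.CryptographicException ("Access is denied").
    $probe = ConvertTo-SecureString 'probe' -AsPlainText -Force
    try {
        $null = ConvertFrom-SecureString $probe -ErrorAction Stop
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

function Protect-PluginSecret {
    param([Parameter(Mandatory)][securestring]$Secret, [byte[]]$AesKey)
    if ($AesKey) {
        # AES path: no DPAPI involved; the key file itself then needs tight ACLs
        return ConvertFrom-SecureString $Secret -Key $AesKey
    }
    return ConvertFrom-SecureString $Secret    # DPAPI path (same user, same machine)
}

function Unprotect-PluginSecret {
    param([Parameter(Mandatory)][string]$Blob, [byte[]]$AesKey)
    if ($AesKey) { return ConvertTo-SecureString $Blob -Key $AesKey }
    return ConvertTo-SecureString $Blob
}

# Constructed usage with a placeholder token, never a real one
$token = ConvertTo-SecureString 'EXAMPLE-TOKEN' -AsPlainText -Force
$key = $null
if (-not (Test-DpapiProtection)) {
    Write-Warning 'DPAPI failed in this session (remoting without a profile?); using an AES key'
    $key = New-Object byte[] 32                           # 256-bit key
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
}
$blob = Protect-PluginSecret -Secret $token -AesKey $key
$roundTrip = Unprotect-PluginSecret -Blob $blob -AesKey $key
# Compare plaintexts to confirm the round trip (Windows PowerShell 5.1 and PowerShell 7)
$ok = ([System.Net.NetworkCredential]::new('', $roundTrip).Password -eq 'EXAMPLE-TOKEN')
"Round trip ok: $ok; AES key used: $($null -ne $key)"
```

Running it once in an interactive session and once over WinRM makes the difference visible: the DPAPI probe fails only in the remoting session, while the -Key path works in both.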
I just ran into the same issue while setting up some new servers, and as above it was happening only when I was using PowerShell remoting (WinRM).
Thanks for the confirmation, @CaiB. I'm not sure if there's anything I can necessarily do in the module to avoid needing the Alt Plugin Encryption workaround. But I'll try to find a good place in the docs to mention it might be necessary when using PS remoting. |
Added a FAQ entry about this on the doc site. |
Hi there.
I have Posh-ACME 4.14.0 and I tried to get a certificate with PowerShell script automation.
But I get an error when passing the API key (apparently).
Connected via SSH, I run this script as a local administrator on a computer in the domain.