From e9fe5f201f5830167d2ca6168c08822c930efb41 Mon Sep 17 00:00:00 2001
From: Michael Crilly
Date: Wed, 13 May 2015 15:35:08 +1000
Subject: [PATCH] $SubjectName variable unused; clean up

Having used this script several times today, I came to notice the $SubjectName variable, being passed in via the CLI, is essentially ignored when generating the SSL certificates, rendering it useless. I believe it's a good idea to have it in place, so I've updated the script to reflect this. I also cleaned up some random new lines throughout the file, and expanded on a comment. It might be worth going a step further and commenting the file fully, as most people reviewing this file won't be familiar with PowerShell (like I wasn't unitl a few days ago). It could be helpful.
---
 .../scripts/ConfigureRemotingForAnsible.ps1 | 30 +++++++++----------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/examples/scripts/ConfigureRemotingForAnsible.ps1 b/examples/scripts/ConfigureRemotingForAnsible.ps1
index a67ea8afb2..a70dc0354d 100644
--- a/examples/scripts/ConfigureRemotingForAnsible.ps1
+++ b/examples/scripts/ConfigureRemotingForAnsible.ps1
@@ -1,4 +1,4 @@
-# Configure a Windows host for remote management with Ansible 
+# Configure a Windows host for remote management with Ansible
 # -----------------------------------------------------------
 #
 # This script checks the current WinRM/PSRemoting configuration and makes the
@@ -10,9 +10,11 @@
 #
 # Written by Trond Hindenes
 # Updated by Chris Church
+# Updated by Michael Crilly
 #
 # Version 1.0 - July 6th, 2014
 # Version 1.1 - November 11th, 2014
+# Version 1.2 - May 15th, 2015
 
 Param (
     [string]$SubjectName = $env:COMPUTERNAME,
@@ -20,7 +22,6 @@ Param (
     $CreateSelfSignedCert = $true
 )
 
-
 Function New-LegacySelfSignedCert
 {
     Param (
@@ -60,11 +61,12 @@ Function New-LegacySelfSignedCert
     $certdata = $enrollment.CreateRequest(0)
     $enrollment.InstallResponse(2, $certdata, 0, "")
 
-    # Return the thumbprint of the last installed cert.
+    # Return the thumbprint of the last installed certificate;
+    # This is needed for the new HTTPS WinRM listerner we're
+    # going to create further down.
     Get-ChildItem "Cert:\LocalMachine\my"| Sort-Object NotBefore -Descending | Select -First 1 | Select -Expand Thumbprint
 }
 
-
 # Setup error handling.
 Trap
 {
@@ -73,14 +75,12 @@ Trap
 }
 $ErrorActionPreference = "Stop"
 
-
 # Detect PowerShell version.
 If ($PSVersionTable.PSVersion.Major -lt 3)
 {
     Throw "PowerShell version 3 or higher is required."
 }
 
-
 # Find and start the WinRM service.
 Write-Verbose "Verifying WinRM service."
 If (!(Get-Service "WinRM"))
@@ -93,7 +93,6 @@ ElseIf ((Get-Service "WinRM").Status -ne "Running")
     Start-Service -Name "WinRM" -ErrorAction Stop
 }
 
-
 # WinRM should be running; check that we have a PS session config.
 If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
 {
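Review bot: The expanded comment now promises "the thumbprint of the last installed certificate", but the `Get-ChildItem "Cert:\LocalMachine\my" | Sort-Object NotBefore -Descending | Select -First 1` line beneath it returns whichever certificate in the machine store has the latest NotBefore, so any other certificate with a later start date (one installed concurrently, or one issued from a skewed clock) would have its thumbprint bound to the new HTTPS listener instead of the one just enrolled. Either make the comment honest, `# NOTE: picks the newest cert in the store by NotBefore and assumes that is the one just enrolled`, or derive the thumbprint from the enrolled data itself, e.g. `$parsed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2` / `$parsed.Import([System.Text.Encoding]::UTF8.GetBytes($certdata))` / `$parsed.Thumbprint` — this presumes `$certdata` from `CreateRequest(0)` is the base64 self-signed certificate that `InstallResponse` consumes, which should be confirmed against the lines above the hunk. The new comment also misspells "listener" as "listerner". New-LegacySelfSignedCert's body begins before this hunk.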
@@ -112,17 +111,19 @@ If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"}))
     # HTTPS-based endpoint does not exist.
     If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
     {
-        $cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation "Cert:\LocalMachine\My"
+        $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
         $thumbprint = $cert.Thumbprint
+        Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
     }
     Else
     {
-        $thumbprint = New-LegacySelfSignedCert -SubjectName $env:COMPUTERNAME
+        $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
+        Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
     }
 
     # Create the hashtables of settings to be used.
     $valueset = @{}
-    $valueset.Add('Hostname', $env:COMPUTERNAME)
+    $valueset.Add('Hostname', $SubjectName)
     $valueset.Add('CertificateThumbprint', $thumbprint)
 
     $selectorset = @{}
@@ -137,7 +138,6 @@ Else
     Write-Verbose "SSL listener is already active."
 }
 
-
 # Check for basic authentication.
 $basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"}
 If (($basicAuthSetting.Value) -eq $false)
@@ -150,7 +150,6 @@ Else
     Write-Verbose "Basic auth is already enabled."
 }
 
-
 # Configure firewall to allow WinRM HTTPS connections.
 $fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
 $fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
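Review bot: `$SubjectName` now drives both the certificate's `-DnsName`/subject and the listener's `Hostname`, but nothing in this block validates it; the `[string]$SubjectName = $env:COMPUTERNAME` declaration (in an earlier hunk) only supplies a default, so an explicit empty or malformed argument produces a certificate with a bogus name bound to a listener whose Hostname will never match what clients connect to. A guard before the `If (Get-Command "New-SelfSignedCertificate" ...)` line, `If ([string]::IsNullOrWhiteSpace($SubjectName)) { Throw "SubjectName must be a non-empty hostname or FQDN." }`, or `[ValidateNotNullOrEmpty()]` on the parameter, would fail early instead of silently creating an unusable HTTPS endpoint. Separately, the two new `Write-Host` lines differ in style from the `Write-Verbose` status messages the rest of the script uses (visible in the hunks below); `Write-Verbose` would keep the thumbprint output suppressible and consistent. The enclosing `If (!($listeners | Where ...))` block starts before this hunk.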
@@ -177,19 +176,18 @@ $httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $h
 
 If ($httpResult -and $httpsResult)
 {
-    Write-Verbose "HTTP and HTTPS sessions are enabled."
+    Write-Verbose "HTTP: Enabled | HTTPS: Enabled"
 }
 ElseIf ($httpsResult -and !$httpResult)
 {
-    Write-Verbose "HTTP sessions are disabled, HTTPS session are enabled."
+    Write-Verbose "HTTP: Disabled | HTTPS: Enabled"
 }
 ElseIf ($httpResult -and !$httpsResult)
 {
-    Write-Verbose "HTTPS sessions are disabled, HTTP session are enabled."
+    Write-Verbose "HTTP: Enabled | HTTPS: Disabled"
 }
 Else
 {
     Throw "Unable to establish an HTTP or HTTPS remoting session."
 }
-
 Write-Verbose "PS Remoting has been successfully configured for Ansible."
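Review bot: In the `ElseIf ($httpResult -and !$httpsResult)` branch the reworded `Write-Verbose "HTTP: Enabled | HTTPS: Disabled"` is still verbose-only output, and the script then prints "PS Remoting has been successfully configured for Ansible", so a run that ended with only plaintext HTTP remoting reads as success unless -Verbose was passed. Given the earlier hunks exist to stand up an HTTPS listener, that outcome should be visible by default: `Write-Warning "HTTP: Enabled | HTTPS: Disabled"` keeps the new wording while surfacing it, and the maintainers may prefer it to Throw like the Else branch does. The `$httpResult`/`$httpsResult` probes this block tests are assigned before the hunk.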