I've created a domain certificate for my DSC web pull server (issued by my internal CA) and retrieved the thumbprint.
I exported the certificate from inetmgr and installed it on the pull server (both local machine and user).
I then put the thumbprint in the script in the CertificateThumbprint parameter.

However when I re-run the config script to generate the new MOF and restart the DSC configuration, I can still only get to the site via http and not https.

When I try to navigate to the pull server site with https I get TLS warnings. (I'm on Windows Server 2016, PS version 5.1)

Cheers

EDIT:

Below is the script for generating the MOF with the thumbprint inside.

    configuration CreatePullServer
    {
        param
        (
            [string[]]$ComputerName = 'localhost'
        )

        Import-DscResource -ModuleName xPSDesiredStateConfiguration
        Import-DscResource -ModuleName PSDesiredStateConfiguration

        Node $ComputerName
        {
            # Installs the DSC-Service feature (the IIS-hosted pull and compliance endpoints).
            WindowsFeature DSCServiceFeature
            {
                Ensure = "Present"
                Name   = "DSC-Service"
            }

            # Pull server endpoint. The thumbprint selects the server certificate used for the
            # HTTPS binding on the given port; AcceptSelfSignedCertificates concerns client certs.
            xDSCWebService PSDSCPullServer
            {
                Ensure                       = "Present"
                EndpointName                 = "PSDSCPullServer"
                AcceptSelfSignedCertificates = $true
                Port                         = 8080
                PhysicalPath                 = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                CertificateThumbPrint        = '881B26142BABAFEF7490FB1CD48EA1D572628087'
                ModulePath                   = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State                        = "Started"
                UseSecurityBestPractices     = $true
                DependsOn                    = "[WindowsFeature]DSCServiceFeature"
            }

            # Compliance server endpoint, deliberately left on plain HTTP ('AllowUnencryptedTraffic').
            xDSCWebService PSDSCComplianceServer
            {
                Ensure                   = "Present"
                EndpointName             = "PSDSCComplianceServer"
                Port                     = 9080
                PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
                CertificateThumbPrint    = 'AllowUnencryptedTraffic'
                State                    = "Started"
                UseSecurityBestPractices = $true
                DependsOn                = ("[WindowsFeature]DSCServiceFeature", "[xDSCWebService]PSDSCPullServer")
            }
        }
    }

    # Compile the MOF for the pull server node.
    CreatePullServer -ComputerName pullsrv01 -Verbose

And here is an image of the TLS message when I try to navigate to the https site

EDIT 2:

I've managed to get it working by adding a certificate to a new site binding for port 443, but unfortunately it still doesn't redirect from 8080 to the https site on 443.

  • A rather old article, but see the tips on checking the web.config at https://prosumblogsite.wordpress.com/2014/09/19/configuring-your-new-dsc-pull-server-2/ – Matthew Wetmore Apr 11 '17 at 20:33
  • Are you able to access the https site directly from the pull server, or is it only a remote client/server issue? – Matthew Wetmore Apr 11 '17 at 20:36
  • I'm unable to access the https site even on the pull server – Shiffle McDoobles Apr 12 '17 at 09:59
  • At this point it is not a DSC problem, but an IIS/Certificate problem you need to fix this first. Server 2016 supports all TLS versions out of the box, so I assume there is something wrong with your certificate. Try a different browser. – Peter Hahndorf Apr 12 '17 at 10:48
  • I've created another domain certificate that is signed by our internal CA. And then tried opening this new one up in IE and Chrome. IE's message is the same, and Chrome's message is "This site can't provide a secure connection" and ERR_SSL_PROTOCOL_ERROR – Shiffle McDoobles Apr 12 '17 at 11:35

1 Answer

I resolved this issue by adding a site binding with the certificate for the PSDSC Pull Server site using IIS.

Thanks to Peter Hahndorf for verifying the problem lay either with IIS or the cert!
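A verification script, added here as an example and not part of the question or answer, that checks each layer the HTTPS binding depends on: the certificate in the machine store, the IIS site binding, the http.sys SSL binding (missing when the browser reports ERR_SSL_PROTOCOL_ERROR), and a live TLS handshake. The site name, port and thumbprint are taken from the question's configuration; run it on the pull server in an elevated session.

```powershell
# Added diagnostic, not code from the question or from xPSDesiredStateConfiguration.
Import-Module WebAdministration

function Test-PullServerHttpsBinding {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $result = [ordered]@{}

    # 1. IIS runs as a service, so the cert must sit in LocalMachine\My with its private key
    #    and carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    $result.CertInMachineStore = [bool] $cert
    $result.HasPrivateKey      = [bool] ($cert -and $cert.HasPrivateKey)
    $result.ServerAuthEku      = [bool] ($cert -and ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'))

    # 2. The IIS site must have an https binding on the port that references this certificate hash.
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -ErrorAction SilentlyContinue
    $result.HttpsBindingExists = [bool] $binding
    $result.BindingUsesCert    = [bool] ($binding -and ($binding.certificateHash -eq $Thumbprint))

    # 3. http.sys must also hold the SSL cert binding for 0.0.0.0:<port>; an IIS binding without it
    #    yields a TLS failure in the browser even though IIS shows https configured.
    $netsh = & netsh http show sslcert ipport="0.0.0.0:$Port"
    $result.HttpSysSslBinding = [bool] ($netsh -match [regex]::Escape($Thumbprint))

    # 4. Complete a real handshake and record which certificate the server actually presented.
    #    The callback accepts any cert here only so the presented thumbprint can be inspected.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient('localhost', $Port)
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $tls.AuthenticateAsClient('localhost')
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        $result.TlsHandshake        = $true
        $result.PresentedThumbprint = $presented.Thumbprint
        $tls.Dispose(); $tcp.Dispose()
    } catch {
        $result.TlsHandshake = $false
        $result.TlsError     = $_.Exception.Message
    }

    [pscustomobject] $result
}

Test-PullServerHttpsBinding -SiteName 'PSDSCPullServer' -Port 8080 `
    -Thumbprint '881B26142BABAFEF7490FB1CD48EA1D572628087'
```

Any $false in the first three groups points at the layer to fix before touching the DSC configuration again; a handshake that succeeds but presents a different thumbprint means another site's binding owns that ip:port in http.sys.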