
Commit 08ae924

merge release 2.6.1 to main
2 parents c3d8ddb + 8fcca68 commit 08ae924

30 files changed

+1766
-668
lines changed

CHANGELOG.md

Lines changed: 16 additions & 6 deletions
@@ -1,16 +1,26 @@
1+
2.6.1
2+
* Documentation updates for the 2.6 release
3+
* Fix a naming typo in the 2.5 migration SQL script
4+
* Update integration-manifest.json
5+
* Updated the Alias in IIS to also include Site-Name. NOTE: Inventory will need to be performed prior to any management job to include new Alias format.
6+
* Added Bindings check when attempting to add bindings that already exist or are ambiguous. NOTE: If you wish to add multiple bindings with the same IP:Port, Hostname must be included and SNI flag must be set to a minimum of '1'. Failure to do this can result in failed jobs with a binding conflict error message.
7+
* Bumped Keyfactor.Orchestrator.Common to 3.2.0 to correct signing issue.
8+
* Bumped System.IO.Packaging to 6.0.2 & 8.0.1 for .Net vulnerabilities.
9+
110
2.6.0
211
* Added the ability to run the extension in a Linux environment. To utilize this change, for each Cert Store Types (WinCert/WinIIS/WinSQL), add ssh to the Custom Field <b>WinRM Protocol</b>. When using ssh as a protocol, make sure to enter the appropriate ssh port number under WinRM Port.
312
* NOTE: For legacy purposes the Display names WinRM Protocol and WinRM Port are maintained although the type of protocols now includes ssh.
413
* Moved all inventory and management jobs to external PowerShell script file .\PowerShellScripts\WinCertScripts.ps1
14+
* NOTE: This version was not publicly released.
515

616
2.5.1
717
* Fixed WinSQL service name when InstanceID differs from InstanceName
818

919
2.5.0
1020
* Added the Bindings to the end of the thumbprint to make the alias unique.
11-
* Using new IISWebBindings commandlet to use additional SSL flags when binding certificate to website.
21+
* Using new IISWebBindings cmdlet to use additional SSL flags when binding certificate to website.
1222
* Added multi-platform support for .Net6 and .Net8.
13-
* Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absense of the WebAdministration module in PS SDK 7.4.x+)
23+
* Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absence of the WebAdministration module in PS SDK 7.4.x+)
1424
* Fixed issue to update multiple websites when using the same cert.
1525
* Removed renewal thumbprint logic to update multiple website; each job now updates its own specific certificate.
1626

@@ -19,7 +29,7 @@
1929
* Fix an issue with "Delete" script in the Legacy IIS Migration that did not remove some records from dependent tables
2030

2131
2.4.3
22-
* Adding Legacy IIS Migration scripting and Readme guide
32+
* Adding Legacy IIS Migration scripting and ReadMe guide
2333

2434
2.4.2
2535
* Correct false positive error when completing an IIS inventory job.
@@ -64,7 +74,7 @@
6474
* Display name for IISU changed to "IIS Bound Certificate".
6575
* Display name for WinCert changed to "Windows Certificate".
6676
* Display names for several Store and Entry parameters changed to be more descriptive and UI friendly.
67-
* Significant readme cleanup
77+
* Significant ReadMe cleanup
6878

6979
2.1.0
7080
* Fixed issue that was occurring during renewal when there were bindings outside of http and https like net.tcp
@@ -75,7 +85,7 @@
7585
* Removed any password references in trace logs and output settings in JSON format
7686

7787
2.0.0
78-
* Add support for reenrollment jobs (On Device Key Generation) with the ability to specify a cryptographic provider. Specification of cryptographic provider allows HSM (Hardware Security Module) use.
88+
* Add support for re-enrollment jobs (On Device Key Generation) with the ability to specify a cryptographic provider. Specification of cryptographic provider allows HSM (Hardware Security Module) use.
7989
* Local PAM Support added (requires Universal Orchestrator Framework version 10.1)
8090
* Certificate store type changed from IISBin to IISU. See README for migration notes.
8191

@@ -98,6 +108,6 @@
98108
* Last release to support Windows Orchestrator (KF8)
99109

100110
1.0.2
101-
* Remove dependence on Windows.Web.Administration on the orchestrator server. The agent will now use the local version on the managed server via remote powershell
111+
* Remove dependence on Windows.Web.Administration on the orchestrator server. The agent will now use the local version on the managed server via remote PowerShell
102112
* add support for the IncludePortInSPN flag
103113
* add support to use credentials from Keyfactor for Add/Remove/Inventory jobs.

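--- a/IISU/ClientPSCertStoreReEnrollment.cs
+++ b/IISU/ClientPSCertStoreReEnrollment.cs
@@ -30,6 +30,7 @@
 using System.Linq;
 using Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU;
 using Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinSql;
+using System.Numerics;
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore
 {
@@ -127,10 +128,68 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit
 switch (bindingType)
 {
 case CertStoreBindingTypeENUM.WinIIS:
+OrchestratorJobStatusJobResult psResult = OrchestratorJobStatusJobResult.Unknown;
+string failureMessage = "";
+
 // Bind Certificate to IIS Site
 IISBindingInfo bindingInfo = new IISBindingInfo(config.JobProperties);
-WinIISBinding.BindCertificate(_psHelper, bindingInfo, thumbprint, "", storePath);
+var results = WinIISBinding.BindCertificate(_psHelper, bindingInfo, thumbprint, "", storePath);
+if (results != null && results.Count > 0)
+{
+if (results[0] != null && results[0].Properties["Status"] != null)
+{
+string status = results[0].Properties["Status"]?.Value as string ?? string.Empty;
+int code = results[0].Properties["Code"]?.Value is int iCode ? iCode : -1;
+string step = results[0].Properties["Step"]?.Value as string ?? string.Empty;
+string message = results[0].Properties["Message"]?.Value as string ?? string.Empty;
+string errorMessage = results[0].Properties["ErrorMessage"]?.Value as string ?? string.Empty;
+
+switch (status)
+{
+case "Success":
+psResult = OrchestratorJobStatusJobResult.Success;
+_logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned successfully with Code: {code}, on Step: {step}");
+break;
+case "Skipped":
+psResult = OrchestratorJobStatusJobResult.Failure;
+failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} - message:\n {errorMessage}");
+_logger.LogDebug(failureMessage);
+break;
+case "Warning":
+psResult = OrchestratorJobStatusJobResult.Warning;
+_logger.LogDebug($"PowerShell function New-KFIISSiteBinding returned with a Warning on step: {step} with code: {code} - message: {message}");
+break;
+case "Error":
+psResult = OrchestratorJobStatusJobResult.Failure;
+failureMessage = ($"PowerShell function New-KFIISSiteBinding failed on step: {step} with code: {code} - message: {errorMessage}");
+_logger.LogDebug(failureMessage);
+break;
+default:
+psResult = OrchestratorJobStatusJobResult.Unknown;
+_logger.LogWarning("Unknown status returned from New-KFIISSiteBinding: " + status);
+break;
+}
+}
+else
+{
+_logger.LogWarning("Unexpected object returned from PowerShell.");
+psResult = OrchestratorJobStatusJobResult.Unknown;
+}
+}
+else
+{
+_logger.LogWarning("PowerShell script returned with no results.");
+psResult = OrchestratorJobStatusJobResult.Unknown;
+}
+
+jobResult = new JobResult
+{
+Result = psResult,
+JobHistoryId = config.JobHistoryId,
+FailureMessage = failureMessage
+};
 break;
+
 case CertStoreBindingTypeENUM.WinSQL:
 // Bind Certificate to SQL Instance
 string sqlInstanceNames = "MSSQLSERVER";
@@ -139,18 +198,26 @@ public JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submit
 sqlInstanceNames = config.JobProperties["InstanceName"]?.ToString() ?? "MSSQLSERVER";
 }
 WinSqlBinding.BindSQLCertificate(_psHelper, sqlInstanceNames, thumbprint, "", storePath, false);
+
+jobResult = new JobResult
+{
+Result = OrchestratorJobStatusJobResult.Success,
+JobHistoryId = config.JobHistoryId,
+FailureMessage = ""
+};
+
 break;
 }
-
 }
-
-jobResult = new JobResult
+else
 {
-Result = OrchestratorJobStatusJobResult.Success,
-JobHistoryId = config.JobHistoryId,
-FailureMessage = ""
-};
-
+jobResult = new JobResult
+{
+Result = OrchestratorJobStatusJobResult.Failure,
+JobHistoryId = config.JobHistoryId,
+FailureMessage = "There was no thumbprint to bind."
+};
+}
 }
 else
 {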
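Review bot: The WinSQL branch in the last hunk still reports `OrchestratorJobStatusJobResult.Success` unconditionally after `WinSqlBinding.BindSQLCertificate(...)`, while the WinIIS branch in the second hunk now inspects the PowerShell result object and maps its Status to Success/Warning/Failure. If BindSQLCertificate returns a result collection like BindCertificate does, it should be parsed the same way; if it does not, a comment such as `// Success here only means the binding script ran; the SQL binding itself is not verified` would stop readers from assuming parity between the two paths. The status-mapping block in the second hunk (status, code, step, message, errorMessage and the switch) is a natural candidate for a private helper returning the result and failure message so both branches can share it. The `using System.Numerics;` added in the first hunk is not referenced by anything visible in these hunks and looks like an IDE auto-import. PerformReEnrollment starts before the second hunk and continues past the last one.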

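--- a/IISU/ImplementedStoreTypes/WinIIS/IISBindingInfo.cs
+++ b/IISU/ImplementedStoreTypes/WinIIS/IISBindingInfo.cs
@@ -16,8 +16,10 @@
 
 // 021225 rcp 2.6.0 Cleaned up and verified code
 
+using Markdig.Syntax;
 using System;
 using System.Collections.Generic;
+using System.Web.Services.Description;
 
 namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU
 {
@@ -29,6 +31,12 @@ public class IISBindingInfo
 public string Port { get; set; }
 public string? HostName { get; set; }
 public string SniFlag { get; set; }
+public string Thumbprint { get; private set; }
+
+public IISBindingInfo()
+{
+
+}
 
 public IISBindingInfo(Dictionary<string, object> bindingInfo)
 {
@@ -40,15 +48,44 @@ public IISBindingInfo(Dictionary<string, object> bindingInfo)
 SniFlag = MigrateSNIFlag(bindingInfo["SniFlag"].ToString());
 }
 
+public static IISBindingInfo ParseAliaseBindingString(string alias)
+{
+if (string.IsNullOrWhiteSpace(alias))
+throw new ArgumentException("Alias cannot be null or empty.", nameof(alias));
+
+var parts = alias.Split(':');
+if (parts.Length < 4 || parts.Length > 5)
+throw new FormatException("Alias must be in the format of Thumbprint:IPAddress:Port[:Hostname]");
+
+return new IISBindingInfo
+{
+Thumbprint = parts[0],
+SiteName = parts[1],
+IPAddress = parts[2],
+Port = parts[3],
+HostName = parts.Length == 5 ? parts[4] : null
+};
+}
+
+
 private string MigrateSNIFlag(string input)
 {
-// Check if the input is numeric, if so, just return it as an integer
 if (int.TryParse(input, out int numericValue))
 {
 return numericValue.ToString();
 }
 
-if (string.IsNullOrEmpty(input)) { throw new ArgumentNullException("SNI/SSL Flag", "The SNI or SSL Flag flag must not be empty or null."); }
+if (string.IsNullOrEmpty(input))
+throw new ArgumentNullException("SNI/SSL Flag", "The SNI or SSL Flag must not be empty or null.");
+
+// Normalize input
+var trimmedInput = input.Trim().ToLowerInvariant();
+
+// Handle boolean values
+if (trimmedInput == "true")
+return "1";
+if (trimmedInput == "false")
+return "0";
 
 // Handle the string cases
 switch (input.ToLower())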
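Review bot: The FormatException message in ParseAliaseBindingString does not match what the method actually parses: it reads parts[1] as SiteName and requires four or five parts, so the message should be `throw new FormatException("Alias must be in the format of Thumbprint:SiteName:IPAddress:Port[:Hostname]");`. Splitting on ':' also means any field containing a colon (an IPv6 binding address, if those can occur in an alias) fails the part-count check, which is worth either documenting on the method or handling explicitly. Later in the same hunk MigrateSNIFlag normalizes into `trimmedInput`, but the following `switch (input.ToLower())` still switches on the untrimmed, culture-sensitive form; `switch (trimmedInput)` would keep the two consistent (the method's body continues outside the hunk). The method name itself carries a typo (Aliase), and since it is new in this commit, renaming it to ParseAliasBindingString now is cheap. The `using Markdig.Syntax;` and `using System.Web.Services.Description;` directives in the first hunk are not referenced by anything visible and look like IDE auto-imports; dropping them avoids carrying an unneeded assembly dependency in the extension.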

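--- a/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs
+++ b/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs
@@ -107,7 +107,7 @@ public JobResult ProcessJob(InventoryJobConfiguration jobConfiguration, SubmitIn
 {
 _logger.LogTrace(LogHandler.FlattenException(ex));
 
-var failureMessage = $"Inventory job failed for Site '{jobConfiguration.CertificateStoreDetails.StorePath}' on server '{jobConfiguration.CertificateStoreDetails.ClientMachine}' with error: '{LogHandler.FlattenException(ex)}'";
+var failureMessage = $"Inventory job failed for Site '{jobConfiguration.CertificateStoreDetails.StorePath}' on server '{jobConfiguration.CertificateStoreDetails.ClientMachine}' with error: '{ex.Message}'";
 _logger.LogWarning(failureMessage);
 
 return new JobResult
@@ -164,7 +164,7 @@ public List<CurrentInventoryItem> QueryIISCertificates(RemoteSettings settings)
 new CurrentInventoryItem
 {
 Certificates = new[] {cert.CertificateBase64 },
-Alias = cert.Thumbprint + ":" + cert.Binding?.ToString(),
+Alias = cert.Thumbprint + ":" + cert.SiteName + ":" + cert.Binding?.ToString(),
 PrivateKeyEntry = cert.HasPrivateKey,
 UseChainLevel = false,
 ItemStatus = OrchestratorInventoryItemStatus.Unknown,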
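Review bot: The alias built on the changed line of the second hunk, `cert.Thumbprint + ":" + cert.SiteName + ":" + cert.Binding?.ToString()`, is the producer side of the format that IISBindingInfo.ParseAliaseBindingString consumes, and neither side references the other; a comment such as `// Alias format Thumbprint:SiteName:IP:Port[:Hostname] — keep in sync with IISBindingInfo.ParseAliaseBindingString` would tie them together. When `cert.Binding` is null the alias ends in a trailing ':' with only three parts, which that parser rejects; if a null binding is possible here, it is worth deciding whether such items should be emitted at all. The first hunk's switch from `LogHandler.FlattenException(ex)` to `ex.Message` in the failure message loses nothing, since the flattened exception is still written to the trace log two lines above. QueryIISCertificates and ProcessJob both extend beyond their hunks.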
