Merge pull request #15275 from Cryptophobia/devel

Update ConfigureRemotingForAnsible.ps1

docsite/rst/intro_windows.rst

@@ -217,6 +217,9 @@ Pass the -CertValidityDays option to customize the expiration date of the genera
 Pass the -SkipNetworkProfileCheck switch to configure winrm to listen on PUBLIC zone interfaces.  (Without this option, the script will fail if any network interface on device is in PUBLIC zone)
   powershell.exe -File ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck
 
+Pass the -ForceNewSSLCert switch to force a new SSL certificate to be attached to an already existing winrm listener. (Avoids SSL winrm errors on syspreped Windows images after the CN changes)
+  powershell.exe -File ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert
+
 .. note::
    On Windows 7 and Server 2008 R2 machines, due to a bug in Windows
    Management Framework 3.0, it may be necessary to install this

examples/scripts/ConfigureRemotingForAnsible.ps1

@@ -12,19 +12,26 @@
 # DOMAIN or PRIVATE zones.  Provide this switch if you want to enable winrm on
 # a device with an interface in PUBLIC zone.
 #
+# Set $ForceNewSSLCert if the system has been syspreped and a new SSL Cert
+# must be forced on the WinRM Listener when re-running this script. This
+# is necessary when a new SID and CN name is created.
+#
 # Written by Trond Hindenes <trond@hindenes.com>
 # Updated by Chris Church <cchurch@ansible.com>
 # Updated by Michael Crilly <mike@autologic.cm>
+# Updated by Anton Ouzounov <Anton.Ouzounov@careerbuilder.com>
 #
 # Version 1.0 - July 6th, 2014
 # Version 1.1 - November 11th, 2014
 # Version 1.2 - May 15th, 2015
+# Version 1.3 - April 4th, 2016
 
 Param (
     [string]$SubjectName = $env:COMPUTERNAME,
     [int]$CertValidityDays = 365,
     [switch]$SkipNetworkProfileCheck,
-    $CreateSelfSignedCert = $true
+    $CreateSelfSignedCert = $true,
+    [switch]$ForceNewSSLCert
 )
 
 Function New-LegacySelfSignedCert
@@ -147,6 +154,36 @@ If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"}))
 Else
 {
     Write-Verbose "SSL listener is already active."
+    
+    # Force a new SSL cert on Listener if the $ForceNewSSLCert
+    if($ForceNewSSLCert){
+        
+        # Create the new cert.
+        If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
+        {
+            $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
+            $thumbprint = $cert.Thumbprint
+            Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
+        }
+        Else
+        {
+            $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
+            Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
+        }
+
+        $valueset = @{}
+        $valueset.Add('Hostname', $SubjectName)
+        $valueset.Add('CertificateThumbprint', $thumbprint)
+
+        # Delete the listener for SSL
+        $selectorset = @{}
+        $selectorset.Add('Transport', 'HTTPS')
+        $selectorset.Add('Address', '*')
+        Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
+
+        # Add new Listener with new SSL cert
+        New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
+    }
 }
 
 # Check for basic authentication.