Merge pull request #15275 from Cryptophobia/devel
Update ConfigureRemotingForAnsible.ps1
commit
5825958a5a
2 changed files with 41 additions and 1 deletions
|
@ -217,6 +217,9 @@ Pass the -CertValidityDays option to customize the expiration date of the genera
|
|||
Pass the -SkipNetworkProfileCheck switch to configure winrm to listen on PUBLIC zone interfaces. (Without this option, the script will fail if any network interface on device is in PUBLIC zone)
|
||||
powershell.exe -File ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck
|
||||
|
||||
Pass the -ForceNewSSLCert switch to force a new SSL certificate to be attached to an already existing winrm listener. (Avoids SSL winrm errors on syspreped Windows images after the CN changes)
|
||||
powershell.exe -File ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert
|
||||
|
||||
.. note::
|
||||
On Windows 7 and Server 2008 R2 machines, due to a bug in Windows
|
||||
Management Framework 3.0, it may be necessary to install this
|
||||
|
|
|
@ -12,19 +12,26 @@
|
|||
# DOMAIN or PRIVATE zones. Provide this switch if you want to enable winrm on
|
||||
# a device with an interface in PUBLIC zone.
|
||||
#
|
||||
# Set $ForceNewSSLCert if the system has been syspreped and a new SSL Cert
|
||||
# must be forced on the WinRM Listener when re-running this script. This
|
||||
# is necessary when a new SID and CN name is created.
|
||||
#
|
||||
# Written by Trond Hindenes <trond@hindenes.com>
|
||||
# Updated by Chris Church <cchurch@ansible.com>
|
||||
# Updated by Michael Crilly <mike@autologic.cm>
|
||||
# Updated by Anton Ouzounov <Anton.Ouzounov@careerbuilder.com>
|
||||
#
|
||||
# Version 1.0 - July 6th, 2014
|
||||
# Version 1.1 - November 11th, 2014
|
||||
# Version 1.2 - May 15th, 2015
|
||||
# Version 1.3 - April 4th, 2016
|
||||
|
||||
Param (
|
||||
[string]$SubjectName = $env:COMPUTERNAME,
|
||||
[int]$CertValidityDays = 365,
|
||||
[switch]$SkipNetworkProfileCheck,
|
||||
$CreateSelfSignedCert = $true
|
||||
$CreateSelfSignedCert = $true,
|
||||
[switch]$ForceNewSSLCert
|
||||
)
|
||||
|
||||
Function New-LegacySelfSignedCert
|
||||
|
@ -147,6 +154,36 @@ If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"}))
|
|||
Else
|
||||
{
|
||||
Write-Verbose "SSL listener is already active."
|
||||
|
||||
# Force a new SSL cert on Listener if the $ForceNewSSLCert
|
||||
if($ForceNewSSLCert){
|
||||
|
||||
# Create the new cert.
|
||||
If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
|
||||
{
|
||||
$cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
|
||||
$thumbprint = $cert.Thumbprint
|
||||
Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
|
||||
}
|
||||
Else
|
||||
{
|
||||
$thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
|
||||
Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
|
||||
}
|
||||
|
||||
$valueset = @{}
|
||||
$valueset.Add('Hostname', $SubjectName)
|
||||
$valueset.Add('CertificateThumbprint', $thumbprint)
|
||||
|
||||
# Delete the listener for SSL
|
||||
$selectorset = @{}
|
||||
$selectorset.Add('Transport', 'HTTPS')
|
||||
$selectorset.Add('Address', '*')
|
||||
Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
|
||||
|
||||
# Add new Listener with new SSL cert
|
||||
New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
|
||||
}
|
||||
}
|
||||
|
||||
# Check for basic authentication.
|
||||
|
|
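Review bot: Inside the new `if($ForceNewSSLCert)` block the HTTPS listener is deleted with `Remove-WSManInstance` before `New-WSManInstance` runs, and neither call is checked, so a failure while binding the new certificate leaves the host without an HTTPS listener while the script carries on to the authentication checks. The certificate that was bound before also stays in `Cert:\LocalMachine\My` with its private key; on a sysprepped image that key is presumably identical on every clone, so it should be removed once the new listener is up. The block creates a certificate without consulting `$CreateSelfSignedCert` or `$CertValidityDays`, which the parameter list and the documentation suggest a caller can rely on. The enclosing `If`/`Else` begins outside the hunk, so the original creation path cannot be compared here.

```powershell
# … unchanged: certificate creation, $valueset …

$selectorset = @{}
$selectorset.Add('Transport', 'HTTPS')
$selectorset.Add('Address', '*')

# Record which certificate the listener uses before it is replaced.
$oldListener = Get-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
$oldThumbprint = $oldListener.CertificateThumbprint

Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
Try
{
    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset -ErrorAction Stop
}
Catch
{
    Throw "HTTPS listener was removed but could not be re-created: $($_.Exception.Message)"
}

# The previous certificate is no longer bound to the listener; drop it from the store.
# Assumes it lives in LocalMachine\My; best effort where the Cert: provider cannot delete.
If ($oldThumbprint -and ($oldThumbprint -ne $thumbprint))
{
    Remove-Item -Path "Cert:\LocalMachine\My\$oldThumbprint" -ErrorAction SilentlyContinue
}
```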