Merge pull request #283 from chocolatey/serviceCertificateThumbprint

(#281) Prevents Creation Of Unrequired Self-Signed Certificate

Author: ryanrichter94

README.md

@@ -125,7 +125,7 @@ Below are the minimum requirements for setting up your C4B server via this guide
     > <li>Creates a "choco-install" raw repository</li>
     > <li>Sets up "ChocolateyInternal" on C4B Server as source, with API key</li>
     > <li>Adds firewall rule for repository access</li>
-    > <li>Installs MS Edge, and disables first-run experience</li>
+    > <li>Installs MS Edge, as Internet Explorer cannot access the Sonatype Nexus site</li>
     > <li>Outputs data to a JSON file to pass between scripts</li>
     > </ul>
     > </details>

Set-SslSecurity.ps1

@@ -22,12 +22,12 @@ param(
     # Ignored if supplied alongside -Subject.
     [Parameter(ValueFromPipeline, ParameterSetName='Thumbprint')]
     [ArgumentCompleter({
-        Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
+        Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object {
             [System.Management.Automation.CompletionResult]::new(
                 $_.Thumbprint,
                 $_.Thumbprint,
-                'ParameterValue',
-                $_.FriendlyName
+                "ParameterValue",
+                ($_.Subject -replace "^CN=(?<FQDN>.+),?.*$",'${FQDN}')
             )
         }
     })]

Start-C4bCcmSetup.ps1

@@ -17,10 +17,21 @@ param(
     [System.Management.Automation.PSCredential]
     $DatabaseCredential = (Get-Credential -Username ChocoUser -Message 'Create a credential for the ChocolateyManagement DB user (document this somewhere)'),
 
-    #Certificate to use for CCM service
+    # Certificate to use for CCM service
     [Parameter()]
+    [Alias('CertificateThumbprint')]
+    [ArgumentCompleter({
+        Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object {
+            [System.Management.Automation.CompletionResult]::new(
+                $_.Thumbprint,
+                $_.Thumbprint,
+                "ParameterValue",
+                ($_.Subject -replace "^CN=(?<FQDN>.+),?.*$",'${FQDN}')
+            )
+        }
+    })]
     [String]
-    $CertificateThumbprint
+    $Thumbprint
 )
 process {
     $DefaultEap = $ErrorActionPreference
@@ -116,31 +127,27 @@ process {
     $hostName = [System.Net.Dns]::GetHostName()
     $domainName = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
 
-    if(-Not $hostName.endswith($domainName)) {
+    if (-not $hostName.EndsWith($domainName)) {
         $hostName += "." + $domainName
     }
 
     Write-Host "Installing Chocolatey Central Management Service"
-    if($CertificateThumbprint){
+    $chocoArgs = @('install', 'chocolatey-management-service', "--source='ChocolateyInternal'", '-y', "--package-parameters-sensitive=`"/ConnectionString:'Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User ID=$DatabaseUser;Password=$DatabaseUserPw;'`"", '--no-progress')
+    if ($Thumbprint) {
         Write-Verbose "Validating certificate is in LocalMachine\TrustedPeople Store"
-        if($CertificateThumbprint -notin (Get-ChildItem Cert:\LocalMachine\TrustedPeople | Select-Object -Expand Thumbprint)){
-            Write-Warning "You specified $CertificateThumbprint for use with CCM service, but the certificate is not in the required LocalMachine\TrustedPeople store!"
-            Write-Warning "Please place certificate with thumbprint: $CertificateThumbprint in the LocalMachine\TrustedPeople store and re-run this step"
-            throw "Certificate not in correct location....exiting."
-        } 
-        else {
+        if (-not (Get-Item Cert:\LocalMachine\TrustedPeople\$Thumbprint -EA 0) -and -not (Get-Item Cert:\LocalMachine\My\$Thumbprint -EA 0)) {
+            Write-Warning "You specified $Thumbprint for use with CCM service, but the certificate is not in the required LocalMachine\TrustedPeople store!"
+            Write-Warning "Please place certificate with thumbprint: $Thumbprint in the LocalMachine\TrustedPeople store and re-run this step"
+            throw "Certificate not in correct location... exiting."
+        } elseif ($MyCertificate = Get-Item Cert:\LocalMachine\My\$Thumbprint -EA 0) {
+            Write-Verbose "Copying certificate from 'Personal' store to 'TrustedPeople'"
+            Copy-CertToStore $MyCertificate
+        } else {
             Write-Verbose "Certificate has been successfully found in correct store"
-            $chocoArgs = @('install', 'chocolatey-management-service', '-y', "--package-parameters-sensitive='/ConnectionString:Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User Id=$DatabaseUser;Password=$DatabaseUserPw'")
-            & Invoke-Choco @chocoArgs
-
-            Set-CcmCertificate -CertificateThumbprint $CertificateThumbprint
         }
+        $chocoArgs += @("--package-parameters='/CertificateThumbprint=$Thumbprint'")
     }
-
-    else {
-        $chocoArgs = @('install', 'chocolatey-management-service', "--source='ChocolateyInternal'", '-y', "--package-parameters-sensitive=`"/ConnectionString:'Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User ID=$DatabaseUser;Password=$DatabaseUserPw;'`"", '--no-progress')
-        & Invoke-Choco @chocoArgs
-    }
+    & Invoke-Choco @chocoArgs
 
     Write-Host "Installing Chocolatey Central Management Website"
     $chocoArgs = @('install', 'chocolatey-management-web', "--source='ChocolateyInternal'", '-y', "--package-parameters-sensitive=""'/ConnectionString:Server=Localhost\SQLEXPRESS;Database=ChocolateyManagement;User ID=$DatabaseUser;Password=$DatabaseUserPw;'""", '--no-progress')

Start-C4bSetup.ps1

@@ -63,6 +63,16 @@ param(
     # the local machine certificate stores.
     # Only used in Unattend mode for the SSL setup script.
     [Parameter(ParameterSetName='Unattended')]
+    [ArgumentCompleter({
+        Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object {
+            [System.Management.Automation.CompletionResult]::new(
+                $_.Thumbprint,
+                $_.Thumbprint,
+                "ParameterValue",
+                ($_.Subject -replace "^CN=(?<FQDN>.+),?.*$",'${FQDN}')
+            )
+        }
+    })]
     [string]
     $Thumbprint,
 
@@ -150,16 +160,14 @@ try {
 
     # Kick off unattended running of remaining setup scripts.
     if ($Unattend) {
+        $Certificate = @{}
+        if ($Thumbprint) {$Certificate.Thumbprint = $Thumbprint}
+
         Set-Location "$env:SystemDrive\choco-setup\files"
         .\Start-C4BNexusSetup.ps1
-        .\Start-C4bCcmSetup.ps1 -DatabaseCredential $DatabaseCredential
+        .\Start-C4bCcmSetup.ps1 @Certificate -DatabaseCredential $DatabaseCredential
         .\Start-C4bJenkinsSetup.ps1
-        if ($Thumbprint) {
-            .\Set-SslSecurity.ps1 -Thumbprint $Thumbprint
-        }
-        else {
-            .\Set-SslSecurity.ps1
-        }
+        .\Set-SslSecurity.ps1 @Certificate
     }
 } finally {
     $ErrorActionPreference = $DefaultEap

scripts/Set-CCMCert.ps1

@@ -16,8 +16,19 @@ PS> .\Set-CCMCert.ps1 -CertificateThumbprint 'Your_Certificate_Thumbprint_Value'
 [CmdletBinding()]
 param(
     [Parameter(Mandatory)]
+    [Alias("CertificateThumbprint")]
+    [ArgumentCompleter({
+        Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object {
+            [System.Management.Automation.CompletionResult]::new(
+                $_.Thumbprint,
+                $_.Thumbprint,
+                "ParameterValue",
+                ($_.Subject -replace "^CN=(?<FQDN>.+),?.*$",'${FQDN}')
+            )
+        }
+    })]
     [String]
-    $CertificateThumbprint
+    $Thumbprint
 )
 
 begin {
@@ -41,14 +52,14 @@ process {
     #Add new CCM Web IIS Binding
         Write-Verbose "Adding new IIS binding to Chocolatey Central Management"
         $guid = [Guid]::NewGuid().ToString("B")
-        netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertificateThumbprint certstorename=MY appid="$guid"
+        netsh http add sslcert ipport=0.0.0.0:443 certhash=$Thumbprint certstorename=MY appid="$guid"
         Get-WebBinding -Name ChocolateyCentralManagement | Remove-WebBinding
         New-WebBinding -Name ChocolateyCentralManagement -Protocol https -Port 443 -SslFlags 0 -IpAddress '*'        
 
     #Write Thumbprint to CCM Service appsettings.json
         $appSettingsJson = 'C:\ProgramData\chocolatey\lib\chocolatey-management-service\tools\service\appsettings.json'
         $json = Get-Content $appSettingsJson | ConvertFrom-Json
-        $json.CertificateThumbprint = $CertificateThumbprint
+        $json.CertificateThumbprint = $Thumbprint
         $json | ConvertTo-Json | Set-Content $appSettingsJson -Force
 
     #Try Restarting CCM Service

scripts/Set-JenkinsCert.ps1

@@ -11,7 +11,19 @@
 param(
     # Thumbprint of the certificate stored in the Trusted People cert-store.
     [Parameter(Mandatory)]
-    [string]$Thumbprint,
+    [Alias("CertificateThumbprint")]
+    [ArgumentCompleter({
+        Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object {
+            [System.Management.Automation.CompletionResult]::new(
+                $_.Thumbprint,
+                $_.Thumbprint,
+                "ParameterValue",
+                ($_.Subject -replace "^CN=(?<FQDN>.+),?.*$",'${FQDN}')
+            )
+        }
+    })]
+    [String]
+    $Thumbprint,
 
     # Port number to use for Jenkins HTTPS.
     [uint16]$Port = 7443

scripts/Set-NexusCert.ps1

@@ -18,7 +18,18 @@ PS> .\Set-NexusCert.ps1 -Thumbprint 'Your_Certificate_Thumbprint_Value' -NexusPo
 [CmdletBinding()]
 param(
     [Parameter(Mandatory)]
-    [string]
+    [Alias("CertificateThumbprint")]
+    [ArgumentCompleter({
+        Get-ChildItem Cert:\LocalMachine\TrustedPeople | ForEach-Object {
+            [System.Management.Automation.CompletionResult]::new(
+                $_.Thumbprint,
+                $_.Thumbprint,
+                "ParameterValue",
+                ($_.Subject -replace "^CN=(?<FQDN>.+),?.*$",'${FQDN}')
+            )
+        }
+    })]
+    [String]
     $Thumbprint,
 
     [Parameter()]