Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to create the Icinga for Windows certificate file "icingaforwindows.pfx". #724

Closed
drapiti opened this issue Apr 12, 2024 · 3 comments · Fixed by #726
Closed

Unable to create the Icinga for Windows certificate file "icingaforwindows.pfx". #724

drapiti opened this issue Apr 12, 2024 · 3 comments · Fixed by #726
Assignees
@LordHepipud
Labels
Bug There is an issue present Investigation The team is looking into the cause of the issue
Milestone
v1.12.3

Comments

@drapiti
Copy link

drapiti commented Apr 12, 2024

@LordHepipud using the latest framework 1.12.3 on some windows servers we are seeing the following error message when installing IcingaForWindows using the automated self service script.
Error:
image

Any idea what the problem may be?
@LordHepipud
Copy link
Collaborator

It looks like you have a different certutil installed on your system which seems to work different then the default Windows version.

Can you please check with this command, which binaries are found?

Get-Command certutil;

On my machines it will return

CommandType     Name                                               Version    Source                                                                                                
-----------     ----                                               -------    ------                                                                                                
Application     certutil.exe                                       10.0.20... C:\Windows\system32\certutil.exe

Maybe I should always enforce the binary at system32 and not expect the PowerShell to locate the correct one.

Can you please try on this quick patch on one of those machines:

  1. Navigate to
lib/webserver/ConvertTo-IcingaX509Certificate.psm1
  1. Open it with an administrative text editor and replace
    if (-Not (Test-Path $TargetFile) -Or $TempFile -Or $Force) {
        Write-Output "$Password
        $Password" | certutil -mergepfx "$CertFile" "$TargetFile" | Set-Variable -Name 'CertUtilOutput';
    }
  1. With this:
    if (-Not (Test-Path $TargetFile) -Or $TempFile -Or $Force) {
        Write-Output "$Password
        $Password" | & 'C:\Windows\system32\certutil.exe' -mergepfx "$CertFile" "$TargetFile" | Set-Variable -Name 'CertUtilOutput';
    }
  1. Afterwards save the file and rebuild the Icinga for Windows cache
icinga -Shell -RebuildCache;
  1. Try to install the certificate now
Install-IcingaForWindowsCertificate;

Does this resolve the issue? In case it does, I will provide a patch for 1.12.3. Please try this as well on Windows machines where it is currently working, to ensure we don't break anything.

@LordHepipud LordHepipud added this to the v1.12.3 milestone Apr 12, 2024
@LordHepipud LordHepipud added the Bug There is an issue present label Apr 12, 2024
@LordHepipud LordHepipud self-assigned this Apr 12, 2024
@LordHepipud LordHepipud mentioned this issue Apr 12, 2024
Merged
@LordHepipud LordHepipud added the Investigation The team is looking into the cause of the issue label Apr 12, 2024
@drapiti
Copy link
Author

drapiti commented Apr 12, 2024

It looks like you have a different certutil installed on your system which seems to work different then the default Windows version.

Can you please check with this command, which binaries are found?

Get-Command certutil;

On my machines it will return

CommandType     Name                                               Version    Source                                                                                                
-----------     ----                                               -------    ------                                                                                                
Application     certutil.exe                                       10.0.20... C:\Windows\system32\certutil.exe

Maybe I should always enforce the binary at system32 and not expect the PowerShell to locate the correct one.

Can you please try on this quick patch on one of those machines:

  1. Navigate to
lib/webserver/ConvertTo-IcingaX509Certificate.psm1
  1. Open it with an administrative text editor and replace
    if (-Not (Test-Path $TargetFile) -Or $TempFile -Or $Force) {
        Write-Output "$Password
        $Password" | certutil -mergepfx "$CertFile" "$TargetFile" | Set-Variable -Name 'CertUtilOutput';
    }
  1. With this:
    if (-Not (Test-Path $TargetFile) -Or $TempFile -Or $Force) {
        Write-Output "$Password
        $Password" | & 'C:\Windows\system32\certutil.exe' -mergepfx "$CertFile" "$TargetFile" | Set-Variable -Name 'CertUtilOutput';
    }
  1. Afterwards save the file and rebuild the Icinga for Windows cache
icinga -Shell -RebuildCache;
  1. Try to install the certificate now
Install-IcingaForWindowsCertificate;

Does this resolve the issue? In case it does, I will provide a patch for 1.12.3. Please try this as well on Windows machines where it is currently working, to ensure we don't break anything.

Yes so you are spot on there is a third party certutil:
image

Tested your solution and it does resolve the issue.
I will post back if I have issues on other servers will update the local repo.

@drapiti
Copy link
Author

drapiti commented Apr 16, 2024

All ok so far with this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@LordHepipud LordHepipud

Labels
Bug There is an issue present Investigation The team is looking into the cause of the issue
Projects
None yet
Milestone
v1.12.3
2 participants
@drapiti @LordHepipud