Certificate being installed in the wrong store's environment. #566

Closed
ckoenig673 opened this issue Jul 2, 2018 · 12 comments · Fixed by chef/win32-certstore#37


@ckoenig673

Cookbook version

[4.3.1]

Chef-client version

[13.2.20]

Platform Details

[Windows 2012]

Scenario:

[When using the windows_certificate package, the certificate is not being added to the local computer store. It is always being added to the user store]

Steps to Reproduce:

windows_certificate "D:/support/pfxfilename.pfx" do
  store_name "MY"
  pfx_password "pfxpassword"
  user_store false
end

Expected Result:

[I am expecting the certificate to be installed in the personal local computer store vs the user store]

Actual Result:

[Certificate is installed in the local user store.]

@piyushawasthi
Contributor

Hi @ckoenig673: This issue is fixed in PR: chef/win32-certstore#37

@silverl

silverl commented Jul 18, 2018

Just hit this myself. Looking forward to the merge/release.

@silverl

silverl commented Jul 19, 2018

I just tested windows 4.3.4 against my VM, and the certificate is still ending up in the User store, not the Local Machine store.

My chef-client.log definitely indicates windows cookbook version 4.3.4.

[2018-07-19T10:19:31-04:00] INFO: Loading cookbooks [[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]]
[2018-07-19T10:19:37-04:00] INFO: Fetching gem metadata from https://www.rubygems.org/..........

Here's my code for installing the cert:

windows_certificate decoded_path do
  action :create
  pfx_password vault['encryption_cert_password']
  store_name 'MY'
  user_store false
  private_key_acl ['IIS_IUSRS', node['app_server']['syncqueue-user'], node['app_server']['aws-apppool-user']]
end

Platform Details:
Windows Server 2016 Standard
chef-client: Chef: 14.3.37

@tas50 tas50 reopened this Jul 19, 2018
@tas50
Contributor

tas50 commented Jul 19, 2018

Still an issue with the latest code

@btm
Contributor

btm commented Jul 19, 2018

@silverl can you confirm what version of the win32-certstore gem is on this system?

C:\opscode\chef\embedded\bin\gem.bat list win32-certstore

It needs to be 0.1.7 which was released yesterday. I'm not sure that the cookbook necessarily would update it, it looks like the chef_gem resource in the windows cookbook is using the :install action and not the :upgrade action.

@silverl

silverl commented Jul 19, 2018

Hmm, I'm getting an empty list back. I'm using ChefDK so I changed the path to embedded.

PS C:\> C:\opscode\chefdk\embedded\bin\gem.bat list win32-certstore

*** LOCAL GEMS ***

I use Policyfiles, if that makes a difference.

@btm
Contributor

btm commented Jul 19, 2018

@silverl how are you running chef-client? running chef-client out of C:\opscode\chefdk\bin directly, or using a scheduled task, or using chef-apply, or? Can you share the whole command you're running for clarity?

@silverl

silverl commented Jul 19, 2018

Yes, running chef-client directly, on a new VM after a fresh provisioning using knife bootstrap windows winrm.

@btm
Contributor

btm commented Jul 19, 2018

@silverl oh, knife bootstrap should be installing the Chef Client on that VM, it's that install of chef-client that we're interested in, not one on your workstation that you're booting with. Can you run C:\opscode\chef\embedded\bin\gem.bat list win32-certstore on that system?

@silverl

silverl commented Jul 19, 2018

Came back with win32-certstore (0.1.3)

@amcappelli

I have the same problem with #561 and not getting the latest gem, and confirmed changing https://github.com/chef-cookbooks/windows/blob/v4.3.4/resources/certificate.rb#L96 to :upgrade fixes the issue

@tas50
Contributor

tas50 commented Sep 6, 2018

This will be fixed by the new version of the Windows cookbook that ships today.

@tas50 tas50 closed this as completed Sep 6, 2018
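
The version check worked through in this thread, as an added example that is not part of the original issue or of the cookbook's code: it classifies the output of `gem.bat list win32-certstore` against the 0.1.7 release the thread says is required. The function names, status symbols and sample outputs are assumptions made for illustration.

```ruby
# Added example: classify `gem list win32-certstore` output against the
# 0.1.7 release that the thread says is required for the store fix.
require 'rubygems'

FIXED_VERSION = Gem::Version.new('0.1.7') # version named in the thread

# Return every installed version of gem_name found in `gem list` output.
# A matching line looks like "win32-certstore (0.1.7, 0.1.3)"; an entry may
# carry a "default: " prefix or a trailing platform such as "x64-mingw32".
def installed_versions(gem_list_output, gem_name = 'win32-certstore')
  gem_list_output.each_line.flat_map do |line|
    match = line.strip.match(/\A#{Regexp.escape(gem_name)} \((.+)\)\z/)
    next [] unless match

    match[1].split(',').map do |entry|
      Gem::Version.new(entry.strip.sub(/\Adefault: /, '').split.first)
    end
  end
end

# :missing  -> gem not present in the Ruby install that was queried
#              (for example the ChefDK gem.bat instead of the node's)
# :outdated -> only releases older than FIXED_VERSION are installed
# :fixed    -> FIXED_VERSION or newer is installed
def certstore_status(gem_list_output)
  versions = installed_versions(gem_list_output)
  return :missing if versions.empty?

  versions.max >= FIXED_VERSION ? :fixed : :outdated
end

# Constructed samples modelled on the outputs quoted in the thread.
SAMPLES = {
  'ChefDK embedded Ruby' => "\n*** LOCAL GEMS ***\n\n",
  'node with old gem' => "\n*** LOCAL GEMS ***\n\nwin32-certstore (0.1.3)\n",
  'node after upgrade' => "\n*** LOCAL GEMS ***\n\nwin32-certstore (0.1.7, 0.1.3)\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |label, out| puts "#{label}: #{certstore_status(out)}" }
end
```

Feed it the output of the `gem.bat` that belongs to the chef-client install on the node; a `:missing` result usually means a different Ruby install was queried.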