SNI: Server Name Indication support #246

Open
ruicovelo opened this issue Feb 10, 2016 · 12 comments
Comments

@ruicovelo

As far as I can tell, there is no support for sslFlags and therefore no support for Server Name Indication.

Would you like to have it? I could have a crack at it since I need it for myself.

@EasyAsABC123
Contributor

@ruicovelo you are absolutely correct; currently this cookbook contains no SSL cert abilities and thereby doesn't support SNI either. Feel free to take a swing at it and then submit a pull request.

@EasyAsABC123
Contributor

@ruicovelo any news on this?

@ruicovelo
Author

I did create code for this but was under pressure myself to get it in production, so I didn't get around to curating it to fit this project. Allow me some time to see if I can do that now. I'll get back to you if I can't.

@EasyAsABC123
Contributor

@ruicovelo thanks, I appreciate it.

@ruicovelo
Author

ruicovelo commented May 31, 2017

I'm struggling to understand where I should fit my code and even if I should fit it at all. It apparently would make sense to fit it into the site.rb resource, but I went down a completely different path.

I currently have a binding.rb resource and binding.rb provider. The code uses PowerShell and requires the WebAdministration module (Windows 2008 R2 and up).

By reading the site.rb I gathered that it allows changing existing bindings. My code requires you to delete the bindings and add them again.

binding.rb resource

Does it make any sense to include it this way? What could I do to fit it better?
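An added example of the delete-and-re-add approach described in the comment above, using the WebAdministration module. It is not ruicovelo's code, which is not shown in this thread. The site name, host name and thumbprint are placeholders, and the `-SslFlags` parameter assumes IIS 8.0 or later, where SNI was introduced.

```powershell
# Added example: all names and values below are placeholders, not taken from the thread.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'               # assumed site name
$HostName   = 'www.example.com'                # assumed host header for the SNI binding
$Port       = 443
$Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'  # thumbprint of a cert in LocalMachine\My

# Fail early if the certificate is not in the machine store or has no private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key and cannot be bound for TLS."
}

# Delete the existing https binding for this host name, if there is one.
$existing = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
if ($existing) {
    Remove-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
}

# Re-create it with SslFlags 1, the "Require Server Name Indication" setting.
New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*' `
    -HostHeader $HostName -SslFlags 1

# Attach the certificate to the new binding from the LocalMachine\My store.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
$binding.AddSslCertificate($Thumbprint, 'My')

# Confirm that HTTP.sys now holds a hostname:port entry rather than an ip:port entry.
netsh http show sslcert hostnameport="${HostName}:$Port"
```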

@EasyAsABC123
Contributor

@ruicovelo yeah, that makes it much more difficult. Is all this a specific binding? Because we can do that with iis_site's binding property. Or add one for SNI that does some magic if needed.

@ruicovelo
Author

I reviewed the code and I think I can use the binding property. I'll try to do that.

@thomppg

thomppg commented Feb 26, 2018

Hello, any update on this, or suggestions on how to enable SNI on bindings in my recipe?

@EasyAsABC123
Contributor

@thomppg the OP said he would use bindings, so I'm assuming, given the amount of time passed, that he did. I don't know how to enable SNI but maybe someone will be able to assist you.

@ruicovelo
Author

Sorry, I was only able to implement this using PowerShell and the WebAdministration module, which is a completely different solution than this cookbook uses (appcmd.exe ?). So I wasn't able to fit my code in the iis cookbook without making some deep changes to it and wasn't able to get sslflags working with appcmd.exe.

@EasyAsABC123
Contributor

EasyAsABC123 commented Feb 28, 2018

@ruicovelo no worries, this whole cookbook needs to be rewritten using the DSC PowerShell from Microsoft.

@ghost

ghost commented Aug 13, 2020

Greetings. In case anyone else is attempting to bind a certificate using Chef and SNI, this is the sanitized error that I've been encountering. Took me a while to figure this out.

    ================================================================================
    Error executing action `create` on resource 'windows_certificate_binding[*.x.com]'
    ================================================================================

    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    Expected process to exit with [0], but received '1'
    ---- Begin output of C:\Windows\system32\netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=x appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=MY ----
    STDOUT: SSL Certificate add failed, Error: 1312
    A specified logon session does not exist. It may already have been terminated.
    STDERR:
    ---- End output of C:\Windows\system32\netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=x appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=MY ----
    Ran C:\Windows\system32\netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=x appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=MY returned 1

I determined that the error had to do with SNI because I was able to reproduce the error manually. In the IIS control panel, when I edit the binding, if I do NOT check the "Require Server Name Indication" box, I get the error above. As such, if I check the box, the binding to the certificate works fine, and that eventually led me to this issue.

Hope this helps anyone who may run into this issue in the future.
