Description
Details of the scenario you tried and the problem that is occurring
When using this DSC with Ansible, Offline Root CA setup runs fine, but EnterpriseSubordinateCA doesn't.
I tried to get this DSC to run as a PS script but I was unable to get it working (my fault, not this DSC's).
Verbose logs showing the problem
This is the output of Ansible running the playbook with -vvv:
TASK [windows : Windows | AdcsCertificationAuthority DSC | Configure AdcsCertificationAuthority] *********************************************************************************
task path: /etc/ansible/roles/windows/tasks/ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml:40
Monday 19 September 2022 16:25:15 -0300 (0:00:49.671) 0:16:19.242 ******
Using module file /home/ansible/.ansible/collections/ansible_collections/ansible/windows/plugins/modules/win_dsc.ps1
Pipelining is enabled.
<172.22.33.21> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5985 TO 172.22.33.21
EXEC (via pipeline wrapper)
ok: [172.22.33.21] => {
"changed": false,
"invocation": {
"module_args": {
"CACommonName": "MyLDomain Enterprise CA 01",
"CADistinguishedNameSuffix": "DC=ad,DC=mylocaldomain,DC=com,DC=br",
"CAType": "EnterpriseSubordinateCA",
"CertFile": null,
"CertFilePassword_password": null,
"CertFilePassword_username": null,
"CertificateID": null,
"Credential_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"Credential_username": "[email protected]",
"CryptoProviderName": "RSA#Microsoft Software Key Storage Provider",
"DatabaseDirectory": null,
"DependsOn": null,
"Ensure": "Present",
"HashAlgorithmName": "SHA256",
"IgnoreUnicode": null,
"IsSingleInstance": "Yes",
"KeyContainerName": null,
"KeyLength": 2048,
"LogDirectory": null,
"OutputCertRequestFile": "C:\\subca-eca01.req",
"OverwriteExistingCAinDS": true,
"OverwriteExistingDatabase": null,
"OverwriteExistingKey": null,
"ParentCA": null,
"PsDscRunAsCredential_password": null,
"PsDscRunAsCredential_username": null,
"ValidityPeriod": "Years",
"ValidityPeriodUnits": 5,
"module_version": "latest",
"resource_name": "AdcsCertificationAuthority"
}
},
"module_version": "5.0.0",
"reboot_required": false,
"verbose_test": [
"Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceTest,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.",
"An LCM method call arrived from computer ECA01 with user sid S-1-5-21-967091583-3247568768-1330645744-1000.",
"[ECA01]: LCM: [ Start Test ] [[AdcsCertificationAuthority]DirectResourceAccess]",
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: Testing ADCS EnterpriseSubordinateCA Status.",
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Calling InitializeDefaults method on the setup object.",
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Certification Authority will be installed with a new key.",
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Setting the AllowAdministratorInteraction property to False.",
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Setting the CAType property to EnterpriseSubordinateCA.",
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Setting the ValidityPeriodUnits property to 5.",
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: ADCS EnterpriseSubordinateCA is installed and should be. Change not required.",
"[ECA01]: LCM: [ End Test ] [[AdcsCertificationAuthority]DirectResourceAccess] True in 0.7500 seconds.",
"[ECA01]: LCM: [ End Set ] in 0.7970 seconds.",
"Operation 'Invoke CimMethod' complete.",
"Time taken for configuration job to complete is 1.029 seconds"
]
}
META: role_complete for 172.22.33.21
The issue is that DSC thinks it is already OK:
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: ADCS EnterpriseSubordinateCA is installed and should be. Change not required.",
Here are my roles/playbook tasks:
role: windows/ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml
---
#DOC: https://github.com/dsccommunity/ActiveDirectoryCSDsc/wiki/AdcsCertificationAuthority
- name: Windows | ActiveDirectoryCSDsc DSC | Assert that ActiveDirectoryCSDsc module is installed
  community.windows.win_psmodule:
    name: ActiveDirectoryCSDsc
    #accept_license: true
    minimum_version: "5.0.0"
    repository: PSGallery
    state: present

- block:
    - name: Read CAPolicy.inf template
      set_fact:
        tpl_content: "{{ lookup('ansible.builtin.template', 'rootca_CApolicy.inf.j2') }}"
    - name: Create root CA CAPolicy.inf in host machine
      ansible.windows.win_copy:
        content: "{{ tpl_content }}"
        dest: C:\Windows\CAPolicy.inf
  when: adcs_catype == 'StandaloneRootCA'

- block:
    - name: Read CAPolicy.inf template
      set_fact:
        tpl_content: "{{ lookup('ansible.builtin.template', 'esca_CApolicy.inf.j2') }}"
    - name: Create CA CAPolicy.inf in host machine
      ansible.windows.win_copy:
        content: "{{ tpl_content }}"
        dest: C:\Windows\CAPolicy.inf
  when: adcs_catype == 'EnterpriseSubordinateCA'

- name: Enable ADCS Feature
  win_feature:
    name: ADCS-Cert-Authority
    include_management_tools: true #RSAT-ADCS

- name: Windows | AdcsCertificationAuthority DSC | Configure AdcsCertificationAuthority
  ansible.windows.win_dsc:
    resource_name: AdcsCertificationAuthority
    Ensure: Present
    IsSingleInstance: "Yes"
    CAType: "{{ adcs_catype }}" #one of EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA
    #Credential: "{{ adcs_creds }}" # Reuse winRM credentials
    Credential_username: "{{ adcs_username | default(ansible_user) }}"
    Credential_password: "{{ adcs_password | default(ansible_password) }}"
    CACommonName: "{{ adcs_cn }}"
    CADistinguishedNameSuffix: "{{ adcs_dnsuffix }}"
    CertFile: "{{ adcs_certfile | default(omit) }}"
    # CertFilePassword is a PSCredential property; win_dsc takes it as CertFilePassword_username /
    # CertFilePassword_password (see module_args in the -vvv output), like Credential above.
    CertFilePassword: "{{ adcs_certpass | default(omit) }}"
    CertificateID: "{{ adcs_certid | default(omit) }}"
    CryptoProviderName: "{{ adcs_crypto_provider | default('RSA#Microsoft Software Key Storage Provider') }}"
    DatabaseDirectory: "{{ adcs_dbdir | default(omit) }}" # Default C:\Windows\System32\CertLog
    HashAlgorithmName: "{{ adcs_hash }}"
    IgnoreUnicode: "{{ adcs_ignore_unicode | default(omit) }}"
    KeyContainerName: "{{ adcs_key_container | default(omit) }}"
    KeyLength: "{{ adcs_keylength }}"
    LogDirectory: "{{ adcs_logdir | default(omit) }}" # Default C:\Windows\System32\CertLog
    OutputCertRequestFile: "{{ adcs_csr_file | default(omit) }}"
    OverwriteExistingCAinDS: "{{ adcs_overwrite_ca | default(omit) }}"
    OverwriteExistingDatabase: "{{ adcs_overwrite_db | default(omit) }}"
    OverwriteExistingKey: "{{ adcs_overwrite_key | default(omit) }}"
    ParentCA: "{{ adcs_parentca | default(omit) }}"
    ValidityPeriod: "{{ adcs_validity_period | default('Years') }}" #Hours, Days, Months, Years
    ValidityPeriodUnits: "{{ adcs_validity_units }}"
My playbook task section:
# - name: Setup Enterprise CA ( Works fine )
#   ansible.windows.win_shell: |
#     Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithm SHA256 -CACommonName "{{ eca01_cn }}" -CADistinguishedNameSuffix "{{ domain_dn }}" -OutputCertRequestFile C:\subca-eca01.req -Force

- name: Setup Enterprise CA ( does not work )
  include_role:
    name: windows
    tasks_from: ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml
  vars:
    adcs_catype: EnterpriseSubordinateCA
    adcs_username: "ansible@{{ guest_domain }}"
    adcs_password: "%MYtesting-P@$$w0rd"
    # adcs_overwrite_ca: true #tried to force with no effect
    adcs_cn: "{{ eca01_cn }}"
    adcs_dnsuffix: "{{ domain_dn }}"
    adcs_crypto_provider: "RSA#Microsoft Software Key Storage Provider"
    adcs_hash: SHA256
    adcs_keylength: 2048
    adcs_csr_file: C:\subca-eca01.req
    adcs_validity_period: Years
    adcs_validity_units: 5
Suggested solution to the issue
The DSC configuration that is used to reproduce the issue (as detailed as possible)
The operating system the target node is running
OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Version and build of PowerShell the target node is running
Name Value
PSVersion 5.1.17763.2931
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.2931
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version of the DSC module that was used ('dev' if using current dev branch)
5.0.0
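One way to check whether the "Change not required" result above matches the server's real state, as an added diagnostic that is not code from the issue or from ActiveDirectoryCSDsc: it asks the resource the same Test question win_dsc did and then inspects the node's ADCS state independently. The CA properties are the ones from the -vvv output; prompting for the credential instead of reading it from Ansible is an assumption.

```powershell
# Added diagnostic, not part of the issue or of ActiveDirectoryCSDsc. Run in an elevated
# Windows PowerShell 5.1 session on the subordinate CA node (ECA01 in the report).
# It asks the resource the same question win_dsc did (Method Test) and then checks the
# machine's real ADCS state by other means, so the two answers can be compared.
Import-Module ActiveDirectoryCSDsc -MinimumVersion 5.0.0

# Properties copied from the win_dsc invocation in the -vvv output.
# Assumption: the account used for CA setup is prompted for rather than read from Ansible.
$props = @{
    IsSingleInstance          = 'Yes'
    Ensure                    = 'Present'
    CAType                    = 'EnterpriseSubordinateCA'
    CACommonName              = 'MyLDomain Enterprise CA 01'
    CADistinguishedNameSuffix = 'DC=ad,DC=mylocaldomain,DC=com,DC=br'
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'
    HashAlgorithmName         = 'SHA256'
    KeyLength                 = 2048
    OutputCertRequestFile     = 'C:\subca-eca01.req'
    ValidityPeriod            = 'Years'
    ValidityPeriodUnits       = 5
    Credential                = Get-Credential -Message 'Account used for CA setup'
}

# 1. What the resource reports. InDesiredState = True is the 'Change not required' result.
$test = Invoke-DscResource -Name AdcsCertificationAuthority -ModuleName ActiveDirectoryCSDsc `
    -Method Test -Property $props -Verbose
"Resource Test result: InDesiredState = $($test.InDesiredState)"

# 2a. Role binaries: 'Installed' is expected after the win_feature task, with or without
#     a configured CA, so on its own it says nothing about whether the CA exists.
$feature = Get-WindowsFeature -Name ADCS-Cert-Authority
"ADCS-Cert-Authority feature: $($feature.InstallState)"

# 2b. A configured CA writes its common name to the 'Active' value under CertSvc\Configuration;
#     an unconfigured role leaves that value absent.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$cfg = Get-ItemProperty -Path $cfgPath -ErrorAction SilentlyContinue
"Configured CA (Active): $(if ($cfg.Active) { $cfg.Active } else { '<none>' })"

# 2c. Service state and the request file a subordinate CA setup should have produced.
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
"CertSvc service: $(if ($svc) { $svc.Status } else { 'not present' })"
"Request file C:\subca-eca01.req present: $(Test-Path 'C:\subca-eca01.req')"

# Reading the result: InDesiredState = True together with Active = <none> and no request
# file means the resource's Test answers True for a CA that is not configured, which is
# the mismatch shown in the issue; True with Active set means the CA really was configured.
```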