DSC and HTTPS protocol problem

This topic contains 6 replies, has 3 voices, and was last updated by gizm0 2 years ago.

  • #20529
    gizm0
    Participant

    Has anyone tried to get a PowerShell DSC (Windows 2012 R2 & Reskit wave 8) pull server to work with HTTPS? I tried following these steps http://www.systemcentercentral.com/day-6-configuring-an-https-dsc-pull-server/, but when I ran Get-DscConfiguration on the pull server I got this error:

    "Get-DscConfiguration : The following exception occurred while retrieving the string: "Exception calling "ToString" with "0"
    argument(s): "There is no Runspace available to run scripts in this thread. You can provide one in the DefaultRunspace property of
    the System.Management.Automation.Runspaces.Runspace type. The script block you attempted to invoke was: if( $this.Proto...n)
    }""
    At line:1 char:1
    + Get-DscConfiguration
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Get-DscConfigurat
    ion], CimException
    + FullyQualifiedErrorId : MI RESULT 1,Get-DscConfiguration"

    It seems to be working without HTTPS by using unencrypted HTTP.

    Any idea what is wrong?

    Configuration can be found from here: http://pastebin.com/TXuDNRbP

  • #20654
    Don Jones
    Keymaster

    So, I'd need to see a bit more of what you're actually doing (you don't really mention at what point in the process this error is happening), and if you're following someone else's steps you might contact them about this, but in general, yes, I've set up DSC on several machines to use HTTPS for the pull server.

  • #20656
    gizm0
    Participant

    This is basically what I have done (same steps as in that article), step by step:
    - new virtual machine, Windows 2012 R2, for the pull server
    - new self-signed certificate on the same computer, and checked that the certificate is in the local machine store
    - enabled the DSC feature
    - downloaded and extracted xPSDesiredStateConfiguration to the modules directory %programfiles%\WindowsPowerShell\modules
    - enabled a WS-Management listener
    - ran this configuration in PowerShell: http://pastebin.com/TXuDNRbP
    - after this I tried to verify the configuration with the Get-DscConfiguration command on the pull server
    - this is the point where I get the error, after I ran the command above on the pull server

    I must be missing something, but what....?

  • #20657
    Don Jones
    Keymaster

    So, I'm not sure a self-signed cert would work. The target node has to "trust" the certificate presented by the web server, and by definition a self-signed cert is only trusted by the machine that generated the cert. So that wouldn't work for SSL. The SSL cert on the pull server needs to be a real SSL cert.

    But that's not necessarily the problem you're having, since you're not even getting the configuration to run. I'm not sure how you set up a WS-Man listener; it should have been sufficient to simply run Enable-PSRemoting. WS-Man doesn't need to be set up to use SSL.

    Are you able to manually verify that any of the config completed? Running Get-WindowsFeature should show the DSC service feature, for example, and you should be able to verify that the file paths contain the .svc files, and so on.
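
The trust requirement described in this reply can be checked on each machine. The following is an added example, not part of the original post and not code from the xPSDesiredStateConfiguration module; the function name `Test-PullServerCertificate`, its output fields, the `<THUMBPRINT>` placeholder and the `.cer` path are assumptions.

```powershell
# Added example: reports whether THIS machine trusts a given certificate and
# whether the certificate is usable as a web server (SSL) certificate.
function Test-PullServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Build the chain against this machine's certificate stores. Revocation
    # checking is switched off (assumption) so the check also runs in an isolated lab.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # A certificate without an EKU extension is not restricted to specific purposes;
    # otherwise it must list Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0)

    [pscustomobject]@{
        Thumbprint     = $Certificate.Thumbprint
        Subject        = $Certificate.Subject
        SelfSigned     = ($Certificate.Subject -eq $Certificate.Issuer)
        NotExpired     = ((Get-Date) -ge $Certificate.NotBefore -and (Get-Date) -le $Certificate.NotAfter)
        HasPrivateKey  = $Certificate.HasPrivateKey   # needed on the pull server only
        ServerAuthEku  = $serverAuth
        TrustedHere    = $trusted                      # must be True on every target node
        ChainStatus    = ($status -join ', ')          # e.g. UntrustedRoot
    }
}

# On the pull server (replace the placeholder with the CertificateThumbPrint value):
#   Test-PullServerCertificate (Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>')
# On a target node, against the exported public certificate (placeholder path):
#   $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\pullserver.cer'
#   Test-PullServerCertificate $cer
```

`TrustedHere` reflects only the machine the function runs on, so a node that reports `UntrustedRoot` for the pull server's certificate will reject the HTTPS connection regardless of what the pull server itself reports.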

  • #20663
    gizm0
    Participant

    That's true, if you use self-signed you have to have that same certificate on client side also.

    I have tried both set-wsmanquickconfig and enable-psremoting -force (see attachment).

    Get-windowsfeature returns this:
    Get-WindowsFeature -name DSC*

    Display Name                                            Name                       Install State
    ------------                                            ----                       -------------
    [X] Windows PowerShell Desired State Configurati...     DSC-Service                    Installed

    I tried setting up the DSC pull server without HTTPS and that seems to be working OK on the same server. When I change the "CertificateThumbPrint" value to use the certificate thumbprint it inserts the config OK, but Get-DscConfiguration shows the same error as before. So I figured out that there must be something that also needs to be changed when you change from HTTP to HTTPS.

  • #20669
    Dave Wyatt
    Moderator

    Could just be a bug in the xDscWebService resource. If I get some time, I'll see if I can reproduce this.

  • #20701
    gizm0
    Participant

    Thanks. Maybe it is something that I have missed with those steps....
