DSC Https Pull Server - An error occurred while sending the request


This topic contains 12 replies, has 4 voices, and was last updated by a Participant 1 month, 3 weeks ago.

  • #108143

    Participant
    Points: 21
    Rank: Member

    Hello,
    I've been struggling for two weeks with the DSC Pull Server configuration. I've had no success configuring an http/https pull server, either with the ConfigurationId approach or using ConfigurationNames.
    An SMB pull server was the only server configuration that worked for me, but I aspire to https.
    I've ruled out some common mistakes I've read about in other powershell.org posts, documentation and forums:

    • Checking that Remoting is enabled
    • Avoiding self-signed certificates (I used the IIS Management Console and a Root CA certificate to issue an appropriate server certificate)
    • Checking Windows Management Framework (WMF) versions for node-server incompatibilities
    • Checking that .Net Framework 4.5.2 or above is installed on Server 2012 so that WMF 5.1 works well
    • Verifying the web service, either using the Verify-DSCPullServer function or pasting the URL https://[pullserver]:8080/PSDSCPullServer.svc in the browser, then checking that there are no SSL warnings and the certificate is valid

    The following are the configurations of my server and nodes:
    Server 2012 + WMF 5.1
    Name                           Value
    ----                           -----
    PSVersion                      5.1.14409.1012
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.14409.1012
    CLRVersion                     4.0.30319.36440
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

    Client Windows 10 Pro 1709
    Name                           Value
    ----                           -----
    PSVersion                      5.1.16299.547
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.16299.547
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

    Configuration Id Approach

    1. Server Configuration
      I'm using xPSDesiredStateConfiguration 8.4.0.0 and the xDscWebService resource to configure the server, this way:

      configuration HTTPSPullServer
      {
      
          param
          (
              [string[]]$NodeName = 'localhost',
      
              [ValidateNotNullOrEmpty()]
              [string] $certificateThumbPrint
          )
      
          # Modules must exist on target pull server
          Import-DSCResource -ModuleName xPSDesiredStateConfiguration
      
          Node $NodeName
          {
              WindowsFeature DSCServiceFeature
              {
                  Ensure = "Present"
                  Name   = "DSC-Service"
              }
      
              #IIS Console
              WindowsFeature IISConsole {
                  Ensure = "Present"
                  Name   = "Web-Mgmt-Console"
              }
      
              xDscWebService PSDSCPullServer
              {
                  Ensure                  = "Present"
                  EndpointName            = "PSDSCPullServer"
                  Port                    = 8080
                  PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                  CertificateThumbPrint   = $certificateThumbPrint
                  ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                  ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                  State                   = "Started"
                  DependsOn               = "[WindowsFeature]DSCServiceFeature"
                  UseSecurityBestPractices = $true
              }
          }
      }
      
      HTTPSPullServer -NodeName vmdt01 -certificateThumbPrint '712FCD316ED524F785186DD144DD445A47CB66A5' -OutputPath E:\DSC\HTTPS\
      
      Start-DscConfiguration -ComputerName vmdt01 -Path E:\DSC\HTTPS -Verbose -Wait -Force
      

      (I've tried different combinations of the UseSecurityBestPractices and DisableSecurityBestPractices properties without success)

    2. Client LCM Configuration (Using ConfigurationId approach)

      [DSCLocalConfigurationManager()]
      Configuration PullW10ClientsConfigId
      {
          param
          (
              [Parameter(Mandatory=$true)]
              [string[]]$ComputerName,

              [Parameter(Mandatory=$true)]
              [string]$guid
          )

          Node $ComputerName {

              Settings {
                  RefreshMode          = 'Pull'
                  RefreshFrequencyMins = 30
                  ConfigurationMode    = 'ApplyAndAutoCorrect'
                  RebootNodeIfNeeded   = $true
                  ConfigurationID      = $guid
              }

              ConfigurationRepositoryWeb DSCHTTPS {
                  ServerURL     = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                  CertificateID = '712FCD316ED524F785186DD144DD445A47CB66A5'
              }

              ReportServerWeb ReportServer {
                  ServerURL               = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                  CertificateID           = '712FCD316ED524F785186DD144DD445A47CB66A5'
                  AllowUnsecureConnection = $True
              }
          }
      }
    3. Rename the MOF files to match the ConfigurationId and apply
      New-DscChecksum -Path "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
    4. When I try to do
      Update-DscConfiguration -ComputerName vcontab1-w10 -Wait -Verbose

      I get the following errors and stack trace on the event viewer:


      Trabajo {B3C00709-9C7A-11E8-ACE3-000C2991FEC5}:
      Comando Do-DscAction de WebDownloadManager para configuración e2665f67-3a61-4989-9870-616a065298d6, resultado de llamada GET:
      + FullyQualifiedErrorId : WebDownloadManagerGetActionFailed
      + CategoryInfo : InvalidResult: (:) [], InvalidOperationException
      + ExceptionMessage : No se pudo obtener la acción del servidor https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Action(ConfigurationId='e2665f67-3a61-4989-9870-616a065298d6')/GetAction.
      + InnerException : System.AggregateException: Se han producido uno o varios errores. ---> System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto
      en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
      en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
      en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
      en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
      en Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand.IssueRequest(IHttpClient client, String subLink, String& responseStatus, ErrorRecord& errorRecord)
      ---> (Nº de excepción interna 0) System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto
      en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
      en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
      en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
      en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---< ---

      The errors in English are:

      System.Net.Http.HttpRequestException: An error occurred while sending the request
      System.Net.WebException: The underlying connection was closed: unexpected error
      System.IO.IOException: Cannot write data to the transport connection: The remote host forced the interruption of an existing connection

    Whereas if I use the Configuration Names approach, I get the error earlier, during node registration.

    Configuration Name Approach

    1. Server Configuration

      configuration HTTPSPullServer
      {
          param
          (
              [string[]]$NodeName = 'localhost',
      
              [ValidateNotNullOrEmpty()]
              [string] $certificateThumbPrint,
      
              [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
              [ValidateNotNullOrEmpty()]
              [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
          )
      
          # Modules must exist on target pull server
          Import-DSCResource -ModuleName xPSDesiredStateConfiguration
      
          Node $NodeName
          {
              WindowsFeature DSCServiceFeature
              {
                  Ensure = "Present"
                  Name   = "DSC-Service"
              }
      
              #Consola de IIS
              WindowsFeature IISConsole {
                  Ensure = "Present"
                  Name   = "Web-Mgmt-Console"
                  DependsOn = '[File]RegistrationKeyFile'
              }
      
              xDscWebService PSDSCPullServer
              {
                  Ensure                  = "Present"
                  EndpointName            = "PSDSCPullServer"
                  Port                    = 8080
                  PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                  CertificateThumbPrint   = $certificateThumbPrint
                  ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                  ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                  RegistrationKeyPath      = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
                  State                   = "Started"
                  DependsOn               = "[WindowsFeature]DSCServiceFeature"
                  UseSecurityBestPractices = $true          
              }
      
              File RegistrationKeyFile
              {
                  Ensure          = 'Present'
                  Type            = 'File'
                  DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                  Contents        = $RegistrationKey
              }
          }
      }
      
      # Generate MOF
      HTTPSPullServer -NodeName vmdt01 -certificateThumbPrint '9F00EDBDFB791C7AAD9200E9E0BA8FD59684B419' -RegistrationKey 'e2665f67-3a61-4989-9870-616a065298d6' -OutputPath E:\DSC\HTTPS\
      
      Start-DscConfiguration -ComputerName vmdt01 -Path E:\DSC\HTTPS -Verbose -Wait -Force
    2. Client LCM (Configuration Name Approach)

      [DSCLocalConfigurationManager()]
      Configuration PullW10ClientsConfigNames
      {
          param
          (
              [ValidateNotNullOrEmpty()]
              [string] $NodeName = 'localhost',

              [ValidateNotNullOrEmpty()]
              [string] $RegistrationKey # same as the one used to set up the pull server in the previous configuration
          )

          Node $NodeName {

              Settings {
                  RefreshMode          = 'Pull'
                  RefreshFrequencyMins = 30
                  ConfigurationMode    = 'ApplyAndAutoCorrect'
                  RebootNodeIfNeeded   = $true
              }

              ConfigurationRepositoryWeb DSCHTTPS {
                  ServerURL               = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                  RegistrationKey         = $RegistrationKey
                  ConfigurationNames      = @('w10client')
                  AllowUnsecureConnection = $true
              }

              ReportServerWeb ReportServer {
                  ServerURL               = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                  CertificateID           = '712FCD316ED524F785186DD144DD445A47CB66A5'
                  AllowUnsecureConnection = $True
              }
          }
      }

      # Create the Computer.Meta.Mof in folder
      PullW10ClientsConfigNames -NodeName vcontab1-w10 -RegistrationKey 'e2665f67-3a61-4989-9870-616a065298d6' -OutputPath E:\DSC\HTTPS

      Set-DscLocalConfigurationManager -ComputerName vcontab1-w10 -Path E:\DSC\HTTPS -Verbose

      At this point, I get an error saying that the DSC Agent with a specific AgentId could not be registered on the server.

      Here's the event log, throwing the same errors as in the ConfigurationId approach:


      Trabajo {0EE9AD70-9C80-11E8-ACE3-000C2991FEC5} :
      el cliente HTTP 3A1CC07C-9BC1-11E8-ACE3-000C2991FEC5 no pudo registrar el agente de Dsc:
      + FullyQualifiedErrorId : RegisterDscAgentCommandFailed
      + CategoryInfo : InvalidResult: (:) [], InvalidOperationException
      + ExceptionMessage : No se pudo registrar el agente de Dsc con AgentId 3A1CC07C-9BC1-11E8-ACE3-000C2991FEC5 con el servidor https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Nodes(AgentId='3A1CC07C-9BC1-11E8-ACE3-000C2991FEC5').
      + InnerException : System.AggregateException: Se han producido uno o varios errores. ---> System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto
      en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
      en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
      en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
      en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
      en Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand.IssueRequest(DotNetHttpClient client, String subLink, ErrorRecord& errorRecord)
      ---> (Nº de excepción interna 0) System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto
      en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
      en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
      en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---
      en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
      en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
      --- Fin del seguimiento de la pila de la excepción interna ---< ---

    Could somebody in the PowerShell community or the DevOps Collective Inc. give me a hint as to where the problem could be?
    Is there an issue with the security protocols? Might it be something related to the Server 2012 OS, which was the first version that supported DSC? I'm lost here.

  • #108941

    Participant
    Points: 4
    Rank: Member

    Use Wireshark on the client to monitor the negotiation of the session.  The errors look to me like they could be due to TLS negotiation errors.  e.g. the server is expecting TLS 1.2 or higher and the client is requesting 1.0 or lower.

    I've not done a lot with DSC but I'm seeing a few .NET applications failing to connect to some servers now.  Fixing it usually involves updating either the client software (which has been built using a later version of .NET framework) or upgrading the .NET framework itself.

    Googling some articles on PowerShell and TLS it looks like it may default to TLS 1.0.

    On my fully patched Windows 10 an Invoke-WebRequest to PowerShell.org fails.  Wireshark shows it attempts to use TLS 1.0:

    TLSv1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 113
    Handshake Protocol: Client Hello

    This is immediately followed by the site sending a RST, closing the connection.

    You can force PowerShell to use a newer version with

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    The Invoke-WebRequest to PowerShell.org then succeeds:

    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 197
    Handshake Protocol: Client Hello

    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 89
    Handshake Protocol: Server Hello

    I assume setting SecurityProtocol type will be honoured by DSC but I don't have a set up to test it on.
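
    As an added example (not code from this post or the thread), the following PowerShell probe does what Matt reads off Wireshark: it attempts one TLS handshake per protocol version against the pull server endpoint and reports which versions the server accepts. The host name and port are the poster's and are placeholders; the certificate validation callback is deliberately relaxed because the probe only asks which protocol the server will negotiate, not whether the chain validates (that is a separate check).

```powershell
# Added example, not code from the thread. Probes the TLS versions a server
# accepts, one handshake per protocol, the way Matt reads it off Wireshark.
function Test-TlsProtocol {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 8080,
        [System.Security.Authentication.SslProtocols[]] $Protocols = @('Tls', 'Tls11', 'Tls12')
    )

    foreach ($proto in $Protocols) {
        $tcp = $null
        $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
            # The callback accepts any server certificate: this probe only asks
            # which protocol the server negotiates; chain validation is a
            # separate check (certutil, for instance).
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            [pscustomobject]@{
                Protocol   = $proto
                Result     = 'Accepted'
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                Error      = $null
            }
        }
        catch {
            # A reset before any handshake surfaces here as an IOException or
            # SocketException; a version mismatch as an AuthenticationException.
            $inner = $_.Exception
            while ($inner.InnerException) { $inner = $inner.InnerException }
            [pscustomobject]@{
                Protocol   = $proto
                Result     = 'Rejected'
                Negotiated = $null
                Cipher     = $null
                Error      = "$($inner.GetType().Name): $($inner.Message)"
            }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }
}

# Run against the pull server from the thread (the poster's host name;
# replace it with your own).
Test-TlsProtocol -ComputerName 'vmdt01.dggh.es' -Port 8080 | Format-Table -AutoSize
```

    Read the result column by column: one version rejected with an AuthenticationException while another is accepted is the client/server mismatch Matt describes; every version rejected with a socket or IO error, with no handshake at all, means nothing is answering TLS on that port, which is the pattern to look for when a capture shows a bare RST after the SYN.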


    • #109019

      Participant
      Points: 21
      Rank: Member

      Hello Matt,

      thank you for your answer.

      I used Wireshark when trying to register a client node from the server, and it seems to be an issue with the decryption on the client side. The only TLS 1.2 traffic I see is due to an RDP connection.

      You can get the Wireshark logs of the traffic (to be deleted) and filter them by 'http and tcp.port==5985'.

      Let me point out some outstanding info anyway:

      The request to register the node is sent using WinRM, which is HTTP over port 5985 to an OData service. The request

      POST http://[node]:5985/wsman

      includes some encrypted security information:

      >GSS-API Generic Security Service Application Program Interface
      
      OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
      
      >Authenticator
      
      etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
      
      cipher: 31f873aa4a7057309dcf46fdf2cf56ebceef6b11d51e22c6...

      Then, the response says:

      >MIME Multipart Media Encapsulation, Type: multipart/encrypted, Boundary: "Encrypted Bundary"
      
      The multipart dissector could not decrypt the message

      Is that due to the protocol version or the decryption algorithm?


      With regard to TLS, I tried before to configure the protocols on the client and the server and make them consistent. Changing [Net.ServicePointManager]::SecurityProtocol is fine for doing some checks, but it's not a definitive solution because the value gets reset when you exit the shell.

      You have to modify some registry settings to enable or disable protocols.
      There's some Microsoft documentation about TLS registry settings, but I find changing these values delicate.

      In this post, there's an explanation of how to force a specific protocol to be used in PowerShell. There's even a link to an application that does it for you. Nevertheless, I can't get it working.

      I'll keep trying some more configs and asking for help.

      Regards
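
      As an added example (not code from this post or the thread), here is the persistent counterpart to the per-session [Net.ServicePointManager] setting mentioned above: a read-only PowerShell audit of the registry values that decide which TLS versions SCHANNEL offers and whether the .NET Framework (and so the HttpClient the DSC LCM uses) follows them. The key paths are the ones documented by Microsoft for TLS registry settings and for .NET strong crypto; the script only reads them and does not change anything.

```powershell
# Added example, not code from the thread. Read-only audit of the registry
# settings behind TLS version selection on a Windows client or pull server.
function Get-TlsRegistryState {
    [CmdletBinding()]
    param()

    # SCHANNEL protocol switches. An absent key or value means the OS default
    # for that Windows version applies.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($version in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $schannel "$version\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Scope             = 'SCHANNEL'
                Setting           = "$version $side"
                Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { '(absent)' }
                DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(absent)' }
            }
        }
    }

    # .NET Framework 4.x: SchUseStrongCrypto=1 stops the old TLS 1.0 default;
    # SystemDefaultTlsVersions=1 (4.6 and later) makes .NET defer to the
    # SCHANNEL settings above instead of hard-coding its own list.
    $dotnetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $dotnetKeys) {
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $scope = if ($key -like '*Wow6432Node*') { '.NET (32-bit)' } else { '.NET (64-bit)' }
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            [pscustomobject]@{
                Scope             = $scope
                Setting           = $name
                Enabled           = if ($props -and $null -ne $props.$name) { $props.$name } else { '(absent)' }
                DisabledByDefault = ''
            }
        }
    }
}

Get-TlsRegistryState | Format-Table -AutoSize
```

      Run it on both the client and the pull server and compare the two tables: a TLS 1.2 Client row disabled on the node, or a TLS 1.2 Server row disabled on the pull server, is the mismatch Matt's post describes. Changing any of these values (which this script does not do) only takes effect after a reboot, which is one reason they are easy to misjudge while testing.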

  • #109504

    Participant
    Points: 4
    Rank: Member

    Thanks for the capture.  The WinRM traffic looks OK.

    You can see from the capture that the client tries to establish the connection on port 8080 but that the server is sending a RST.  No HTTPS negotiation is taking place.

    Can you run a new capture with AllowUnsecureConnection set to $false, just for comparison?

    My inclination would then be to go back to basics.  Configure your pull server, a new one if necessary, with HTTP only and get that working.


    • #109516

      Participant
      Points: 21
      Rank: Member

      Hello again,

      I could get it running with non-secure http!

      At first, I got an Internal Server Error, and with WireShark I could trace the error:

      Provider 'Microsoft.Jet.OLEDB.4.0' not registered on the local machine.

      I read that this version of the driver is not compatible with my 64-bit OS, so I installed the Microsoft Access Database Engine 2016 and changed the connection string setting for the driver to version = Microsoft.ACE.OLEDB.12.0

      In fact, I used the xWebConfigKeyValue DSC resource of the xWebAdministration module to configure it this way:

      xWebConfigKeyValue CorrectDBConnectionStr
      {
          ConfigSection = 'AppSettings'
          Key = 'dbconnectionstr'
          Value = 'Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Program Files\WindowsPowerShell\DscService\Devices.mdb;'
          WebsitePath = 'IIS:\sites\PSDSCPullServer'
          DependsOn = '[xDSCWebService]PSDSCPullServer'
      }

      Finally, I could make it run with a basic http configuration.

      I was hoping the driver update had fixed the thing for https as well, but, unfortunately, I'm still having the same problems. I leave you two more captures from a client (when trying to register it with the pull server), one using http, which succeeds, and another using https, which fails.

      I wonder if there's something wrong with the certificate I generated that might be causing this, but I can't figure out what it could be. I generated a server certificate from the IIS Management Console using our own Certification Authority (CA). The result is a valid certificate, and I ensured the involved nodes trust the CA.

      The only thing I find strange is that when I request the URL of the secured pull server (https://vmdt01.dggh.es:8080/PSDSCPullServer.svc) through a browser, I'm prompted to choose a certificate on my machine to identify myself. That's not normal behaviour for an SSL-secured website.

      Thank you for your help so far

  • #109808

    Participant
    Points: 4
    Rank: Member

    Apologies, I was out last night so didn't get a chance to pick up the captures.  Glad HTTP is working.

    Still not seeing any attempt at TLS negotiation in the captures.  Can you check if the certificate is definitely bound to port 8080 in the IIS settings?

    If I get time over the weekend (it's a long weekend in the UK, yay!) I'll spin up a lab and see if I can recreate your scenario.
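
    As an added example (not code from this post or the thread), the following PowerShell check answers the binding question directly: it reads the certificate hash HTTP.sys has bound on the pull server port, compares it with the thumbprint you expect, and verifies that the certificate in the machine store has a private key, the Server Authentication EKU and a name matching the host. Worth running here because the thread shows two different thumbprints (712F... in the LCM's CertificateID and 9F00... in the second server configuration, the one the certutil output shows); the host name and thumbprint in the usage call are the poster's values and are placeholders.

```powershell
# Added example, not code from the thread. Checks that the HTTP.sys SSL
# binding on the pull server port carries the expected certificate and that
# the certificate itself is usable for server authentication.
function Test-PullServerBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 8080
    )

    $ipPort = "0.0.0.0:$Port"

    # 1. What HTTP.sys has bound on the port. Output is localized (the poster's
    #    server is Spanish), so pick out the 40-hex-digit hash rather than a
    #    label; an empty result is the "RST, no handshake" situation.
    $netsh     = netsh http show sslcert ipport=$ipPort 2>&1 | Out-String
    $boundHash = if ($netsh -match '\b([0-9a-fA-F]{40})\b') { $Matches[1] } else { $null }

    # 2. The certificate in the machine store: private key, the Server
    #    Authentication EKU (1.3.6.1.5.5.7.3.1) and a subject/SAN matching the host.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $ExpectedThumbprint } |
            Select-Object -First 1
    $hasServerAuth = $cert -and ($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')
    $nameMatches   = $cert -and (
        ($cert.DnsNameList.Unicode -contains $HostName) -or
        ($cert.Subject -match "CN=$([regex]::Escape($HostName))(,|$)")
    )

    [pscustomobject]@{
        IpPort                 = $ipPort
        BoundThumbprint        = $boundHash
        BindingMatchesExpected = [bool]($boundHash -and ($boundHash -eq $ExpectedThumbprint))
        CertInMachineStore     = [bool]$cert
        HasPrivateKey          = [bool]($cert -and $cert.HasPrivateKey)
        HasServerAuthEku       = [bool]$hasServerAuth
        NameMatchesHost        = [bool]$nameMatches
        NotAfter               = if ($cert) { $cert.NotAfter } else { $null }
    }
}

# Poster's values from the thread, used as placeholders: the thumbprint is the
# one from the second server configuration, which certutil verified.
Test-PullServerBinding -ExpectedThumbprint '9F00EDBDFB791C7AAD9200E9E0BA8FD59684B419' `
                       -HostName 'vmdt01.dggh.es' -Port 8080 | Format-List
```

    Run it on the pull server itself (the HTTP.sys binding and the machine store are local). Every property should come back True with a non-empty BoundThumbprint; a False in BindingMatchesExpected with a non-empty hash means the port is bound to a different certificate than the LCM or the server configuration names, and an empty hash means no TLS binding exists on the port at all.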


    • #109858

      Participant
      Points: 21
      Rank: Member

      Don't worry Matt, I'll be one week off too and resume afterwards.

      For the moment, I'm happy it worked on http. I also downgraded the Microsoft Access Database Engine to 2012, since I was experiencing some errors causing the application pool for the pull server service to stop.

      I achieved some progress securing mof files and using partial configuration. The final touch will be securing communications.

      By the way, the certificate is bound to port 8080 on IIS settings.

  • #109819

    Participant
    Points: -19
    Rank: Member

    Can you export the pull server certificate (without private key) and copy to a node...

    then run:

    certutil -verify -urlfetch certificatename.cer

    and paste the output here?

    Thanks,

    Mike

    • #109855

      Participant
      Points: 21
      Rank: Member

      Hello Mike,

      here it is, with some interleaved Spanish lines 🙂

      Emisor:
      CN=Gargallo Hotels CA
      DC=dggh
      DC=es
      Hash de nombre(sha1): 375d1731ce1ecba03d452db3a0646728be014ea1
      Hash de nombre(md5): e47f7178037ccb030a34b05c099e6036
      Sujeto:
      CN=vmdt01.dggh.es
      OU=IT
      O=Gargallo Hotels S.L
      L=Barcelona
      S=Barcelona
      C=ES
      Hash de nombre(sha1): 94be95ba23a62d5afa60aa3acb3d4e33666284f9
      Hash de nombre(md5): dda648e4360045c04e84a650ae756007
      Nº. de serie de cert.: 610ed1df000000000005

      dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
      dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
      ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
      HCCE_LOCAL_MACHINE
      CERT_CHAIN_POLICY_BASE
      -------- CERT_CHAIN_CONTEXT --------
      ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ChainContext.dwRevocationFreshnessTime: 56 Minutes, 11 Seconds

      SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      SimpleChain.dwRevocationFreshnessTime: 56 Minutes, 11 Seconds

      CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
      NotBefore: 25/07/2018 14:16
      NotAfter: 24/07/2020 14:16
      Subject: CN=vmdt01.dggh.es, OU=IT, O=Gargallo Hotels S.L, L=Barcelona, S=Barcelona, C=ES
      Serial: 610ed1df000000000005
      Template: WebServer
      Cert: 9f00edbdfb791c7aad9200e9e0ba8fd59684b419
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificado AIA  ----------------
      Comprobado "Certificado (0)" Tiempo: 0 a48d41b6cfa9d976f43a9fb62a96d82a62a22841
      [0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?cACertificate?base?objectClass=certificationAuthority

      ----------------  Certificado CDP  ----------------
      Comprobado "CRL de base (1d)" Tiempo: 0 af43afa887be98a9f3d3cfc4918e859cb39eda12
      [0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=vmdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?certificateRevocationList?base?objectClass=cRLDistributionPoint

      Comprobado "Diferencia CRL (1d)" Tiempo: 0 bf180198e6408a713e46ce1edc350f3a2ce55ddd
      [0.0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=vmdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?deltaRevocationList?base?objectClass=cRLDistributionPoint

      ----------------  CDP de CRL base  ----------------
      Aceptar "Diferencia CRL (1f)" Tiempo: 0 bf180198e6408a713e46ce1edc350f3a2ce55ddd
      [0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=vmdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?deltaRevocationList?base?objectClass=cRLDistributionPoint

      ----------------  OCSP de certificado  ----------------
      No hay direcciones URL "Ninguno" Tiempo: 0 (null)
      --------------------------------
      CRL 1d:
      Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
      ThisUpdate: 22/08/2018 13:56
      NextUpdate: 30/08/2018 2:16
      CRL: af43afa887be98a9f3d3cfc4918e859cb39eda12
      Delta CRL 1f:
      Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
      ThisUpdate: 24/08/2018 13:57
      NextUpdate: 26/08/2018 2:17
      CRL: bf180198e6408a713e46ce1edc350f3a2ce55ddd
      Application[0] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor

      CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
      NotBefore: 25/07/2018 13:56
      NotAfter: 25/07/2028 14:06
      Subject: CN=Gargallo Hotels CA, DC=dggh, DC=es
      Serial: 3d0d0c6df8f52a8744157cf4abfc3d02
      Template: CA
      Cert: a48d41b6cfa9d976f43a9fb62a96d82a62a22841
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificado AIA  ----------------
      No hay direcciones URL "Ninguno" Tiempo: 0 (null)
      ----------------  Certificado CDP  ----------------
      No hay direcciones URL "Ninguno" Tiempo: 0 (null)
      ----------------  OCSP de certificado  ----------------
      No hay direcciones URL "Ninguno" Tiempo: 0 (null)
      --------------------------------

      Exclude leaf cert:
      Chain: 4fc5415621fc8b5c8a8fc732d40a314ed82b6fc5
      Full chain:
      Chain: 1e4897352b42447faa4777cb768b6be52612121b
      ------------------------------------
      Directivas de emisión comprobadas: Ninguno
      Directivas de aplicación comprobadas:
      1.3.6.1.5.5.7.3.1 Autenticación del servidor
      La comprobación de revocación del certificado de hoja ha sido correcta

  • #110909

    Participant
    Points: 4
    Rank: Member

    I did manage to build a lab for this, this week, a bit later than planned.

    Although I had a few problems (due to my inexperience with DSC), I couldn't replicate your error.

    My lab consisted of a Domain Controller, also acting as my root CA; a DSC pull server running Windows 2012 R2, fully patched and with WMF 5.1 installed and a Windows 10 Pro client (1803).

    I used the configuration ID approach as in your first example and used your script to configure my pull server.

    I created a slightly different configuration file and, following examples online, used the following command to set up the LCM:

    Set-DSCLocalConfigurationManager localhost -Path .\PullW10ClientsConfigNames\ -Verbose


    • #110971

      Participant
      Points: 21
      Rank: Member

      Hello Matt,

      I'm back. Thank you for your time trying to reproduce the error.

      There are some slight differences between our environments. I run a Server 2012 (not R2), but I remember trying on an R2 as well, to rule out whether the problem was the OS version, with no results.

      And the client build also differs (1803 vs 1709). I'll update my W10 and tell you.

      Did you have to deal with changing the TLS protocol on the client?

      For now I'm working with unsecured communications but secure credentials in MOF documents. I'll leave the secure-communication step on stand-by and resume it later. I'll let you know of any progress.

      Regards

  • #111343

    Participant
    Points: -19
    Rank: Member

    I couldn't see any issues with the certutil output, sorry.

  • #112685

    Participant
    Points: 56
    Rank: Member

    Is the root cert from your CA on the node attempting to pull down the config via HTTPS?

    You should be able to open https://vmdt01.dggh.es:8080/PSDSCPullServer.svc with no problems.
