Additional Restart in RenewCertificate.ps1 #763

Open
Wintermute2k6 opened this issue Nov 19, 2024 · 1 comment

@Wintermute2k6

Could you please include an additional Restart-IcingaWindowsService inside of the RenewCertificate.ps1, mostly because it seems Windows doesn't recognize that the cert file is already created, but the file handle seems not to be lifted, so the service doesn't realize it is already present and usable?

A restart inside the script seems to solve the issue.

@Wintermute2k6
Author

Suggestion:

Use-Icinga -Minimal;

# This script will simply install the Icinga for Windows certificate every time the
# scheduled task is running. This does not impact our system at all, because we
# can update the certificate at any time without having to worry about the state

# To make the configuration of the task as easy as possible, we should fetch
# the current configuration of our REST-Api and check if we provide a custom
# certificate file. In case we do, ensure we use this certificate
# for the icingaforwindows.pfx creation instead of the auto lookup
# We do only require to check for cert files on the disk, as the cert store
# is fetched automatically
[hashtable]$RegisteredBackgroundDaemons = Get-IcingaBackgroundDaemons;
[string]$CertificatePath                = '';

if ($RegisteredBackgroundDaemons.ContainsKey('Start-IcingaWindowsRESTApi')) {
    if ($RegisteredBackgroundDaemons['Start-IcingaWindowsRESTApi'].ContainsKey('CertFile')) {
        $CertificatePath = $RegisteredBackgroundDaemons['Start-IcingaWindowsRESTApi']['CertFile'];
    }
    if ($RegisteredBackgroundDaemons['Start-IcingaWindowsRESTApi'].ContainsKey('-CertFile')) {
        $CertificatePath = $RegisteredBackgroundDaemons['Start-IcingaWindowsRESTApi']['-CertFile'];
    }
}

# Wait during the initial run as long as the certificate is not available
while ($TRUE) {
    Install-IcingaForWindowsCertificate -CertFile $CertificatePath;

    if ((Test-IcingaForWindowsCertificate) -eq $FALSE) {
        Write-IcingaEventMessage -EventId 1508 -Namespace 'Framework';
        Start-Sleep -Seconds 60;

        continue;
    }

    break;
}

Restart-IcingaWindowsService;

# Ensure we import the Icinga ca.crt to the root store, which allows us to use the certificate
# of the agent to connect to the Icinga for Windows API without having to break the certificate trust
[bool]$CAImportSuccess = Import-IcingaCAToAuthRoot;

if ($CAImportSuccess -eq $FALSE) {
    Write-IcingaEventMessage -EventId 1509 -Namespace 'Framework';
    exit 1;
}

# Tell the Task-Scheduler that the script was executed fine
exit 0;
