microsoft/SDN

SLB deploy fails missing path for Certificate

DCoates-InnovateLtd opened this issue · 1 comments

Hi,

I have deployed a PKI server and set up certificate auto-enrollment. I have set the template to use CA-managed certificates and I am getting this error when deploying the SLB service in VMM. I have traced this issue to be within ProcessCertificate.ps1. It looks as though the function GivePermissionToNetworkService doesn't export the private key, so this line is null:

```powershell
$targetCertPrivKey = $targetCert.PrivateKey
```

$Cert, which is the calling parameter, comes from the following lines and, as far as I can tell, is valid and correct:

```powershell
$certThumbprint = GetCertChain
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where { $_.Thumbprint -eq $certThumbprint }
```

I am using VMM 2022 and Windows Server 2022 Datacenter.

```text
Error (22632)
The script command standard error matched the failure policy setting "Match any string" with its result C:\ProgramData\VirtualMachineManagerData\TempResources\2ead76435a714deaa65b17a4b605fde9\ProcessCertificate.ps1 :
Cannot bind argument to parameter 'Path' because it is null.
At line:1 char:4
+ & {./ProcessCertificate.ps1 false; exit $LastExitCode }
+ CategoryInfo          : InvalidData: (:) [ProcessCertificate.ps1], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,ProcessCertificate.ps1. For more information, see the standard error log c:\processcertificate\error.log.

Recommended Action
If the script command's job restart action is set to restart, then the script will be re-executed. Otherwise, the script command will be skipped when the job is restarted, in which case corrective action should be taken to mitigate the effects of the script command failure.

Error (20400)
3 parallel subtasks failed during execution.

Error (21952)
Application deployment failed for one or more tiers or application hosts in the service SLB. Check job logs to get more information on the failed operation.

Recommended Action
Check error messages and retry the operation if needed.
```

```powershell
function GivePermissionToNetworkService($targetCert)
{
    # For a certificate whose key lives in a CNG/KSP container (as with a
    # CA-managed template), .PrivateKey is $null. The Where-Object below then
    # matches nothing, $privKeyCertFile stays $null, and the next Get-Item
    # fails with "Cannot bind argument to parameter 'Path' because it is null".
    $targetCertPrivKey = $targetCert.PrivateKey

    # Locate the legacy CSP key container file by its unique container name.
    # (The trailing "\*" is required; without it Get-Item returns the
    # MachineKeys directory itself rather than the files inside it.)
    $privKeyCertFile = Get-Item -Path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" |
        Where-Object { $_.Name -eq $targetCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName }

    # Read the file's DACL and add a read-only allow entry for NETWORK SERVICE.
    $privKeyAcl = (Get-Item -Path $privKeyCertFile.FullName).GetAccessControl("Access")
    $permission = "NT AUTHORITY\NETWORK SERVICE", "Read", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $privKeyAcl.AddAccessRule($accessRule)
    Set-Acl $privKeyCertFile.FullName $privKeyAcl
}
```
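The following is an added example, not code from the microsoft/SDN ProcessCertificate.ps1 script. It shows the same operation (granting NETWORK SERVICE read access on a machine certificate's private key file) written so that it handles both a legacy CSP key, where `.PrivateKey` is populated, and a CNG/KSP key, where `.PrivateKey` is `$null` and the key file has to be found through `GetRSAPrivateKey`. The function names `Get-PrivateKeyFilePath` and `Grant-PrivateKeyRead` are my own; it assumes PowerShell 5.1 on Windows Server with .NET Framework 4.6 or later, and it assumes the key is a software key stored under `%ProgramData%\Microsoft\Crypto` (a TPM- or HSM-backed key has no file to ACL and the helper throws).

```powershell
# Added example (not the SDN project's code). Assumes PowerShell 5.1, .NET 4.6+.

function Get-PrivateKeyFilePath {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store."
    }

    # Case 1: legacy CSP key. .PrivateKey is populated and carries the container name.
    $csp = $Certificate.PrivateKey
    if ($csp -and $csp.CspKeyContainerInfo) {
        $name = $csp.CspKeyContainerInfo.UniqueKeyContainerName
        $path = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $name
        if (Test-Path -LiteralPath $path) { return $path }
    }

    # Case 2: CNG/KSP key (what a CA-managed template typically issues).
    # .PrivateKey is $null here, so obtain the RSA key via the extension method
    # and use the CngKey's unique name to find the file on disk.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        if ($name) {
            foreach ($dir in @("$env:ProgramData\Microsoft\Crypto\Keys",
                               "$env:ProgramData\Microsoft\Crypto\SystemKeys")) {
                $path = Join-Path $dir $name
                if (Test-Path -LiteralPath $path) { return $path }
            }
        }
    }

    throw "Could not locate a private key file for $($Certificate.Thumbprint); the key may be hardware-backed."
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }

    $keyFile = Get-PrivateKeyFilePath -Certificate $cert

    # Grant Read only: enough for the service to use the key, not to re-ACL or
    # delete it. AddAccessRule keeps the existing entries (SYSTEM, Administrators).
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    return $keyFile
}

# Usage (thumbprint is a placeholder for the SLB certificate's thumbprint):
# $file = Grant-PrivateKeyRead -Thumbprint '<thumbprint>'
# (Get-Acl -LiteralPath $file).Access | Format-Table IdentityReference, FileSystemRights
```

The last line of the usage comment is the check worth running afterwards: the key file's DACL should show exactly one new `Read` entry for NETWORK SERVICE alongside the existing SYSTEM and Administrators entries, and nothing broader. If `Get-PrivateKeyFilePath` throws on a CA-managed certificate, check whether the template's provider is a TPM or smart-card KSP rather than the Microsoft Software Key Storage Provider, since such keys cannot be delegated by file ACL at all.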

Issue is explained in #596.