GCESysprep - makecert.exe utility not included in sysprep package #202

Open
aaronfury opened this issue Nov 4, 2020 · 2 comments

@aaronfury

Overview

When attempting to run GCESysprep on a Windows 7 VM, the "Import-PfxCertificate" cmdlet is not available, so the script attempts to use an alternative method to install the self-signed certificate for WinRM. This method calls the "makecert.exe" utility that should be located at "C:\Program Files\Google\Compute Engine\tools\makecert.exe".

However, this utility is not present at this location, so the certificate generation fails and the WinRM HTTPS listener is not created.

Steps to Reproduce

  1. Import a Windows 7 VM using the GCE Image Import tool.
  2. Run GCESysprep on the VM.
  3. Power on the VM after GCESysprep completes (or create an image and a new VM).
  4. Observe the Serial port 1 output to confirm that no errors are reported and the "Setup of WinRM complete." message is logged.
  5. Connect to the instance via RDP (or non-HTTPS remote PowerShell) and run the following PowerShell command from an elevated prompt: Get-ChildItem -Path WSMan:\localhost\Listener
  6. Note that the HTTPS listener is not present.
  7. Note that a self-signed certificate is not present in the Computer Certificate store.

Proposed workaround

Include the 'makecert.exe' utility in the google-compute-engine-sysprep Googet package.

@bkatyl
Contributor

bkatyl commented Nov 7, 2020

Unfortunately, we can't include makecert.exe in the google-compute-engine-sysprep Googet package as that would be redistributing a Microsoft binary. To do that we would need redistribution rights.

I think a reasonable way to handle this would be to add a file existence check to instance_setup.ps1. If $script:gce_install_dir\tools\makecert.exe does not exist, then call makecert.exe without a specified path. Then any customer needing this functionality only needs to place makecert.exe in the system path prior to importing the image.

Would this address your use case?

@aaronfury
Author

Hi Brian,
Thanks for the quick response. Now knowing that this is the case, I suppose we can include a step in our build process to copy that file manually. But I couldn't find anywhere that this is documented for GCESysprep, so it might be useful to at least update the documentation to reflect this rather than having it silently fail.

Alternatively, I would propose using an alternative certificate utility like openssl, which you can build and include rather than relying on a closed-source tool. I know openssl is tricky on Windows and the legacy versions of PowerShell don't help, but that seems like the "more correct" way to resolve this :-) I'm happy to contribute some code, but it might be a few weeks until I have time to take a stab at this.
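
The existence check and PATH fallback proposed in this thread, together with a post-setup check that reports a missing HTTPS listener instead of passing silently, as an added example that is not part of the thread or of the project's instance_setup.ps1. The function names and the `$InstallDir` parameter are hypothetical, and the signature check assumes the customer-supplied makecert.exe is Authenticode-signed by Microsoft.

```powershell
# Added example, written for PowerShell 2.0 (the version Windows 7 ships with).
# $InstallDir stands in for $script:gce_install_dir; both function names are hypothetical.

function Resolve-MakeCert {
  param([string]$InstallDir)

  # Preferred location named in the issue.
  $bundled = Join-Path $InstallDir 'tools\makecert.exe'
  if (Test-Path -LiteralPath $bundled -PathType Leaf) { return $bundled }

  # Fallback: look on PATH, but resolve to a full path first so the
  # caller can log exactly which binary is about to run.
  $cmd = Get-Command -Name 'makecert.exe' -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -First 1
  if (-not $cmd) {
    throw "makecert.exe not found at '$bundled' or on PATH; the WinRM certificate cannot be created."
  }

  # A bare PATH lookup from an elevated setup script runs whatever is found first.
  # Assumption: a genuine copy carries a valid Microsoft Authenticode signature.
  $sig = Get-AuthenticodeSignature -FilePath $cmd.Path
  if ($sig.Status -ne 'Valid' -or
      $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to run '$($cmd.Path)': Authenticode status is '$($sig.Status)'."
  }
  return $cmd.Path
}

function Test-WinRMHttpsListener {
  # Same check as step 5 of the reproduction: true only if an HTTPS listener exists.
  $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
  foreach ($listener in $listeners) {
    if ($listener.Keys -contains 'Transport=HTTPS') { return $true }
  }
  return $false
}

# Usage sketch: resolve the tool, run the existing certificate and listener setup,
# then fail loudly if the listener is still missing.
#   $makecert = Resolve-MakeCert -InstallDir $script:gce_install_dir
#   ... existing certificate and listener creation using $makecert ...
#   if (-not (Test-WinRMHttpsListener)) {
#     Write-Error 'WinRM HTTPS listener was not created.'
#   }
```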
