powershell-scripts/winrm-https/deployment-package/WILDCARD-CERT-FIX.txt
cproudlock 62c0c7bb06 Initial commit: Organized PowerShell scripts for ShopDB asset collection
Structure:
- asset-collection/: Local PC data collection scripts
- remote-execution/: WinRM remote execution scripts
- setup-utilities/: Configuration and testing utilities
- registry-backup/: GE registry backup scripts
- winrm-https/: WinRM HTTPS certificate setup
- docs/: Complete documentation

Each folder includes a README with detailed documentation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-10 10:57:54 -05:00


================================================================================
WILDCARD CERTIFICATE FIX - IMPORTANT TECHNICAL DETAIL
================================================================================
Date: 2025-10-17
Issue: Certificate CN mismatch error during HTTPS listener creation
================================================================================
PROBLEM
================================================================================
When deploying WinRM HTTPS with the wildcard certificate, listener creation returned the error:
"The WinRM client cannot process the request. The certificate CN and
the hostname that were provided do not match."
Error Number: -2144108311 (0x803380E9)
================================================================================
ROOT CAUSE
================================================================================
WinRM HTTPS listener creation requires the hostname parameter to EXACTLY match
the certificate's Common Name (CN).
Certificate Details:
- Subject: CN=*.logon.ds.ge.com
- CN: *.logon.ds.ge.com (wildcard format)
Previous (Incorrect) Approach:
- Passed specific PC FQDN to listener: g9kn7pz3esf.logon.ds.ge.com
- WinRM compared: "*.logon.ds.ge.com" (cert CN) vs "g9kn7pz3esf.logon.ds.ge.com" (hostname)
- Result: MISMATCH → Error
================================================================================
SOLUTION
================================================================================
The listener hostname parameter must use the EXACT CN from the certificate,
which is the wildcard format: *.logon.ds.ge.com
Fixed Code (Setup-WinRM-HTTPS.ps1):
# Extract the CN value from certificate subject
if ($certSubject -match 'CN=([^,]+)') {
    $certCN = $matches[1]   # This captures "*.logon.ds.ge.com"
}
# Use the certificate CN (wildcard) for listener hostname
$listenerHostname = $certCN   # "*.logon.ds.ge.com"
# Create listener with wildcard hostname. The @{...} selector set is passed as one quoted
# string so PowerShell hands it to winrm.exe verbatim instead of parsing it as a hashtable
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$listenerHostname`";CertificateThumbprint=`"...`";Port=`"5986`"}"
================================================================================
HOW IT WORKS
================================================================================
Listener Configuration:
- Listener Hostname: *.logon.ds.ge.com (wildcard)
- Certificate CN: *.logon.ds.ge.com (wildcard)
- Match: ✓ SUCCESS
Client Connection:
- Clients still connect using specific FQDN: g9kn7pz3esf.logon.ds.ge.com
- WinRM matches this against the wildcard: *.logon.ds.ge.com
- Certificate validation succeeds because the wildcard covers every hostname directly under logon.ds.ge.com (one label in place of the *)
Example:
# Client connects using specific hostname
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Server listener accepts because:
# - Listener hostname: *.logon.ds.ge.com
# - Client hostname: g9kn7pz3esf.logon.ds.ge.com
# - Wildcard match: ✓ (g9kn7pz3esf matches *)
================================================================================
TECHNICAL DETAILS
================================================================================
WinRM Listener Hostname Validation:
1. WinRM creates listener with hostname="*.logon.ds.ge.com"
2. Certificate CN must match listener hostname EXACTLY
3. Wildcard CN "*.logon.ds.ge.com" = Listener hostname "*.logon.ds.ge.com" ✓
4. Listener accepts connections from any hostname matching *.logon.ds.ge.com
Certificate Validation During Connection:
1. Client connects to: g9kn7pz3esf.logon.ds.ge.com:5986
2. Server presents certificate with CN: *.logon.ds.ge.com
3. Client validates: Does "g9kn7pz3esf.logon.ds.ge.com" match "*.logon.ds.ge.com"?
4. Wildcard validation: ✓ YES (wildcard * matches "g9kn7pz3esf")
5. Connection succeeds
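Added example (not code from Setup-WinRM-HTTPS.ps1): the CN extraction the fix relies on, plus the
wildcard rule the client applies in step 3 above, written out so the edge cases are visible. The rule
implemented here is the standard one (the * stands for exactly one DNS label); function names and the
sample PC names are constructed for the example.

```powershell
# Added example (not from Setup-WinRM-HTTPS.ps1): the CN extraction the fix uses, plus the
# single-label wildcard rule that decides whether a PC's FQDN is covered by the certificate.

function Get-CertificateCN {
    param([Parameter(Mandatory)][string]$Subject)
    # Same pattern as the fix: first CN= value, up to the next comma
    if ($Subject -match 'CN=([^,]+)') { return $matches[1].Trim() }
    throw "No CN found in subject '$Subject'"
}

function Test-WildcardHostnameMatch {
    param(
        [Parameter(Mandatory)][string]$CertificateCN,
        [Parameter(Mandatory)][string]$Hostname
    )
    $cn   = $CertificateCN.TrimEnd('.').ToLowerInvariant()
    $name = $Hostname.TrimEnd('.').ToLowerInvariant()
    if (-not $cn.StartsWith('*.')) { return ($cn -eq $name) }   # non-wildcard CN: exact match only
    # The * stands for exactly one DNS label: *.logon.ds.ge.com covers x.logon.ds.ge.com,
    # but not y.x.logon.ds.ge.com and not the bare logon.ds.ge.com
    $suffix = $cn.Substring(1)          # ".logon.ds.ge.com"
    $dot    = $name.IndexOf('.')
    if ($dot -lt 1) { return $false }   # nothing in front of the first dot
    return ($name.Substring($dot) -eq $suffix)
}

function Get-ListenerHostnamePlan {
    param(
        [Parameter(Mandatory)][string]$CertSubject,
        [Parameter(Mandatory)][string]$PcFqdn
    )
    $cn = Get-CertificateCN -Subject $CertSubject
    [pscustomobject]@{
        PcFqdn            = $PcFqdn
        ListenerHostname  = $cn     # the value the fix passes to 'winrm create' (not the FQDN)
        FqdnCoveredByCert = Test-WildcardHostnameMatch -CertificateCN $cn -Hostname $PcFqdn
    }
}

# Constructed inputs: the cert subject from this note and three of the shopfloor PC names
$subject = 'CN=*.logon.ds.ge.com'
foreach ($pc in 'g1jjvh63esf', 'g1jjxh63esf', 'g9kn7pz3esf') {
    Get-ListenerHostnamePlan -CertSubject $subject -PcFqdn "$pc.logon.ds.ge.com"
}
# Names the single-label rule rejects: the bare zone and a name nested one level deeper
Test-WildcardHostnameMatch -CertificateCN '*.logon.ds.ge.com' -Hostname 'logon.ds.ge.com'
Test-WildcardHostnameMatch -CertificateCN '*.logon.ds.ge.com' -Hostname 'a.g9kn7pz3esf.logon.ds.ge.com'
```

The last two calls show why the 175 shopfloor names work while any deeper name would not: a wildcard CN only substitutes for the leftmost label.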
================================================================================
WHAT CHANGED IN THE SCRIPT
================================================================================
File: Setup-WinRM-HTTPS.ps1
Function: New-WinRMHTTPSListener
Changes:
1. Extract certificate CN from Subject field
2. Use certificate CN (wildcard) as listener hostname
3. Added logging to show both FQDN and listener hostname
4. Added explanatory notes in output
Before:
$winrmArgs = "create ... @{Hostname=`"$Hostname`";..."
# Where $Hostname = "g9kn7pz3esf.logon.ds.ge.com"
After:
$listenerHostname = $certCN # "*.logon.ds.ge.com"
$winrmArgs = "create ... @{Hostname=`"$listenerHostname`";..."
================================================================================
TESTING THE FIX
================================================================================
On Target PC:
# Check listener configuration
winrm enumerate winrm/config/listener
# Should show:
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = *.logon.ds.ge.com ← WILDCARD FORMAT
    ...
From Management Server:
# Test connection using specific hostname
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL -Port 5986
# Should succeed because:
# - Server listener: *.logon.ds.ge.com
# - Client request: g9kn7pz3esf.logon.ds.ge.com
# - Wildcard match: ✓
================================================================================
APPLIES TO ALL PCS
================================================================================
This fix applies to ALL 175 shopfloor PCs:
- All use the same wildcard certificate
- All listeners configured with: Hostname=*.logon.ds.ge.com
- All clients connect with specific FQDN: hostname.logon.ds.ge.com
- Wildcard matching works for all PCs
Example PCs:
- g1jjvh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
- g1jjxh63esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
- g9kn7pz3esf.logon.ds.ge.com → matches *.logon.ds.ge.com ✓
- ... (all 175 PCs match)
================================================================================
VERIFICATION COMMANDS
================================================================================
Check Listener Configuration:
winrm enumerate winrm/config/listener
# Look for:
Hostname = *.logon.ds.ge.com ← Must be wildcard!
Check Certificate:
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {$_.Subject -like "*logon.ds.ge.com*"} |
    Select-Object Subject, Thumbprint, NotAfter
Test Connection (from management server):
Test-WSMan -ComputerName HOSTNAME.logon.ds.ge.com -UseSSL -Port 5986
Create Remote Session:
$cred = Get-Credential
Enter-PSSession -ComputerName HOSTNAME.logon.ds.ge.com `
    -Credential $cred -UseSSL -Port 5986
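Added example (not part of the deployment package): a single check run on a target PC that ties the
verification commands above together, confirming the HTTPS listener's Hostname is the wildcard CN and
that the bound certificate exists, has its private key and is not expired. It reads the built-in WSMan:
drive instead of parsing 'winrm enumerate' text, and assumes an elevated PowerShell session on the
target PC; the function names are constructed for the example.

```powershell
# Added example (not part of the deployment package): cross-check the HTTPS listener against
# the certificate it is bound to. Reads the WSMan: drive rather than parsing 'winrm enumerate'.
# Assumes an elevated PowerShell session on the target PC.

function New-Check($Name, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Test-WinRMHttpsListenerBinding {
    param([string]$ExpectedCN = '*.logon.ds.ge.com')   # the wildcard CN used on all shopfloor PCs
    $listeners = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    New-Check 'HTTPS listener present' ($null -ne $listeners) "$(@($listeners).Count) found"
    foreach ($l in @($listeners)) {
        # Each listener's child items are Name/Value pairs: Hostname, CertificateThumbprint, Port, ...
        $cfg = @{}
        Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" | ForEach-Object { $cfg[$_.Name] = $_.Value }
        $cert = $null
        if ($cfg.CertificateThumbprint) {   # guard: an empty thumbprint would resolve to the store itself
            $cert = Get-Item "Cert:\LocalMachine\My\$($cfg.CertificateThumbprint)" -ErrorAction SilentlyContinue
        }
        $certCN = if ($cert -and $cert.Subject -match 'CN=([^,]+)') { $matches[1] } else { '' }
        # The property the fix changed: Hostname must be the wildcard CN, not the PC's FQDN
        New-Check 'Listener Hostname is the wildcard CN'       ($cfg.Hostname -eq $ExpectedCN)               $cfg.Hostname
        New-Check 'Bound thumbprint exists in LocalMachine\My' ($null -ne $cert)                             $cfg.CertificateThumbprint
        New-Check 'Cert CN equals listener Hostname'           ($certCN -eq $cfg.Hostname)                   $certCN
        New-Check 'Cert has a private key'                     ($cert -and $cert.HasPrivateKey)              ''
        New-Check 'Cert not expired'                           ($cert -and ($cert.NotAfter -gt (Get-Date))) $cert.NotAfter
        New-Check 'Listener on port 5986'                      ($cfg.Port -eq '5986')                        $cfg.Port
    }
}

$report = Test-WinRMHttpsListenerBinding
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'Listener/certificate binding has failed checks' }
```

A failing 'Cert CN equals listener Hostname' row is the on-box signature of the original bug (FQDN passed as Hostname), and a failing private-key row explains a listener that exists but never completes a TLS handshake.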
================================================================================
STATUS
================================================================================
Fix Applied: ✓ YES
File Updated: Setup-WinRM-HTTPS.ps1
Ready for Testing: ✓ YES
Next Step: Re-run deployment on test PC (G9KN7PZ3ESF)
================================================================================
EXPECTED RESULTS
================================================================================
After running updated deployment script:
1. Certificate import: ✓ SUCCESS
Subject: CN=*.logon.ds.ge.com
2. Listener creation: ✓ SUCCESS
Hostname: *.logon.ds.ge.com (wildcard)
3. Test connection: ✓ SUCCESS
Test-WSMan -ComputerName g9kn7pz3esf.logon.ds.ge.com -UseSSL
4. Remote session: ✓ SUCCESS
Enter-PSSession with -UseSSL flag
================================================================================
ADDITIONAL NOTES
================================================================================
- This is standard behavior for wildcard certificates with WinRM
- The listener hostname MUST match the certificate CN exactly
- Clients use specific FQDNs; wildcard matching happens automatically
- This approach is documented in Microsoft's WinRM HTTPS documentation
- No changes needed on client side (management server)
================================================================================
REFERENCES
================================================================================
WinRM Configuration:
- Listener Address: * (all IP addresses)
- Transport: HTTPS
- Port: 5986
- Hostname: *.logon.ds.ge.com (must match cert CN)
- Certificate Thumbprint: C1412765B2839E9081FCEA77BB1E6D8840203509
Wildcard Certificate:
- Subject: CN=*.logon.ds.ge.com
- Valid for: All subdomains of logon.ds.ge.com
- Valid until: 2027-10-17
- Key Size: 2048-bit RSA
================================================================================