From 28ca1d9ab47b7c51f93d0d2bfd346ae887f958f8 Mon Sep 17 00:00:00 2001
From: James Ruskin
Date: Fri, 22 Mar 2024 07:56:59 +0000
Subject: [PATCH] (#160) Removes Duplicate Nexus Cert Functionality
Ensures that both the Set-SSLSecurity and Set-NexusCert are calling the same functionality, with only one copy to maintain.
---
Set-SslSecurity.ps1 | 8 ++---
scripts/Get-Helpers.ps1 | 17 ++++++++---
scripts/Set-NexusCert.ps1 | 62 ++++++---------------------------------
3 files changed, 26 insertions(+), 61 deletions(-)
diff --git a/Set-SslSecurity.ps1 b/Set-SslSecurity.ps1
index 7a0afbc..c7507c6 100644
--- a/Set-SslSecurity.ps1
+++ b/Set-SslSecurity.ps1
@@ -112,13 +112,13 @@ process { } } + # Put certificate in TrustedPeople + Copy-CertToStore -Certificate $Certificate + <# Nexus #> # Stop Services/Processes/Websites required Stop-Service nexus - # Put certificate in TrustedPeople - Copy-CertToStore -Certificate $Certificate - # Generate Nexus keystore $null = New-NexusCert -Thumbprint $Certificate.Thumbprint
@@ -153,7 +153,7 @@ process { (Get-Content -Path $ClientScript) -replace "{{hostname}}", $SubjectWithoutCn | Set-Content -Path $ClientScript New-NexusRawComponent -RepositoryName 'choco-install' -File $ClientScript - if ($Hardened) { + if ($Hardened) { # Disable anonymous authentication Set-NexusAnonymousAuth -Disabled
diff --git a/scripts/Get-Helpers.ps1 b/scripts/Get-Helpers.ps1
index 6d0e3e2..2b20d2d 100644
--- a/scripts/Get-Helpers.ps1
+++ b/scripts/Get-Helpers.ps1
@@ -1634,11 +1634,15 @@ function Get-RemoteCertificate { } } -function New-NexusCert { +function Set-NexusCert { [CmdletBinding()] param( - [Parameter()] - $Thumbprint + # The thumbprint of the certificate to configure Nexus to use, from the LocalMachine\TrustedPeople store. + [Parameter(Mandatory)] + $Thumbprint, + + # The port to set Nexus to use for https. + $Port = 8443 ) if ((Test-Path C:\ProgramData\nexus\etc\ssl\keystore.jks)) {
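Review bot: The context line `$null = New-NexusCert -Thumbprint $Certificate.Thumbprint` still calls New-NexusCert, while the scripts/Get-Helpers.ps1 hunk at @@ -1634 in this same patch renames that function to Set-NexusCert, so unless an alias is defined somewhere outside this diff the Nexus keystore step in Set-SslSecurity.ps1 will fail with a command-not-found error; it should read `$null = Set-NexusCert -Thumbprint $Certificate.Thumbprint`. Because `Stop-Service nexus` runs just before that call, the helper's new conditional restart (Get-Helpers.ps1 hunk @@ -1673) is skipped here, so the process block, which starts and ends outside this hunk, presumably starts the service itself further down and that ordering is worth a comment next to the call. Moving Copy-CertToStore ahead of the `<# Nexus #>` section is consistent with the helper's new parameter comment, which says it reads the certificate from the TrustedPeople store.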
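Review bot: The new `$Port` parameter is left untyped although the next hunk interpolates it straight into `application-port-ssl=$Port` in nexus.properties, so any string passed in is written into the Nexus configuration unchecked; the wrapper in scripts/Set-NexusCert.ps1 already declares `[uint16]$Port = 8443`, and the helper should carry the same type, with `[string]$Thumbprint` typed to match its caller as well. Dropping the New-NexusCert name without an alias means every existing caller has to change in the same commit; if that is not intended, `Set-Alias -Name New-NexusCert -Value Set-NexusCert` after the function keeps the old entry point working. The function body continues past the end of this hunk.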
@@ -1673,13 +1677,18 @@ function New-NexusCert { $nexusPath = 'C:\ProgramData\sonatype-work\nexus3' $configPath = "$nexusPath\etc\nexus.properties" - $configStrings = @('jetty.https.stsMaxAge=-1', 'application-port-ssl=8443', 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml') + (Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath + + $configStrings = @('jetty.https.stsMaxAge=-1', "application-port-ssl=$Port", 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml') $configStrings | ForEach-Object { if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) { $_ | Add-Content -Path $configPath } } + if ((Get-Service Nexus).Status -eq 'Running') { + Restart-Service Nexus + } } function Test-SelfSignedCertificate {
diff --git a/scripts/Set-NexusCert.ps1 b/scripts/Set-NexusCert.ps1
index cc27dd2..4a00397 100644
--- a/scripts/Set-NexusCert.ps1
+++ b/scripts/Set-NexusCert.ps1 
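Review bot: The added `Restart-Service Nexus` only runs when the service is already running, so a caller that invokes Set-NexusCert against a stopped Nexus gets the keystore and nexus.properties rewritten but nothing picks the new configuration up and no message says so; the `if ((Get-Service Nexus).Status -eq 'Running')` line deserves a why-comment such as `# Only bounce a running service; Set-SslSecurity.ps1 stops nexus before calling and is expected to start it afterwards` (the caller's Stop-Service is visible in the first hunk of this patch, its start is not). The in-place rewrite `(Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath` also strips commented-out lines that merely contain the key and rewrites the whole file with Set-Content's default encoding and line endings even when nothing changed; if nexus.properties can hold non-ASCII values, pass an explicit -Encoding so the rewrite is lossless. The function starts before this hunk.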
@@ -20,66 +20,22 @@ param( [Parameter(Mandatory)] [string] $Thumbprint, + [string]$Thumbprint, [Parameter()] - [string] - $NexusPort = '8443' + [uint16]$Port = 8443 ) -begin { - if($host.name -ne 'ConsoleHost') { - Write-Warning "This script cannot be ran from within PowerShell ISE" - Write-Warning "Please launch powershell.exe as an administrator, and run this script again" - break - } +if ($host.name -ne 'ConsoleHost') { + Write-Warning "This script cannot be ran from within PowerShell ISE" + Write-Warning "Please launch powershell.exe as an administrator, and run this script again" + break } -process { - $ErrorActionPreference = 'Stop' -if ((Test-Path C:\ProgramData\nexus\etc\ssl\keystore.jks)) { - Remove-Item C:\ProgramData\nexus\etc\ssl\keystore.jks -Force -} - -$KeyTool = "C:\ProgramData\nexus\jre\bin\keytool.exe" -$password = "chocolatey" | ConvertTo-SecureString -AsPlainText -Force -$certificate = Get-ChildItem Cert:\LocalMachine\TrustedPeople\ | Where-Object { $_.Thumbprint -eq $Thumbprint } | Sort-Object | Select-Object -First 1 - -Write-Host "Exporting .pfx file to C:\, will remove when finished" -ForegroundColor Green -$certificate | Export-PfxCertificate -FilePath C:\cert.pfx -Password $password -Get-ChildItem -Path c:\cert.pfx | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Exportable -Password $password -Write-Warning -Message "You'll now see prompts and other outputs, things are working as expected, don't do anything" -$string = ("chocolatey" | & $KeyTool -list -v -keystore C:\cert.pfx) -match '^Alias.*' -$currentAlias = ($string -split ':')[1].Trim() - -$passkey = '9hPRGDmfYE3bGyBZCer6AUsh4RTZXbkw' -& $KeyTool -importkeystore -srckeystore C:\cert.pfx -srcstoretype PKCS12 -srcstorepass chocolatey -destkeystore C:\ProgramData\nexus\etc\ssl\keystore.jks -deststoretype JKS -alias $currentAlias -destalias jetty -deststorepass $passkey -& $KeyTool -keypasswd -keystore C:\ProgramData\nexus\etc\ssl\keystore.jks -alias jetty -storepass 
$passkey -keypass chocolatey -new $passkey - -$xmlPath = 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml' -[xml]$xml = Get-Content -Path 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml' -foreach ($entry in $xml.Configure.New.Where{ $_.id -match 'ssl' }.Set.Where{ $_.name -match 'password' }) { - $entry.InnerText = $passkey -} - -$xml.OuterXml | Set-Content -Path $xmlPath - -Remove-Item C:\cert.pfx - -$nexusPath = 'C:\ProgramData\sonatype-work\nexus3' -$configPath = "$nexusPath\etc\nexus.properties" - -(Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath - -$configStrings = @('jetty.https.stsMaxAge=-1', "application-port-ssl=$NexusPort", 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml') -$configStrings | ForEach-Object { - if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) { - $_ | Add-Content -Path $configPath - } -} +. $PSScriptRoot\Get-Helpers.ps1 -Restart-Service nexus +Set-NexusCert -Thumbprint $Thumbprint -Port $Port -Write-Host -BackgroundColor Black -ForegroundColor DarkGreen "The script has successfully run and the Nexus service is now rebooting for the changes to take effect." -} \ No newline at end of file +Write-Host -BackgroundColor Black -ForegroundColor DarkGreen "The script has successfully run and the Nexus service is now rebooting for the changes to take effect." \ No newline at end of file
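Review bot: The removed `process { $ErrorActionPreference = 'Stop'` is not re-added to the flattened script, so cmdlet failures inside Set-NexusCert (the removed body shows Export-PfxCertificate, Import-PfxCertificate and the nexus.properties rewrite on this path) now only emit non-terminating errors and the closing `Write-Host ... "The script has successfully run ..."` prints regardless; put `$ErrorActionPreference = 'Stop'` back on a line before `. $PSScriptRoot\Get-Helpers.ps1`. That same message also states that the Nexus service is rebooting, but the helper this script now calls (Get-Helpers.ps1 hunk @@ -1673) only restarts a service that is already running, so a stopped Nexus stays stopped with no indication; either check the service state here before printing or reword the message. `[uint16]$Port = 8443` here does not match the untyped `$Port` on the helper, so the type check happens only when entering through this wrapper. The param block this hunk edits begins before the hunk.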