(#160) Rewrite Set-NexusCert to match Set-JenkinsCert
JPRuskin committed Mar 22, 2024
1 parent c8e8925 commit 5198683
Showing 2 changed files with 41 additions and 45 deletions.
8 changes: 1 addition & 7 deletions Set-SslSecurity.ps1
Expand Up @@ -247,7 +247,6 @@ process {
$EndpointScript = "$ScriptDir\Register-C4bEndpoint.ps1"

if ($Hardened) {

$ClientSaltValue = New-CCMSalt
$ServiceSaltValue = New-CCMSalt
$ScriptBlock = @"
Expand Down Expand Up @@ -289,10 +288,7 @@ process {
}

Install-ChocolateyAgent @agentArgs
}

else {

} else {
# Agent Setup
$agentArgs = @{
CentralManagementServiceUrl = "https://$($SubjectWithoutCn):24020/ChocolateyManagementService"
Expand Down Expand Up @@ -327,9 +323,7 @@ Invoke-Expression (`$downloader.DownloadString("http://`$(`$HostName):80/Import-
}
$SslJson | ConvertTo-Json | Out-File "$env:SystemDrive\choco-setup\logs\ssl.json"
}

end {

# Hand back the created/found certificate to the caller.
$Certificate

78 changes: 40 additions & 38 deletions scripts/Get-Helpers.ps1
Expand Up @@ -1469,47 +1469,58 @@ function Set-NexusCert {
$Port = 8443
)

if ((Test-Path C:\ProgramData\nexus\etc\ssl\keystore.jks)) {
Remove-Item C:\ProgramData\nexus\etc\ssl\keystore.jks -Force
}

$KeyTool = "C:\ProgramData\nexus\jre\bin\keytool.exe"
$password = "chocolatey" | ConvertTo-SecureString -AsPlainText -Force
$certificate = Get-ChildItem Cert:\LocalMachine\TrustedPeople\ | Where-Object { $_.Thumbprint -eq $Thumbprint } | Sort-Object | Select-Object -First 1

Write-Host "Exporting .pfx file to C:\, will remove when finished" -ForegroundColor Green
$certificate | Export-PfxCertificate -FilePath C:\cert.pfx -Password $password
Get-ChildItem -Path c:\cert.pfx | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Exportable -Password $password
Write-Warning -Message "You'll now see prompts and other outputs, things are working as expected, don't do anything"
$string = ("chocolatey" | & $KeyTool -list -v -keystore C:\cert.pfx) -match '^Alias.*'
$currentAlias = ($string -split ':')[1].Trim()
$KeyStorePath = 'C:\ProgramData\nexus\etc\ssl\keystore.jks'
$KeystoreCredential = [NetworkCredential]::new(
"Keystore",
(New-ServicePassword)
)
$TempCertPath = Join-Path $env:TEMP "$(New-Guid).pfx"

$passkey = '9hPRGDmfYE3bGyBZCer6AUsh4RTZXbkw'
& $KeyTool -importkeystore -srckeystore C:\cert.pfx -srcstoretype PKCS12 -srcstorepass chocolatey -destkeystore C:\ProgramData\nexus\etc\ssl\keystore.jks -deststoretype JKS -alias $currentAlias -destalias jetty -deststorepass $passkey
& $KeyTool -keypasswd -keystore C:\ProgramData\nexus\etc\ssl\keystore.jks -alias jetty -storepass $passkey -keypass chocolatey -new $passkey
try {
Write-Verbose "Exporting .pfx file to C:\, will remove when finished"
Get-ChildItem Cert:\LocalMachine\TrustedPeople\ | Where-Object { $_.Thumbprint -eq $Thumbprint } | Sort-Object | Select-Object -First 1 | Export-PfxCertificate -FilePath $TempCertPath -Password $KeystoreCredential.SecurePassword
# TODO: Is this the right place for this? # Get-ChildItem -Path $TempCertPath | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Exportable -Password $KeystoreCredential.SecurePassword
Write-Warning -Message "You'll now see prompts and other outputs, things are working as expected, don't do anything"
$string = ($KeystoreCredential.Password | & $KeyTool -list -v -keystore $TempCertPath) -match '^Alias.*'
$currentAlias = ($string -split ':')[1].Trim()

if ((Test-Path $KeyStorePath)) {
Remove-Item $KeyStorePath -Force
}

$xmlPath = 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
[xml]$xml = Get-Content -Path 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
foreach ($entry in $xml.Configure.New.Where{ $_.id -match 'ssl' }.Set.Where{ $_.name -match 'password' }) {
$entry.InnerText = $passkey
}
& $KeyTool -importkeystore -srckeystore $TempCertPath -srcstoretype PKCS12 -srcstorepass $KeystoreCredential.Password -destkeystore $KeyStorePath -deststoretype JKS -alias $currentAlias -destalias jetty -deststorepass $KeystoreCredential.Password
& $KeyTool -keypasswd -keystore $KeyStorePath -alias jetty -storepass $KeystoreCredential.Password -keypass chocolatey -new $KeystoreCredential.Password

$xml.OuterXml | Set-Content -Path $xmlPath
$xmlPath = 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
[xml]$xml = Get-Content -Path 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
foreach ($entry in $xml.Configure.New.Where{ $_.id -match 'ssl' }.Set.Where{ $_.name -match 'password' }) {
$entry.InnerText = $KeystoreCredential.Password
}

Remove-Item C:\cert.pfx
$xml.Save($xmlPath)
} finally {
if (Test-Path $TempCertPath) {
Remove-Item $TempCertPath -Force
}
}

$nexusPath = 'C:\ProgramData\sonatype-work\nexus3'
$configPath = "$nexusPath\etc\nexus.properties"
$configPath = "C:\ProgramData\sonatype-work\nexus3\etc\nexus.properties"

# Remove existing ssl config from the configuration
(Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath

$configStrings = @('jetty.https.stsMaxAge=-1', "application-port-ssl=$Port", 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml')
$configStrings | ForEach-Object {
# Ensure each line is added to the configuration
@(
'jetty.https.stsMaxAge=-1'
"application-port-ssl=$Port"
'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml'
) | ForEach-Object {
if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) {
$_ | Add-Content -Path $configPath
}
}

if ((Get-Service Nexus).Status -eq 'Running') {
Restart-Service Nexus
}
Expand All @@ -1521,18 +1532,9 @@ function Test-SelfSignedCertificate {
[Parameter(ValueFromPipeline = $true)]
$Certificate = (Get-ChildItem -Path Cert:LocalMachine\My | Where-Object { $_.FriendlyName -eq $SubjectWithoutCn })
)

process {

if ($Certificate.Subject -eq $Certificate.Issuer) {
return $true
}
else {
return $false
}

$Certificate.Subject -eq $Certificate.Issuer
}

}

#endregion
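Review bot: `-keypass chocolatey` on the `keytool -keypasswd` line is a leftover from the old fixed password: the PFX is now exported with `$KeystoreCredential.SecurePassword`, and when `-destkeypass` is not given, `-importkeystore` protects the destination entry with the source entry's password, so after the import the jetty entry should already be locked with `$KeystoreCredential.Password` and the `-keypasswd` call is asked to unlock it with the wrong one. Either drop that call or change it to `-keypass $KeystoreCredential.Password`, and check `$LASTEXITCODE` after each keytool invocation, because `&` does not stop the script on a non-zero exit and a failed import would otherwise be followed silently by the jetty-https.xml rewrite and service restart. The generated password is still passed on keytool's command line (`-srcstorepass`, `-deststorepass`, `-storepass`) and so is visible in process listings for the duration of each call; keytool's `-storepass:env` / `-storepass:file` forms avoid that. The `Write-Verbose` text still says the file is exported to `C:\` although it now goes to the temp path: `Write-Verbose "Exporting .pfx file to $TempCertPath, will remove when finished"`. Set-NexusCert's parameter block starts above the hunk.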
