AppSettings Thumbprint

Product: PowerShell Universal
Version: 3.4.1-3

Hi @adam, I have reconfigured appsettings.json to use a thumbprint, as per the documentation, rather than a PFX with a plain-text password, but the PowerShellUniversal service starts and then stops shortly after.

{
  "Kestrel": {
    "Endpoints": {
      "HTTPS": {
        "Url": "https://*:443",
        "Certificate": {
          "Thumbprint": "***",
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": "true"
        }
      }
    }
  }
}

I have imported the pfx successfully to Cert:\LocalMachine\My\ and I can see it in PowerShell. The thumbprint is correct but the service won't remain started.

I get this error in the log:
2022-10-25 15:41:25.748 +00:00 [FTL] Failed to start PowerShell Universal.
System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'IServiceProvider'.
at Microsoft.Extensions.DependencyInjection.ServiceLookup.ThrowHelper.ThrowObjectDisposedException()
at Microsoft.Extensions.DependencyInjection.ServiceProvider.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngineScope.GetService(Type serviceType)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
at UniversalAutomation.StartupService.RunInitializationScript() in C:\actions-runner_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 332
at UniversalAutomation.StartupService.RunStartup() in C:\actions-runner_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 234
at UniversalAutomation.StartupService.TryRunStartup() in C:\actions-runner_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 187

Any thoughts?

I think it's trying to export the certificate from the certificate store, but the certificate is not exportable, so it's failing. This works when using PEM and key, so all good!

Interesting. We shouldn’t be exporting the cert at all so I’m not sure why that didn’t work. Glad you have a workaround.

Sounds a bit like it's not fixed, but rather worked around using another method.

I’m facing the same issue trying to use a Certificate from the cert store by its thumbprint

2022-10-31 13:13:51.223 +01:00 [FTL] Failed to start PowerShell Universal.
System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'IServiceProvider'.
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ThrowHelper.ThrowObjectDisposedException()
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngineScope.GetService(Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
   at PowerShellUniversal.Client.get__config() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Client.cs:line 33
   at PowerShellUniversal.Client.StartAsync() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Client.cs:line 48
   at UniversalAutomation.StartupService.RunStartup() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 242
   at UniversalAutomation.StartupService.TryRunStartup() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 187
{
  "Kestrel": {
    "Endpoints": {
      "HTTP": {
        "Url": "http://*:5000"
      },
      "HTTPS": {
        "Url": "https://*:443",
        "Certificate": {
          "Thumbprint": "stuffhere",
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": "true"
        }
      }
    },
    "RedirectToHttps": "true"
  },
  "Plugins": [
    "UniversalAutomation.LiteDBv5"
  ],
  "Data": {
    "RepositoryPath": "%ProgramData%\\UniversalAutomation\\Repository",
    "ConnectionString": "%ProgramData%\\UniversalAutomation\\database.db"
  }
}

Trying the example with a self-signed cert works by subject, but generates the same error when using thumbprint.
Exporting the cert as PFX with password also generates the same error.

Any other errors in the logs? It's actually past where we set up the cert and it's attempting to run the initialization script. It leads me to believe the server is starting to shut down for some reason and has disposed the service provider, which is causing this error.

I currently can’t reproduce this.

    "Kestrel": {
        "Endpoints": {
            "HTTP": {
                "Url": "http://*:5000"
            },
            "HTTPS": {
                "Url": "https://*:5001",
                "Certificate": {
                    "Thumbprint": "5CE8504B50E20127C4FE547551DC7A41A672689D",
                    "Store": "My",
                    "Location": "LocalMachine",
                    "AllowInvalid": "true"
                }
            }
        },
        "RedirectToHttps": "true"
    },
   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
5CE8504B50E20127C4FE547551DC7A41A672689D  CN=localhost         Server Authentication


Don't know if it's relevant that I'm running my site with a gMSA.

Here is the log from C:\ProgramData\PowerShellUniversal, where I made an attempt with PFX, then the working localhost example based on subject name, and an attempt with localhost based on thumbprint.

Not much to work with.

2022-10-31 13:29:43.867 +01:00 [FTL] Failed to start PowerShell Universal.
System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'IServiceProvider'.
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ThrowHelper.ThrowObjectDisposedException()
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngineScope.GetService(Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
   at PowerShellUniversal.Client.get__config() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Client.cs:line 33
   at PowerShellUniversal.Client.StartAsync() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Client.cs:line 48
   at UniversalAutomation.StartupService.RunStartup() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 242
   at UniversalAutomation.StartupService.TryRunStartup() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 187
2022-10-31 13:31:16.785 +01:00 [INF] User profile is available. Using 'C:\Users\S_PSU_ssdfgsdfg$\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
2022-10-31 13:31:17.387 +01:00 [INF] Now listening on: http://[::]:5000
2022-10-31 13:31:17.387 +01:00 [INF] Now listening on: https://[::]:443
2022-10-31 13:31:17.389 +01:00 [INF] Application started. Hosting environment: Production; Content root path: C:\Program Files (x86)\Universal\
2022-10-31 13:32:25.757 +01:00 [INF] User profile is available. Using 'C:\Users\S_PSU_sdfgsdfg$\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
2022-10-31 13:32:28.101 +01:00 [FTL] Failed to start PowerShell Universal.
System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'IServiceProvider'.
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ThrowHelper.ThrowObjectDisposedException()
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngineScope.GetService(Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
   at PowerShellUniversal.Client.get__config() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Client.cs:line 33
   at PowerShellUniversal.Client.StartAsync() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Client.cs:line 48
   at UniversalAutomation.StartupService.RunStartup() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 242
   at UniversalAutomation.StartupService.TryRunStartup() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\StartupService.cs:line 187

Setting log level to debug adds nothing to the log when it errors out.

It could be relevant. I can try to get that setup in my lab to see if I experience the issue.

Do you have any errors in the application log in event viewer about this?

uhh loads!

Error 1

Application: Universal.Server.exe
CoreCLR Version: 6.0.1022.47605
.NET Version: 6.0.10
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Load()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
   at Universal.Server.Program.<>c__DisplayClass3_0.<Main>b__0(Options o) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Program.cs:line 76
   at CommandLine.ParserResultExtensions.WithParsed[T](ParserResult`1 result, Action`1 action)
   at Universal.Server.Program.Main(String[] args) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Program.cs:line 58

Error 2

Faulting application name: Universal.Server.exe, version: 1.0.0.0, time stamp: 0x6331eb0e
Faulting module name: KERNELBASE.dll, version: 10.0.20348.1129, time stamp: 0x2a5524ce
Exception code: 0xe0434352
Fault offset: 0x000000000003ef5c
Faulting process id: 0x1208
Faulting application start time: 0x01d8ed29c6d80d00
Faulting application path: C:\Program Files (x86)\Universal\Universal.Server.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 748dc11f-af58-45fe-81aa-6626d4acdb56
Faulting package full name: 
Faulting package-relative application ID: 

Information 3

Fault bucket 1793097619794429271, type 4
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: Universal.Server.exe
P2: 1.0.0.0
P3: 6331eb0e
P4: KERNELBASE.dll
P5: 10.0.20348.1129
P6: 2a5524ce
P7: e0434352
P8: 000000000003ef5c
P9: 
P10: 

Attached files:
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.f34240fc-9050-43ef-bd6c-97c2f59f039e.tmp.dmp
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.98c7d22b-b697-4008-bd23-0ebb67886d9d.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.96c87143-5e8a-46be-ac34-163255208bdf.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.dd2f70d7-f22f-42d0-93bd-468db89c4b1b.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d256ff24-75ec-4a6a-8ecf-17e31763662a.tmp.txt

These files may be available here:
\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Universal.Server_642135d5123cd4a55053e3fd5280572d625acc20_187f3dda_26046589-de08-400d-88e7-32b23fa725e3

Analysis symbol: 
Rechecking for solution: 0
Report Id: 748dc11f-af58-45fe-81aa-6626d4acdb56
Report Status: 268435456
Hashed bucket: fb98b91f57a4788518e25cc8f3720557
Cab Guid: 0

Perfect. That’s what I needed. I’ll see what we can do.


@PorreKaj Are you editing appsettings.json in Program Files (x86) or ProgramData?

C:\ProgramData\PowerShellUniversal

If that's the issue I'm gonna go to bed…

It’s not. If you had done it the other way, then I see the problem but it’s something else.

Great :smiley:

This is the first time I'm hosting outside IIS. All settings must be specified in the ProgramData one, yes?

It’s not a hard requirement but that’s what I would recommend. It’s just easier for upgrades.


Using the example with the self-signed cert, I'm not getting the same errors, as mentioned, but it's not letting me get to the site with https:

2022-11-02 11:40:09.733 +01:00 [DBG] Failed to authenticate HTTPS connection.
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCH_CREDENTIALS* scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCH_CREDENTIALS* secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchCredentials(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
   at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
{
  "Kestrel": {
    "EndpointDefaults": { 
      "Protocols": "Http1"
    },
    "Endpoints": {
      "HTTP": {
        "Url": "http://*"
      },
      "HTTPS": {
        "Url": "https://*:443",
        "Certificate": {
          "Subject": "localhost",
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": "true"
        }
      }
    },
    "RedirectToHttps": "false"
  },
  "Plugins": [
    "UniversalAutomation.LiteDBv5"
  ],
  "Data": {
    "RepositoryPath": "%ProgramData%\\UniversalAutomation\\Repository",
    "ConnectionString": "%ProgramData%\\UniversalAutomation\\database.db"
  }
}

I wonder if it might be relevant.

Running the service with LocalSystem instead of a gMSA works using the localhost self-signed example.

No luck on using thumbprint still. @adam, still getting the "Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found or is out of date." error in the event log.

I managed to get my HTTPS site working (using the exported cert) and a gMSA, the issue being me using a certificate request template without server auth (stupid long template name cut off that part :smiley:); Kestrel being a bit more verbose could probably have told me that.

Either way, still not able to use thumbprint, but at least now I can get on with it.
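The thread turns on three things Kestrel never reports clearly: whether the certificate found by thumbprint actually has a private key in LocalMachine\My, whether it carries the Server Authentication EKU that Schannel insists on (the cause the last post landed on), and whether the service identity (here a gMSA) can read the private key file on disk, which is the usual source of the 0x8009030D "credentials supplied to the package were not recognized" error shown earlier. The script below is an added diagnostic for exactly those checks; it is not code from PowerShell Universal or from anyone in this thread. The default `$Thumbprint` is the one Adam posted above and `$ServiceAccount` is a made-up gMSA name; both are placeholders to replace. One caveat worth knowing while reading the event-log trace above: the certificate loader inside ASP.NET Core's `KestrelConfigurationLoader` resolves store certificates by `Subject` only and does not read a `Thumbprint` key, so a `Certificate` block with only a thumbprint leaves Kestrel with no certificate and falls through to the developer-certificate message. Whether PowerShell Universal adds its own thumbprint lookup on top is not settled in this thread.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic, not part of PowerShell Universal. Checks a LocalMachine\My certificate
# the way Kestrel and Schannel will need it: it exists, has a private key, carries the
# Server Authentication EKU, and its private key file is readable by the service identity.
# Both parameter defaults are placeholders (assumptions): replace them with your own values.
param(
    [string]$Thumbprint     = '5CE8504B50E20127C4FE547551DC7A41A672689D',
    [string]$ServiceAccount = 'CONTOSO\S_PSU$'   # gMSA names end in '$'; use 'NT AUTHORITY\SYSTEM' for LocalSystem
)

# 1. Normalise the thumbprint. Values copied from certmgr.msc often carry spaces or a hidden
#    U+200E mark, and a single non-hex character makes a thumbprint lookup return nothing.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) { throw "Thumbprint is not 40 hex characters after cleanup: '$Thumbprint'" }
if ($clean -cne $Thumbprint) { Write-Warning "Thumbprint contained stray characters; use exactly: $clean" }

# 2. Locate the certificate in the machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My" }
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"

# 3. A public-only import looks identical in the UI but is useless to a TLS server.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store.' }

# 4. Schannel only presents a certificate as a server credential if it has the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) or no EKU extension at all.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')) {
    $names = ($eku.EnhancedKeyUsages | ForEach-Object FriendlyName) -join ', '
    Write-Warning "EKU extension present but without Server Authentication (has: $names). Schannel will refuse it."
}

# 5. Find the key container on disk and check the service account can read it.
#    CNG keys live under ProgramData\Microsoft\Crypto\Keys, legacy CAPI keys under ...\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Private key is not RSA (this script does not handle ECDSA keys).' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw "Unsupported key implementation: $($rsa.GetType().FullName)"
}
if (-not (Test-Path -Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Only explicit ACEs are inspected; a grant inherited through group membership is not detected here.
$acl     = Get-Acl -Path $keyFile
$canRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ServiceAccount -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($canRead) {
    "OK: $ServiceAccount can read the private key file $keyFile"
} else {
    Write-Warning "$ServiceAccount has no explicit Read ACE on $keyFile; expect 0x8009030D on the first TLS handshake."
    "Grant it with:  icacls `"$keyFile`" /grant `"${ServiceAccount}:R`""
}
```

Run it elevated on the PSU host under Windows PowerShell 5.1 or PowerShell 7, then restart the service. If step 4 warns, the certificate needs to be reissued from a template that includes Server Authentication; no ACL change will fix that. If only step 5 warns, the `icacls` line it prints (or the "Manage Private Keys" dialog in certlm.msc) is the fix, and the service identity must be the one the service actually runs as, which for a gMSA is the account name with its trailing `$`.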