Multiple Certificates for site

Product: PowerShell Universal
Version: 2.1.2

We just shifted our PSU site over to live behind an F5 load balancer with a new domain url for it. As such, I naturally adjusted the appsettings.json to point toward the new certificate for the site from the old one.

However, we are now running into an issue where Automation scripts cannot make a connection to the UA Server or make calls to run other scripts. Depending on which URL we use, we have two issues.

Using this new F5 based domain name, we get a time out. We’ve already determined that this likely is a firewall related rule that could require adjustments.

If we use the original site URL, which is system.domain.com, it will throw an SSL cert check error.

Ideally, we would prefer to just let our scripts in Automation continue to use system.domain.com, since it's basically a direct call back to itself.

Is there either a way in PS7 with the Connect-UAServer and *-UAScript commands to skip certificate check, or a method in appsettings.json to allow the site to validate against both certificates?

While this may be frowned upon, I’m bumping this thread for visibility as I’m still seeking a potential solution.

Is it possible to use Kestrel's SNI configuration for this? Configure endpoints for the ASP.NET Core Kestrel web server | Microsoft Docs

You’d have two certificates and depending on the host name, it would serve the proper certificate and then you shouldn’t get the cert error.

Took a few days to loop back on this. I was able to get a somewhat working example in my lab (bad cert chains somewhat disrupted the test).

I implemented the configuration in my production site a short while ago, and the UAScript cmdlets now appear to run successfully against the original name without SSL/certificate-related errors.

For the sake of leaving not only the confirmation of the solution but also helpful info for the next person, here is an example of my Kestrel config with dummy names swapped in. In my case I have the certs in the LocalMachine/Personal store for access.

"Kestrel": {
  "Endpoints": {
    "MySniEndpoint": {
      "Url": "https://*",
      "SslProtocols": ["Tls12"],
      "Sni": {
        "system.domain.com": {
          "Protocols": "Http1AndHttp2AndHttp3",
          "SslProtocols": ["Tls12", "Tls13"],
          "Certificate": {
            "Subject": "system.domain.com",
            "Store": "My",
            "Location": "LocalMachine",
            // AllowInvalid lets Kestrel load a cert whose chain does not validate
            // (e.g. self-signed); it does not change what clients see or validate
            "AllowInvalid": true
          },
          "ClientCertificateMode": "NoCertificate"
        },
        "sweetname.domain2.com": {
          "Protocols": "Http1AndHttp2AndHttp3",
          "SslProtocols": ["Tls12", "Tls13"],
          "Certificate": {
            "Subject": "sweetname.domain2.com",
            "Store": "My",
            "Location": "LocalMachine",
            "AllowInvalid": true
          }
        },
        "*": {
          // At least one subproperty needs to exist per SNI section or it
          // cannot be discovered via IConfiguration
          "Protocols": "Http1AndHttp2AndHttp3"
        }
      }
    }
  },
  "Certificates": {
    // Fallback when the client sends no SNI name or one that matches no section
    "Default": {
      "Subject": "system.domain.com",
      "Store": "My",
      "Location": "LocalMachine",
      "AllowInvalid": true
    }
  }
}
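To confirm that an SNI setup like the one above actually hands each name its own certificate, and to see the chain errors a client would hit instead of silently skipping them, here is an added PowerShell 7 check (not from the thread or from PowerShell Universal). The host names and the server address are the thread's dummy values and are assumptions.

```powershell
# Added example: report which certificate a Kestrel SNI endpoint serves for a
# given host name, and whether that certificate's chain validates on this client.
function Test-SniCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,  # name placed in the TLS SNI extension
        [string]$Server = $HostName,              # address to connect to (e.g. the F5 VIP)
        [int]$Port = 443
    )
    $result = [ordered]@{ HostName = $HostName; Subject = $null; Issuer = $null
                          Thumbprint = $null; NotAfter = $null; PolicyErrors = $null }
    # The callback only records the validation outcome so it can be reported;
    # it is for this diagnostic only, real clients keep the default validation.
    $record = {
        param($sender, $cert, $chain, $errors)
        $result.PolicyErrors = $errors.ToString()   # 'None' means the chain validated
        return $true
    }.GetNewClosure()
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]$record)
        # $HostName drives the SNI extension, so Kestrel selects that "Sni" section
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.Thumbprint = $cert.Thumbprint
        $result.NotAfter   = $cert.NotAfter
        $ssl.Dispose()
    }
    finally {
        $tcp.Dispose()
    }
    [pscustomobject]$result
}

# Both names from the config, checked against the same server (assumed values):
'system.domain.com', 'sweetname.domain2.com' |
    ForEach-Object { Test-SniCertificate -HostName $_ -Server 'system.domain.com' } |
    Format-Table HostName, Subject, NotAfter, PolicyErrors
```

If the Subject column shows the same certificate for both names, the SNI sections are not being matched (check the appsettings.json nesting and the exact host names); a non-empty PolicyErrors value is the chain problem the UAScript cmdlets would report.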