Openstack ConfigWinRMCertificateAuthPlugin CryptoAPI error

asked 2017-02-09 04:01:18 +0300

nkiran

updated 2017-02-10 23:30:35 +0300

Hi,

I would like to add an X509 auth certificate to the Windows server running on Openstack so I can execute WinRM commands using a cert rather than a password.

When bringing up a server instance, I'm passing the x509 cert as metadata as we use the user data to execute PS commands. I construct the metadata as shown in this post: https://cloudbase.it/windows-without-...

The Windows image used is derived from Windows 2012R2 eval images from Cloudbase, and the ConfigWinRMCertificateAuthPlugin appears to pick up the passed cert. The only difference is that we generate our own pem cert. However, I see the following error in the console log:

2017-02-07 09:07:56.735 1984 ERROR cloudbaseinit.init [-] plugin 'ConfigWinRMCertificateAuthPlugin' failed with error 'CryptoAPI error: 0xd'
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init [-] CryptoAPI error: 0xd
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init Traceback (most recent call last):
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\init.py", line 75, in execplugin
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init shareddata)
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\windows\winrmcertificateauth.py", line 92, in execute
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init certdata, storename=x509.STORENAMEROOT)
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\utils\windows\x509.py", line 236, in importcert
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init raise cryptoapi.CryptoAPIException()
2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init cloudbaseinit.utils.windows.cryptoapi.CryptoAPIException: CryptoAPI error: 0xd

Appreciate any pointers on what the root cause of the error might be.

Thanks,

-- Kiran

Cloudbase-init configuration:

[DEFAULT]
username=Administrator
groups=Administrators
inject_user_password=true
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init-unattend.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings=COM1,115200,N,8
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
metadata_services=cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cloudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService
plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin
allow_reboot=false
stop_service_on_exit=false
check_latest_version=false

Sample pem cert:


1 answer


answered 2017-02-10 14:21:26 +0300

avladu

Hello,

In order to debug the issue, can you post (if possible) the cloudbase-init configuration that you are using and an example certificate that does not work for you?

Thank you, Adrian Vladu


Comments

Hi Adrian, thanks for the response. I've added the details to the original post. Though I don't have the configwinrmcertificateauthplugin listed in the configuration, it does appear to trigger it, as seen from the log file.

nkiran (2017-02-10 23:29:16 +0300)

I'm also wondering why the blog post at https://cloudbase.it/windows-without-passwords-in-openstack/ suggests converting the PEM to DER and base64 encoding it, since Windows recognizes both PEM and DER.

nkiran (2017-02-11 01:13:53 +0300)

Hi, any pointers on what could be the issue?

nkiran (2017-02-19 05:27:20 +0300)
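
Added example, not from the thread or from cloudbase-init: a pre-flight check for the PEM-to-DER-to-base64 conversion discussed in the comments above, which rejects a value whose decoded bytes are not one complete DER SEQUENCE (0xd is the Win32 code ERROR_INVALID_DATA). The function names and the sample blob are constructed for illustration, and only the outer DER framing is checked, not X.509 validity.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a 300-byte SEQUENCE of zeros, framed like a certificate
# but NOT a real one. It exists only to exercise the checks below.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def der_outer_length(der):
    """Return the total size (header + content) the outer DER header declares."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def cert_to_b64_der(text):
    """Accept PEM or bare base64 text; return single-line base64 of the DER."""
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    body = "".join(body.split())          # drop line breaks and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not clean base64: %s" % exc)
    declared = der_outer_length(der)
    if declared != len(der):              # truncated or padded with extra data
        raise ValueError("DER length mismatch: header says %d, got %d"
                         % (declared, len(der)))
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    print(cert_to_b64_der(SAMPLE_PEM)[:32] + "...")
```

The check fails on a truncated value and on a PEM file that was base64-encoded as a whole instead of being converted to DER first.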
