New Question

Revision history [back]

click to hide/show revision 1
initial version

Openstack ConfigWinRMCertificateAuthPlugin CryptoAPI error

Hi,

I would like to add a X509 auth certificate to the Windows server running on Openstack so I can execute WinRM commands using a cert rather than a password.

When bringing up a server instance, I'm passing the x509 cert as meta data as we use the user data to execute PS commands. I construct the metadata as shown in this post: https://cloudbase.it/windows-without-passwords-in-openstack/

The Windows image used is derived from Windows 2012R2 eval images from Cloudbase, and the ConfigWinRMCertificateAuthPlugin appears to pick up the passed cert. The only difference is that we generate our own pem cert. However, I see the following error in the console log:

2017-02-07 09:07:56.735 1984 ERROR cloudbaseinit.init [-] plugin 'ConfigWinRMCertificateAuthPlugin' failed with error 'CryptoAPI error: 0xd' 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init [-] CryptoAPI error: 0xd 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init Traceback (most recent call last): 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\init.py", line 75, in execplugin 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init shareddata) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\windows\winrmcertificateauth.py", line 92, in execute 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init certdata, storename=x509.STORENAMEROOT) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\utils\windows\x509.py", line 236, in importcert 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init raise cryptoapi.CryptoAPIException() 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init cloudbaseinit.utils.windows.cryptoapi.CryptoAPIException: CryptoAPI error: 0xd

Appreciate any pointers on what the root cause of the error might be.

Thanks,

-- Kiran

Openstack ConfigWinRMCertificateAuthPlugin CryptoAPI error

Hi,

I would like to add a X509 auth certificate to the Windows server running on Openstack so I can execute WinRM commands using a cert rather than a password.

When bringing up a server instance, I'm passing the x509 cert as meta data as we use the user data to execute PS commands. I construct the metadata as shown in this post: https://cloudbase.it/windows-without-passwords-in-openstack/

The Windows image used is derived from Windows 2012R2 eval images from Cloudbase, and the ConfigWinRMCertificateAuthPlugin appears to pick up the passed cert. The only difference is that we generate our own pem cert. However, I see the following error in the console log:

2017-02-07 09:07:56.735 1984 ERROR cloudbaseinit.init [-] plugin 'ConfigWinRMCertificateAuthPlugin' failed with error 'CryptoAPI error: 0xd' 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init [-] CryptoAPI error: 0xd 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init Traceback (most recent call last): 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\init.py", line 75, in execplugin 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init shareddata) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\windows\winrmcertificateauth.py", line 92, in execute 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init certdata, storename=x509.STORENAMEROOT) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\utils\windows\x509.py", line 236, in importcert 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init raise cryptoapi.CryptoAPIException() 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init cloudbaseinit.utils.windows.cryptoapi.CryptoAPIException: CryptoAPI error: 0xd

Appreciate any pointers on what the root cause of the error might be.

Thanks,

-- Kiran

Cloudbase-init configuration:

[DEFAULT] username=Administrator groups=Administrators injectuserpassword=true firstlogonbehaviour=no configdriverawhhd=true configdrivecdrom=true configdrivevfat=true bsdtarpath=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe mtoolspath=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\ verbose=true debug=true logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\ logfile=cloudbase-init-unattend.log defaultloglevels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN loggingserialportsettings=COM1,115200,N,8 mtuusedhcpconfig=true ntpusedhcpconfig=true localscriptspath=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\ metadataservices=cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cl oudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin allowreboot=false stopserviceonexit=false checklatest_version=false

Openstack ConfigWinRMCertificateAuthPlugin CryptoAPI error

Hi,

I would like to add a X509 auth certificate to the Windows server running on Openstack so I can execute WinRM commands using a cert rather than a password.

When bringing up a server instance, I'm passing the x509 cert as meta data as we use the user data to execute PS commands. I construct the metadata as shown in this post: https://cloudbase.it/windows-without-passwords-in-openstack/

The Windows image used is derived from Windows 2012R2 eval images from Cloudbase, and the ConfigWinRMCertificateAuthPlugin appears to pick up the passed cert. The only difference is that we generate our own pem cert. However, I see the following error in the console log:

2017-02-07 09:07:56.735 1984 ERROR cloudbaseinit.init [-] plugin 'ConfigWinRMCertificateAuthPlugin' failed with error 'CryptoAPI error: 0xd' 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init [-] CryptoAPI error: 0xd 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init Traceback (most recent call last): 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\init.py", line 75, in execplugin 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init shareddata) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\windows\winrmcertificateauth.py", line 92, in execute 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init certdata, storename=x509.STORENAMEROOT) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\utils\windows\x509.py", line 236, in importcert 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init raise cryptoapi.CryptoAPIException() 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init cloudbaseinit.utils.windows.cryptoapi.CryptoAPIException: CryptoAPI error: 0xd

Appreciate any pointers on what the root cause of the error might be.

Thanks,

-- Kiran

Cloudbase-init configuration:

[DEFAULT]
username=Administrator
groups=Administrators
injectuserpassword=true
firstlogonbehaviour=no
configdriverawhhd=true
configdrivecdrom=true
configdrivevfat=true
bsdtarpath=C:\Program inject_user_password=true
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtoolspath=C:\Program mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init-unattend.log
defaultloglevels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
loggingserialportsettings=COM1,115200,N,8
mtuusedhcpconfig=true
ntpusedhcpconfig=true
localscriptspath=C:\Program default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings=COM1,115200,N,8
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
metadataservices=cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cl
oudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService
metadata_services=cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cloudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService
plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin
allowreboot=false
stopserviceonexit=false
checklatest_version=false

allow_reboot=false stop_service_on_exit=false check_latest_version=false

Openstack ConfigWinRMCertificateAuthPlugin CryptoAPI error

Hi,

I would like to add a X509 auth certificate to the Windows server running on Openstack so I can execute WinRM commands using a cert rather than a password.

When bringing up a server instance, I'm passing the x509 cert as meta data as we use the user data to execute PS commands. I construct the metadata as shown in this post: https://cloudbase.it/windows-without-passwords-in-openstack/

The Windows image used is derived from Windows 2012R2 eval images from Cloudbase, and the ConfigWinRMCertificateAuthPlugin appears to pick up the passed cert. The only difference is that we generate our own pem cert. However, I see the following error in the console log:

2017-02-07 09:07:56.735 1984 ERROR cloudbaseinit.init [-] plugin 'ConfigWinRMCertificateAuthPlugin' failed with error 'CryptoAPI error: 0xd' 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init [-] CryptoAPI error: 0xd 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init Traceback (most recent call last): 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\init.py", line 75, in execplugin 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init shareddata) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\windows\winrmcertificateauth.py", line 92, in execute 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init certdata, storename=x509.STORENAMEROOT) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\utils\windows\x509.py", line 236, in importcert 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init raise cryptoapi.CryptoAPIException() 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init cloudbaseinit.utils.windows.cryptoapi.CryptoAPIException: CryptoAPI error: 0xd

Appreciate any pointers on what the root cause of the error might be.

Thanks,

-- Kiran

Cloudbase-init configuration:

[DEFAULT]
username=Administrator
groups=Administrators
inject_user_password=true
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init-unattend.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings=COM1,115200,N,8
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
metadata_services=cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cloudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService
plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin
allow_reboot=false
stop_service_on_exit=false
check_latest_version=false

-----BEGIN CERTIFICATE-----
MIIDHzCCAgegAwIBAgIJAOkAohQD8bfgMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
BAMTGGNsb3VkYmFzZS1pbml0LXVzZXItNDM1MDAeFw0xNzAyMTAxNjI1MTNaFw0y
NzAyMDgxNjI1MTNaMCMxITAfBgNVBAMTGGNsb3VkYmFzZS1pbml0LXVzZXItNDM1
MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKlXjqDHz26MJZmui7S/
HhEStuMwzMUAsr9rZX33n4l+NjRf4xoLxzm/EH5nrLvA+zCWCbLCw/mXALxxP0QS
CUYe7Y7B8WWBiBOyibglq2Kd6KA33GvvrZSsrYEtX5kui2Yf8FxFKivTXW5TvZuw
1vCUs0SjlH1Npz0W4+9/4SL+67qUQAzOMWzn+uHdTzg4YHTlJUESOqeyKdTIG9Ft
OovaAa82kvObBeYRDD0hszAGnbBAIsUOyhOTrOPAT737NjumvhUfmUMNroRax4Bo
Qxb7X0HRTVBYgFrYnnJSOrWyYKiLb+HJTRHEvpQoJ89MJmrYoAarLL/HI6WFowhA
kk0CAwEAAaNWMFQwEwYDVR0lBAwwCgYIKwYBBQUHAwIwPQYDVR0RBDYwNKAyBgor
BgEEAYI3FAIDoCQMImNsb3VkYmFzZS1pbml0LXVzZXItNDM1MEBsb2NhbGhvc3Qw
DQYJKoZIhvcNAQELBQADggEBAJrNbAN2DdZPt3rHJmh61BEBE2R/6jrVeRyzXWCg
iW0drgGo6ch1dRCVB3bLPdvsiOlUbRhHTUaWS5158wzauMuvPSo71aU/JHVJx0mJ
xshUuaSpnrV5z46w2qSgqCuwh0jLT3JCPwgGsIPH5+7GFPXneeNZ9M2F4ulMJEzZ
yM458dvkfH2rVMURuWEa6jzXIFlbfXBtSvqI3WidzJUHCa7dmuv/zLRzpJSpv+Zn
m5lPSZWnl0ArhGbRFUWuBwl4tUWO18ukLZzWPpBHmwY46IQELH8/Mr+lBBCNfQ4M
82IQYfsKr3VYNCB7EYDe21O+LzwAKgbVqFgrYn0qKNkEyww=
-----END CERTIFICATE-----

Openstack ConfigWinRMCertificateAuthPlugin CryptoAPI error

Hi,

I would like to add a X509 auth certificate to the Windows server running on Openstack so I can execute WinRM commands using a cert rather than a password.

When bringing up a server instance, I'm passing the x509 cert as meta data as we use the user data to execute PS commands. I construct the metadata as shown in this post: https://cloudbase.it/windows-without-passwords-in-openstack/

The Windows image used is derived from Windows 2012R2 eval images from Cloudbase, and the ConfigWinRMCertificateAuthPlugin appears to pick up the passed cert. The only difference is that we generate our own pem cert. However, I see the following error in the console log:

2017-02-07 09:07:56.735 1984 ERROR cloudbaseinit.init [-] plugin 'ConfigWinRMCertificateAuthPlugin' failed with error 'CryptoAPI error: 0xd' 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init [-] CryptoAPI error: 0xd 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init Traceback (most recent call last): 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\init.py", line 75, in execplugin 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init shareddata) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\plugins\windows\winrmcertificateauth.py", line 92, in execute 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init certdata, storename=x509.STORENAMEROOT) 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init File "c:\program files\cloudbase solutions\cloudbase-init\python\lib\site-packages\cloudbaseinit\utils\windows\x509.py", line 236, in importcert 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init raise cryptoapi.CryptoAPIException() 2017-02-07 09:07:56.750 1984 ERROR cloudbaseinit.init cloudbaseinit.utils.windows.cryptoapi.CryptoAPIException: CryptoAPI error: 0xd

Appreciate any pointers on what the root cause of the error might be.

Thanks,

-- Kiran

Cloudbase-init configuration:

[DEFAULT]
username=Administrator
groups=Administrators
inject_user_password=true
first_logon_behaviour=no
config_drive_raw_hhd=true
config_drive_cdrom=true
config_drive_vfat=true
bsdtar_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\bsdtar.exe
mtools_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\bin\
verbose=true
debug=true
logdir=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\
logfile=cloudbase-init-unattend.log
default_log_levels=comtypes=INFO,suds=INFO,iso8601=WARN,requests=WARN
logging_serial_port_settings=COM1,115200,N,8
mtu_use_dhcp_config=true
ntp_use_dhcp_config=true
local_scripts_path=C:\Program Files\Cloudbase Solutions\Cloudbase-Init\LocalScripts\
metadata_services=cloudbaseinit.metadata.services.httpservice.HttpService,cloudbaseinit.metadata.services.configdrive.ConfigDriveService,cloudbaseinit.metadata.services.ec2service.EC2Service,cloudbaseinit.metadata.services.maasservice.MaaSHttpService
plugins=cloudbaseinit.plugins.common.mtu.MTUPlugin,cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin
allow_reboot=false
stop_service_on_exit=false
check_latest_version=false
 

Sample pem cert:

-----BEGIN CERTIFICATE-----
MIIDHzCCAgegAwIBAgIJAOkAohQD8bfgMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
BAMTGGNsb3VkYmFzZS1pbml0LXVzZXItNDM1MDAeFw0xNzAyMTAxNjI1MTNaFw0y
NzAyMDgxNjI1MTNaMCMxITAfBgNVBAMTGGNsb3VkYmFzZS1pbml0LXVzZXItNDM1
MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKlXjqDHz26MJZmui7S/
HhEStuMwzMUAsr9rZX33n4l+NjRf4xoLxzm/EH5nrLvA+zCWCbLCw/mXALxxP0QS
CUYe7Y7B8WWBiBOyibglq2Kd6KA33GvvrZSsrYEtX5kui2Yf8FxFKivTXW5TvZuw
1vCUs0SjlH1Npz0W4+9/4SL+67qUQAzOMWzn+uHdTzg4YHTlJUESOqeyKdTIG9Ft
OovaAa82kvObBeYRDD0hszAGnbBAIsUOyhOTrOPAT737NjumvhUfmUMNroRax4Bo
Qxb7X0HRTVBYgFrYnnJSOrWyYKiLb+HJTRHEvpQoJ89MJmrYoAarLL/HI6WFowhA
kk0CAwEAAaNWMFQwEwYDVR0lBAwwCgYIKwYBBQUHAwIwPQYDVR0RBDYwNKAyBgor
BgEEAYI3FAIDoCQMImNsb3VkYmFzZS1pbml0LXVzZXItNDM1MEBsb2NhbGhvc3Qw
DQYJKoZIhvcNAQELBQADggEBAJrNbAN2DdZPt3rHJmh61BEBE2R/6jrVeRyzXWCg
iW0drgGo6ch1dRCVB3bLPdvsiOlUbRhHTUaWS5158wzauMuvPSo71aU/JHVJx0mJ
xshUuaSpnrV5z46w2qSgqCuwh0jLT3JCPwgGsIPH5+7GFPXneeNZ9M2F4ulMJEzZ
yM458dvkfH2rVMURuWEa6jzXIFlbfXBtSvqI3WidzJUHCa7dmuv/zLRzpJSpv+Zn
m5lPSZWnl0ArhGbRFUWuBwl4tUWO18ukLZzWPpBHmwY46IQELH8/Mr+lBBCNfQ4M
82IQYfsKr3VYNCB7EYDe21O+LzwAKgbVqFgrYn0qKNkEyww=
-----END CERTIFICATE-----