This post is part of the Learning GUI Toolmaking Series, here on FoxDeploy. Click the banner to return to the series jump page!
Where we left off
Thanks for joining us again! Previously in this series, we learned all about writing fully-fledged applications, in Posts 1, 2and 3. Then, we learned some techniques to keeping our apps responsive in Post 4.
In this post, I’ll walk you through my GUI design process, and share how that actually worked as I sought to create my newest tool.
Along the way, I’ll call out a few really confusing bugs that I worked through in creating this tool, and explain what went wrong. In particular, I ran into quite a snag when trying to programmatically create event handlers in code when trying to use $psitem or $_. This lead to many conversations which introduced me to a powerful solution: the $this variable.
Think something sort of like the Group Policy Management Console, for your DSC Configurations. But we’ll get back to this in a few minutes.
My GUI Design Process
Here’s my general process for designing a front-end:
Create the elevator pitch (Why does this need to exist?)
Draw out a rough design
Make it work in code
Add feature by feature to the front end
Release
Iterate
It all started with me taking a trip to Microsoft last year for the MVP Summit. I’d been kicking around my elevator pitch idea for a while now, and was waiting to spring it on an unwary Microsoft Employee, hoping to con them into making it for me:
Here’s my elevator pitch
To drive adoption of DSC, we need some tooling. First, we need a GUI which lists all the DSC resources on a machine and provides a Group Policy Management Console like experience for making DSC configs.
We want to make DSC easier to work with, so its not all native text.
I decided to spring this on Hemanth Manawar of the PowerShell team, since I had him captive in a room. He listened, looked at my sketches, and then said basically this:
‘You’re right, someone should make this…why not you?’
Thanks guys. thanks
So I got started doing it on my own. With step one of the design process –elevator pitch– out of the way, I moved on to the next phase.
This post is part of the Learning DSC Series here on FoxDeploy.com. To see the other articles, click the banner above!
For years now, people have been asking for a DSC GUI tool. Most prominently me, I’ve been asking for it for a longggg time!
My main problem with DSC today is that there is no tooling out there to help me easily click through creating my DSC Configurations, other than a text editor. For a while there, I was hoping that one of the tools like Chef or Puppet would provide the UX I wanted, to click my way through making a DSC Configuration for my machines…but after checking them out, I didn’t find anything to do what I wanted.
In the previous post, we found that in a WinRM & HTTPs deployment, if a certificate is allowed to expire WinRM will not notice a new certificate for the purposes of allowing connections using Enter-PsSession -UseSSL.
However, in the comments of that post, Sandeep of Hakabo.com mentioned that he’d actually observed WinRM continuing to work after a cert renewal takes place, even though Microsoft best practice / recommendations state that the end-user needs to script around updating the listener. Check out his post on PowerShell Remoting over SSL for more on his findings.
Clearly, a test was in order.
Setting the stage
First, we needed a good way to test cert renewal. According to this article from Microsoft, the average Windows workstation will attempt to look for new certs and renew eligible certs once every eight hours.
To accurately test for what happens when a cert renews, I needed to worry about either lining up a cert renewal to the automatic period, or find a way to trigger a renewal manually.
I found that you can use the certutil -pulse command to manually trigger a renewal attempt, which uses the same mechanism which the Windows Certificate Services Agent uses.
For this test, I modified my previous template and now set an eight hour lifespan, with a two hour renewal period.
To handle cert renewal and make sure one happened successfully, I wrote this PowerShell one-liner to sit and wait and then try to pulse for certs once an hour.
while ($true){
"$(get-date | select -expand DateTime) pulsing the cert store"|
tee -append C:\temp\Winrm.log
start-sleep (60*60)
}
Now, I wanted a good way to capture certificate changes, so first I set about capturing the thumbprint of the currently valid cert, since this would be changing while my test ran. Since I only had one cert, I simply grabbed the ThumbPrint value from the only cert issued to this machine. I embedded this also within my log file output.
And finally, I also needed to see which cert thumbprint WinRM was presenting, or thought it was presenting. These kinds of settings are stored within the wsman: PSDrive, under listener the HTTPS listener. I parsed out this value (your listener name will be different, so remember to change this if you use this code).
</pre>
<pre>get-item WSMan:\localhost\Listener\Listener_1305953032\CertificateThumbprint |</pre>
<pre> select -expand Value
Combing all of these diagnostics, I got this as the result, which echoes out to a file like this.
while ($true){
"$(get-date | select -expand DateTime) pulsing the cert store"| tee -append C:\temp\Winrm.log ;
"--current valid thumbprint $(get-childitem Cert:\LocalMachine\My | ? Notafter -ne '9/8/2017 4:48:40 PM' | select -ExpandProperty ThumbPrint)"| tee -append C:\temp\Winrm.log ;
"--current WSman thumbprint $((get-item WSMan:\localhost\Listener\Listener_1305953032\CertificateThumbprint | select -expand Value) -replace ' ')" | tee -append C:\temp\Winrm.log ;
"---pausing for one hour"
start-sleep (60*60)
}
Finally, I launched a PsSession from a remote PC, and had that session also echoing out to a log file twice an hour.
while ($true){"currently connected at $(get-date | select -expand DateTime)">>c:\temp\winrm.log;
start-sleep (60*60)}
So the log file looks like this when both channels are dumping into the same file.
What happened?
When I came back the next morning, my whole desk was covered in ectoplasm!! Eww! No, not really. But I will still stunned!
The PSSessions were still open. Even though the certificate renewed overnight! I could validate this by checking the output in the log files.
This is kind of a complex graphic. At the top, you’ll see a snippet from my Certificate Authority, showing that a new cert was issued at 6:56 PM.
On the left, you see the log file from that time, echoing out to the screen with no interruption. Then, on the right, you’ll see the actual output from the console which was connected…no disruption.
If there were a disruption, we would see the above Warning text, stating that the connection was broken and will be retried for the next four minutes
So, that was all pretty interesting and conclusive proof that WinRM somehow is able to handle a cert renewing, and also not drop any current connections.
This is where things get weird
the clinging mist issuing forth from the derelict disk drive wrapped around the intrepid nerd’s fingertips, threatening to chill his hands and adversely impact his APM, causing a huge drop in his DKP for this raid
-Unknown author, from the Nerdinomicon
The reports we saw from Sandeep and one other person said that WinRM would either still list the old cert in the UI, or even still USE the old cert. Previous tests showed that if an invalid cert is presented, WinRM will not work. So now we took a look at the log file output.
This was puzzling! I can see that a new cert was issued based on the changed thumbprint, but if my log could be tested, it looked like WinRM was still referencing the old cert!
Now I opened the cert itself in the MMC and compared it to the results within the WSMan settings.
So, the cert renewed and the PSSession remained open, but WSMan still stubbornly reported that it was using the previous thumbprint!
But did you reboot it / restart WinRm/ etc?
Yes. I tried everything, and no matter what, WinRM continued to reference the old certificate thumbprint. However, WinRM SSL connections still worked, so clearly some mechanism was correctly finding the new Cert and using that! The only way to get WinRM to reflect the new cert was to delete the old listener and recreate it, using winrm qc -transport:https all over again.
How is it even working?
I’m not sure, guys, but I did open an issue with Microsoft on the matter, here on Github.
Tests have been conducted from Server 2012 R2 machines running WMF 5.0 to other machines of the same configuration. I’m conducting tests now with 2008 R2 machines ot see if we find the same behaviour.
For one of my largest customers, a burning question has been keeping us all awake at night:
Where does the soul go when an SSL Certificate expires?
Er, I may be getting too caught up in this ghost hunting theme (I blame the Halloween decorations which have been appearing in stores since the second week of July! Spooky!). Let me try again.
If we enable WinRM with HTTPS, what happens when the certificate expires?
Common knowledge states that WinRM will stop working when a certificate dies, but I wanted to prove beyond all doubt, so I decided to conduct a little experiment.
What’s a WinRM listener?
Before you can run commands on remote systems, including anything like PSexec and especially remote PowerShell sessions, you have to run the following command. Continue reading →
Ever since the beginning of the Monad project, in which Microsoft attempted to bring the same rich toolbox of Piped commands that Linux has enjoyed for ages, Microsoft enthusiasts have been clamoring for confirmation of PowerShell on Linux. But it forever seemed a pipedream.
Then, in February of 2015, Microsoft announced that the CORE CLR (Common Language Runtime) was made open source and available on Linux. As the Core CLR is the “the .NET execution engine in .NET Core, performing functions such as garbage collection and compilation to machine code”, this seemed to imply that PowerShell might be possible on Linux someday.
To further fan the fires of everyone’s excitement, the creator of PowerShell, Jeffrey Snover–a self-proclaimed fan of the Bash shell experience in Linux– has been dropping hints of a unified management experience ALL OVER THE PLACE in the last year too.
Available now on OSX, Debian and Ubuntu, PowerShell on Linux is here and it is awesome!
Get it here if you can’t wait, or read ahead to see why I’m so excited about this!
Why is this great news for us Windows folks?
For we PowerShell experts, our management capabilities have just greatly expanded. Update those resumes, folks.
This means that the majority of our scripts? They’ll just work in a Linux environment. Have to hop on Linux machines from time-to-time? PowerShell already used Linux aliases, which limited the friction of hopping between OSes but now we can write a script once and generally be able to assume that it will work anywhere. Continue reading →
