See https://github.com/chocolatey/choco for further development
Apache 2.0 - see docs/legal (just LEGAL in the zip folder)
## Please see the wiki
- .NET Framework 4.0
- PowerShell 2.0+
See docs/legal/CREDITS (just LEGAL/Credits in the zip folder)
Tasks that provide a password as a parameter should have no_log: true added to the task. Failing to do so means the password will be part of the module invocation and potentially embedded script output that tools like AWX always capture. These tasks should always have no_log: true set so that the output is not captured or displayed when run with a higher verbosity.
The sensitive info is not shown.
Ran the tasks, first one as an example
Lines 28 to 94 in 5c48718
The CertificatePassword is shown when a verbosity of -vvv or higher is specified. Running in AWX will always capture this output.
Using a self-signed certificate has problems, as a few steps expect Windows to trust the certificate for the server. While this is a great default, it would be nice if there were an option to ignore certificate errors for tasks that connect to the Nexus endpoint.
For example, this is the first task that fails when using a self-signed certificate:
TASK [Set Nexus Password using Default Password] *************************************************************************************************************************************
task path: /home/jborean/dev/c4b-ansible/setup-nexus.yml:128
fatal: [ccm_server]: FAILED! =>
  changed: false
  elapsed: 0.1874127
  msg: 'Unhandled exception occurred when sending web request. Exception: The underlying
    connection was closed: Could not establish trust relationship for the SSL/TLS
    secure channel.'
  status_code: null
  url: https://server.chocolatey.test:8443/service/rest/v1/security/users/admin/change-password
This is more for testing when someone cannot get an actual trusted certificate. By exposing an option to have tasks ignore the cert checks, things can work just as if a signed certificate were used.
There are two tasks that create a Java keystore which need a bit more TLC around error handling. I had to spend some time trying to figure out why the web service was failing, as the task thought it was successful but in reality it failed running some keytool commands.
My recommendation is to wrap each keytool invocation like this:
# Path to keytool.exe
$keytool = '...'
# One array element per argument so it can be splatted; '-keystore' needs its leading dash
$keytoolArgs = @('-list', '-v', '-storetype', 'PKCS12', '-keystore', $CertificatePath)
$stdout = $null
# Dot-source the scriptblock so Set-Variable captures stdout in this scope, and redirect stderr (2>&1)
# so every NativeCommandError record is turned back into the text keytool wrote.
# $dataToPipe is whatever keytool expects on stdin, e.g. the keystore password.
$stderr = . { $dataToPipe | & $keytool @keytoolArgs | Set-Variable stdout } 2>&1 | ForEach-Object ToString
# keytool writes prompts and warnings to stderr even on success; only the exit code signals failure
if ($LASTEXITCODE) {
    $Ansible.Result = @{
        stdout = $stdout -join "`n"
        stderr = $stderr -join "`n"
        rc = $LASTEXITCODE
        msg = "Keytool failed to do ..., see stdout/stderr/rc for more detail"
    }
    $Ansible.Failed = $true
    return
}
# Repeat for the remaining keytool invocations
This avoids the stderr lines being reported as error records, and you are now explicitly checking that keytool works and emitting the output if it failed. You could also look at just running it through separate win_command calls, which might be a bit slower but adds automatic rc validation and captures the output for you explicitly.
The tasks fail if any of the keytool.exe commands fail.
I used #8 to generate a self-signed certificate with the AES encryption algorithm. This is unsupported by the keytool that ships with Nexus, but the task ignored any errors and continued on.
The task output contains a lot of ErrorRecords because each stderr line is written as an error record. While this doesn't contain the failure, it shows how many error records are generated:
TASK [Install Jenkins Certificate] ***************************************************************************************************************************************************
task path: /home/jborean/dev/c4b-ansible/setup-jenkins.yml:112
changed: [ccm_server] =>
  changed: true
  debug: []
  error:
  - category_info:
      activity: ''
      category: NotSpecified
      category_id: 0
      reason: RemoteException
      target_name: 'Enter keystore password: '
      target_type: String
    error_details: null
    exception: null
    fully_qualified_error_id: NativeCommandError
    output: |-
      keytool.exe : Enter keystore password:
      At line:12 char:42
      + ... ePassword | & $KeyTool -list -v -storetype PKCS12 -keystore $Certific ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (Enter keystore password: :String) [], RemoteException
      + FullyQualifiedErrorId : NativeCommandError
    pipeline_iteration_info:
    - 1
    - 0
    script_stack_trace: 'at <ScriptBlock>, <No file>: line 12'
    target_object: 'Enter keystore password: '
  - category_info:
      activity: ''
      category: NotSpecified
      category_id: 0
      reason: RemoteException
      target_name: Importing keystore C:\choco-setup\jenkins.pfx to C:\ProgramData\Jenkins\.jenkins\keystore.jks...
      target_type: String
    error_details: null
    exception: null
    fully_qualified_error_id: NativeCommandError
    output: |-
      keytool.exe : Importing keystore C:\choco-setup\jenkins.pfx to C:\ProgramData\Jenkins\.jenkins\keystore.jks...
      At line:14 char:1
      + & $KeyTool -importkeystore -srckeystore $CertificatePath -srcstoretyp ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (Importing keyst...keystore.jks...:String) [], RemoteException
      + FullyQualifiedErrorId : NativeCommandError
    pipeline_iteration_info:
    - 0
    - 0
    script_stack_trace: 'at <ScriptBlock>, <No file>: line 14'
    target_object: Importing keystore C:\choco-setup\jenkins.pfx to C:\ProgramData\Jenkins\.jenkins\keystore.jks...
  - category_info:
      activity: ''
      category: NotSpecified
      category_id: 0
      reason: RemoteException
      target_name: ''
      target_type: String
    error_details: null
    exception: null
    fully_qualified_error_id: NativeCommandErrorMessage
    output: ""
    pipeline_iteration_info:
    - 0
    - 0
    script_stack_trace: 'at <ScriptBlock>, <No file>: line 14'
    target_object: ''
  - category_info:
      activity: ''
      category: NotSpecified
      category_id: 0
      reason: RemoteException
      target_name: 'Warning:'
      target_type: String
    error_details: null
    exception: null
    fully_qualified_error_id: NativeCommandErrorMessage
    output: |-
      Warning:
    pipeline_iteration_info:
    - 0
    - 0
    script_stack_trace: 'at <ScriptBlock>, <No file>: line 14'
    target_object: 'Warning:'
  - category_info:
      activity: ''
      category: NotSpecified
      category_id: 0
      reason: RemoteException
      target_name: The JKS keystore uses a proprietary format. It is recommended
        to migrate to PKCS12 which is an industry standard format using "keytool
        -importkeystore -srckeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks
        -destkeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks -deststoretype
        pkcs12".
      target_type: String
    error_details: null
    exception: null
    fully_qualified_error_id: NativeCommandErrorMessage
    output: |-
      The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format
      using "keytool -importkeystore -srckeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks -destkeystore
      C:\ProgramData\Jenkins\.jenkins\keystore.jks -deststoretype pkcs12".
    pipeline_iteration_info:
    - 0
    - 0
    script_stack_trace: 'at <ScriptBlock>, <No file>: line 15'
    target_object: The JKS keystore uses a proprietary format. It is recommended to
      migrate to PKCS12 which is an industry standard format using "keytool -importkeystore
      -srckeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks -destkeystore C:\ProgramData\Jenkins\.jenkins\keystore.jks
      -deststoretype pkcs12".
  host_err: ''
  host_out: ''
  information: []
  output: []
  result: {}
  verbose: []
  warning: []
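As an added example (not code from the c4b-ansible project or from the issue author), the per-invocation check suggested above turned into a reusable pair of functions for a win_powershell script: each keytool call is judged on its exit code alone, stdout and stderr are kept separate, and the keystore password is fed on stdin rather than placed on the command line. It assumes the task-supplied $KeyTool, $CertificatePath and $CertificatePassword variables visible in the output above and the $Ansible object that win_powershell exposes to scripts.

```powershell
# Added example, not code from the c4b-ansible project or the issue author.
# Runs one keytool invocation for a win_powershell task, keeps stdout and
# stderr apart, and reports failure from the exit code alone.
# Assumed to be supplied by the task, as in the output above: $KeyTool,
# $CertificatePath, $CertificatePassword and the $Ansible object that
# win_powershell exposes to the script.

function Invoke-KeyTool {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $KeyTool,    # path to keytool.exe
        [Parameter(Mandatory)] [string[]] $Arguments,  # one array element per argument
        [Parameter(Mandatory)] [string]   $Step,       # label used in the failure message
        [string] $StdinText                            # text for keytool's stdin (the keystore password)
    )

    # Refuse to run if the binary is missing; otherwise $LASTEXITCODE would keep a
    # stale value from an earlier command and the failure could be mistaken for success.
    if (-not (Get-Command -Name $KeyTool -CommandType Application -ErrorAction SilentlyContinue)) {
        return [PSCustomObject]@{ Step = $Step; Rc = 127; Stdout = ''; Stderr = "keytool not found at '$KeyTool'" }
    }

    # keytool writes its password prompt and warnings to stderr even on success, so
    # stderr must not be treated as failure. Under Windows PowerShell 5.1 a stderr line
    # from a native command becomes a terminating error when $ErrorActionPreference is
    # 'Stop', so pin it to 'Continue' for this function's scope only.
    $ErrorActionPreference = 'Continue'

    $stdout = @()
    # Dot-sourcing runs the scriptblock in this scope, so Set-Variable fills $stdout here.
    # 2>&1 folds the NativeCommandError records into the pipeline and ToString() recovers
    # the raw text keytool wrote to stderr.
    $stderr = @(. {
        if ($StdinText) {
            # Feeding the password on stdin keeps it off the command line, where
            # -storepass would expose it to anyone able to list processes.
            $StdinText | & $KeyTool @Arguments | Set-Variable -Name stdout
        }
        else {
            & $KeyTool @Arguments | Set-Variable -Name stdout
        }
    } 2>&1 | ForEach-Object { $_.ToString() })

    [PSCustomObject]@{
        Step   = $Step
        Rc     = $LASTEXITCODE
        Stdout = (@($stdout) -join "`n")
        Stderr = ($stderr -join "`n")
    }
}

function Stop-OnKeyToolFailure {
    # Records a failed step in the win_powershell result and returns $true so the
    # caller can stop before later keytool calls run against a broken keystore.
    param([Parameter(Mandatory)] $Result)
    if ($Result.Rc -eq 0) { return $false }
    $Ansible.Result = @{
        stdout = $Result.Stdout
        stderr = $Result.Stderr
        rc     = $Result.Rc
        msg    = "keytool failed during '$($Result.Step)', see stdout/stderr/rc for more detail"
    }
    $Ansible.Failed = $true
    return $true
}

# First step from the task output above: open the source PFX. With an AES-256 (PBES2)
# PFX and the JRE 8 keytool this is where "keystore password was incorrect" appears,
# and the task now stops here instead of reporting success.
$listed = Invoke-KeyTool -KeyTool $KeyTool -Step 'list source keystore' `
    -StdinText $CertificatePassword `
    -Arguments @('-list', '-v', '-storetype', 'PKCS12', '-keystore', $CertificatePath)
if (Stop-OnKeyToolFailure $listed) { return }

# Run -importkeystore and any later keytool calls through the same two functions,
# each with its own argument array, so every invocation is checked before the next.
```

The design point is that stderr is not a failure signal: as the output above shows, keytool prints its password prompt, the bare "Warning:" and the JKS migration advice on stderr even when it succeeds, so only the exit code can be trusted. Capturing stderr separately still matters, because when a step does fail that text is usually the only explanation, and it now lands in the task result instead of being scattered across dozens of NativeCommandError records.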
Windows has supported AES256-SHA256 enveloped pfx files since Server 2019, and OpenSSL has defaulted to creating them since OpenSSL 3.0.0. Attempting to have the keytool that ships with Nexus read a pfx with AES256-SHA256 will fail with:
PS C:\Users\vagrant> C:\ProgramData\nexus\jre\bin\keytool.exe -list -v -storetype PKCS12 -keystore C:\choco-setup\nexus.pfx
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2079)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.doCommands(Main.java:937)
        at sun.security.tools.keytool.Main.run(Main.java:377)
        at sun.security.tools.keytool.Main.main(Main.java:370)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
The password is definitely correct; it's just that this version is unable to use this "newer" encryption method. By generating a 3DES pfx (what Windows still does by default), things work just fine.
Unfortunately I don't know the solution. It might be that the keystore is created locally or with a newer version of keytool than the one that Nexus ships with. It could be that Nexus also needs to run with a newer JRE. In either case, JRE 8 is quite old and probably should be looked into even if it doesn't fix the problem.
To generate some certs with OpenSSL, you can run the following with OpenSSL v3.0.0+:
# P-384 EC private key
openssl ecparam \
  -name secp384r1 \
  -genkey \
  -noout \
  -out cert.key
# Self-signed certificate for server.chocolatey.test, valid for one year
openssl req \
  -new \
  -x509 \
  -out cert.pem \
  -key cert.key \
  -days 365 \
  -subj "/CN=server.chocolatey.test" \
  -addext "subjectAltName = DNS:server.chocolatey.test"
# OpenSSL 3 defaults: PBES2 with AES-256-CBC and an HMAC-SHA256 MAC (prompts for the export password)
openssl pkcs12 \
  -export \
  -out aes256.pfx \
  -inkey cert.key \
  -in cert.pem
# Legacy PBE the JRE 8 keytool understands: SHA1/3DES for key and certs, HMAC-SHA1 MAC
openssl pkcs12 \
  -export \
  -certpbe PBE-SHA1-3DES \
  -keypbe PBE-SHA1-3DES \
  -macalg SHA1 \
  -out 3des.pfx \
  -inkey cert.key \
  -in cert.pem
This will generate two pfx files, aes256.pfx and 3des.pfx. The latter works fine with the keytool that Nexus ships with, but the former will fail saying the password is incorrect.
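As an added example (not code from the c4b-ansible project or from the issue author), a pre-flight check a task could run before calling keytool: it reports which PKCS#12 password-based encryption schemes a PFX advertises, so an AES/PBES2 file fails with a clear message instead of keytool's misleading "keystore password was incorrect". It scans the file for the DER-encoded algorithm OIDs rather than parsing ASN.1; the certificate bag's EncryptedData algorithm and, in OpenSSL's layout, the shrouded key's PBE algorithm both sit in the unencrypted outer structure of a PFX, so a byte search is sufficient here, though an ASN.1 parser would be the rigorous approach. $CertificatePath and the win_powershell $Ansible object are assumed as in the task output above.

```powershell
# Added example, not code from the c4b-ansible project or the issue author.
# Reports which PKCS#12 password-based encryption schemes a PFX uses before it
# is handed to the JRE 8 keytool that Nexus ships with.
# Assumed from the task: $CertificatePath and the win_powershell $Ansible object.

# DER encoding of each AlgorithmIdentifier OID: tag 0x06, length, then the base-128 arcs.
$PfxSchemes = @(
    @{ Name = 'PBES2 (PBKDF2 + AES-256-CBC, the OpenSSL 3 default)'
       Oid  = '1.2.840.113549.1.5.13'
       Der  = [byte[]](0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D) },
    @{ Name = 'pbeWithSHA1And3-KeyTripleDES-CBC (the Windows default)'
       Oid  = '1.2.840.113549.1.12.1.3'
       Der  = [byte[]](0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03) },
    @{ Name = 'pbeWithSHA1And40BitRC2-CBC (legacy certificate encryption)'
       Oid  = '1.2.840.113549.1.12.1.6'
       Der  = [byte[]](0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06) }
)

function Test-ByteSequence {
    # Returns $true when $Needle occurs anywhere in $Haystack (plain linear scan;
    # a PFX is a few kilobytes, so nothing smarter is needed).
    param([byte[]] $Haystack, [byte[]] $Needle)
    $last = $Haystack.Length - $Needle.Length
    for ($i = 0; $i -le $last; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $true }
    }
    return $false
}

function Get-PfxEncryptionScheme {
    # Emits one object per known PBE scheme whose OID appears in the file. The OIDs
    # live in the cleartext AlgorithmIdentifiers, so no password is needed to read them.
    param([Parameter(Mandatory)] [string] $Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    foreach ($scheme in $PfxSchemes) {
        if (Test-ByteSequence -Haystack $bytes -Needle $scheme.Der) {
            [PSCustomObject]@{ Name = $scheme.Name; Oid = $scheme.Oid }
        }
    }
}

$found = @(Get-PfxEncryptionScheme -Path $CertificatePath)
if ($found.Oid -contains '1.2.840.113549.1.5.13') {
    $Ansible.Result = @{
        schemes = @($found | ForEach-Object Name)
        msg     = "$CertificatePath uses PBES2 (AES) encryption, which the keytool shipped with " +
                  "Nexus cannot read (it reports 'keystore password was incorrect'). Re-export it " +
                  "with: openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg SHA1"
    }
    $Ansible.Failed = $true
    return
}
```

On a host with OpenSSL available, `openssl pkcs12 -info -noout -in nexus.pfx` prints the same algorithm names for a quick cross-check (PBES2 with AES-256-CBC for an OpenSSL 3 default export, pbeWithSHA1And3-KeyTripleDES-CBC for the 3des.pfx generated above). If the certificate is exported from the Windows store instead, Export-PfxCertificate's -CryptoAlgorithmOption parameter selects between TripleDES_SHA1, its default, and AES256_SHA256, which is why a Windows-exported PFX still works with the older keytool.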