Merge branch 'Fix-creating-new-cert' of https://git.totalservice.cz/public/ZBXWinRMConfig into Fix-creating-new-cert

version 1.02
Upload files to "/"
2025-08-25 09:32:11 +02:00 · 2025-08-25 09:31:56 +02:00 · 2025-07-23 09:03:32 +00:00 · 2025-07-23 10:56:29 +02:00
3 changed files with 77 additions and 4 deletions
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -0,0 +1,15 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "PowerShell: Launch Current File",
+            "type": "PowerShell",
+            "request": "launch",
+            "script": "${file}",
+            "args": []
+        }
+    ]
+}
--- a/ConfigWinRM.ps1
+++ b/ConfigWinRM.ps1
@@ -3,7 +3,7 @@

 <#PSScriptInfo

-.VERSION 1.06
+.VERSION 1.02

 .GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa

@@ -39,6 +39,10 @@
        Updated by Jordan Borean <jborean93@gmail.com>
        Updated by Erwan Quélin <erwan.quelin@gmail.com>
        Updated by David Norman <david@dkn.email>
+  Version 1.01 - Fixed issue with HTTPS when certificate in HTTPS listener doesn't match the cert in local store
+        Updated by Michal Horák
+  Verison 1.02 - Fixed issue when script fails on removing listeners if only HTTP listener exists (no HTTPS listener exists)
+        Updated by Michal Horák
 #> 

 <#
@@ -595,7 +599,31 @@ Function Run
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.")
  }
 #--------------------------------------------------------------------------------------------------
-  if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" )
+# Get WinRM HTTPS listener thumbprint
+
+$winrmOutput = winrm e winrm/config/listener
+$winrmThumbprint = ($winrmOutput | Where-Object { $_ -match 'CertificateThumbprint' }) -replace '.*CertificateThumbprint\s*=\s*', ''
+
+
+# Get local self-signed certificate thumbprint (adjust subject name as needed)
+$DN = $env:COMPUTERNAME
+$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
+    $_.Subject -like "*CN=$DN*" -and $_.Issuer -eq $_.Subject
+}
+$localThumbprint = $cert.Thumbprint
+
+# Compare the thumbprints
+  if ($localThumbprint -contains $winrmThumbprint) 
+  {
+    $certisinwinrm = "yes"
+    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is used in WinRM HTTPS listener.")
+  } 
+   else 
+    {$certisinwinrm = "no"
+    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is not used in WinRM HTTPS listener.")
+  }
+
+if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" -or $certisinwinrm -eq "no" )
  {
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.")
    try 
@@ -621,8 +649,13 @@ Function Run
      Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener")
      try 
      {
-        Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
-        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.")        
+        $existingHttpsListener = $RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" }
+        if ($existingHttpsListener) {
+          Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
+          Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.")        
+        } else {
+          Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTPS listener exists, nothing to remove.")
+        }
      } catch 
      {
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!")
@@ -648,6 +681,9 @@ Function Run
 #--------------------------------------------------------------------------------------------------
  if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable")
  {
+    # Check for existing HTTPS listener before creating certificate
+  $existingHttpsListener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate | Where-Object { $_.Transport -eq "HTTPS" }
+  if (-not $existingHttpsListener) {
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener.")
    try 
    {
@@ -681,6 +717,9 @@ Function Run
        $MyError = $true        
      }
    }
+  } else {
+    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener already exists, skipping creation and certificate issuance.")
+  }
  }
 #--------------------------------------------------------------------------------------------------
  if (-not $MyError -and $RunningConfig.WinRMListeners)
--- a/ConfigWinRM.xml
+++ b/ConfigWinRM.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ConfigWinRM>
+	<Options>
+		<LocalAccountTokenFilterPolicy>Enable</LocalAccountTokenFilterPolicy> 	<!-- Enable / Disable / Leave ( do nothing ) -->
+		<WinRMHTTP>Leave</WinRMHTTP>											<!-- Enable ( Create ) / Disable ( Remove ) / Leave ( do nothing ) Win-RM HTTP Listener -->
+		<WinRMHTTPS>Enable</WinRMHTTPS>											<!-- Enable ( Create ) / Disable ( Remove ) / Leave ( do nothing ) Win-RM HTTPS Listener -->
+		<FWWinRMHTTP>Leave</FWWinRMHTTP>										<!-- Enable ( Enable or Create ) / Disable / Leave ( do nothing ) Win-RM HTTP firewall rule -->
+		<FWWinRMHTTPS>Enable</FWWinRMHTTPS>										<!-- Enable ( Enable or Create ) / Disable / Leave ( do nothing ) Win-RM HTTPS firewall rule -->
+		<FWWinRMTrustedHosts>192.168.10.254</FWWinRMTrustedHosts>							<!-- Host(s) that are allowed in local firewall configuration - Any / X.X.X.X - WinRM-(HTTPS-In) / Windows Remote Management (HTTPS-In)  -->
+		<SelfCertForce>False</SelfCertForce>									<!-- (Enable or False) Force issuing new self-signed certificate when old one exists and use for WinRM-HTTPS  -->
+		<SelfCertValidityDays>1460</SelfCertValidityDays>						<!-- Self-certificate validity for XX Days. 1460 - 4  years. -->
+		<BasicAuth>Disable</BasicAuth>											<!-- Enable / Disable / Leave ( as ist ) -->
+		<KerberosAuth>Enable</KerberosAuth>										<!-- Enable / Disable / Leave ( as ist ) -->
+		<CredSSPAuth>Enable</CredSSPAuth>										<!-- Enable / Disable / Leave ( as ist ) -->
+		<DigestAuth>Leave</DigestAuth>											<!-- Enable / Disable / Leave ( as ist ) -->
+		<NegotiateAuth>Leave</NegotiateAuth>									<!-- Enable / Disable / Leave ( as ist ) Do NOT use, do NOT disable !!! :-) -->
+		<CertificateAuth>Leave</CertificateAuth>								<!-- Enable / Disable / Leave ( as ist ) -->
+	</Options>
+</ConfigWinRM>
Author	SHA1	Message	Date
mhorak@totalservice.cz	f0002afb38	Merge branch 'Fix-creating-new-cert' of https://git.totalservice.cz/public/ZBXWinRMConfig into Fix-creating-new-cert	2025-08-25 09:32:11 +02:00
mhorak@totalservice.cz	2958a3f82e	version 1.02	2025-08-25 09:31:56 +02:00
mhorak	7b982b34c9	Upload files to "/"	2025-07-23 09:03:32 +00:00
Horák Michal	2e64fb124f	First version of the fix	2025-07-23 10:56:29 +02:00