DSC - LCM help with errors

Greetings,

I was hoping I could turn here for some help. I am new to DSC as of a month ago. Since then I have thrown myself into researching it for the benefits DSC can provide. I have also bought The DSC Book by Don Jones and Missy Januszko to further my research into this area of DevOps.

There have been starts, stops, and times I have circled back around to make my progress. I am nearly there, I believe, but I have some questions and need some help.

First off, between SMB, HTTP, and HTTPS I have decided to implement DSC with HTTPS due to security concerns. The previous 2 are not an option. With HTTPS, I tried a self-signed certificate generated with Active Directory Certificate Services on my server.

With the self-signed certificate, the client’s LCM could not connect and generated an error. My research on that error basically led me to a blog post that Microsoft is phasing out self-signed certificates for websites on the Internet. First question, is that a correct assessment? Could I not use a self-signed certificate in this case?

Moving on, I made the determination that the self-signed certificate would not work. I used https://secure.qualityssl.com to issue my website a 30-day cert to test my theory. After following the directions for installing the certificates (due to there being intermediate root certificates I had to install) it worked successfully. I could bring up my website on HTTPS through a browser, whereas before, I could not.

Where I am now is an error on the client with the LCM. Below is the configuration that I am running on the client to set the LCM, as I understand it from my research. The Certificate ID is the Thumbprint from the certificate I received from secure.qualityssl.com. Long story short, I have tried with and without the RegistrationKey to no avail.

https://docs.microsoft.com/en-us/powershell/dsc/pull-server/pullclientconfigid

[DSCLocalConfigurationManager()]
configuration DSC
{
    Node localhost
    {
        # LCM behaviour: pull every 30 minutes and correct drift, never reboot on its own
        Settings
        {
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $false
        }

        # HTTPS pull server endpoint
        ConfigurationRepositoryWeb DSChost
        {
            ServerURL     = 'https://host.domain.com:1701/PSDSCPullServer.svc'
            CertificateID = 'Thumbprint from cert from secure.qualityssl.com'
            #RegistrationKey = 'Key from RegistrationKeys.txt'
        }
    }
}
DSC

This generates the local.meta.mof on the client. I then run:

Set-DscLocalConfigurationManager -ComputerName localhost -Path ./DSC -Verbose

This generates an error of:

Registration of the Dsc Agent with the server https://host.domain.com:1701/PSDSCPullServer.svc
failed. The underlying error is: The input object cannot be bound because it did not contain the information
required to bind all mandatory parameters: RegistrationKey .

  + CategoryInfo : InvalidArgument: (@{CertificateID…PullServer.svc}:String) [], CimException
  + FullyQualifiedErrorId : InputObjectMissingMandatory,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
  + PSComputerName : localhost

So moving on from here, I have tried it with the same DSCLocalConfigurationManager as above, with the RegistrationKey.

Registration of the Dsc Agent with the server https://host.domain.com:1701/PSDSCPullServer.svc
failed. The underlying error is: The attempt to register Dsc Agent with AgentId
89A38BE2-35A2-11E9-A279-00155D006407 with the server https://host.domain.com:1701/PSDSCPullServ
er.svc/Nodes(AgentId='89A38BE2-35A2-11E9-A279-00155D006407') returned unexpected response code Unauthorized.
.

  + CategoryInfo : InvalidResult: (root/Microsoft/…gurationManager:String) [], CimException
  + FullyQualifiedErrorId : RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
  + PSComputerName : localhost

This is where I am stuck. Could anyone provide some insight to point me in a direction? Just to give you some information, port 1701 is open through my firewall. I can access https://host.domain.com:1701/PSDSCPullServer.svc through a browser and see the correct information, indicating DSC is working correctly through HTTPS. I could provide the full host and domain offline, but I did not want to post it online. I have been looking at this for so long that it is starting to get less and less clear as time goes on.

Any help is appreciated.
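A complete LCM meta-configuration for a v2 pull server that registers with a registration key, added here as an example; it is not part of the original post. It assumes the pull server was built the way the pullServer doc linked later in the thread describes (an IIS site with a web.config whose RegistrationKeyPath appSetting points at a RegistrationKeys.txt file), that the site lives under the default $env:SystemDrive\inetpub\PSDSCPullServer path, and that a configuration named WebServer (with its checksum) has been published on the server; the server URL is the one from the post, the key value and the configuration name are placeholders. It is built around two points: when a node registers with ConfigurationNames, RegistrationKey is mandatory, which is what the first error says, and a key that is not present in the server's RegistrationKeys.txt is a common cause of the Unauthorized response. CertificateID is deliberately left out: in the LCM documentation that property is the thumbprint of a certificate the node presents to authenticate itself to the server, not the server's TLS certificate, whose validation goes through the node's own certificate store.

```powershell
# Added example, not code from the original post. Placeholders are marked below.

# --- On the pull server: confirm which key file the service reads and what it contains.
# Path assumption: the default site location used by the xDscWebService examples.
$webConfig = [xml](Get-Content "$env:SystemDrive\inetpub\PSDSCPullServer\web.config")
$keyPath   = ($webConfig.configuration.appSettings.add |
              Where-Object key -eq 'RegistrationKeyPath').value
Get-Content (Join-Path $keyPath 'RegistrationKeys.txt')   # each line is one GUID the server accepts

# --- On the managed node: meta-configuration that registers with one of those keys.
[DSCLocalConfigurationManager()]
configuration PullClient
{
    param(
        [Parameter(Mandatory)] [string]   $ServerUrl,
        [Parameter(Mandatory)] [string]   $RegistrationKey,
        [string[]] $ConfigurationNames = @('WebServer')   # placeholder: must exist on the server
    )

    Node localhost
    {
        Settings
        {
            RefreshMode          = 'Pull'
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $false
        }

        ConfigurationRepositoryWeb PullServer
        {
            ServerURL          = $ServerUrl
            RegistrationKey    = $RegistrationKey      # required when ConfigurationNames is used
            ConfigurationNames = $ConfigurationNames
            # AllowUnsecureConnection is left at its default ($false): the LCM must be
            # able to validate the server's TLS certificate against this machine's Root store.
        }

        # Same key registers the node with the reporting endpoint of the same server.
        ReportServerWeb PullServer
        {
            ServerURL       = $ServerUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

# Placeholder: paste one GUID copied from the server's RegistrationKeys.txt.
$registrationKey = '00000000-0000-0000-0000-000000000000'

PullClient -ServerUrl 'https://host.domain.com:1701/PSDSCPullServer.svc' `
           -RegistrationKey $registrationKey -OutputPath .\PullClient

# Registration happens here; a key the server does not recognise fails at this step.
Set-DscLocalConfigurationManager -Path .\PullClient -Verbose

# Confirm what the LCM actually stored, then force a pull instead of waiting 30 minutes.
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationDownloadManagers
Update-DscConfiguration -Wait -Verbose
```

Treat the registration key as a shared secret: it is what lets any host that knows it enrol against the pull server, so keep RegistrationKeys.txt readable only by the service account and rotate the entries when nodes are decommissioned.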

As a general rule, you should only use self-signed certificates in testing type scenarios. For production use, you are recommended to use either your internal CA, or use a cert from a Public CA.

With that said, the issue with self-signed certificates is easy to resolve. A given node, pulling from a pull server over HTTPS, does not, by default, trust your self-signed certificate. But if you simply import that certificate into each system's local machine Root certificate store, it all works great. I just finished writing a PowerShell book and used self-signed certificates just fine.

It's not clear whether you really can ban self-signed certs for web sites, but that's a separate matter.
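The trust step from the reply above, written out as an added example (not code from the reply or from the book it mentions). It assumes the pull server's name is host.domain.com, as in the thread, that C:\temp is writable on both machines, and that the .cer file is copied between them out of band; the cert is created on the server and only its public half is trusted on the client.

```powershell
# Added example, not code from the original thread. Hostnames and paths are assumptions.

# --- On the pull server: create a self-signed TLS certificate whose DNS name is the
# exact host the LCM will put in ServerURL. Subject and SAN both carry this name.
$dnsName = 'host.domain.com'
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'
$cert.Thumbprint    # feed this into the pull server's CertificateThumbPrint setting (xDscWebService)

# Export ONLY the public certificate (.cer). Never ship the .pfx/private key to clients.
Export-Certificate -Cert $cert -FilePath 'C:\temp\pullserver.cer' | Out-Null

# --- On each managed node: trust that one certificate at machine level.
# The LCM runs as SYSTEM, so the CurrentUser store is irrelevant; it must be LocalMachine\Root.
$imported = Import-Certificate -FilePath 'C:\temp\pullserver.cer' `
                               -CertStoreLocation 'Cert:\LocalMachine\Root'

# Verify it landed where the LCM will look for it.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object Thumbprint -eq $imported.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter

# End-to-end check with a client that validates TLS the same way the LCM does:
# this must succeed with no certificate error before Set-DscLocalConfigurationManager will.
Invoke-WebRequest -Uri 'https://host.domain.com:1701/PSDSCPullServer.svc' -UseBasicParsing |
    Select-Object StatusCode
```

Because the certificate is self-signed and not a CA certificate, placing it in the Root store trusts that single certificate only; it does not let the server sign anything else. It also means every node must receive the new .cer when the certificate is renewed (New-SelfSignedCertificate defaults to a one-year lifetime), which is the operational cost Thomas Lee's "testing only" advice is about.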

Thank you for the reply.

I'm still searching for answers for my errors. For my 30-day cert, I did get a root and intermediate cert, which I installed on my client just as a test, but it didn't change anything. So I am contemplating starting over so I have a clean server and client, and buying a cert. So again, if anyone has some insights, I'll take them. Would your book help me with this problem? I could read another one.

Hiya, so many questions…
You said:

With HTTPS, I tried a self-signed certificate generated with Active Directory Certificate Services on my server.
I am not too sure what you really tried here, but self-signed certs work. As Thomas Lee pointed out, you need your managed node to trust 'em (at a machine level). You also need to make sure that the LCM is accessing the node using the right name as per the cert, or that the SANs are correctly set in your cert (iirc). If the cert says mymachine.domain.local and the LCM just tries mymachine (or the other way around), it won't work... Same with IP and all...

Definitely, you don't require a 3rd-party certificate... and the same principle applies (trust, certificate capabilities).

Don’t buy a cert!

Make sure you follow the doc here:
https://docs.microsoft.com/en-gb/powershell/dsc/pull-server/pullServer

And to trust the Self Signed cert in your managed node, follow something like this: https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/
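A diagnostic that checks, from the managed node, the two things this reply and Thomas Lee's say must hold: that the certificate the server actually presents carries the host name used in ServerURL, and that it chains to something in this machine's store. Added here as an example, not code from the thread or from the linked docs; the URL is the one from the post, and wildcard names are deliberately not handled.

```powershell
# Added example, not code from the original thread.
function Test-PullServerCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [uri] $ServerUrl)

    # Open a raw TLS session so we can look at the certificate the server sends,
    # independent of whatever the LCM or a browser reports.
    $client = New-Object System.Net.Sockets.TcpClient($ServerUrl.Host, $ServerUrl.Port)
    try {
        # Accept anything during the handshake purely so the inspection below can run.
        # Diagnostics only: never disable validation like this in a real client.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerUrl.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }

    # 1. Name check: the host in ServerURL must appear in the SAN list
    #    (fall back to the subject CN for certificates without a SAN).
    $names = @($cert.DnsNameList | ForEach-Object Unicode)
    if (-not $names) { $names = @($cert.GetNameInfo('SimpleName', $false)) }
    $nameOk = $names -contains $ServerUrl.Host

    # 2. Trust check against the LocalMachine stores, i.e. what the LCM (running as SYSTEM) sees.
    #    Revocation is skipped so this stays an offline test of the trust chain itself.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object Status) -join ', '

    [pscustomobject]@{
        Host         = $ServerUrl.Host
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        DnsNames     = $names -join ', '
        NameMatches  = $nameOk      # $false => the LCM will reject the server on name mismatch
        ChainTrusted = $trusted     # $false => import the root/self-signed cert into LocalMachine\Root
        ChainStatus  = $status      # e.g. UntrustedRoot, PartialChain, NotTimeValid
    }
}

Test-PullServerCertificate -ServerUrl 'https://host.domain.com:1701/PSDSCPullServer.svc'
```

Run it in an elevated PowerShell on the node that fails to register. NameMatches false with a valid chain means the cert was issued for a different name than the one in ServerURL (or the URL uses an IP or short name); ChainTrusted false with UntrustedRoot means the self-signed or CA certificate has not been imported into the machine Root store, and PartialChain usually means an intermediate is missing on the server side.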