Greetings,
I was hoping I could turn here for some help. I am new to DSC as of a month ago. Since then I have thrown myself into researching it for the benefits DSC can provide. I have also bought The DSC Book by Don Jones and Missy Januszko to further my research into this area of DevOps.
There have been starts, stops, and times I have circled back around to make my progress. I am nearly there, I believe, but I have some questions and need some help.
First off, between SMB, HTTP, and HTTPS I have decided to implement DSC with HTTPS due to security concerns. The previous 2 are not an option. With HTTPS, I tried a self-signed certificate generated with Active Directory Certificate Services on my server.
With the self-signed certificate, the client’s LCM could not connect and generated an error. My research on that error basically led me to a blog post that Microsoft is phasing out self-signed certificates for websites on the Internet. First question, is that a correct assessment? Could I not use a self-signed certificate in this case?
Moving on, I made the determination that the self-signed certificate would not work. I used https://secure.qualityssl.com to issue my website a 30-day cert to test my theory. After following the directions for installing the certificates (due to there being Intermediate Root Certificates I had to install), it worked successfully. I could bring up my website on HTTPS through a browser, whereas before, I could not.
Where I am at now is an error on the client with the LCM. Below is the configuration that I am running on the client to set the LCM, as I understand it from my research. The Certificate ID is the Thumbprint from the certificate I received from secure.qualityssl.com. Long story short, I have tried with and without the RegistrationKey to no avail.
[DSCLocalConfigurationManager()]
configuration DSC
{
    Node localhost
    {
        Settings
        {
            ConfigurationMode = 'ApplyAndAutoCorrect'
            RefreshMode = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded = $false
        }
        ConfigurationRepositoryWeb DSChost
        {
            ServerURL = 'https://host.domain.com:1701/PSDSCPullServer.svc'
            CertificateID = 'Thumbprint from cert from secure.qualityssl.com'
            #RegistrationKey = 'Key from RegistrationKeys.txt'
        }
    }
}
DSC
This generates the local.meta.mof on the client. I then run:
Set-DSCLocalConfigurationManager -Computer localhost -Path ./DSC -Verbose
This generates an error of:
Registration of the Dsc Agent with the server https://host.domain.com:1701/PSDSCPullServer.svc failed. The underlying error is: The input object cannot be bound because it did not contain the information required to bind all mandatory parameters: RegistrationKey .
- CategoryInfo : InvalidArgument: (@{CertificateID…PullServer.svc}:String) , CimException
- FullyQualifiedErrorId : InputObjectMissingMandatory,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
- PSComputerName : localhost
So moving on from here, I have tried it with the same DSCLocalConfigurationManager as above with the RegistrationKey.
Registration of the Dsc Agent with the server https://host.domain.com:1701/PSDSCPullServer.svc failed. The underlying error is: The attempt to register Dsc Agent with AgentId 89A38BE2-35A2-11E9-A279-00155D006407 with the server https://host.domain.com:1701/PSDSCPullServer.svc/Nodes(AgentId='89A38BE2-35A2-11E9-A279-00155D006407') returned unexpected response code Unauthorized. .
- CategoryInfo : InvalidResult: (root/Microsoft/…gurationManager:String) , CimException
- FullyQualifiedErrorId : RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
- PSComputerName : localhost
This is where I am stuck at. Could anyone provide some insight to point me in a direction? Just to give you some information, port 1701 is open through my firewall. I can access https://host.domain.com:1701/PSDSCPullServer.svc through a browser and see the correct information, indicating DSC is working correctly through HTTPS. I could provide the full host and domain offline, but I did not want to post it online. I have been looking at this so long, so it is starting to get less and less clear as time goes on.
Any help is appreciated.
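
An added example, not part of the original post: a PowerShell pre-flight check to run on the client before `Set-DscLocalConfigurationManager`. It reports how the client's own trust store judges the pull server's certificate chain (the self-signed question) and whether the thumbprint given as CertificateID resolves to a certificate on the client. The function names, the TLS 1.2 choice and the `Cert:\LocalMachine\My` store location are assumptions; the URL is the post's placeholder host.

```powershell
# Added diagnostic example; the URL and thumbprint are placeholders to replace.
param(
    [uri]$ServerUrl     = 'https://host.domain.com:1701/PSDSCPullServer.svc',
    [string]$Thumbprint = 'THUMBPRINT-PLACEHOLDER'
)

function Test-PullServerTls {
    param([uri]$Url)
    $seen = @{ PolicyErrors = 'NoHandshake'; ChainStatus = @() }
    # Record the client's own verdict on the server chain and enforce it unchanged.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $policyErrors)
        $seen.PolicyErrors = $policyErrors.ToString()
        $seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $seen.Subject      = $cert.Subject
        $seen.Issuer       = $cert.Issuer
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Url.Host, $Url.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Url.Host, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $seen.Handshake = 'Succeeded'
    } catch {
        $seen.Handshake = "Failed: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$seen
}

function Test-ClientCertificate {
    param([string]$Thumbprint)
    # Thumbprints pasted from a certificate dialog can carry spaces or invisible characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    [pscustomobject]@{
        InputWasClean    = ($clean -eq $Thumbprint.ToUpperInvariant())
        InStore          = [bool]$cert
        HasPrivateKey    = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter         = if ($cert) { $cert.NotAfter } else { $null }
        EnhancedKeyUsage = if ($cert) { $cert.EnhancedKeyUsageList.FriendlyName -join ', ' } else { $null }
    }
}

Test-PullServerTls -Url $ServerUrl
Test-ClientCertificate -Thumbprint $Thumbprint
```

A `ChainStatus` entry such as `UntrustedRoot` means the issuing CA is missing from the client's trusted roots. `InStore = False` means the thumbprint does not match any certificate in the client's machine store.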