This repository has been archived by the owner on Mar 24, 2022. It is now read-only.

iis.py - get_data_from_pfx and cert_import_pfx fail on empty password #138

Open
m03 opened this issue Sep 1, 2015 · 0 comments

m03 commented Sep 1, 2015

get_data_from_pfx and cert_import_pfx in the iis execution module, and pfx_present from the state module all fail when attempting to act against a PFX file that was encrypted with an empty password.

When testing the example PFX from the local machine:

C:\Users\Administrator\Downloads>certutil -p "" -dump C:\Company\Certs\mvcforum.pfx
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: d3edc3c61359a9fe
Issuer: CN=mvcforum, O=TestDomain, L=Los Angeles, S=California, C=US
 NotBefore: 8/14/2015 7:38 PM
 NotAfter: 8/11/2025 7:38 PM
Subject: CN=mvcforum, O=TestDomain, L=Los Angeles, S=California, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 9b bb 0e 37 ff ad ba 0d 79 53 9f c0 ae b5 1a 3d 59 63 bd b4
----------------  End Nesting Level 1  ----------------
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -dump command completed successfully.

A test of iis.get_data_from_pfx:

m03@salt01:/salt/state/web$ sudo salt 'win2012r2' file.file_exists 'C:\Company\Certs\mvcforum.pfx'
win2012r2:
    True
m03@salt01:/salt/state/web$ sudo salt 'win2012r2' iis.get_data_from_pfx 'C:\Company\Certs\mvcforum.pfx' None
win2012r2:
    False
m03@salt01:/salt/state/web$ sudo salt 'win2012r2' iis.get_data_from_pfx 'C:\Company\Certs\mvcforum.pfx' ''
win2012r2:
    False

Relevant entries from the debug log:

[DEBUG   ] Command details {'tgt_type': 'glob', 'jid': '20150831095631497642', 'tgt': 'win2012r2', 'ret': '', 'user': 'sudo_m03', 'arg': ['C:\\Company\\Certs\\mvcforum.pfx', None], 'fun': 'iis.get_data_from_pfx'}
[INFO    ] Starting a new job with PID 2728
[INFO    ] Executing command 'certutil -p None -dump C:\\Company\\Certs\\mvcforum.pfx' in directory 'C:\\Users\\Administrator'
[ERROR   ] Command 'certutil -p None -dump C:\\Company\\Certs\\mvcforum.pfx' failed with return code: -2147024810
[ERROR   ] stdout: Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
[ERROR   ] retcode: -2147024810
[ERROR   ] could get data from pfx bundle "C:\Company\Certs\mvcforum.pfx", password: "None"
[INFO    ] Returning information for job: 20150831095631497642
[DEBUG   ] Re-using SAuth for ('c:\\salt\\conf\\pki\\minion', 'win2012r2', 'tcp://192.168.1.104:4506')
[INFO    ] User sudo_m03 Executing command iis.get_data_from_pfx with jid 20150831095636444156
[DEBUG   ] Command details {'tgt_type': 'glob', 'jid': '20150831095636444156', 'tgt': 'win2012r2', 'ret': '', 'user': 'sudo_m03', 'arg': ['C:\\Company\\Certs\\mvcforum.pfx', ''], 'fun': 'iis.get_data_from_pfx'}
[INFO    ] Starting a new job with PID 2728
[INFO    ] Executing command 'certutil -p  -dump C:\\Company\\Certs\\mvcforum.pfx' in directory 'C:\\Users\\Administrator'
[ERROR   ] Command 'certutil -p  -dump C:\\Company\\Certs\\mvcforum.pfx' failed with return code: -2147024810
[ERROR   ] stdout: Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
[ERROR   ] retcode: -2147024810
[ERROR   ] could get data from pfx bundle "C:\Company\Certs\mvcforum.pfx", password: ""

A test of iis.cert_import_pfx:

m03@salt01:/salt/state/winrepo$ sudo salt 'win2012r2' iis.cert_import_pfx 'C:\Company\Certs\mvcforum.pfx' None
win2012r2:
    False
m03@salt01:/salt/state/winrepo$ sudo salt 'win2012r2' iis.cert_import_pfx 'C:\Company\Certs\mvcforum.pfx' ''
win2012r2:
    False

Relevant entries from the debug log:

[DEBUG   ] Command details {'tgt_type': 'glob', 'jid': '20150831094816671972', 'tgt': 'win2012r2', 'ret': '', 'user': 'sudo_m03', 'arg': ['C:\\Company\\Certs\\mvcforum.pfx', None], 'fun': 'iis.cert_import_pfx'}
[INFO    ] Starting a new job with PID 2728
[INFO    ] Executing command 'certutil -f -p None -importpfx C:\\Company\\Certs\\mvcforum.pfx' in directory 'C:\\Users\\Administrator'
[ERROR   ] Command 'certutil -f -p None -importpfx C:\\Company\\Certs\\mvcforum.pfx' failed with return code: -2147024810
[ERROR   ] stdout: CertUtil: -importPFX command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
[ERROR   ] retcode: -2147024810
[ERROR   ] could not import pfx bundle "C:\Company\Certs\mvcforum.pfx"
[INFO    ] Returning information for job: 20150831094816671972
[DEBUG   ] Re-using SAuth for ('c:\\salt\\conf\\pki\\minion', 'win2012r2', 'tcp://192.168.1.104:4506')
[INFO    ] User sudo_m03 Executing command iis.cert_import_pfx with jid 20150831094820116728
[DEBUG   ] Command details {'tgt_type': 'glob', 'jid': '20150831094820116728', 'tgt': 'win2012r2', 'ret': '', 'user': 'sudo_m03', 'arg': ['C:\\Company\\Certs\\mvcforum.pfx', ''], 'fun': 'iis.cert_import_pfx'}
[INFO    ] Starting a new job with PID 2728
[INFO    ] Executing command 'certutil -f -p  -importpfx C:\\Company\\Certs\\mvcforum.pfx' in directory 'C:\\Users\\Administrator'
[ERROR   ] Command 'certutil -f -p  -importpfx C:\\Company\\Certs\\mvcforum.pfx' failed with return code: -2147024810
[ERROR   ] stdout: Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
[ERROR   ] retcode: -2147024810
[ERROR   ] could not import pfx bundle "C:\Company\Certs\mvcforum.pfx"

State file:

import-cert-mvcforum-test1:
  iis.pfx_present:
    - name: 'C:\Company\Certs\mvcforum.pfx'

import-cert-mvcforum-test2:
  iis.pfx_present:
    - name: 'C:\Company\Certs\mvcforum.pfx'
    - password: ''

Results:

m03@salt01:/salt/state/web$ sudo salt 'win2012r2' state.sls web.windows.iis.cert_test
win2012r2:
----------
          ID: import-cert-mvcforum-test1
    Function: iis.pfx_present
        Name: C:\Company\Certs\mvcforum.pfx
      Result: False
     Comment: can't get the meta data from the PFX certificate, pass:"", pfx_data: False
     Started: 10:06:58.422000
    Duration: 31.0 ms
     Changes:
----------
          ID: import-cert-mvcforum-test2
    Function: iis.pfx_present
        Name: C:\Company\Certs\mvcforum.pfx
      Result: False
     Comment: can't get the meta data from the PFX certificate, pass:"", pfx_data: False
     Started: 10:06:58.453000
    Duration: 47.0 ms
     Changes:

Summary
------------
Succeeded: 0
Failed:    2
------------
Total states run:     2

Relevant entries from the debug log:

[INFO    ] Executing state iis.pfx_present for C:\Company\Certs\mvcforum.pfx
[INFO    ] Executing command 'certutil -p  -dump C:\\Company\\Certs\\mvcforum.pfx' in directory 'C:\\Users\\Administrator'
[ERROR   ] Command 'certutil -p  -dump C:\\Company\\Certs\\mvcforum.pfx' failed with return code: -2147024810
[ERROR   ] stdout: Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
[ERROR   ] retcode: -2147024810
[ERROR   ] could get data from pfx bundle "C:\Company\Certs\mvcforum.pfx", password: ""
[DEBUG   ] False
[ERROR   ] can't get the meta data from the PFX certificate, pass:"", pfx_data: False
[INFO    ] Completed state [C:\Company\Certs\mvcforum.pfx] at time 10:06:58.453000
[DEBUG   ] Could not LazyLoad iis.mod_init
[INFO    ] Running state [C:\Company\Certs\mvcforum.pfx] at time 10:06:58.453000
[INFO    ] Executing state iis.pfx_present for C:\Company\Certs\mvcforum.pfx
[INFO    ] Executing command 'certutil -p  -dump C:\\Company\\Certs\\mvcforum.pfx' in directory 'C:\\Users\\Administrator'
[ERROR   ] Command 'certutil -p  -dump C:\\Company\\Certs\\mvcforum.pfx' failed with return code: -2147024810
[ERROR   ] stdout: Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD)
CertUtil: The specified network password is not correct.
[ERROR   ] retcode: -2147024810
[ERROR   ] could get data from pfx bundle "C:\Company\Certs\mvcforum.pfx", password: ""
[DEBUG   ] False
[ERROR   ] can't get the meta data from the PFX certificate, pass:"", pfx_data: False
[INFO    ] Completed state [C:\Company\Certs\mvcforum.pfx] at time 10:06:58.500000
[DEBUG   ] File c:\salt\var\cache\salt\minion\accumulator\130177904 does not exist, no need to cleanup.
[INFO    ] Executing command ['attrib', '-R', 'c:\\salt\\var\\cache\\salt\\minion\\sls.p'] in directory 'C:\\Users\\Administrator'
[DEBUG   ] output:
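
The debug log in the report shows the two failing command lines (`-p None` and `-p ` followed by nothing), while the manual `certutil -p "" -dump` succeeds. The following added example (not part of the original report and not the iis module's code) builds the command as an argument list so an empty password survives as `""`, and masks the password for logging. The function names and the `naive_command_line` reconstruction are assumptions made for illustration.

```python
import subprocess

REDACTED = "********"

def build_certutil_argv(action, pfx_path, password=None):
    """Return the argv list for `certutil -p <password> <action> <pfx>`.

    None and '' both mean "empty password"; the value is kept as its own
    argv element so it can never be dropped or turned into the text 'None'.
    """
    if action not in ("-dump", "-importpfx"):
        raise ValueError("unsupported certutil action: %r" % (action,))
    if password is None:
        password = ""
    if not isinstance(password, str):
        raise TypeError("password must be a string or None")
    argv = ["certutil"]
    if action == "-importpfx":
        argv.append("-f")  # same flag order as the logged import command
    argv += ["-p", password, action, pfx_path]
    return argv

def to_command_line(argv):
    # list2cmdline applies the MS C runtime quoting rules; an empty
    # argument is emitted as "" instead of disappearing.
    return subprocess.list2cmdline(argv)

def loggable(argv):
    # Same command line with the value after -p masked, for log output.
    masked = list(argv)
    masked[masked.index("-p") + 1] = REDACTED
    return subprocess.list2cmdline(masked)

def naive_command_line(pfx_path, password):
    # String formatting implied by the debug log (a reconstruction, not the
    # module's source): None becomes 'None', '' leaves a gap after -p.
    return "certutil -p {0} -dump {1}".format(password, pfx_path)

PFX = r"C:\Company\Certs\mvcforum.pfx"  # path taken from the report

if __name__ == "__main__":
    for pw in (None, ""):
        print("naive:", naive_command_line(PFX, pw))
        argv = build_certutil_argv("-dump", PFX, pw)
        print("fixed:", to_command_line(argv))
        print("log  :", loggable(argv))
```

Passing the list itself to the process-spawning call, rather than the joined string, avoids a second round of parsing by a shell.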