dsccommunity
[xDscWebService] not in desired state when AcceptSelfSignedCertificates Parameter is not used
Problem description
If you create a Pullserver and do not set the AcceptSelfSignedCertificates Parameter the Set-TargetResource will set it to $true
[Parameter()]
[System.Boolean]
$AcceptSelfSignedCertificates = $true,
But the Test-TargetRessource will set it to $false
[Parameter()]
[System.Boolean]
$AcceptSelfSignedCertificates,
Because of that the Test-DscConfiguration command will report the Ressource not in desired state.
Verbose logs
Invoke-DscResource -Name xDscWebService -Method test -Property @{
Ensure = 'Present'
EndpointName = 'PSDSCPullServer'
ApplicationPoolName = 'PSDSCPullServer'
Port = 443
PhysicalPath = "E:\inetpub\wwwroot\PSDSCPullServer"
CertificateThumbPrint = 'CertificateThumbprint'
ModulePath = "E:\PSDSCPullServer\Modules"
ConfigurationPath = "E:\PSDSCPullServer\Configuration"
State = 'Started'
RegistrationKeyPath = "E:\PSDSCPullServer\"
DatabasePath = "E:\PSDSCPullServer\Database"
UseSecurityBestPractices = $false
ConfigureFirewall = $false
} -Verbose -ModuleName xPSDesiredStateConfiguration
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = Resourcetest,'className' = MSFT_DSCLocalConf
igurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer COMPUTERNAME with user sid S-MY-SID.
VERBOSE: [COMPUTERNAME]: LCM: [ Start Test ] [[xDSCWebService]DirectResourceAccess]
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check Ensure.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check Port.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check Application Pool.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check Binding.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Checking firewall rule settings.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check Physical Path property.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check State.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Get Full Path for Web.config file.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check DatabasePath.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check ModulePath.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check ConfigurationPath.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check RegistrationKeyPath.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Check AcceptSelfSignedCertificates.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] AcceptSelfSignedCertificates is disabled. Ch
ecking if module Selfsigned IIS module is NOT configured for web site at 'E:\inetpub\wwwroot\PSDSCPullServer\web.config'.
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Test-IISSelfSignedModuleEnabled: EndpointNam
e 'PSDSCPullServer'
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Test-IISSelfSignedModuleEnabled: web.confg p
ath 'E:\inetpub\wwwroot\PSDSCPullServer\web.config'
VERBOSE: [COMPUTERNAME]: [[xDSCWebService]DirectResourceAccess] Module present in web site. Current configur
ation does not match the desired state.
VERBOSE: [COMPUTERNAME]: LCM: [ End Test ] [[xDSCWebService]DirectResourceAccess] False in 0.3150 seconds.
VERBOSE: [COMPUTERNAME]: LCM: [ End Set ] in 0.8740 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
InDesiredState
--------------
False
VERBOSE: Time taken for configuration job to complete is 0.96 seconds
DSC configuration
xDscWebService PSDSCPullServer {
Ensure = 'Present'
EndpointName = 'PSDSCPullServer'
ApplicationPoolName = 'PSDSCPullServer'
Port = 443
PhysicalPath = "E:\inetpub\wwwroot\PSDSCPullServer"
CertificateThumbPrint = 'CertificateThumbprint'
ModulePath = "E:\PSDSCPullServer\Modules"
ConfigurationPath = "E:\PSDSCPullServer\Configuration"
State = 'Started'
RegistrationKeyPath = "E:\PSDSCPullServer\"
DatabasePath = "E:\PSDSCPullServer\Database"
AcceptSelfSignedCertificates = $true
UseSecurityBestPractices = $false
ConfigureFirewall = $false
}
Suggested solution
Set the Parameter default value to the same value.
Operating system the target node is running
OsName : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage : en-US
OsMuiLanguages : {en-US}
PowerShell version and build the target node is running
Name Value
---- -----
PSVersion 5.1.20348.2227
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.20348.2227
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
xPSDesiredStateConfiguration version
Name Version Path
---- ------- ----
xPSDesiredStateConfiguration 9.1.0 C:\Program Files\WindowsPowerShell\Modules\xPSDesiredStateConfiguration\9.1.0\xPSDesiredStat...
I think this need to be changed.
$true should be removed from this line
https://github.com/dsccommunity/xPSDesiredStateConfiguration/blob/1d48c47898f748d11b097de7b6addaaf146e5f19/source/DSCResources/DSC_xDSCWebService/DSC_xDSCWebService.psm1#L332
Then this code should only run if $PSBoundParameters.ContainsKey('AcceptSelfSignedCertificates'):
https://github.com/dsccommunity/xPSDesiredStateConfiguration/blob/1d48c47898f748d11b097de7b6addaaf146e5f19/source/DSCResources/DSC_xDSCWebService/DSC_xDSCWebService.psm1#L597-L606
Same here, this code should only run if $PSBoundParameters.ContainsKey('AcceptSelfSignedCertificates'):
https://github.com/dsccommunity/xPSDesiredStateConfiguration/blob/1d48c47898f748d11b097de7b6addaaf146e5f19/source/DSCResources/DSC_xDSCWebService/DSC_xDSCWebService.psm1#L1001-L1045
