Merge pull request #39507 from joe-niland/iis-7-cert-binding

Detect IIS version and vary certificate association command depending on version
2025-04-17 10:10:20 +00:00 · 2017-02-23 12:15:39 -07:00 · 2017-02-23 12:15:39 -07:00 · c0d4357f46
commit c0d4357f46
parent e6f5e8a474 c94f0b8c62
1 changed files with 32 additions and 2 deletions
--- a/salt/modules/win_iis.py
+++ b/salt/modules/win_iis.py
@ -13,6 +13,7 @@ from __future__ import absolute_import
 import json
 import logging
 import os
+import decimal

 # Import salt libs
 from salt.ext.six.moves import range
@ -77,6 +78,22 @@ def _list_certs(certificatestore='My'):
    return ret


+def _iisVersion():
+    pscmd = []
+    pscmd.append(r"Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\InetStp\\")
+    pscmd.append(' | Select-Object MajorVersion, MinorVersion')
+
+    cmd_ret = _srvmgr(func=str().join(pscmd), as_json=True)
+
+    try:
+        items = json.loads(cmd_ret['stdout'], strict=False)
+    except ValueError:
+        _LOG.error('Unable to parse return data as Json.')
+        return -1
+
+    return decimal.Decimal("{0}.{1}".format(items[0]['MajorVersion'], items[0]['MinorVersion']))
+
+
 def _srvmgr(func, as_json=False):
    '''
    Execute a function from the WebAdministration PS module.
@ -457,6 +474,11 @@ def create_cert_binding(name, site, hostheader='', ipaddress='*', port=443, sslf
    pscmd = list()
    name = str(name).upper()
    binding_info = _get_binding_info(hostheader, ipaddress, port)
+
+    if _iisVersion() < 8:
+        # IIS 7.5 and earlier don't support SNI for HTTPS, therefore cert bindings don't contain the host header
+        binding_info = binding_info.rpartition(':')[0] + ':'
+
    binding_path = r"IIS:\SslBindings\{0}".format(binding_info.replace(':', '!'))

    if sslflags not in _VALID_SSL_FLAGS:
@ -492,8 +514,15 @@ def create_cert_binding(name, site, hostheader='', ipaddress='*', port=443, sslf
        _LOG.error('Certificate not present: %s', name)
        return False

-    pscmd.append("New-Item -Path '{0}' -Thumbprint '{1}'".format(binding_path, name))
-    pscmd.append(" -SSLFlags {0}".format(sslflags))
+    if _iisVersion() < 8:
+        # IIS 7.5 and earlier have different syntax for associating a certificate with a site
+        # Modify IP spec to IIS 7.5 format
+        iis7path = binding_path.replace(r"\*!", "\\0.0.0.0!")
+
+        pscmd.append("New-Item -Path '{0}' -Thumbprint '{1}'".format(iis7path, name))
+    else:
+        pscmd.append("New-Item -Path '{0}' -Thumbprint '{1}'".format(binding_path, name))
+        pscmd.append(" -SSLFlags {0}".format(sslflags))

    cmd_ret = _srvmgr(str().join(pscmd))

@ -507,6 +536,7 @@ def create_cert_binding(name, site, hostheader='', ipaddress='*', port=443, sslf
        if name == new_cert_bindings[binding_info]['certificatehash']:
            _LOG.debug('Certificate binding created successfully: %s', name)
            return True
+
    _LOG.error('Unable to create certificate binding: %s', name)
    return False