Utilizing win_iis_webbinding to update IIS certs

Hello,

I’m new to Ansible and have been giving it some attention in my test environment to see how feasible it is to utilize in production… Mainly to provision/configure/manage 30 or so Windows web-servers.

I was able to copy and install my cert and bind it to my site with win_iis_webbinding; however, testing if I need to update the cert for whatever reason, I upload a new cert, change the certificate_hash, and nothing happens. The old cert is still in play. It’s my understanding from looking around on other sites that the certificate_hash isn’t inspected when reviewing pending changes on a playbook play regarding this module, so I’m curious if there’s a way to accomplish updating the cert if the certificate_hash is different.

I attempted to run a play in the playbook to mark the port binding as absent before setting the new thumbprint in the certificate_hash, but received an error stating that it “Cannot create a file when that file already exists.”
Digging deeper, I found that if I remove the play below that adds the SSL binding for the new site, and only set the state of the binding to absent, then the SSL binding is removed. If I try to add the play below with the new thumbprint, I get the error that the file already exists and the binding reappears with the original cert, not the new updated one. So regardless of what I define as the certificate_hash, the original hash always gets added.

Portion of Playbook:

```yaml
#- name: Remove SSL Binding for newSite
#  win_iis_webbinding:
#    name: newSite
#    protocol: https
#    port: 443
#    state: absent

- name: Add SSL Binding for newSite
  win_iis_webbinding:
    name: newSite
    protocol: https
    port: 443
    certificate_hash: thumbprint  # when changed, it gets skipped and never updates on IIS sites
    state: present
```

Does anyone know of a way to update the cert on a site? Or would it just be best to explore options outside of the module to accomplish this task, such as running a win_shell command with an args, or something else along those lines…?

Thanks,

John
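Since the module does not rebind when only certificate_hash changes, one workaround in the win_shell direction John mentions is a small idempotent PowerShell step that compares the binding's current thumbprint with the desired one and swaps the certificate only when they differ, reporting "changed" back to Ansible accordingly. This is an added example, not code from the thread or from the win_iis_webbinding module. It assumes the variable names iis_site_name, iis_https_port and iis_cert_thumbprint, that the https binding already exists (for instance from the "Add SSL Binding" task above), and that the new certificate has already been imported into LocalMachine\My by an earlier task.

```yaml
# Added example, not part of the thread: swap the certificate on an existing IIS
# https binding only when its thumbprint differs. The variable names are assumed.
- name: Ensure the https binding for newSite uses the desired certificate
  win_shell: |
    $ErrorActionPreference = 'Stop'
    Import-Module WebAdministration

    $siteName  = '{{ iis_site_name }}'
    $port      = {{ iis_https_port }}
    $storeName = 'My'
    # Normalise the thumbprint (strip spaces/colons, uppercase) so it compares
    # reliably with the hash IIS reports on the binding.
    $thumbprint = ('{{ iis_cert_thumbprint }}' -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumbprint.Length -ne 40) { throw "Expected a 40-hex-char SHA-1 thumbprint, got '$thumbprint'" }

    # Fail early if the certificate is not installed or has no private key;
    # AddSslCertificate would otherwise fail with a far less helpful error.
    $cert = Get-Item -Path "Cert:\LocalMachine\$storeName\$thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\$storeName" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key; IIS cannot use it" }

    $bindings = @(Get-WebBinding -Name $siteName -Protocol https -Port $port)
    if ($bindings.Count -eq 0) { throw "Site '$siteName' has no https binding on port $port" }

    $changed = $false
    foreach ($binding in $bindings) {
        $current = ([string]$binding.certificateHash).ToUpperInvariant()
        if ($current -eq $thumbprint) { continue }
        # Detach the old certificate from the binding before attaching the new
        # one, so the add does not collide with the existing registration.
        if ($current) { $binding.RemoveSslCertificate() }
        $binding.AddSslCertificate($thumbprint, $storeName)
        $changed = $true
    }
    if ($changed) { 'CERT_CHANGED' } else { 'CERT_UNCHANGED' }
  register: iis_cert_result
  changed_when: "'CERT_CHANGED' in iis_cert_result.stdout"
```

Because the script compares thumbprints before touching anything, a second run with the same variables reports ok rather than changed, and a bad thumbprint (wrong length, cert missing, no private key) fails the task before the binding is altered, leaving the old certificate in service.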

The win_iis_* modules are fairly old and have a few bugs associated with them. I started to rewrite them but haven’t really been able to continue due to time commitments and the fact that DSC is probably better suited to this task. My recommendation is to:

The only requirements are that PS v5 is installed and that you are using the devel version of win_dsc; 2.4 does have that module, but to be able to supply a dict value the devel one has to be used. If you aren’t using devel and are on a released version, you can create a new file from https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_dsc.ps1 and add that to the library path for Ansible so it is available to your roles. It is recommended to rename the file from win_dsc so you don’t get confused when using a custom module vs an inbuilt one.

Thanks

Jordan
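The DSC route Jordan recommends, as an added example that is not code from the thread or from the Ansible project. It assumes a win_dsc that accepts nested dict and list values for BindingInfo (the devel behaviour described above; if you copied win_dsc.ps1 into your library path under another name, use that module name instead), PowerShell 5 on the target, the xWebAdministration DSC module that provides the xWebsite resource, a variable iis_cert_thumbprint, and a physical path that is a placeholder. xWebsite checks the requested CertificateThumbprint against the binding's current certificate in its Test, so changing the variable produces a rebind on the next run.

```yaml
# Added example, not from the thread: manage the site and its https binding
# through DSC instead of win_iis_webbinding. Module name, path and variable
# name are assumptions.
- name: Ensure the xWebAdministration DSC module is installed
  win_psmodule:
    name: xWebAdministration
    state: present

- name: Ensure newSite exists with an https binding on the desired certificate
  win_dsc:
    resource_name: xWebsite
    Ensure: Present
    Name: newSite
    State: Started
    PhysicalPath: C:\inetpub\wwwroot\newSite
    BindingInfo:
      - Protocol: https
        Port: 443
        IPAddress: '*'
        CertificateThumbprint: "{{ iis_cert_thumbprint }}"
        CertificateStoreName: My
```

As with any DSC resource driven from Ansible, the certificate must already be present in the LocalMachine\My store on the target; xWebsite binds to it by thumbprint but does not import it.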

This is great information. Thank you for your help. I will read into the links provided and see if I can work out a resolution with DSC.

I was able to successfully import the module, naming it win_dsc_devel. I verified it with an ad hoc call, passing no parameters, confirming that Ansible sees the module. The problem I’m having, using the win_dsc example from the module to create an IIS website, is that I get errors when attempting to parse the information regarding binding to my machine.

That’s weird; I was able to get this task working in an optional integration test when developing these changes, here: https://github.com/ansible/ansible/blob/devel/test/integration/targets/win_dsc/tasks/destructive.yml#L62. Are you able to open a GitHub issue about this, and I’ll try to look into it?

Hello,

Sorry for replying to a very old thread, but I see exactly the same issue with xWebsite.

Did you find the cause for it?

Thank you,

Igor