RE: ssl certificate does not work

For those that are still interested, I did finally manage to get this to work on Proget 2025.8. This is what I had to do. First, you need to create your own certificate template based off the default Web Server template, and make sure you can export the private keys, and most importantly add Client Authentication to the template as it will not work if you don't. I also added the computer name account on the security tab to be able to "Enroll" the certificate. On my issuing certificate authority, I went into Certification Authority MMC, and under "Certificate Templates" right click and under New- Certificate template to issue. After adding the template you just created, go to the windows server you are running this under and open up certlm.msc. Under Personal- Certificates right click "Request New Certificate". Find your certificate you created under the AD Enrollment Policy. Add subject name, and make sure to add the netbios name and fqdn under dns. Give it a subject name like Proget or something else to make it stand out. You should be able to accept the rest of the defaults. Make sure the "Client Authentication" is with "Server Authentication" or it won't work. After that is done, right click your new certificate All Tasks-Manage Private Keys and add "Network Service" and give it full control. After that, your certificate is ready. In ProGet, add the certificate from the computer personal store under "My" and after that, you should be able to access it under https://server.domain.local:8625. You should be in and should have a secure connection at that point.

@apxltd Lol, fair enough. I know MS is busy trying to get everyone on the cloud and destroying on prem. Not sure how well that's going for them. Well, let's watch and see what winget does. Maybe it will take off.

My fix unfortunately was to fall back to 2024.39 and use IIS with SQL 2022. I wish I could of used postgres, but I really don't have time to geek out on this; I need it to just work and be secured with ssl. The URL rewrite made some weird things happen, something to do with compression. Once proget was installed, I deleted the default site, added a binding on the proget site for 443, removed the http and it just worked. Getting ssl to me is more valuable than whatever benefits that IWS provide, which to me don't appear to be any. IWS is like a black box, with no logs and no management. So until ssl works with a "Web Server" certificate template issued from our Active Directory Certificate Service on IWS, this is a hard no-go for me.

@steviecoaster Thanks for providing those links, but I am not sure they are up to date for for IWS and/or proget 2025? Also, the Set-CertPermissions.ps1, are you doing that to a certificate that's already in the store, or exporting it and applying acl's to it and then point the IWS certificate to use that while not imported into the store? I am figuring the latter as one get the location based on just the thumbprint alone. Also, some examples and filling out the help would be great too. Thank you for this work, it is appreciated.

I do believe they have code available for the private repo:
https://github.com/microsoft/winget-cli-restsource

and there are a few products out there that have also built something for it as well. But I would rather use an Inedo product for it if I could. Choco is dandy, but it is not a tool built right into the OS. Also, getting certificates to work with the IWS has proven to be time consuming especially when I can setup IIS and get a cert that works in 30 seconds and have to use IIS as a reverse proxy to get ssl to work. I am going to explore a script that another individual has made regarding certs for IWS, but I have to free up some time to do that, never seems to be enough time in the day :)

"except you it run from the Commandline and has a ton of shady, unvetted packages from internet randos"

Aren't those the best kind?!

@dean-houston Thanks Dean, looks like it worked.

I guess I am still a new user too!

@apxltd I would like to see this get added. Winget seems to work out of the box and is a windows native tool vs. choco. I get hesitation bringing in a 3rd party versus something that is there right out of the box.

Hello Alana, how are you? I have logged back in to see that my old account at my previous work was not merged with this one. Can we do that or? Thanks!

PS I got this :
Error
As a new user, you can only post once every 240 second(s) until you have earned 3 reputation - please wait before posting again

Is that what I am, a new user?

@udi-moshe_0021 Hello, did you have any luck getting this to work? I am trying to get the certificate to work as well for testing. I would appreciate any feedback. I will probably try @steviecoaster scripts as well to see if that works. I am running 2025.5 and I am using IIS as a reverse proxy to get SSL to work. Less than desirable but we need to get this secured. Thanks!

I see the hub.exe has help, but I cannot seem to be able to list out the --args to see what options I have:

Usage: hub.exe install <product>[:version] [--arg=value]...

what possible values can I use here? Thanks!

@atripp After spending hours trying to create a folder, I gave up, uninstalled, and installed 2.2.12 and my PSEnsure seems to be working fine. I can't get anything to work in 3.0.2, anything powershell agentless. I have had problems getting an Ensure Server $servername to work on localhost, so not sure what to do there.

@atripp said in Otter 3.0.2. PSEnsure operations broken:

A couple customers will have a lot of OtterScript Configurations to migrate, but it's just a search/replace of PSEnsure to PSEnsureScripts for them...

Oh my! Shots fired!!!

@atripp said in Otter 3.0.2. PSEnsure operations broken:

Otter 3.0.3 scheduled for Friday, so please check it out then :)

I have a demo to a customer that I need stuff to just work right now, but I will try to understand what you guys are trying to do. It has taken a lot of my time already, and I haven't gotten anywhere, so I will have to table this for now. It was hard enough to get people on my previous team to use the old PSEnsure, and the new version does not seem very user friendly and is not straightforward at all. My target customers are not developers, and these new concepts will definitely help kill my sales. I may have to stay in 2.2 for the foreseeable future.