RE: ssl certificate does not work

For those that are still interested, I did finally manage to get this to work on Proget 2025.8. This is what I had to do. First, you need to create your own certificate template based off the default Web Server template, and make sure you can export the private keys, and most importantly add Client Authentication to the template as it will not work if you don't. I also added the computer name account on the security tab to be able to "Enroll" the certificate. On my issuing certificate authority, I went into Certification Authority MMC, and under "Certificate Templates" right click and under New- Certificate template to issue. After adding the template you just created, go to the windows server you are running this under and open up certlm.msc. Under Personal- Certificates right click "Request New Certificate". Find your certificate you created under the AD Enrollment Policy. Add subject name, and make sure to add the netbios name and fqdn under dns. Give it a subject name like Proget or something else to make it stand out. You should be able to accept the rest of the defaults. Make sure the "Client Authentication" is with "Server Authentication" or it won't work. After that is done, right click your new certificate All Tasks-Manage Private Keys and add "Network Service" and give it full control. After that, your certificate is ready. In ProGet, add the certificate from the computer personal store under "My" and after that, you should be able to access it under https://server.domain.local:8625. You should be in and should have a secure connection at that point.

@apxltd Lol, fair enough. I know MS is busy trying to get everyone on the cloud and destroying on prem. Not sure how well that's going for them. Well, let's watch and see what winget does. Maybe it will take off.

My fix unfortunately was to fall back to 2024.39 and use IIS with SQL 2022. I wish I could of used postgres, but I really don't have time to geek out on this; I need it to just work and be secured with ssl. The URL rewrite made some weird things happen, something to do with compression. Once proget was installed, I deleted the default site, added a binding on the proget site for 443, removed the http and it just worked. Getting ssl to me is more valuable than whatever benefits that IWS provide, which to me don't appear to be any. IWS is like a black box, with no logs and no management. So until ssl works with a "Web Server" certificate template issued from our Active Directory Certificate Service on IWS, this is a hard no-go for me.

@steviecoaster Thanks for providing those links, but I am not sure they are up to date for for IWS and/or proget 2025? Also, the Set-CertPermissions.ps1, are you doing that to a certificate that's already in the store, or exporting it and applying acl's to it and then point the IWS certificate to use that while not imported into the store? I am figuring the latter as one get the location based on just the thumbprint alone. Also, some examples and filling out the help would be great too. Thank you for this work, it is appreciated.

I do believe they have code available for the private repo:
https://github.com/microsoft/winget-cli-restsource

and there are a few products out there that have also built something for it as well. But I would rather use an Inedo product for it if I could. Choco is dandy, but it is not a tool built right into the OS. Also, getting certificates to work with the IWS has proven to be time consuming especially when I can setup IIS and get a cert that works in 30 seconds and have to use IIS as a reverse proxy to get ssl to work. I am going to explore a script that another individual has made regarding certs for IWS, but I have to free up some time to do that, never seems to be enough time in the day :)

"except you it run from the Commandline and has a ton of shady, unvetted packages from internet randos"

Aren't those the best kind?!

@dean-houston Thanks Dean, looks like it worked.

I guess I am still a new user too!

@apxltd I would like to see this get added. Winget seems to work out of the box and is a windows native tool vs. choco. I get hesitation bringing in a 3rd party versus something that is there right out of the box.

Hello Alana, how are you? I have logged back in to see that my old account at my previous work was not merged with this one. Can we do that or? Thanks!

PS I got this :
Error
As a new user, you can only post once every 240 second(s) until you have earned 3 reputation - please wait before posting again

Is that what I am, a new user?

@udi-moshe_0021 Hello, did you have any luck getting this to work? I am trying to get the certificate to work as well for testing. I would appreciate any feedback. I will probably try @steviecoaster scripts as well to see if that works. I am running 2025.5 and I am using IIS as a reverse proxy to get SSL to work. Less than desirable but we need to get this secured. Thanks!

I see the hub.exe has help, but I cannot seem to be able to list out the --args to see what options I have:

Usage: hub.exe install <product>[:version] [--arg=value]...

what possible values can I use here? Thanks!

@atripp After spending hours trying to create a folder, I gave up, uninstalled, and installed 2.2.12 and my PSEnsure seems to be working fine. I can't get anything to work in 3.0.2, anything powershell agentless. I have had problems getting an Ensure Server $servername to work on localhost, so not sure what to do there.

@atripp said in Otter 3.0.2. PSEnsure operations broken:

A couple customers will have a lot of OtterScript Configurations to migrate, but it's just a search/replace of PSEnsure to PSEnsureScripts for them...

Oh my! Shots fired!!!

@atripp said in Otter 3.0.2. PSEnsure operations broken:

Otter 3.0.3 scheduled for Friday, so please check it out then :)

I have a demo to a customer that I need stuff to just work right now, but I will try to understand what you guys are trying to do. It has taken a lot of my time already, and I haven't gotten anywhere, so I will have to table this for now. It was hard enough to get people on my previous team to use the old PSEnsure, and the new version does not seem very user friendly and is not straightforward at all. My target customers are not developers, and these new concepts will definitely help kill my sales. I may have to stay in 2.2 for the foreseeable future.

@atripp Is 3.0.3 out? It wasn't as of yesterday? Is it a beta? You know I am always happy to try a new version.

I didn't know you guys were unhappy with PSEnsure; I was pleased with it. If I was still at my previous position, I would not have been happy that my 80 some odd configurations broke because someone didn't like the way it worked. This someone was happy enough, but I will give the new way a go. Since PSEnsureScripts has a new name, why not just leave the PSEnsure there and operational? You could of also added a warning and said "Hey, we see you are using the old PSEnsure, why not check out the new shiny PSEnsureScripts? See? OOOooohhhh, shiny!! :) Just a thought.

Thanks @JonathanEngstrom!

Could not resolve variable $ErrorActionPreference.

There could be a regression with Variable resolution? Can you let us know how/where this is configured, so we can try a repro?

PSEnsure that I test with and has always worked

This was a big change. We really liked the name PSEnsure but hated how it worked, and we don't want people to use it anymore. So we decided to rename it to PSEnsureScripts and redefine the behavior.

Quick Fix - Rename the Operation

PSEnsureScripts
(
    Key: Simple Test,
    Value: True,
    Collect: >>
if (Test-Path C:\Temp2){$true}else {$false}
        
    >>,
    Configure: >>
    New-Item -Path C:\ -Name Temp2 -ItemType Directory -Verbose
    Write-Output "Make C:\Temp directory"
    >>
);

Recommended Fix - Rewrite your Verify / Ensure Scripts

<# 
.DESCRIPTION
Verifies that the specified HotFix is installed

.AHCONFIGKEY
Simple Test

.AHEXECMODE
$ExecMode

#>

if $ExecMode -eq "Configure" {
    New-Item -Path C:\ -Name Temp2 -ItemType Directory -Verbose
    Write-Output "Make C:\Temp directory"
} else { 
if (Test-Path C:\Temp2) { return $true} else { return $false }
}

PS Love the new look of Otter 3 :D

Thanks! And it's too bad you didn't try out Otter 3.0.3 (shipping this week, Friday); we now have cute character/artwork in the onboarding steps

---

For reference, here are the descriptions of the Additional Help values

.AHDESIREDVALUE
This is what you wish the configuration value to be. When not specified, $true is used

.AHCURRENTVALUE
This is the actual value of the configuration. When not specified, the script's return (output) is used.

.AHCONFIGKEY
This is the "configuration key" used by the script, which is a string that uniquely identifies configuration on a server. It's like a file on disk (a file is uniquely identified by its name), or the name of an IIS Application pool (an application pool is unqiuely identified by its name). Optional. When not specified, the name of the script is used.

.AHVALUEDRIFTED
This is an indicator as to whether the value is considered drifted. When not specified, it's a basic comparison of the desired and current values.

.AHEXECMODE
This is either "Collect" or "Configure", and is only used on PSEnsure operations; it will be ignored (or set to Collect, depending on what's easier to code) on PSVerify. Using a PSEnsure without a .AHEXECMODE will cause an error.

The Additional Help items can be specified as a value or a variable; variables will simply start with a $.

I have installed Otter on several brand new Windows 10 and Server 2019 with nothing else installed. I am testing a deployment framework. I cannot get anything PowerShell related to work at all. I have even gone back several versions, and it is still broken. I used some known good working ones that I have developed over time that are in use today, but cannot get them to work:

DEBUG: 2021-03-02 21:10:57Z - Building OtterScript configuration for server "LOCALHOST" to target 2 roles...
DEBUG: 2021-03-02 21:10:57Z - Beginning collection run...
ERROR: 2021-03-02 21:10:57Z - Could not resolve variable $ErrorActionPreference.
ERROR: 2021-03-02 21:10:57Z - No Collect or Ensure operations were executed during the collection phase.
DEBUG: 2021-03-02 21:10:57Z - Cleaning up temporary files on Local Server...

Don't even get me started with trying with PowerShell Agentless. Help! :)

PS Love the new look of Otter 3 :D

That's fine, try that. I just logged on and saw I don't have my posts :)

@atripp So it appears to have created a new profile and removed all of my post history. Good times! :)

I do not see that option.

Self explanatory; I don't see a place to change it in my profile. Thanks!

So I able to make a copy of it, and it has the files but none of the configurations in the roles. I will try copying the git repository and see if that works.

I am migrating to a new server, as my old one is dying. I was able to install otter on the new server and restore the otter DB from a backup, but I am not having much luck getting my git server (On Prem Bitbucket) back up and running. Can I grab everything out of the git raft and transfer it to a new file based raft that just works?

Yes, same user. Like I said, I have taken great care to eliminate variables trying to understand what is going on.

It's a 2016 Server, so it comes preinstalled with 5.1. 5.1.14393.3471 is the specific version.

That's a good idea, but I actually started off using the $env:computername and switched to $servername thinking that maybe somehow Otter wasn't using the $env:computername variable, but it didn't make any difference.

Strange. I am running the code locally on the target server in powershell, and it is working flawlessly. The FindOne and FindAll work to limit the machine. Intellisense also auto completes these, so they are present and working.

([adsisearcher]"samaccountname=$($env:computername)$").FindOne()

works fine and returns the result on the sql machine I am targeting the psensure configuration on. I am not changing the code or machine I am testing on; changing anything or introducing variables would not constitute a very scientific observation. Same code, same machine. When run locally, works fine. When run in Otter, it does not work. I am guessing it is how Otter formats things sometimes; that would be my guess. But Otter is not handling this line of code. and it would help to understand why.

Looking at your example, I am not sure how it could work. Your TargetOU is not in distinguished name format. Should be something like "'CN='Users',DN='Domain',DN='Test'". Did you move the computer object from one OU to another? I am curious about the results there.

Here is the code for the PSEnsure:

##AH:UseTextMode

#Assembled Jonathan Engstrom 20200219

PSEnsure
(
Key: $KeyName,
Value: True,
Collect: >>

$ErrorActionPreference = 'SilentlyContinue'
$Value = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName -match $TargetOU
$CurrentValue = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
((($Value -eq $true) -and (($env:COMPUTERNAME) -match 'sql')) -or ($env:COMPUTERNAME -notmatch 'sql'))

,
Configure: >>

$samAccountName = $ServerName
$newOU =  [adsi]"LDAP://$TargetOU"
$comp= ([adsisearcher]"samaccountname=$($ServerName)$").FindOne()
$comp.GetDirectoryEntry().MoveTo($newOU)

);

KeyName and TargetOU variables are set. I am not running an agent, I am doing everything agentless.

I am not having a problem running the code locally, I am having a problem running it in Otter. The code I have works fine when run in PowerShell by itself; hence why I am wondering what is going on here.

That code does not work in Otter for me btw, I did not test outside of Otter.

@rhessinger said in $PSCredential- round two:

$samAccountName = $ServerName
$newOU = [adsi]"LDAP://$TargetOU"
$test = ([adsisearcher]"samaccountname=$($samAccountName)$").FindOne()

Good morning, I made this this change, and there was no change. I had the same error.

I have a variable that specifies the TargetOU, it's just the path of the OU of where I want to move the computer account to. This is what is in the configure block of my PSEnsure:

$newOU =  [adsi]"LDAP://$TargetOU"
$test = ([adsisearcher]"samaccountname=$($ServerName)$").FindOne
$comp.GetDirectoryEntry.MoveTo($newOU)

There is no errors in the Diagnostic Center pertaining to this error.

Here is the output. I also tested trying to use the method Findall instead of FindOne, it didn't make a difference.

Configuration job is targeting 1 servers by name.
Building configuration plan for server server.domain.test to target 1 roles.
Finished processing role configuration plans.
server.domain.test does not have a configuration plan in raft Default.
Finished processing 2 scripts.
Beginning collection run...
Collecting configuration...
Importing Name...
Importing ModuleName...
Invoke-DscResource -Name $Name -Method Get -Property $Property -ModuleName $ModuleName
Importing Name...
Importing Property...
Importing ModuleName...
Invoke-DscResource -Name $Name -Method Test -Property $Property -ModuleName $ModuleName
Importing Name...
Importing Property...
Importing ModuleName...
Comparing configuration...
Configuration matches template.
Collecting configuration...
Importing TargetOU...
Comparing configuration...
Difference: Value
=Template=> True
= Actual => , False
Configuration drift detected.
Adding to execution plan.
Collection run complete.
Collection run succeeded.
Beginning execution run...
Importing TargetOU...
Importing ServerName...
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
You cannot call a method on a null-valued expression.
Storing configuration template...
Execution run failed.
Recording configuration for server (ID=#2050)...
Configuration for server (ID=#2050) recorded.
Cleaning up temporary files on PowerShell...

Alright, fair enough. As I use Otter almost exclusively for checking for compliance, I will look forward to this. Nontrivial asks are always the best ones, right? :D

These are some of them I found:

https://forums.inedo.com/topic/2661/can-two-otter-servers-share-a-raft-or-what-would-be-an-easy-way-to-copy-all-my-code-between-each-otter-instance

https://forums.inedo.com/topic/2633/otter-feature-request-set-up-a-collector-of-sorts-to-use-in-a-multi-tenant-datacenter

https://forums.inedo.com/topic/2568/bug-execution-dispatcher-timer-shows-for-each-machine-at-30-second-increments-it-jumps-to-the-next-minute

https://forums.inedo.com/topic/2567/service-won-t-start-after-2-1-1-upgrade

https://forums.inedo.com/topic/2531/update-either-server-or-role-variables

OK, thank you for the example, that makes much more sense with context around it. However, I am still not able to get this to work. I am not able to get the Move-ADObject cmdlet to work in Otter regardless even though I can get them to work every time outside of Otter. OK, so tried to do something different just in case. Same issue again, I can't get this line of code to work in an PSEnsure either:

([adsisearcher]"samaccountname=$($env:computername)$").FindOne()

This should return some simple AD attributes for the computer and runs fine outside of Otter. This does not work either when put inside of Otter. Wondering if there is something that is not allowing this code to work?

Has there been any update to this?

Why does this have me listed as a guest who posted it instead of me? Was this something strange with the migration of the forums last year?

Well, my question is not being answered I feel. That example lacks any context of use, so I can't really articulate what I can do with that. It's like if I called you and said some random thing like "rock" and hung up. OK, what is a person supposed to do with that information? I want to be able to do something like this in my configure portion of a psensure:

Move-ADObject -Identity (Get-ADComputer -Identity $env:COMPUTERNAME).ObjectGuid -Server $pdc -TargetPath $TargetOU -Credential "$PSCredential"

Is that all I need to do? If so, this is not working. The line of code works fine without the credential line in PowerShell, but does not work in Otter. I am having authentication issues, and need to be able to pass stored credentials I would like these questions answered:

1. Is the $PSCredential being populated from the resource credentials stored in Otter for each server?
2. Are the Username and Password sections populated from a plain text entry or manual intervention to populate the $PSCredential?
3. If 1 and 2 have the answer of no, where are they coming from?

A Get-Asset operation always changes configuration

I am suprised that a "Get-Asset" " always changes configuration in stark contrast to powershell where the verb "get" is a read-only or gathering action only. This action, imho, is very poorly named.

So with that said, even if a collect is read only, I still don't understand why I can't load a script asset and gather/report data? Can a script asset be loaded to be made available for both collect and configure stages? That would be fantastic.

So, I am still struggling to pass the windows credentials stored in the resource credentials stored in the DB. I don't want to enter credentials manually or via in plain text, so unless I can get that stored password value, I fail to see the value in this for Windows Domain authentication. I found the documentation here:

https://docs.inedo.com/docs/otter/reference/functions/powershell/pscredential

But that does nothing to explain it. Does this have the username and password stored from the resource credentials so they can be used like a get-credential variable for domain authentication? I really need to pass the credentials stored in the DB to authenticate, thanks!

To add to this, I need the script assets to work in both the collect and configure passes, and I have not been able to get the module to work in both passes. I am not sure why they are so different, or would be designed in such a manner to disallow this to work. I have a great need to be able to call scripts and or modules to simplify my code and processes. Mostly as I need to keep extensive logging, I need to be able to during both collect and configure stages, I need to gather the existing settings in PowerShell for logging/ retention reasons. I then write that data to the computer's event log to be captured by logging systems.

I am not sure what you mean with the "call PSExecWithMods" example.

Also, I have one module I can run, Test-Module,ps1, but I have another script asset called TestOtter.ps1, and it won't load that PowerShell Asset. The actual content is the same; which makes it strange.

Hello, Just wanted to ask if there has been anyone who has migrated their Otter instance to a new server? Is it just as simple as detaching the DB and reattach to a SQL instance on the new server? Any ideas for my Git based raft? I am using Bitbucket on prem server.

Thanks!

I have been struggling calling PowerShell Script assets when running PSEnsure Configurations. I have used an example that someone sent to me with some success. I am not able to call multiple script assets, and they refuse to load as PowerShell Modules sometimes for no apparent reasons. I would like to ask for a feature to be added that when you call a PowerShell script asset, to allow it to import for you. I also want to verify I can load multiple Script Assets, as I have tried and not succeeded. I have a great need to reuse code across multiple roles as I have nearly ~100 roles currently.

Example:

##AH:UseTextMode

set $ModuleName = Test-Function;
Get-Asset $ModuleName.ps1
(
    Type: Script    
);
set $ModuleNamePath = $PathCombine($WorkingDirectory, $ModuleName.ps1);

PSEnsure
(
    Key: Test-Function,
    Value: True,
    Collect: "$false",
    Configure: >>
    Import-Module -Name "$ModuleNamePath" -Verbose
    
    &$ModuleName

    >>
);

I would like to see as an option for calling the script asset to load the module automatically. I also want to be able to import Powershell modules in the Collect Phase as well.

So, now that I have time to work on this again, to recap, I can create my PSEnsure as I usually do. I can create all of my shared functions as a PowerShell module, and store them as a PowerShell script asset be able to call them as needed in my various roles as needed, and more than just one? I will also not need to copy and manage each PowerShell Module/ Function as a traditional PowerShell module and copy them over to the file system of each server and manage that? If I can create a separate module for each function, store them as a PowerShell Script asset, and call them as needed, then I believe this will work for my PSEnsure roles, and I will be able to standardize the function by calling them from a separate location instead of including them each time with each PSEnsure, which is very cumbersome and costing me a great deal of time.

Is this something that is possible to do? It would help greatly with nailing down witch servers need work and which ones don't.

So I looked over OT-331, and while close, I am looking for each role to report the status of each server that has that role assigned to it, and whether it has drifted or is current. Thanks!

Please add in the roles which servers have Drifted and which ones are Current. One needs to be able to see this information broke down. Possible add something in the API as well for each role to have drifted, current, and the other statuses?

Product: Otter
Version: 2.2.2

Is it possible to have the Inedo Hub roll back to previous versions for you? Thanks!

Product: Otter
Version: 2.2.3

Hello, I am wondering if it would be possible to add support for BITS to be used to distribute Universal Packages instead of using Inedo agent? Every supported version of Windows has BITS, and is allowed through most firewalls, especially since System Center Configuration Manager (SCCM) uses BITS as well.

Product: ProGet
Version: 5.1.23

I have seen this added in the past few beta builds, and this works nice. As a cherry on top, can we get a filter to be added similar to the status filters, etc? Great work and thanks; your work is appreciated!

Alright, I have my one token agent I had to update. Thanks!

Hello, I would like to be able to have provided in a role or list of nested roles, the servers that have drifted or not drifted from each specific role. I want to do this for change control so I have a list of server I can include that need xyz done to them. I don't want to have to click on each server or role to determine this. A PowerShell module would greatly aid in this.

Product: Otter
Version: 2.2.0-beta.15

Hello, my servers are located behind a firewall that blocks access from the internet with a few sites as exceptions. Is there a way to have the agent updates from the Otter server instead of looking at a public cloud? Public clouds will not be granted access to the servers per our security policy. I can update from my Otter server as I have a specific need. Thanks!

Product: Otter
Version: 2.2.0-beta.15