azure-pipelines-tasks: AzureFileCopy@4 to VM with WinRM prerequisites is creating invalid Expired Certificate (1/1/2022)

Note

Issues in this repo are for tracking bugs, feature requests and questions for the tasks in this repo

For a list:
https://github.com/Microsoft/azure-pipelines-tasks/tree/master/Tasks

If you have an issue or request for the Azure Pipelines service, use developer community instead:

https://developercommunity.visualstudio.com/spaces/21/index.html

Required Information

Entering this information will route you directly to the right team and expedite traction.

Question, Bug, or Feature?
Type: Bug

Enter Task Name: AzureFileCopy@4

list here (V# not needed):
https://github.com/Microsoft/azure-pipelines-tasks/tree/master/Tasks

Environment

  • Server - Azure Pipelines
    • If using Azure Pipelines, provide the account name: sword-grc,
    • team project name: ARM
    • build definition name: BranchTestPrototype
    • build number: 60300

Build Link

  • Agent - Hosted:
    • If using Hosted agent, provide agent queue name: Azure Pipelines

Issue Description

Self-Certified Certificate created on VM by FileCopy prerequisites has expiry date of 1/1/2022, hence is invalid and so WinRM copy fails with message:

"The remote session query failed for 13.87.91.35 with the following error message: The server certificate on the destination computer (13.87.91.35:5986) has the following errors:      
The SSL certificate is expired."

Explanation: ConfigureWinRM.ps1 has code which erroneously hardwires the expiry date of the certificate as follows:

$serial = Get-Random
# -e 01/01/2022 is the hard-coded expiry date
.\makecert -r -pe -n CN=$hostname -b 01/01/2012 -e 01/01/2022 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -# $serial 2>&1 | Out-Null

ConfigureWinRM

Task logs

[Enable debug logging and please provide the zip file containing all the logs for a speedy resolution]

2022-01-04T17:51:34.2640866Z ##[section]Starting: Copy Files
2022-01-04T17:51:34.2762104Z ==============================================================================
2022-01-04T17:51:34.2762469Z Task : Azure file copy
2022-01-04T17:51:34.2762789Z Description : Copy files to Azure Blob Storage or virtual machines
2022-01-04T17:51:34.2763069Z Version : 4.195.0
2022-01-04T17:51:34.2763324Z Author : Microsoft Corporation
2022-01-04T17:51:34.2763679Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-file-copy
2022-01-04T17:51:34.2764090Z ==============================================================================
2022-01-04T17:51:35.6812335Z ##[command]Import-Module -Name C:\Modules\az_6.5.0\Az.Accounts\2.7.0\Az.Accounts.psd1 -Global
2022-01-04T17:51:36.9280390Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2022-01-04T17:51:37.9678495Z ##[command]Clear-AzContext -Scope Process
2022-01-04T17:51:38.6841511Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant *** -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2022-01-04T17:51:40.3167982Z ##[command] Set-AzContext -SubscriptionId 61e25dca-a55a-45ee-9a73-80b5b16e99a2 -TenantId ***
2022-01-04T17:51:41.7602777Z ##[command]Import-Module -Name C:\Modules\az_6.5.0\Az.Resources\4.4.0\Az.Resources.psd1 -Global
2022-01-04T17:51:42.8948128Z ##[command]Import-Module -Name C:\Modules\az_6.5.0\Az.Storage\3.12.0\Az.Storage.psd1 -Global
2022-01-04T17:51:43.3003941Z ##[command]Import-Module -Name C:\Modules\az_6.5.0\Az.Compute\4.17.1\Az.Compute.psd1 -Global
2022-01-04T17:51:44.8576897Z ##[command]Import-Module -Name C:\Modules\az_6.5.0\Az.Network\4.12.0\Az.Network.psd1 -Global
2022-01-04T17:51:52.3485872Z ##[command] & “AzCopy\AzCopy.exe” login --service-principal --application-id “" --tenant-id="” --aad-endpoint “https://login.windows.net/”
2022-01-04T17:51:52.3877133Z INFO: If you set an environment variable by using the command line, that variable will be readable in your command line history. Consider clearing variables that contain credentials from your command line history. To keep variables from appearing in your history, you can use a script to prompt the user for their credentials, and to set the environment variable.
2022-01-04T17:51:52.5378968Z INFO: AzCopy.exe: A newer version 10.13.0 is available to download
2022-01-04T17:51:52.5379412Z
2022-01-04T17:51:52.6670910Z INFO: SPN Auth via secret succeeded.
2022-01-04T17:51:52.7774150Z INFO: AzCopy.exe: A newer version 10.13.0 is available to download
2022-01-04T17:51:52.7776936Z
2022-01-04T17:51:52.7859690Z Uploading files from source path: ‘D:\a\1\s’ to storage account: ‘armdeployfilestorage’ in container: ‘30fbf4d0-2a75-4e2f-a8a7-a77aa4a9d9c7’ with blob prefix: ‘’
2022-01-04T17:51:52.7957640Z ##[command] & “AzCopy\AzCopy.exe” copy “D:\a\1\s” “https://armdeployfilestorage.blob.core.windows.net/30fbf4d0-2a75-4e2f-a8a7-a77aa4a9d9c7” --log-level=INFO --recursive
2022-01-04T17:51:52.8357960Z INFO: Scanning…
2022-01-04T17:51:52.8359470Z INFO: Authenticating to destination using Azure AD
2022-01-04T17:51:53.0512443Z INFO: AzCopy.exe: A newer version 10.13.0 is available to download
2022-01-04T17:51:53.0513192Z
2022-01-04T17:51:53.0880420Z INFO: Any empty folders will not be processed, because source and/or destination doesn’t have full folder support
2022-01-04T17:51:53.0948435Z
2022-01-04T17:51:53.0974649Z Job 392de216-ebd4-8b4b-67a2-c3ce235da969 has started
2022-01-04T17:51:53.0976731Z Log file is located at: C:\Users\VssAdministrator.azcopy\392de216-ebd4-8b4b-67a2-c3ce235da969.log
2022-01-04T17:51:53.0978594Z
2022-01-04T17:51:53.1011154Z
2022-01-04T17:51:55.0931441Z 0.0 %, 0 Done, 0 Failed, 83 Pending, 0 Skipped, 83 Total,
2022-01-04T17:51:57.0933617Z 7.5 %, 81 Done, 0 Failed, 2 Pending, 0 Skipped, 83 Total, 2-sec Throughput (Mb/s): 793.5969
2022-01-04T17:51:59.0936567Z 51.1 %, 82 Done, 0 Failed, 1 Pending, 0 Skipped, 83 Total, 2-sec Throughput (Mb/s): 1444.9781
2022-01-04T17:52:01.0946692Z 97.8 %, 82 Done, 0 Failed, 1 Pending, 0 Skipped, 83 Total, 2-sec Throughput (Mb/s): 840.9941
2022-01-04T17:52:01.0950890Z
2022-01-04T17:52:01.0951510Z
2022-01-04T17:52:01.0952232Z Job 392de216-ebd4-8b4b-67a2-c3ce235da969 summary
2022-01-04T17:52:01.0952754Z Elapsed Time (Minutes): 0.1334
2022-01-04T17:52:01.0953213Z Number of File Transfers: 83
2022-01-04T17:52:01.0953703Z Number of Folder Property Transfers: 0
2022-01-04T17:52:01.0954185Z Total Number of Transfers: 83
2022-01-04T17:52:01.0954661Z Number of Transfers Completed: 83
2022-01-04T17:52:01.0955134Z Number of Transfers Failed: 0
2022-01-04T17:52:01.0955574Z Number of Transfers Skipped: 0
2022-01-04T17:52:01.0956543Z TotalBytesTransferred: 770165203
2022-01-04T17:52:01.0958237Z Final Job Status: Completed
2022-01-04T17:52:01.0960772Z
2022-01-04T17:52:01.2398620Z Uploaded files successfully from source path: ‘D:\a\1\s’ to storage account: ‘armdeployfilestorage’ in container: ‘30fbf4d0-2a75-4e2f-a8a7-a77aa4a9d9c7’ with blob prefix: ‘’
2022-01-04T17:52:01.2411793Z ##[command] & “AzCopy\AzCopy.exe” logout
2022-01-04T17:52:01.2708972Z INFO: Logout succeeded.
2022-01-04T17:52:01.4340413Z INFO: AzCopy.exe: A newer version 10.13.0 is available to download
2022-01-04T17:52:01.4343249Z
2022-01-04T17:52:01.4344082Z INFO: AzCopy.exe: A newer version 10.13.0 is available to download
2022-01-04T17:52:01.4345093Z
2022-01-04T17:52:08.1438358Z [Azure Call]Getting the custom script extension ‘WinRMCustomScriptExtension’ for vm ‘swordvmcertific’
2022-01-04T17:52:09.1974444Z [Azure Call]Setting the custom script extension ‘WinRMCustomScriptExtension’ for vm ‘swordvmcertific’
2022-01-04T17:53:11.6823169Z [Azure Call]Set the custom script extension ‘WinRMCustomScriptExtension’ for vm ‘swordvmcertific’
2022-01-04T17:53:11.9397238Z [Azure Call]Getting the status for vm ‘swordvmcertific’
2022-01-04T17:53:12.8578801Z [Azure Call]Got the status for vm ‘swordvmcertific’
2022-01-04T17:54:52.1830507Z ##[warning]A parameter cannot be found that matches parameter name ‘and’.
2022-01-04T17:54:52.2781308Z ##[error]The remote session query failed for 13.87.91.35 with the following error message: The server certificate on the destination computer (13.87.91.35:5986) has the following errors:
The SSL certificate is expired.
2022-01-04T17:54:52.3372826Z ##[section]Finishing: Copy Files

Troubleshooting

Checkout how to troubleshoot failures and collect debug logs: https://docs.microsoft.com/en-us/vsts/build-release/actions/troubleshooting

Error logs

2022-01-04T17:54:52.2781308Z ##[error]The remote session query failed for 13.87.91.35 with the following error message: The server certificate on the destination computer (13.87.91.35:5986) has the following errors:
The SSL certificate is expired.

ConfigureWinRM

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 31 (6 by maintainers)

Most upvoted comments

I was able to test this and confirmed it worked @v-ibshaik . Here is the updated powershell script and instructions, make sure to use this on the target VM. This is a workaround, I’ve also created a Severity A support ticket with Microsoft and their Product Team is pushing a patch into place. Until then, use this:

# 1: download makecert put in same directory as powershell script: https://aka.ms/vstsmakecertexe
# 2: copy paste script into ADMIN powershell ISE
# 3: Change the below variable
# 4: Open up certificates.msc and delete your personal store, expired certificate on the TARGET VM
# 5: Run script

$hostname = '<USE IP or FQDN hostname>'

$thumbprint = (Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=" + $hostname } | Select-Object -Last 1).Thumbprint

if(-not $thumbprint)
{
    if(-not (Test-Path -Path .\makecert.exe))
    {
        throw "File not found: makecert.exe"
    }
    .\makecert -r -pe -n CN=$hostname -b (Get-Date).ToString('MM/dd/yyyy') -e (Get-Date).Addyears(10).ToString('MM/dd/yyyy') -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
    $thumbprint=(Get-ChildItem cert:\Localmachine\my | Where-Object { $_.Subject -eq "CN=" + $hostname } | Select-Object -Last 1).Thumbprint

    if(-not $thumbprint)
    {
        throw "Failed to create the test certificate."
    }
} 

# Delete all existing win rm listener
function Delete-WinRMListener
{
    $config = winrm enumerate winrm/config/listener
    foreach($conf in $config)
    {
        if($conf.Contains("HTTPS"))
        {
            Write-Verbose -Verbose "HTTPS is already configured. Deleting the existing configuration."
            winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
            break
        }
    }
}

Delete-WinRMListener 



# Recreate WinRM listener with new certificate created above
$WinrmCreate = "winrm create --% winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"$hostName`";CertificateThumbprint=`"$thumbPrint`"}"
Invoke-Expression $WinrmCreate
winrm set winrm/config/service/auth '@{Basic="true"}'
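
A check that could be run on the target VM to catch this condition before a pipeline run, given here as an added example that is not part of the original comment or of ConfigureWinRM.ps1: it resolves the certificate bound to each WinRM HTTPS listener and classifies it by expiry. The function names, the 30-day warning window and the sample certificate are assumptions made for illustration.

```powershell
# Added example; function names are hypothetical, not from azure-pipelines-tasks.

function Get-CertExpiryStatus {
    # Classify a certificate as Expired / ExpiringSoon / Ok relative to $Now.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Certificate,  # needs Subject, Thumbprint, NotAfter
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 30                                     # assumed warning window
    )
    process {
        $daysLeft = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        $status = 'Ok'
        if ($Certificate.NotAfter -le $Now) { $status = 'Expired' }
        elseif ($daysLeft -lt $WarnDays)    { $status = 'ExpiringSoon' }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

function Get-WinRMHttpsListenerCert {
    # Return the certificate object bound to each WinRM HTTPS listener on this machine.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        ForEach-Object {
            $thumb = (Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" |
                      Where-Object Name -eq 'CertificateThumbprint').Value
            $thumb = $thumb -replace '\s', ''   # listener config may store the thumbprint with spaces
            if ($thumb) { Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue }
        }
}

# Constructed sample mirroring the issue: a certificate whose validity ends 01/01/2022,
# evaluated at the time of the failed pipeline run.
$sample = [pscustomobject]@{
    Subject    = 'CN=vm.example.test'          # constructed value
    Thumbprint = '<placeholder-thumbprint>'    # constructed value
    NotAfter   = [datetime]'2022-01-01'
}
$sample | Get-CertExpiryStatus -Now ([datetime]'2022-01-04T17:54:52')

# On the target VM, in an elevated session:
# Get-WinRMHttpsListenerCert | Get-CertExpiryStatus
```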

We are also encountering the same issue with AzureFileCopy version 3. This has a high impact as we are currently unable to use our DevOps pipelines to deploy.

Is anyone able to suggest any temporary workarounds?

@richRubie This issue is not closed, it can only be fixed by running the script I posted on Jan 14.

Great news, thanks. Has it been deployed to the production environment?


From: v-ibshaik
Sent: Tuesday, January 18, 2022 8:56:36 AM
To: microsoft/azure-pipelines-tasks
Cc: Marcus Richards; Author
Subject: Re: [microsoft/azure-pipelines-tasks] @.*** to VM with WinRM prerequisites is creating invalid Expired Certificate (1/1/2022) (Issue #15656)

Hi All,

We have fixed the issue.

Thanks.


We are able to repro the issue on our local machine. Now we are updating code changes.