diff --git a/Set-SslSecurity.ps1 b/Set-SslSecurity.ps1 index 407ece2..d40b5c0 100644 --- a/Set-SslSecurity.ps1 +++ b/Set-SslSecurity.ps1 @@ -103,15 +103,15 @@ process { } } + # Put certificate in TrustedPeople + Copy-CertToStore -Certificate $Certificate + <# Nexus #> # Stop Services/Processes/Websites required Stop-Service nexus - # Put certificate in TrustedPeople - Copy-CertToStore -Certificate $Certificate - # Generate Nexus keystore - New-NexusCert -Thumbprint $Certificate.Thumbprint + Set-NexusCert -Thumbprint $Certificate.Thumbprint # Add firewall rule for Nexus netsh advfirewall firewall add rule name="Nexus-8443" dir=in action=allow protocol=tcp localport=8443 @@ -144,7 +144,7 @@ process { (Get-Content -Path $ClientScript) -replace "{{hostname}}", $SubjectWithoutCn | Set-Content -Path $ClientScript New-NexusRawComponent -RepositoryName 'choco-install' -File $ClientScript - if ($Hardened) { + if ($Hardened) { # Disable anonymous authentication Set-NexusAnonymousAuth -Disabled diff --git a/scripts/Get-Helpers.ps1 b/scripts/Get-Helpers.ps1 index 7170a15..8ef2998 100644 --- a/scripts/Get-Helpers.ps1 +++ b/scripts/Get-Helpers.ps1 @@ -1458,11 +1458,15 @@ function Get-RemoteCertificate { } } -function New-NexusCert { +function Set-NexusCert { [CmdletBinding()] param( - [Parameter()] - $Thumbprint + # The thumbprint of the certificate to configure Nexus to use, from the LocalMachine\TrustedPeople store. + [Parameter(Mandatory)] + $Thumbprint, + + # The port to set Nexus to use for https. + $Port = 8443 ) if ((Test-Path C:\ProgramData\nexus\etc\ssl\keystore.jks)) { 
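Review bot: The firewall rule two lines below the renamed `Set-NexusCert -Thumbprint $Certificate.Thumbprint` call still hard-codes `localport=8443`, while Set-NexusCert now takes a `-Port` parameter (default 8443, per the scripts/Get-Helpers.ps1 hunk in this commit), so the listener port and the allowed port agree only because the default is never overridden here. Either pass the same value to both or record the coupling on the netsh line, e.g. `# Must match the -Port given to Set-NexusCert (default 8443)`. Moving Copy-CertToStore ahead of Stop-Service nexus looks fine. The enclosing process block starts and ends outside the hunk.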
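Review bot: `$Port = 8443` in the new Set-NexusCert param block is untyped, so any string is accepted and, in the @@ -1497 hunk of this file, written verbatim into nexus.properties as `application-port-ssl=$Port`; a value that is not a port number (including one containing a newline) lands in the config unchecked. scripts/Set-NexusCert.ps1 in this same commit already declares `[uint16]$Port = 8443`, so the helper should match it: `[ValidateRange(1, 65535)] [uint16] $Port = 8443`. The same inconsistency applies to `$Thumbprint`, which the script types as `[string]` while the helper leaves it untyped. The function body continues past the hunk.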
@@ -1497,13 +1501,18 @@ function New-NexusCert { $nexusPath = 'C:\ProgramData\sonatype-work\nexus3' $configPath = "$nexusPath\etc\nexus.properties" - $configStrings = @('jetty.https.stsMaxAge=-1', 'application-port-ssl=8443', 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml') + (Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath + + $configStrings = @('jetty.https.stsMaxAge=-1', "application-port-ssl=$Port", 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml') $configStrings | ForEach-Object { if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) { $_ | Add-Content -Path $configPath } } + if ((Get-Service Nexus).Status -eq 'Running') { + Restart-Service Nexus + } } function Test-SelfSignedCertificate { diff --git a/scripts/Set-NexusCert.ps1 b/scripts/Set-NexusCert.ps1 index cc27dd2..4a00397 100644 --- a/scripts/Set-NexusCert.ps1 +++ b/scripts/Set-NexusCert.ps1 
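Review bot: The new `if ((Get-Service Nexus).Status -eq 'Running') { Restart-Service Nexus }` guard never starts a stopped Nexus, and Set-SslSecurity.ps1 in this same commit runs `Stop-Service nexus` immediately before calling Set-NexusCert, so in that flow the keystore and properties are rewritten but nothing in this function brings the service back; presumably a later Start-Service does that outside the hunk. If that split of responsibility is intended, say so on the guard: `# Only bounce Nexus when it is already running; callers that stopped it beforehand are expected to start it themselves.` The standalone scripts/Set-NexusCert.ps1 hunk replaces its unconditional `Restart-Service nexus` with a call to this function, so a user running it against a stopped service now sees the "Nexus service is now rebooting" message with no restart having happened. Set-NexusCert's body starts before this hunk.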
@@ -20,66 +20,22 @@ param( [Parameter(Mandatory)] [string] $Thumbprint, + [string]$Thumbprint, [Parameter()] - [string] - $NexusPort = '8443' + [uint16]$Port = 8443 ) -begin { - if($host.name -ne 'ConsoleHost') { - Write-Warning "This script cannot be ran from within PowerShell ISE" - Write-Warning "Please launch powershell.exe as an administrator, and run this script again" - break - } +if ($host.name -ne 'ConsoleHost') { + Write-Warning "This script cannot be ran from within PowerShell ISE" + Write-Warning "Please launch powershell.exe as an administrator, and run this script again" + break } -process { - $ErrorActionPreference = 'Stop' -if ((Test-Path C:\ProgramData\nexus\etc\ssl\keystore.jks)) { - Remove-Item C:\ProgramData\nexus\etc\ssl\keystore.jks -Force -} - -$KeyTool = "C:\ProgramData\nexus\jre\bin\keytool.exe" -$password = "chocolatey" | ConvertTo-SecureString -AsPlainText -Force -$certificate = Get-ChildItem Cert:\LocalMachine\TrustedPeople\ | Where-Object { $_.Thumbprint -eq $Thumbprint } | Sort-Object | Select-Object -First 1 - -Write-Host "Exporting .pfx file to C:\, will remove when finished" -ForegroundColor Green -$certificate | Export-PfxCertificate -FilePath C:\cert.pfx -Password $password -Get-ChildItem -Path c:\cert.pfx | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Exportable -Password $password -Write-Warning -Message "You'll now see prompts and other outputs, things are working as expected, don't do anything" -$string = ("chocolatey" | & $KeyTool -list -v -keystore C:\cert.pfx) -match '^Alias.*' -$currentAlias = ($string -split ':')[1].Trim() - -$passkey = '9hPRGDmfYE3bGyBZCer6AUsh4RTZXbkw' -& $KeyTool -importkeystore -srckeystore C:\cert.pfx -srcstoretype PKCS12 -srcstorepass chocolatey -destkeystore C:\ProgramData\nexus\etc\ssl\keystore.jks -deststoretype JKS -alias $currentAlias -destalias jetty -deststorepass $passkey -& $KeyTool -keypasswd -keystore C:\ProgramData\nexus\etc\ssl\keystore.jks -alias jetty -storepass 
$passkey -keypass chocolatey -new $passkey - -$xmlPath = 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml' -[xml]$xml = Get-Content -Path 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml' -foreach ($entry in $xml.Configure.New.Where{ $_.id -match 'ssl' }.Set.Where{ $_.name -match 'password' }) { - $entry.InnerText = $passkey -} - -$xml.OuterXml | Set-Content -Path $xmlPath - -Remove-Item C:\cert.pfx - -$nexusPath = 'C:\ProgramData\sonatype-work\nexus3' -$configPath = "$nexusPath\etc\nexus.properties" - -(Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath - -$configStrings = @('jetty.https.stsMaxAge=-1', "application-port-ssl=$NexusPort", 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml') -$configStrings | ForEach-Object { - if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) { - $_ | Add-Content -Path $configPath - } -} +. $PSScriptRoot\Get-Helpers.ps1 -Restart-Service nexus +Set-NexusCert -Thumbprint $Thumbprint -Port $Port -Write-Host -BackgroundColor Black -ForegroundColor DarkGreen "The script has successfully run and the Nexus service is now rebooting for the changes to take effect." -} \ No newline at end of file +Write-Host -BackgroundColor Black -ForegroundColor DarkGreen "The script has successfully run and the Nexus service is now rebooting for the changes to take effect." \ No newline at end of file
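Review bot: As the hunk reads, the param block keeps the context lines `[string]` / `$Thumbprint,` and adds `[string]$Thumbprint,` directly after them, so `$Thumbprint` appears to be declared twice, which PowerShell rejects as a duplicate parameter; if the first pair was meant to go, the diff does not show it removed, so please confirm against the file. The hunk also drops `$ErrorActionPreference = 'Stop'` along with the old process block and does not set it at the new top level, so a non-terminating error inside the dot-sourced Set-NexusCert no longer stops the script and the green success banner is printed regardless; add `$ErrorActionPreference = 'Stop'` before `. $PSScriptRoot\Get-Helpers.ps1`. `[uint16]$Port = 8443` still accepts 0, which is not a usable listener port; a `[ValidateRange(1, 65535)]` attribute above it would reject that at bind time.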