Powershell 5.1 workaround (can't install chocolatey using chocolatey-chocolatey 1.2.6) #163

Open
alexberry opened this issue Feb 7, 2020 · 1 comment

alexberry commented Feb 7, 2020

Older versions of PowerShell 5.1 do not negotiate TLS versions; chocolatey.org recently disabled TLS 1 and this broke their install script. Your Puppet run will produce an error something like:

2020/02/07 10:11:57Z: Message: The errors from user scripts: puppet : Error: '# ========================================
======================================
At C:\Windows\TEMP\UserScript.ps1:15 char:1
+ puppet agent -vt --server=blahblahblah --certn ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Error: '...===============:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

The right way to fix this is to patch your servers; the wrong way to do it is to borrow my fix in the interim:

https://github.com/alexberry/puppet-chocolatey/releases/tag/1.2.6-pwsh-workaround

Forked from this module, based on the latest tag, a two-line patch that upgrades the TLS version used by PowerShell ahead of the request. The setting is transient and only good for that shell, so should have no further ill effect.

You can include it in your Puppetfile as follows. First, remove the chocolatey-chocolatey module from your Puppetfile:

-mod 'chocolatey-chocolatey', '1.2.6'

Then add in this module:

+mod 'chocolatey',
+    :git => 'git://github.com/alexberry/puppet-chocolatey',
+    :ref => '1.2.6-pwsh-workaround'
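
Review bot: the added `:git` line uses the `git://` scheme, which is unauthenticated and unencrypted, so the module content can be altered in transit before it reaches the Puppet server; use the `https://` URL of the same repository instead. The `:ref` value is a tag, which can be moved after the fact, so pinning to a full commit SHA would make the Puppetfile entry reproducible.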

Or, better yet, fork this module yourself, then save the following patch as workaround.patch:

diff --git a/templates/InstallChocolatey.ps1.erb b/templates/InstallChocolatey.ps1.erb
index 2dba364..8698faa 100644
--- a/templates/InstallChocolatey.ps1.erb
+++ b/templates/InstallChocolatey.ps1.erb
@@ -68,6 +68,8 @@ param (
   [string]$url,
   [string]$file
  )
+  Write-Output "Bodging tls"
+  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
   Write-Output "Downloading $url to $file"
   $downloader = new-object System.Net.WebClient
   $downloader.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;
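
Review bot: the added assignment `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` replaces the whole set of enabled protocols rather than adding to it, and the property is static, so every later request made by this process is limited to TLS 1.2 as well. Consider OR-ing the flag into the current value with `-bor` so that anything already enabled stays enabled. The `Write-Output "Bodging tls"` line would be more useful in the Puppet log if it named the protocol being enabled.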

Patch it as follows:

git clone https://github.com/<pathtoyourforkedrepo>
cd puppet-chocolatey
git checkout 1.2.6
git switch -c oldpwsh-workaround
git apply ../workaround.patch
git commit -a
git tag 1.2.6-pwsh-workaround
git push origin oldpwsh-workaround 1.2.6-pwsh-workaround

And then make the same Puppetfile changes as above, substituting in the URL to your fork.

Not adding a pull request as this is an archived module; you should really use puppetlabs-chocolatey instead, although a similar workaround may be needed there too.
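
The workaround above changes a process-wide .NET setting before the download. As an added example that is not part of the original post or of either Chocolatey module, the following sketch enables TLS 1.2 only for the duration of one action and then restores the previous value; `Invoke-WithTls12` is a hypothetical helper name.

```powershell
# Added example, not code from the chocolatey module.
# Invoke-WithTls12 is a hypothetical helper name.
function Invoke-WithTls12 {
    param(
        [Parameter(Mandatory = $true)]
        [scriptblock]$Action
    )

    # ServicePointManager.SecurityProtocol is static, so it applies to the
    # whole PowerShell process, not just to the next request.
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        # A value of 0 means the OS default is in use (newer .NET Framework
        # builds); leave that alone. Otherwise add TLS 1.2 to the protocols
        # that are already enabled instead of replacing them.
        if ([int]$previous -ne 0) {
            [Net.ServicePointManager]::SecurityProtocol =
                $previous -bor [Net.SecurityProtocolType]::Tls12
        }
        & $Action
    }
    finally {
        # Restore the original value so later code in this process is unaffected.
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Constructed usage: show the protocol set seen inside and after the call.
# No network access is needed for this demonstration.
$inside = Invoke-WithTls12 { [Net.ServicePointManager]::SecurityProtocol }
Write-Output "Inside the call: $inside"
Write-Output "After the call:  $([Net.ServicePointManager]::SecurityProtocol)"
```

In an install script, the download call would go inside the script block passed to the helper.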

@alexberry alexberry changed the title Powershell 5.1 workaround Powershell 5.1 workaround (can't install chocolatey using chocolatey-chocolatey 1.2.6) Feb 7, 2020

alexberry commented Feb 7, 2020

Looks like the puppetlabs-managed version of this module manages this already: https://github.com/puppetlabs/puppetlabs-chocolatey/blob/master/templates/InstallChocolatey.ps1.erb#L70-L78

TLDR switch to puppetlabs' module at your earliest convenience!
