Forum Discussion

mnagel's avatar
mnagel
Icon for Professor rankProfessor
5 years ago

windows certificate store scan

I have written a DS that uses PowerShell to discover any SSL Certificate within the Windows certificate stores and generates alerts for those expiring soon and for those that have already expired.  The alert messages are still generic as I am fighting a weird timeout issue with the data collection code against remote devices.  The AD code works fine and the data collection code is virtually identical, simpler in fact as we have the serial number on hand.  If I run it from the collector itself in a PS console, it also works fine.  Just seems to go to lunch when run from within LM itself.  If anyone wants to take a look and see if they can find the problem, that would be much appreciated -- my intent is to polish it up and release it publicly.  It is in code review, not clear how long that will take with the new LMExchange feature.

2YPMLN

  • 4 minutes ago, Barb said:

    Hi 

    I am using this DS and getting a situation where in the AD script is picking up the instances but in the collector attributes script it no longer finds the instances. Thou other servers in same environment it works perfectly. Any assistance to help debug, work this out is much appreciated. I cant find any difference in the instances collected in the AD script

    More than likely it is a permissions problem on the server either for calling PowerShell remotely, or for actual script block (below).

    $ScriptBlock = {
        param (
            [bool]$Debug,
            [String]$SerialNumber
        )
        
        if ($Cert = Get-ChildItem -Path cert:LocalMachine -Recurse | Where-Object { $_.SerialNumber -eq $SerialNumber }) {
            # NotAfter can return multiple values, we'll just take the first (zeroth) one using [0]
            $TimeSpan = New-TimeSpan -Start (Get-Date) -End $Cert.NotAfter[0]
            $DaysLeft = $TimeSpan.Days
            Write-Host "DaysLeft=$DaysLeft"
        }
    }

    You might find more detail in the wrapper.log on your collector as far as what errors are happening (or possibly via Poll Now).  NOTE: this code may have changed a bit since the last publication -- I think we did some work to skip replaced certificates at some point.  I just pushed out the latest iteration (ZZKW9P), but it will need to be reviewed again.

  • Thanks for the tip ill look into it - thou if AD script can pull instances is it still possible to be a ps perms issue ?