Merge pull request #1939 from alan-turing-institute/1938-ssl-certificate-error

Fix SSL certificate error

Author: jemrobinson

SECURITY.md

@@ -7,8 +7,8 @@ All organisations using an earlier version in production should update to the la
 
 | Version                                                                                 | Supported          |
 | --------------------------------------------------------------------------------------- | ------------------ |
-| [4.2.1](https://github.com/alan-turing-institute/data-safe-haven/releases/tag/v4.2.1)   | :white_check_mark: |
-| < 4.2.1                                                                                 | :x:                |
+| [4.2.2](https://github.com/alan-turing-institute/data-safe-haven/releases/tag/v4.2.2)   | :white_check_mark: |
+| < 4.2.2                                                                                 | :x:                |
 
 ## Reporting a Vulnerability
 

deployment/CheckRequirements.ps1

@@ -28,6 +28,7 @@ $ModuleVersionRequired = @{
     "Microsoft.Graph.Applications"                 = @("ge", "1.21.0")
     "Microsoft.Graph.Identity.DirectoryManagement" = @("ge", "1.21.0")
     "Microsoft.Graph.Users"                        = @("ge", "1.21.0")
+    "Posh-ACME"                                    = @("ge", "4.23.0")
     "Poshstache"                                   = @("ge", "0.1.10")
     "Powershell-Yaml"                              = @("ge", "0.4.2")
 }

deployment/common/Configuration.psm1

@@ -431,7 +431,7 @@ function Get-ShmConfig {
         hostname                   = $hostname
         hostnameLower              = $hostname.ToLower()
         hostnameUpper              = $hostname.ToUpper()
-        fqdn                       = "${hostname}.$($shm.domain.fqdn)"
+        fqdn                       = "${hostname}.$($shm.domain.fqdn)".ToLower()
         ip                         = Get-NextAvailableIpInRange -IpRangeCidr $shm.network.vnet.subnets.identity.cidr -Offset 4
         external_dns_resolver      = "168.63.129.16"  # https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
         installationDirectory      = "C:\Installation"
@@ -451,7 +451,7 @@ function Get-ShmConfig {
     $shm.dcb = [ordered]@{
         vmName   = $hostname
         hostname = $hostname
-        fqdn     = "${hostname}.$($shm.domain.fqdn)"
+        fqdn     = "${hostname}.$($shm.domain.fqdn)".ToLower()
         ip       = Get-NextAvailableIpInRange -IpRangeCidr $shm.network.vnet.subnets.identity.cidr -Offset 5
     }
 
@@ -613,10 +613,12 @@ function Get-SreConfig {
     $sreConfigBase = Get-CoreConfig -shmId $shmId -sreId $sreId
 
     # Support for "MicrosoftRDS" has been removed. The "remotedDesktopProvider" field now defaults to "ApacheGuacamole"
-    if ($sreConfigBase.remoteDesktopProvider -ne "ApacheGuacamole") {
-        Add-LogMessage -Level Fatal "Support for remote desktops other than ApacheGuacamole has been removed"
-    } elseif ($sreConfigBase.remoteDesktopProvider -eq "ApacheGuacamole") {
-        Add-LogMessage -Level Warning "The remoteDesktopProvider configuration option has been deprecated and will be removed in the future"
+    if ($null -ne $sreConfigBase.remoteDesktopProvider) {
+        if ($sreConfigBase.remoteDesktopProvider -eq "ApacheGuacamole") {
+            Add-LogMessage -Level Warning "The remoteDesktopProvider configuration option has been deprecated and will be removed in the future"
+        } else {
+            Add-LogMessage -Level Fatal "Support for remote desktops other than ApacheGuacamole has been removed"
+        }
     }
     $sreConfigBase.remoteDesktopProvider = "ApacheGuacamole"
 
@@ -661,7 +663,7 @@ function Get-SreConfig {
     $sreDomain = $sreConfigBase.domain ? $sreConfigBase.domain : "$($config.sre.id).$($config.shm.domain.fqdn)".ToLower()
     $config.sre.domain = [ordered]@{
         dn          = "DC=$($sreDomain.Replace('.',',DC='))"
-        fqdn        = $sreDomain
+        fqdn        = "$sreDomain".ToLower()
         netbiosName = $($config.sre.id).ToUpper() | Limit-StringLength -MaximumLength 15 -FailureIsFatal
     }
     $config.sre.domain.securityGroups = [ordered]@{
@@ -892,7 +894,7 @@ function Get-SreConfig {
     foreach ($server in $config.sre.remoteDesktop.Keys) {
         if (-not $config.sre.remoteDesktop[$server].vmName) { continue }
         $config.sre.remoteDesktop[$server].hostname = $config.sre.remoteDesktop[$server].vmName
-        $config.sre.remoteDesktop[$server].fqdn = "$($config.sre.remoteDesktop[$server].vmName).$($config.shm.domain.fqdn)"
+        $config.sre.remoteDesktop[$server].fqdn = "$($config.sre.remoteDesktop[$server].vmName).$($config.shm.domain.fqdn)".ToLower()
     }
 
     # Set the appropriate tier-dependent network rules for the remote desktop server
@@ -980,7 +982,7 @@ function Get-SreConfig {
     # Construct the hostname and FQDN for each VM
     foreach ($server in $config.sre.webapps.Keys) {
         if ($config.sre.webapps[$server] -IsNot [System.Collections.Specialized.OrderedDictionary]) { continue }
-        $config.sre.webapps[$server].fqdn = "$($config.sre.webapps[$server].hostname).$($config.sre.domain.fqdn)"
+        $config.sre.webapps[$server].fqdn = "$($config.sre.webapps[$server].hostname).$($config.sre.domain.fqdn)".ToLower()
         $config.sre.webapps[$server].vmName = "$($config.sre.webapps[$server].hostname)-SRE-$($config.sre.id)".ToUpper()
     }
 

deployment/secure_research_environment/setup/Update_SRE_SSL_Certificate.ps1

@@ -16,8 +16,8 @@ Import-Module Az.Compute
 Import-Module Az.KeyVault
 Import-Module $PSScriptRoot/../../common/AzureCompute -Force -ErrorAction Stop
 Import-Module $PSScriptRoot/../../common/AzureKeyVault -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Configuration -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Logging -ErrorAction Stop
+Import-Module $PSScriptRoot/../../common/Configuration -Force -ErrorAction Stop
+Import-Module $PSScriptRoot/../../common/Logging -Force -ErrorAction Stop
 
 
 # Check that we are authenticated in Azure

environment_configs/sre_bluet1guac_core_config.json

@@ -10,7 +10,6 @@
         "type": "Ubuntu",
         "version": "20.04.2024032600"
     },
-    "remoteDesktopProvider": "ApacheGuacamole",
     "dataAdminIpAddresses": ["193.60.220.253"],
     "databases": ["MSSQL", "PostgreSQL"]
 }

environment_configs/sre_bluet2guac_core_config.json

@@ -10,7 +10,6 @@
         "type": "Ubuntu",
         "version": "20.04.2024032600"
     },
-    "remoteDesktopProvider": "ApacheGuacamole",
     "dataAdminIpAddresses": ["193.60.220.253"],
     "databases": ["MSSQL", "PostgreSQL"]
 }

environment_configs/sre_bluet3guac_core_config.json

@@ -10,7 +10,6 @@
         "type": "Ubuntu",
         "version": "20.04.2024032600"
     },
-    "remoteDesktopProvider": "ApacheGuacamole",
     "dataAdminIpAddresses": ["193.60.220.240"],
     "databases": ["MSSQL", "PostgreSQL"]
 }

environment_configs/sre_greent1guac_core_config.json

@@ -10,7 +10,6 @@
         "type": "Ubuntu",
         "version": "20.04.2024032600"
     },
-    "remoteDesktopProvider": "ApacheGuacamole",
     "dataAdminIpAddresses": ["193.60.220.253"],
     "databases": ["MSSQL", "PostgreSQL"]
 }

environment_configs/sre_greent2guac_core_config.json

@@ -10,7 +10,6 @@
         "type": "Ubuntu",
         "version": "20.04.2024032600"
     },
-    "remoteDesktopProvider": "ApacheGuacamole",
     "dataAdminIpAddresses": ["193.60.220.253"],
     "databases": ["MSSQL", "PostgreSQL"]
 }

environment_configs/sre_greent3guac_core_config.json

@@ -10,7 +10,6 @@
         "type": "Ubuntu",
         "version": "20.04.2024032600"
     },
-    "remoteDesktopProvider": "ApacheGuacamole",
     "dataAdminIpAddresses": ["193.60.220.240"],
     "databases": ["MSSQL", "PostgreSQL"]
 }