Renewing (or enabling) Windows Remote Management (WinRM) over HTTPS

This post was made possible by the work of two people: Laurie Rhodes and, of course, Vadims Podans.
So don’t thank me for the “hard work”; thank me only for the little adjustments that were needed to make this work…

So, the problem: set up WinRM over HTTPS, so that you can securely manage a remote Windows server with WinRM and PowerShell. Since we are sometimes cheap, we like to use a self-signed certificate and work with firewalled servers, so that not everyone can connect to WinRM.
We once set up WinRM on our remote server with a self-signed certificate, but that worked for only 1 year and a few weeks/months. I say AND a few weeks/months because of the Spooky Certificate issue.
So today we ran into the issue that, when trying to connect to our remote server, we got this error:
WinRM testing failed with the following error:

Renewing this certificate is not easy, so I searched together with my friend Google for a #HowToFixThis 🙂

Firstly, you need to remove the WinRM listener that uses the expired certificate:

  • Open an elevated command prompt or PowerShell prompt.
  • View the currently existing listener with the following command:
  • The CertificateThumbprint will match what is seen on the certificate.
  • To remove the listener use the following command:

Secondly, remove the expired certificate with MMC:

  • Click Run, then type MMC.
  • Go to File > Add/Remove Snap-in.
  • Select Certificates then click Add.
  • Select the Computer Account option.
  • In the left-hand pane, expand Certificates > Personal > Certificates.
  • Right-click the certificate and click Delete.

Now, creating the certificate: I need to use the enhanced version, New-SelfSignedCertificateEx, due to limitations in the Windows 2012 New-SelfSignedCertificate PowerShell module.
Download New-SelfSignedCertificateEx.zip
Extract it to a folder somewhere (e.g. D:\Tools)
Open and run in an admin PowerShell console:

Create a 2nd file D:\Tools\CreateWinRMCert.ps1 with the following content:
Note: change 2 things in this script if you want:
* On the line that starts with New-SelfSignedCertificateEx, change
-NotAfter (Get-Date).AddMonths(60)
to a value that you like. By default, without this parameter, your new certificate will be valid for 12 months only.
* At the end of the script, change your export password:
-ExportPassword "S3cr3tP4ssw0rd"

Run the script in Powershell:

This creates your certificate.
The PowerShell output should look something like:

Use the PFX generated in C:\Users\Administrator\AppData\Local\Temp\2 to import it on your client server, using the password provided above.
After generating this certificate, you need to configure WinRM to use it:

Test and enjoy WinRM again 🙂

SimpleSAMLphp and Apache2.4 with PHP-FPM

When trying to use SimpleSAMLphp in an Apache 2.4 environment with PHP-FPM, you might get the error:

After digging into this, it seems that it has to do with the fact that PATH_INFO is not used in Apache 2.4.11+’s mod_proxy_fcgi: see Apache mod_proxy_fcgi
where you can read:

To make sure that SimpleSAMLphp works without breaking anything else that “fixes paths”, I configured mod_proxy_fcgi by creating a /etc/apache2/mods-enabled/proxy_fcgi.conf file containing:

Afterwards, re-enable the module and restart Apache.

This fixes this problem.

Running multiple Redis instances on the same server.

Setting up multiple Redis instances on the same server is pretty easy, but if you want to be able to easily start/stop and restart instances, you’ll need to play with the init scripts of redis-server.

I needed this to be able to offer Redis buckets to different customers on a shared platform.

This is how I managed to set up multiple instances on the same server.
Since installing redis-server is out of the scope of this article, I’ll only explain what I did to manage multiple Redis Servers.

* Setting up a new INIT script:

* Paste this into the new redis-server init script:

Once that is done, we need to add multiple config files for our different buckets:

And enter some config settings looking like this:

Creating new instances is easily done by copying this initial conf file and adjusting the params (port, name, pid, savefilename, password,…)

Now, if you want to start/stop or restart all redis instances at the same time, this can be done with the normal service command:

The new init script we created above simply indexes all config instances from /etc/redis/servers and manages them one at a time.

Or, if you only want to manage 1 instance at a time, just do something like this for example:

which will restart only the instance running for the website www.nicovs.be.

Since we use this on a shared environment, we have a provisioning system in place, where our customers can change some settings
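Because every instance starts as a copy of the same conf file and customers can change settings, the usual failures are a copied-but-unadjusted port, pid file or dump file, or an instance without a password. The following is an added example, not the init script from this post or from Robofirm, that checks a directory of instance configs for exactly that. It assumes one <name>.conf file per instance and the standard redis.conf directives port, pidfile, dir, dbfilename and requirepass; the function names and sample hostnames are made up for the illustration.

```shell
# Added example, not the post's init script: audit per-instance Redis configs.
# Assumptions: one <name>.conf per instance in a directory such as
# /etc/redis/servers, and directive values that contain no whitespace.

# Print the last value of directive $2 in config file $1, quotes stripped.
conf_get() {
    awk -v key="$2" 'tolower($1) == key { v = $2 }
        END { gsub(/"/, "", v); if (v != "") print v }' "$1"
}

# Emit one finding per line for the instance configs in directory $1.
collect_findings() {
    tmp=$(mktemp) || return 2
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        [ -n "$(conf_get "$conf" requirepass)" ] || echo "$name: requirepass not set"
        # Unset directives fall back to the Redis defaults, which collide too.
        port=$(conf_get "$conf" port); pid=$(conf_get "$conf" pidfile)
        dir=$(conf_get "$conf" dir); rdb=$(conf_get "$conf" dbfilename)
        {
            echo "port ${port:-6379} $name"
            echo "pidfile ${pid:-/var/run/redis.pid} $name"
            echo "rdb ${dir:-.}/${rdb:-dump.rdb} $name"
        } >> "$tmp"
    done
    # The same (resource, value) pair claimed by two instances is a collision.
    LC_ALL=C sort "$tmp" | awk '
        { k = $1 " " $2 }
        k == prev { printf "%s: %s %s already used by %s\n", $3, $1, $2, owner; next }
        { prev = k; owner = $3 }'
    rm -f "$tmp"
}

# Print the findings; return 1 if there are any, 0 if the directory is clean.
audit_instances() {
    out=$(collect_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: the second config was copied without changing port/pidfile.
demo=$(mktemp -d)
printf 'port 6380\npidfile /run/a.pid\ndbfilename a.rdb\nrequirepass "x9"\n' > "$demo/www.example.org.conf"
printf 'port 6380\npidfile /run/a.pid\ndbfilename b.rdb\n' > "$demo/shop.example.org.conf"
audit_instances "$demo" || echo "resolve the findings before starting the instances"
rm -rf "$demo"
```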

This article is based on: Robofirm: Setting up multiple redis instances, but I had to change some configuration to make it work. Anyway, a big thanks to Kirk Madera for pointing me in the right direction!