Certificate Problems on Linux with PowerShell

So we have a Nimble Storage PowerShell Toolkit that can be used to fully manage a Nimble Storage Array. The toolkit exposes the entire API as individual atomic commands, which really is the right way to convert a RestAPI to a PowerShell Toolkit. There are a few really nice features that we designed in from the inception of the project. The first is that we didn’t want ANY compiled code, since raw PowerShell is portable while compiled code has to be refactored for each platform. The second item was to limit the interaction with any external dependencies, in fact the entire toolkit uses almost exclusively the Invoke-RestMethod process.

A single problem occurs however in regards to Invoke-RestMethod. The version of Invoke-RestMethod deployed with PowerShell up to version 5 allows for you to ignore an untrusted/unknown certificate and communicate regardless. We added an option on the toolkit connection command called ‘IgnoreServerCertificate’ which lets you take advantage of this. We also added an option to allow the user to grab the certificate from the Nimble Array and add it to the known/trusted certificate store on a windows machine, this option is called ‘ImportServerCertificate’.

On PowerShell 6 however is a radical change and and some of the default behaviors have changed to become both portable as well as more secure. One example is that on PowerShell 6+ the Invoke-RestMethod command no longer allows you to ignore an untrusted certificate.

PowerShell 6 is also the first version of PowerShell that works on Mac and Linux machines (portability). The problem arises that the certificate store that exists in a windows machine doesn’t translate to how Mac and Linux work, so the ImportServerCertificate command also fails.

So as you can see we are in a quandary;

PowerShell 1-5.x; Both the Ignore and Import Certificate options work

PowerShell 6.x+ on Windows; Only the Import Certificate option works

PowerShell 6.x+ on Linux/Mac; Neither the Ignore or Import Certificate options work

So the only option is to manually import the Nimble Array certificate to my Linux Machine. I have the process layed out below in steps;

Step 1.

Lets ensure that we have the most recent version of PowerShell 6.1.3 from the GitHub repository;

wget https://github/PowerShell/PowerShell/releases/download/v6/1/3/powershell_6.1.3-1.ubuntu.1.8.04_amd64.deb

sudo dpkg -i powershell_6.1.3-1.ubuntu.18.04_amd64.deb

sudo apt-get update

sudo apt-get install -y powershell

Step 2.

We will want to download the PowerShell Module to a server if your environment and place it on a share in a folder in unzipped format. Once the folder is shared out use the following command to copy it to a modules directory on your Linux Server.

I have found that its easier to install an SMBClient and just grab the files that it is to actually mount the share, for that I need to install the SBMClient software

sudo apt-get smbclient

cd /opt/microsoft/powershell/6/Modules

sudo mkdir HPENimblePowerShellToolkit

sudo mkdir HPENimblePowerShellToolkit/en-us

sudo mkdir HPENimblePowerShellToolkit/scripts

smbclient ‘//servername/sharename’ -c ‘lcd HPENimblePowerShellToolkit; cd HPENimblePowerShellToolkit;mget * ‘ -U username=domain/username%password

You will be prompted to give your hit yes to accept the copy operation a number of times on all three SMBClient Commands.

smbclient ‘//servername/sharename’ -c ‘lcd HPENimblePowerShellToolkit; cd HPENimblePowerShellToolkit/en-US;mget * ‘ -U username=domain/username%password

smbclient ‘//servername/sharename’ -c ‘lcd HPENimblePowerShellToolkit; cd HPENimblePowerShellToolkit/scripts;mget * ‘ -U username=domain/username%password

Step 3

To verify they are all in place, you can now open powershell, and should be able to import the module without errors.

sudo pwsh

import-module HPENimblePowerShell


Step 4

Ok, now we need to manually import the certificate from the array and insert it on the Linux machine, the following command does this using the Gnutls library.

sudo apt-get install gnutls

sudo gnutls-cli –printcerts ArrayIP \ < /dev/null \ > ArrayIP.crt

sudo mkdir /usr/local/share/ca-certificates/NimbleArray -m 755

sudo chmod ArrayIP.crt 644

sudo cp ArrayIP.crt /usr/local/share/ca-certificates/NimbleArray/ArrayIP.crt

sudo update-ca-certificates

Step 5

Now that the certificates are in place, we need to modify a single line in the PowerShell module to make this work, You can do this using vi, and the line you want to modify is in the file /HPENimbleToolkit/scripts/helpers.ps1

The individual line is inside the ‘Connect-NSGroup’ function and is around line #85 and the line currently reads ‘ValidateServerCertificate $group’

We need to change this line to read ‘ if ($IsLinux -ne $true) { ValidateServerCertificate $group}’

Once this is saved, you should be able to use the powershell command as follows;

Sudo pwsh

import-module HPENimbleToolkit -force

connect-nsGroup -group NimbleArrayIP -cred admin

You will be prompted for your password, but no longer have to worry about either importing or ignoring the certificate to properly connect. All other commands now work like expected.

I should note that if you make changes to the network configuration of the Nimble array, the Certificate may change, at which point you will need to re-run.

I have come up with modifications for the module to detect that Linux is the base OS, and to allow the ImportServerCertificate argument to work by modifying the behaviour of the command, but you will have to wait for the next release of the toolkit for that to be tested. I also need to test and possibly modify this procedure for other variants of Linux/Unix as well as test against Macs. Next on my list is CentOS.