Ah, legacy project setup. I’ve had to do it. You’ve had to do it. We’ve all had to do it.
It sucks.
Fighting against an immovable wall, I was put to task. How should I go about this?
Raw SIF? No.
SIF-less? No, that jerk didn’t update it to 9.3.
SIA? I guess, but…SIA is rough. Like…really rough. But it’s our best option, so YOLO I guess…
Ok, so I won’t lie. It took me a long time to get things installed. First it was Solr. Then it was SQL. Then it was some base features. Then Mars was in retrograde. Then I typo’d and couldn’t go back to edit a failed install. It was at that point I remembered why I loved Docker so much… anyway, it was what it was. I finally got things running, though…mostly! Ok…SIA said it completed. Which was at least positive. What was not positive? Browsing the site gave this error:
A little google-fu and I came to a bunch of links. Some of them said to purge your cert db. Others said it was fixed in FF 121. I was on version 128, so that wasn’t it… Others said I needed to trust the certificate explicitly. I don’t remember doing that in the past, but I tried. No dice.
I finally came across this Stack Overflow answer, which noted that it could be because the certificate had the wrong usage flag associated with it. Usage Flags are basically a “what’s the cert good for” check. The answer here says that the key generated by SIF is used for “Data Encipherment”, which means the key can be used to encrypt data. In reality, TLS needs “Digital Signature” to prove the origin of the request. It’s a subtle, yet significant, difference.
How do you go about checking this? Open Cert Manager and double-click the cert. Click the Details tab and scroll down to the “Key Usage” line. What did I see?
Well how the hell did that happen? I opened up the latest (2.3 on my machine) version of Certificates.ps1 in the SIF modules to take a peek under the hood. Looking at the code, it was pretty clear that it was using “DigitalSignature” (the value of $BasicKeyUsage).
So why was I getting this error? It turns out SIA has a config key (SifModuleRequiredVersion) in setup.exe.config that lets you set what version of SIF to run. It was set to… 2.2.0. What’s the above code look like in 2.2?
Oh boy.
I updated the config key, removed the entire installation and re-ran SIA. This time… it worked!
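
The Key Usage check from Cert Manager can also be scripted, which helps when an install drops several certificates at once. This is an added example, not code from SIF or from the original troubleshooting; the function name `Get-CertKeyUsageReport` and the default store path `Cert:\LocalMachine\My` are assumptions.

```powershell
# Added example (not SIF code). Reports the Key Usage extension of each
# certificate in a store and flags those that lack DigitalSignature.
function Get-CertKeyUsageReport {
    param(
        # Assumption: store to inspect; change it to where your install put its certs.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $kuType   = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature

    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            $ku = $cert.Extensions | Where-Object { $_ -is $kuType } | Select-Object -First 1

            if ($null -eq $ku) {
                # No Key Usage extension: usage is not restricted by this extension.
                $flags  = '(none present)'
                $status = 'NoKeyUsageExtension'
            }
            elseif ($ku.KeyUsages.HasFlag($required)) {
                $flags  = $ku.KeyUsages.ToString()
                $status = 'OK'
            }
            else {
                # The case from the post, e.g. only DataEncipherment is set.
                $flags  = $ku.KeyUsages.ToString()
                $status = 'MissingDigitalSignature'
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                KeyUsage   = $flags
                Status     = $status
            }
        }
}

# List only the certificates that would need to be regenerated.
Get-CertKeyUsageReport |
    Where-Object Status -eq 'MissingDigitalSignature' |
    Format-Table Subject, Issuer, KeyUsage, NotAfter -AutoSize
```

Run it from an elevated PowerShell prompt after the install finishes; an empty table means every certificate in the store that carries a Key Usage extension includes Digital Signature.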