Merge pull request #1060 from vexx32/ccm-connnection-strings

(#1057) Add connection string info and update dependency information for CCM 0.13.0

Author: gep13

src/components/docs/CentralManagementSecureConnectionStrings.mdx

@@ -0,0 +1,14 @@
+---
+
+---
+
+import Callout from '@choco/components/Callout.astro';
+
+<Callout type="warning">
+    As of Chocolatey Central Management v0.13.0, the SQL connection mode has changed to secure-by-default. By default, all connection strings will assume `Encrypt=true;` and attempt a connection to the SQL Server over SSL. If you wish to disable this, you must pass a complete connection string to the `/ConnectionString` package parameter that contains an explicit `Encrypt=false;` parameter.
+
+    To accommodate this new default, the package installation will automatically add the `TrustServerCertificate=True` parameter to the connection string it constructs or receives if the initial connection to the SQL server fails without it.
+
+    If you would like to ensure a completely secure SQL connection, you must [install a trusted SSL Certificate on the SQL Server instance](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/manage-certificates?view=sql-server-ver16) before installing, upgrading, or reinstalling Chocolatey Central Management packages.
+    If you have already installed v0.13.0 or later versions of Chocolatey Central Management, you will need to explicitly pass the SQL connection package parameters when upgrading or reinstalling in order to ensure the connection is established in a fully secure mode.
+</Callout>

src/content/docs/en-us/central-management/index.mdx

@@ -46,17 +46,9 @@ Chocolatey Central Management has specific needs that are mostly handled by pack
 
 |Chocolatey Central Management|Chocolatey Agent|Chocolatey Licensed Extension|Chocolatey|
 |-----------------------------|----------------|-----------------------------|----------|
-|0.10.0                       |1.1.0+          | 4.2.0+                      | 1.1.0+   |
-|0.9.0                        |1.0.0+          | 4.1.1+                      | 1.1.0+   |
-|0.8.0                        |0.13.0+         | 3.2.0+                      | 0.12.0+  |
-|0.7.0                        |0.11.0+         | 2.1.0+                      | 0.10.15+ |
-|0.6.x                        |0.11.0+         | 2.1.0+                      | 0.10.15+ |
-|0.5.x                        |0.11.0+         | 2.1.0+                      | 0.10.15+ |
-|0.4.0                        |0.11.0+         | 2.1.0+                      | 0.10.15+ |
-|0.3.x                        |0.11.0+         | 2.1.0+                      | 0.10.15+ |
-|0.2.x                        |0.10.x          | 2.1.0+                      | 0.10.15+ |
-|0.1.1                        |0.9.x           | 2.0.3+                      | 0.10.15+ |
-|0.1.0                        |0.9.x           | 2.0.0+                      | 0.10.12+ |
+|0.13.0                       |1.1.0+          | 4.2.0+                      | 1.1.0+   |
+|0.12.1                       |1.1.0+          | 4.2.0+                      | 1.1.0+   |
+|0.12.0                       |1.1.0+          | 4.2.0+                      | 1.1.0+   |
 
 ## Getting Chocolatey Central Management
 

src/content/docs/en-us/central-management/setup/database.mdx

@@ -10,6 +10,7 @@ import Xref from '@components/Xref.astro';
 import TabsPane from '@choco/components/tabs/TabsPane.astro';
 import TabsPaneContainer from '@choco/components/tabs/TabsPaneContainer.astro';
 import TabsTabContainer from '@choco/components/tabs/TabsTabContainer.astro';
+import CentralManagementSecureConnectionStrings from '@components/docs/CentralManagementSecureConnectionStrings.mdx';
 
 At the end of this, we should have a fully ready to go SQL Server:
 
@@ -25,7 +26,7 @@ At the end of this, we should have a fully ready to go SQL Server:
 ## Step 1: Complete Prerequisites
 
 * <Xref title="High-level Requirements" value="ccm-setup" anchor="high-level-requirements" />
-* SQL Server 2012 or later.
+* SQL Server 2016 or later.
 
 <Callout type="info">
     While we'd like to support different database engines at some point in the distant future, currently only SQL Server is supported.
@@ -165,7 +166,7 @@ The Chocolatey Central Management database package will add or update a database
 
 ### Package Parameters
 
-* `/ConnectionString:` - The SQL Server database connection string to be used to connect to the Chocolatey Central Management database. Defaults to default or explicit values for `/SqlServiceInstance` and `/Database`, along with Integrated Security (`Server=<LOCAL COMPUTER FQDN NAME>; Database=ChocolateyManagement; Trusted_Connection=True;`). The account should have `db_owner` access to the database ([database owner](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles#fixed-database-roles)).
+* `/ConnectionString:` - The SQL Server database connection string to be used to connect to the Chocolatey Central Management database. By default, this value is constructed from the default or explicit values for `/SqlServiceInstance` and `/Database`, and uses Integrated Security (with all default values, this value will look like the following: `Server=<LOCAL COMPUTER FQDN NAME>; Database=ChocolateyManagement; Trusted_Connection=True; TrustServerCertificate=True;`). The account should have [`db_owner`](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles#fixed-database-roles) access to the database.
 * `/SqlServerInstance:` - Instance name of the SQL Server database to connect to. Alternative to passing full connection string with `/ConnectionString`. Uses `/Database` (below) to build a connection string. Defaults to `<LOCAL COMPUTER FQDN NAME>`.
 * `/Database:` - Name of the SQL Server database to use. Alternative to passing full connection string with `/ConnectionString`. Uses `/SqlServerInstance` (above) to build a connection string. Defaults to `ChocolateyManagement`.
 * `/SkipDatabasePermissionCheck` - By default, a check will be completed to ensure that the installing user has access to create a new database, based on the provided/computed connection string. If this check isn't required, for example, the database has already been created or permissions will error, this step can be skipped using this parameter. Available with CCM v0.2.0+.
@@ -176,6 +177,8 @@ The Chocolatey Central Management database package will add or update a database
 
 ### Database Authentication Scenarios
 
+<CentralManagementSecureConnectionStrings />
+
 * <Xref title="Scenario 1 - Windows Authentication to Local SQL Server" value="ccm-database" anchor="scenario-one" />
 * <Xref title="Scenario 2 - Active Directory Authentication to Remote SQL Server" value="ccm-database" anchor="scenario-two" />
 * <Xref title="Scenario 3 - SQL Server Authentication to Local SQL Server" value="ccm-database" anchor="scenario-three" />
@@ -241,9 +244,9 @@ export const tabs1 = [
         </Callout>
 
         <Callout type="warning">
-            **Installs**: Please ensure the user running the package installation is able to create databases unless you also pass `/SkipDatabasePermissionCheck` (in that case you simply need `db_owner` to the database being managed if it was pre-created).
-        
-            **Upgrades**: Please ensure the user running the package installation has been granted `db_owner` access to an existing database.
+            **Installation**: Please either ensure the user running the package installation is able to create databases or pass `/SkipDatabasePermissionCheck`, if you have `db_owner` permission to the pre-created database.
+
+            **Upgrade**: Please ensure the user running the package installation has been granted `db_owner` access to the existing database.
         </Callout>
     </TabsPane>
     <TabsPane content={tabs1[2]}>
@@ -291,9 +294,9 @@ export const tabs1 = [
         </Callout>
 
         <Callout type="warning">
-            **Installs**: Please ensure the login credentials provided are able to create databases unless you also pass `/SkipDatabasePermissionCheck` (in that case you simply need `db_owner` to the database being managed if it was pre-created).
-        
-            **Upgrades**: Please ensure the login credentials provided have been given `db_owner` access to an existing database.
+            **Installation**: Please either ensure the user running the package installation is able to create databases or pass `/SkipDatabasePermissionCheck`, if you have `db_owner` permission to the pre-created database.
+
+            **Upgrade**: Please ensure the user running the package installation has been granted `db_owner` access to the existing database.
         </Callout>
     </TabsPane>
 </TabsPaneContainer>
@@ -419,12 +422,12 @@ Chocolatey Central Management has specific compatibility requirements with quite
 
 ### What is the minimum required configuration for the appsettings.json file?
 
-As of Chocolatey Central Management v0.6.2, the default settings in the `appsettings.json` for the database package are:
+As of Chocolatey Central Management v0.13.0, the default settings in the `appsettings.json` for the database package are:
 
 ```json
 {
   "ConnectionStrings": {
-    "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True;"
+    "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True; TrustServerCertificate=True;"
   }
 }
 ```

src/content/docs/en-us/central-management/setup/index.mdx

@@ -68,13 +68,13 @@ choco download dotnet4.5.2 dotnetfx --force --internalize --internalize-all-urls
   choco download $_ --force --internalize --internalize-all-urls --append-use-original-location --source="'https://community.chocolatey.org/api/v2/'" --output-directory="'C:\packages'"
 }
 
-# We must use the 6.x.x versions of these packages, so we need to download/internalize these specific items.  At the time of publishing, the most recent version of this package is 6.0.5, but later package versions (within the 6.x.x release) are expected to work.
-@('dotnet-6.0-runtime', 'dotnet-6.0-aspnetruntime') | Foreach-Object {
-  choco download $_ --version 6.0.5 --force --internalize --internalize-all-urls --append-use-original-location --source="'https://community.chocolatey.org/api/v2/'" --output-directory="'C:\packages'"
+# We must use the 8.x.x versions of these packages, so we need to download/internalize these specific items.  At the time of publishing, the most recent version of this package is 8.0.8, but later package versions (within the 8.x.x release) are expected to work.
+@('dotnet-8.0-runtime', 'dotnet-8.0-aspnetruntime') | Foreach-Object {
+  choco download $_ --version 8.0.8 --force --internalize --internalize-all-urls --append-use-original-location --source="'https://community.chocolatey.org/api/v2/'" --output-directory="'C:\packages'"
 }
 
-# Starting with v0.9.0 of the CCM Website package, it uses dotnet-aspnetcoremodule-v2. At the time of publishing, the most recent version of this package 16.0.22108, but later package versions (within the 17.x.x release) are expected to work
-choco download dotnet-aspnetcoremodule-v2 --version 16.0.22108 --force --internalize --internalize-all-urls --append-use-original-location --source="'https://community.chocolatey.org/api/v2/'" --output-directory="'C:\packages'"
+# Starting with v0.9.0 of the CCM Website package, it uses dotnet-aspnetcoremodule-v2. At the time of publishing, the most recent version of this package 18.0.24201, but later package versions (within the 18.x.x release) are expected to work
+choco download dotnet-aspnetcoremodule-v2 --version 18.0.24201 --force --internalize --internalize-all-urls --append-use-original-location --source="'https://community.chocolatey.org/api/v2/'" --output-directory="'C:\packages'"
 
 # Download Licensed Packages
 ## DO NOT RUN WITH `--internalize` and `--internalize-all-urls` - see https://github.com/chocolatey/chocolatey-licensed-issues/issues/155

src/content/docs/en-us/central-management/setup/service.mdx

@@ -10,6 +10,7 @@ import Xref from '@components/Xref.astro';
 import TabsPane from '@choco/components/tabs/TabsPane.astro';
 import TabsPaneContainer from '@choco/components/tabs/TabsPaneContainer.astro';
 import TabsTabContainer from '@choco/components/tabs/TabsTabContainer.astro';
+import CentralManagementSecureConnectionStrings from '@components/docs/CentralManagementSecureConnectionStrings.mdx';
 
 This is the service that the agents (`chocolatey-agent`) communicates with. You could install one or more of these depending on the size of your environment (not multiple on one machine though). The FQDN and certificate used determine what the URL will be for the agents to check into Chocolatey Central Management.
 
@@ -72,7 +73,7 @@ Note items with "`:`" mean a value should be provided. Items without are simply
 * `/PortNumber:` - The port the Chocolatey Management Service will listen on. This will automatically create a rule to open the firewall on the port specified. Defaults to `24020`.
 * `/CertificateDnsName:` - The DNS name of the self-signed certificate that is generated if no existing certificate thumbprint is provided using the `/CertificateThumbprint` parameter (below). Defaults to `<LOCAL COMPUTER FQDN NAME>`.
 * `/CertificateThumbprint:` - Provide the thumbprint of an existing certificate (already installed in `LocalMachine\TrustedPeople` certificate store) to use for secure communication with clients. Defaults to a new self-signed SSL certificate on first installation / reuses existing on upgrades.
-* `/ConnectionString:` - The SQL Server database connection string to be used to connect to the Chocolatey Central Management database. Defaults to default or explicit values for `/SqlServiceInstance` and `/Database`, along with Integrated Security (`Server=<LOCAL COMPUTER FQDN NAME>; Database=ChocolateyManagement; Trusted_Connection=True;`). The account should have `db_datareader`/`db_datawriter` access to the database ([data reader / data writer](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles#fixed-database-roles)).
+* `/ConnectionString:` - The SQL Server database connection string to be used to connect to the Chocolatey Central Management database. By default, this value is constructed from the default or explicit values for `/SqlServiceInstance` and `/Database`, and uses Integrated Security (with all default values, this value will look like the following: `Server=<LOCAL COMPUTER FQDN NAME>; Database=ChocolateyManagement; Trusted_Connection=True; TrustServerCertificate=True;`). The account should have [`db_datareader`/`db_datawriter`](https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles#fixed-database-roles) access to the database.
 * `/SqlServerInstance:` - Instance name of the SQL Server database to connect to. Alternative to passing full connection string with `/ConnectionString`. Uses `/Database` (below) to build a connection string. Defaults to `<LOCAL COMPUTER FQDN NAME>`.
 * `/Database:` - Name of the SQL Server database to use. Alternative to passing full connection string with `/ConnectionString`. Uses `/SqlServerInstance` (above) to build a connection string. Defaults to `ChocolateyManagement`.
 
@@ -128,6 +129,8 @@ When Chocolatey manages the password for a local Administrator, it creates a ver
 
 ### Database Authentication Scenarios
 
+<CentralManagementSecureConnectionStrings />
+
 * <Xref title="Scenario 1 - Windows Authentication to Local SQL Server" value="ccm-service" anchor="scenario-one" />
 * <Xref title="Scenario 2 - Active Directory Authentication to Remote SQL Server" value="ccm-service" anchor="scenario-two" />
 * <Xref title="Scenario 3 - SQL Server Authentication to Local SQL Server" value="ccm-service" anchor="scenario-three" />
@@ -252,12 +255,12 @@ This situation can occur with any version of Chocolatey Central Management up to
 
 ### What is the minimum required configuration for the `appsettings.json` file?
 
-As of Chocolatey Central Management v0.6.2, the default configuration values in the `appsettings.json` for the Chocolatey Central Management service are:
+As of Chocolatey Central Management v0.13.0, the default configuration values in the `appsettings.json` for the Chocolatey Central Management service are:
 
 ```json
 {
   "ConnectionStrings": {
-    "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True;"
+    "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True; TrustServerCertificate=True;"
   },
   "CertificateThumbprint": "<THUMBPRINT_OF_CERTIFICATE_FOUND_DURING_INSTALLATION>"
 }
@@ -412,7 +415,7 @@ It depends. You can simply go to the `appsettings.json` file and adjust the conn
 ```json
 {
   "ConnectionStrings": {
-        "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True;"
+        "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True; TrustServerCertificate=True;"
   }
 }
 ```
@@ -468,12 +471,13 @@ You may also receive a differently-worded error if the certificate used by the C
 Starting in Chocolatey Central Management v0.6.2, the Chocolatey Central Management Service package will attempt to select an appropriate certificate during installation, and store the thumbprint in the `appsettings.json` file.
 You can also specify the thumbprint for the certificate to use as the `/CertificateThumbprint` package parameter during installation or upgrade.
 
-If you need to change the certificate you're using after installation, you can modify the entry in the `appsettings.json` file for the Chocolatey Central Management service, shown below.
+If you need to change the certificate you're using after installation, you can modify the entry in the `appsettings.json` file for the Chocolatey Central Management service.
+Below is a sample of what the `appsettings.json` file looks like by default as of Chocolatey Central Management v0.13.0.
 
 ```json
 {
   "ConnectionStrings": {
-    "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True;"
+    "Default": "Server=<HOST_NAME_OF_MACHINE_BEING_INSTALLED_ONTO>; Database=ChocolateyManagement; Trusted_Connection=True; TrustServerCertificate=True;"
   },
   "CertificateThumbprint": "<THUMBPRINT_OF_CERTIFICATE_FOUND_DURING_INSTALLATION>"
 }
@@ -602,11 +606,3 @@ You are attempting to set up a user that is not in the local Administrators grou
 Please refer to the <Xref title="Chocolatey Central Management Service Windows Account Considerations" value="ccm-service" anchor="chocolatey-central-management-service-windows-account-considerations" /> and select an option that works best for your organization.
 
 <Xref title="Central Management Setup" value="ccm-setup" /> | <Xref title="Chocolatey Central Management" value="central-management" />
-
-### Error 1053: The service did not respond to the start or control request in a timely fashion.
-
-If the Chocolatey Central Management Service is not able to be started due to "Error 1053: The service did not respond to the start or control request in a timely fashion.", it is likely caused due to no compatible versions of dotnet aspnetruntime not being installed. 
-
-The installed runtimes can be listed with `dotnet --list-runtimes`. Ensure that a 6.x.x version of Microsoft.AspNetCore.App is listed. If there is not a version listed, reinstall `dotnet-6.0-aspnetruntime`. 
-
-There is a known issue with the aspnetcoremodule-v2 installer that will uninstall the aspnetruntime on upgrade, which may be the root cause for this missing runtime. https://github.com/dotnetcore-chocolatey/dotnetcore-chocolateypackages/issues/64