Fix: add SSL-bypass fallback for Server 2016 cert chain issue

2026-05-04 12:22:35 +02:00
parent 13e7ccf6db
commit fefc975880
1 changed files with 43 additions and 31 deletions
--- a/setup-windows.ps1
+++ b/setup-windows.ps1
@ -1,4 +1,4 @@
-# TLS 1.2 + alle Varianten aktivieren (Windows Server 2016 Kompatibilitaet)
+# TLS 1.2 + Fallback-Versionen aktivieren (Windows Server 2016)
 [Net.ServicePointManager]::SecurityProtocol = `
    [Net.SecurityProtocolType]::Tls12 -bor `
    [Net.SecurityProtocolType]::Tls11 -bor `
@ -33,7 +33,7 @@ if ($policy -in @('Bypass', 'Unrestricted', 'RemoteSigned')) {
    } catch {
        $effective = Get-ExecutionPolicy
        if ($effective -in @('Bypass', 'Unrestricted', 'RemoteSigned')) {
-            Write-Host "      GPO-Override - aktuelle Policy '$effective' ist ausreichend"
+            Write-Host "      GPO-Override - Policy '$effective' ist ausreichend"
        } else {
            Write-Host "FEHLER: Execution Policy '$effective' blockiert Ausfuehrung."
            Read-Host "Enter zum Beenden"; exit 1
@ -41,6 +41,43 @@ if ($policy -in @('Bypass', 'Unrestricted', 'RemoteSigned')) {
    }
 }

+# Hilfsfunktion: Scoop-Installer herunterladen und ausfuehren
+function Install-Scoop {
+    $url = 'https://get.scoop.sh'
+    $tmp = "$env:TEMP\scoop-install.ps1"
+
+    # Versuch 1: Invoke-RestMethod
+    try {
+        Invoke-RestMethod -Uri $url | Invoke-Expression
+        return $true
+    } catch {}
+
+    # Versuch 2: WebClient
+    try {
+        (New-Object System.Net.WebClient).DownloadString($url) | Invoke-Expression
+        return $true
+    } catch {}
+
+    # Versuch 3: WebClient mit SSL-Bypass (Windows Server 2016 fehlende Zertifikatskette)
+    Write-Host "      Versuche SSL-Bypass fuer Scoop-Download (Server 2016)..."
+    $prevCb = [Net.ServicePointManager]::ServerCertificateValidationCallback
+    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
+    try {
+        (New-Object System.Net.WebClient).DownloadString($url) | Invoke-Expression
+        return $true
+    } catch {
+        Write-Host "FEHLER: Scoop-Download fehlgeschlagen: $_"
+        Write-Host ""
+        Write-Host "Moegliche Ursachen auf Windows Server 2016:"
+        Write-Host "  - Fehlende Root-Zertifikate (Windows Update ausfuehren)"
+        Write-Host "  - Proxy blockiert HTTPS"
+        Write-Host "  - get.scoop.sh nicht erreichbar"
+        return $false
+    } finally {
+        [Net.ServicePointManager]::ServerCertificateValidationCallback = $prevCb
+    }
+}
+
 # 2. Scoop pruefen / installieren
 Write-Host "[2/4] Pruefe Scoop..."
 $scoopShims = "$env:USERPROFILE\scoop\shims"
@ -48,28 +85,9 @@ $scoopInstalled = (Test-Path "$scoopShims\scoop.ps1") -or (Test-Path "$scoopShim

 if (-not $scoopInstalled) {
    Write-Host "      Scoop nicht gefunden - wird installiert..."
-
-    $installed = $false
-    # Versuch 1: Invoke-RestMethod
-    try {
-        Invoke-RestMethod -Uri https://get.scoop.sh | Invoke-Expression
-        $installed = $true
-    } catch {
-        Write-Host "      Invoke-RestMethod fehlgeschlagen ($_), versuche WebClient..."
+    if (-not (Install-Scoop)) {
+        Read-Host "Enter zum Beenden"; exit 1
    }
-    # Versuch 2: WebClient (anderer TLS-Stack)
-    if (-not $installed) {
-        try {
-            (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh') | Invoke-Expression
-            $installed = $true
-        } catch {
-            Write-Host "FEHLER: Scoop-Download fehlgeschlagen: $_"
-            Write-Host "Netzwerk oder SSL/TLS pruefen."
-            Read-Host "Enter zum Beenden"; exit 1
-        }
-    }
-
-    # Pruefen ob Scoop wirklich da ist
    if (-not ((Test-Path "$scoopShims\scoop.ps1") -or (Test-Path "$scoopShims\scoop.cmd"))) {
        Write-Host "FEHLER: Scoop-Installation fehlgeschlagen (Verzeichnis fehlt)."
        Read-Host "Enter zum Beenden"; exit 1
@ -88,20 +106,14 @@ if ($env:PATH -notlike "*$scoopShims*") {
 Write-Host "[3/4] Installiere 7zip via lessmsi..."
 scoop config use_lessmsi true
 $7zipOk = $false
-try {
-    scoop install 7zip 2>&1 | Out-Null
-    $7zipOk = $true
-} catch {}
+try { scoop install 7zip 2>&1 | Out-Null; $7zipOk = $true } catch {}

 if (-not $7zipOk) {
    Write-Host "      7zip fehlgeschlagen - bereinige und versuche erneut..."
    try { scoop uninstall 7zip } catch {}
    try { scoop cache rm 7zip } catch {}
    Remove-Item -Recurse -Force "$env:USERPROFILE\scoop\apps\7zip" -ErrorAction SilentlyContinue
-    try {
-        scoop install 7zip
-        $7zipOk = $true
-    } catch {
+    try { scoop install 7zip; $7zipOk = $true } catch {
        Write-Host "FEHLER: 7zip konnte nicht installiert werden: $_"
        Read-Host "Enter zum Beenden"; exit 1
    }