From fefc9758803a071460281d5980ee4fc5a255b82a Mon Sep 17 00:00:00 2001 From: Ralf-Peter Wolff Date: Mon, 4 May 2026 12:22:35 +0200 Subject: [PATCH] Fix: add SSL-bypass fallback for Server 2016 cert chain issue --- setup-windows.ps1 | 74 +++++++++++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 31 deletions(-) diff --git a/setup-windows.ps1 b/setup-windows.ps1 index 800e135..18891a3 100644 --- a/setup-windows.ps1 +++ b/setup-windows.ps1 @@ -1,4 +1,4 @@ -# TLS 1.2 + alle Varianten aktivieren (Windows Server 2016 Kompatibilitaet) +# TLS 1.2 + Fallback-Versionen aktivieren (Windows Server 2016) [Net.ServicePointManager]::SecurityProtocol = ` [Net.SecurityProtocolType]::Tls12 -bor ` [Net.SecurityProtocolType]::Tls11 -bor ` @@ -33,7 +33,7 @@ if ($policy -in @('Bypass', 'Unrestricted', 'RemoteSigned')) { } catch { $effective = Get-ExecutionPolicy if ($effective -in @('Bypass', 'Unrestricted', 'RemoteSigned')) { - Write-Host " GPO-Override - aktuelle Policy '$effective' ist ausreichend" + Write-Host " GPO-Override - Policy '$effective' ist ausreichend" } else { Write-Host "FEHLER: Execution Policy '$effective' blockiert Ausfuehrung." Read-Host "Enter zum Beenden"; exit 1 
@@ -41,6 +41,43 @@ if ($policy -in @('Bypass', 'Unrestricted', 'RemoteSigned')) { } } +# Hilfsfunktion: Scoop-Installer herunterladen und ausfuehren +function Install-Scoop { + $url = 'https://get.scoop.sh' + $tmp = "$env:TEMP\scoop-install.ps1" + + # Versuch 1: Invoke-RestMethod + try { + Invoke-RestMethod -Uri $url | Invoke-Expression + return $true + } catch {} + + # Versuch 2: WebClient + try { + (New-Object System.Net.WebClient).DownloadString($url) | Invoke-Expression + return $true + } catch {} + + # Versuch 3: WebClient mit SSL-Bypass (Windows Server 2016 fehlende Zertifikatskette) + Write-Host " Versuche SSL-Bypass fuer Scoop-Download (Server 2016)..." + $prevCb = [Net.ServicePointManager]::ServerCertificateValidationCallback + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} + try { + (New-Object System.Net.WebClient).DownloadString($url) | Invoke-Expression + return $true + } catch { + Write-Host "FEHLER: Scoop-Download fehlgeschlagen: $_" + Write-Host "" + Write-Host "Moegliche Ursachen auf Windows Server 2016:" + Write-Host " - Fehlende Root-Zertifikate (Windows Update ausfuehren)" + Write-Host " - Proxy blockiert HTTPS" + Write-Host " - get.scoop.sh nicht erreichbar" + return $false + } finally { + [Net.ServicePointManager]::ServerCertificateValidationCallback = $prevCb + } +} + # 2. Scoop pruefen / installieren Write-Host "[2/4] Pruefe Scoop..." $scoopShims = "$env:USERPROFILE\scoop\shims" 
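Review bot: Attempt 3 in `Install-Scoop` sets `ServerCertificateValidationCallback = {$true}` and pipes the response straight into `Invoke-Expression`, so the script that gets executed is no longer authenticated. The callback also stays disabled while the installer runs, because `finally` restores it only afterwards; that presumably covers the installer's own HTTPS requests too. Attempts 1 and 2 wrap download and execution in one `try` with an empty `catch {}`, so any error raised by the installer, not only a certificate-chain failure, falls through to the bypass, and the original error message is lost. I would download into a variable, restore the callback before executing, and run the text only after comparing it with a pinned SHA-256 (sketch below, hash is a placeholder); repairing the root store, as the error text already advises, is the cleaner route. `$tmp` is assigned but never used.

```powershell
function Install-Scoop {
    $url = 'https://get.scoop.sh'
    # ... unchanged: attempts 1 and 2 ...

    # Attempt 3: fetch without chain validation, execute only after an integrity check
    $expected = '<SHA256_OF_REVIEWED_INSTALLER_PLACEHOLDER>'
    $prevCb = [Net.ServicePointManager]::ServerCertificateValidationCallback
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    try {
        $script = (New-Object System.Net.WebClient).DownloadString($url)
    } catch {
        # ... unchanged: error messages ...
        return $false
    } finally {
        # restored before anything is executed
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $prevCb
    }

    # hash is taken over the UTF-8 encoding of the downloaded text
    $sha = [Security.Cryptography.SHA256]::Create()
    $actual = [BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($script))) -replace '-'
    if ($actual -ne $expected) {
        Write-Host "FEHLER: Scoop-Installer hat unerwarteten Hash - Abbruch."
        return $false
    }
    $script | Invoke-Expression
    return $true
```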
@@ -48,28 +85,9 @@ $scoopInstalled = (Test-Path "$scoopShims\scoop.ps1") -or (Test-Path "$scoopShim if (-not $scoopInstalled) { Write-Host " Scoop nicht gefunden - wird installiert..." - - $installed = $false - # Versuch 1: Invoke-RestMethod - try { - Invoke-RestMethod -Uri https://get.scoop.sh | Invoke-Expression - $installed = $true - } catch { - Write-Host " Invoke-RestMethod fehlgeschlagen ($_), versuche WebClient..." + if (-not (Install-Scoop)) { + Read-Host "Enter zum Beenden"; exit 1 } - # Versuch 2: WebClient (anderer TLS-Stack) - if (-not $installed) { - try { - (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh') | Invoke-Expression - $installed = $true - } catch { - Write-Host "FEHLER: Scoop-Download fehlgeschlagen: $_" - Write-Host "Netzwerk oder SSL/TLS pruefen." - Read-Host "Enter zum Beenden"; exit 1 - } - } - - # Pruefen ob Scoop wirklich da ist if (-not ((Test-Path "$scoopShims\scoop.ps1") -or (Test-Path "$scoopShims\scoop.cmd"))) { Write-Host "FEHLER: Scoop-Installation fehlgeschlagen (Verzeichnis fehlt)." Read-Host "Enter zum Beenden"; exit 1 @@ -88,20 +106,14 @@ if ($env:PATH -notlike "*$scoopShims*") { Write-Host "[3/4] Installiere 7zip via lessmsi..." scoop config use_lessmsi true $7zipOk = $false -try { - scoop install 7zip 2>&1 | Out-Null - $7zipOk = $true -} catch {} +try { scoop install 7zip 2>&1 | Out-Null; $7zipOk = $true } catch {} if (-not $7zipOk) { Write-Host " 7zip fehlgeschlagen - bereinige und versuche erneut..." try { scoop uninstall 7zip } catch {} try { scoop cache rm 7zip } catch {} Remove-Item -Recurse -Force "$env:USERPROFILE\scoop\apps\7zip" -ErrorAction SilentlyContinue - try { - scoop install 7zip - $7zipOk = $true - } catch { + try { scoop install 7zip; $7zipOk = $true } catch { Write-Host "FEHLER: 7zip konnte nicht installiert werden: $_" Read-Host "Enter zum Beenden"; exit 1 }
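Review bot: `if (-not (Install-Scoop))` in the `@@ -48,28 +85,9 @@` hunk tests everything the function writes to the output stream, not only the `$true`/`$false` it returns, because the output of `Invoke-Expression` inside `Install-Scoop` is not captured. If an earlier attempt emits objects before throwing, the result is an array such as `@(..., $false)`, which PowerShell evaluates as true, so the `exit 1` branch is skipped; the `Test-Path` check that follows still catches a missing shim. Sending the installer's output to the host inside the function, `... | Invoke-Expression | Out-Host`, or reading only the last value with `Install-Scoop | Select-Object -Last 1`, would keep the boolean clean.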