winrm-cert-auth-failed-when-metadata-clear-text-password-is-given

ConfigWinRMCertificateAuthPlugin fails when the user password has been provided in clear text in the metadata with the default cloudbase-init config.

If you set in the config file: "first_logon_behaviour=no", the issue disappears.

The cause of the issue is that the winrm cert mapping requires a valid user password and the password is not valid if it is set to be changed at the first login.

Cloudbase-init logs:
Plugin 'ConfigWinRMCertificateAuthPlugin' failed with error '(-2147352567, 'Exception occurred.', (0, 'Session', 'The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again. ', None, 0, -2144108204), None)'com_error: (-2147352567, 'Exception occurred.', (0, 'Session', 'The WINRM certificate mapping configuration operation cannot be completed because the user credentials could not be verified. Please check the username and password used for mapping this certificate and verify that it is a non-domain account and try again. ', None, 0, -2144108204), None)

The solution is to set before the cert mapping the password policy to not change at first login (if different), afterward put it back to the before state.