-
Notifications
You must be signed in to change notification settings - Fork 7
/
Update-Certificate.ps1
725 lines (628 loc) · 31.7 KB
/
Update-Certificate.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
<#
.SYNOPSIS
Create a new or update an existing LetsEncrypt certificate for one or more
domains and add it to a store then update the SSL bindings for an IIS web site
.DESCRIPTION
The script will use ACMESharp to create a new or update an existing
certificate for a domain. If generated successfully the script will
add the certificate to the certificate store and update the SSL binding for a web site.
This script is for use with IIS
The script will validate the parameter provided. For example, the web site name must
be a valid IIS site name, the domain(s) listed must be defined as host headers for
the site, there must be an existing https or ftps binding (even if it has an invalid certificate)
and the domain and alias specified must not also appear in the list of alternative names.
.PARAMETER alias
A unique idenifier for the attempt to create a certificate.
.PARAMETER domain
The domain for which you want to create a certificate.
.PARAMETER domains
A hashtable of domains for which you want to create a certificate
for example @{"alias1"="my.domain.com";"alias2"="other.domain.com"}.
The domains must be defined as host headers in the site given in the
webSiteName parameter.
.PARAMETER websiteName
The name of the web site hosting the domain(s) for which you are generating a certificate.
LetsEncrypt will verify your attempt to create a certificate by checking for a
file containing a token provided by LetsEncrypt. This script will create the file relative
to the location of the web site you specify in this parameter.
.PARAMETER noCertOverwrite
Should a newly generated certificate overwrite a previously
generated certificate for the same alias.
.PARAMETER certFolder
A temporary location to hold the generated certificate before
it is imported into the certificate store. (Default Downloads)
.PARAMETER certPath
The location in the certificate store into which the certificate should
be imported. (Default: \LocalMachine\WebHosting)
.PARAMETER location
The location of this script and the ACMEScript software. (Default: c:\ACMEScript)
.PARAMETER Country
The country (C) to display in the certificate
.PARAMETER StateOrProvince
The state or province (ST) to display in the certificate
.PARAMETER Organization
The organization (O) to display in the certificate
.PARAMETER OrganizationUnit
The the organization unit (OU) to display in the certificate
.PARAMETER Description
The Description to display in the certificate
.PARAMETER Email
The email address to display in the certificate
.PARAMETER checkParameters
Provided if the parameters are to be check but the process not executed
.PARAMETER keepOldCertificates
Set this option to true if old certificates for the domain are to be retained (by default they are removed)
.PARAMETER notIIS
Use this option if IIS is not to be updated or used for http-01 challenges
.PARAMETER isFTPS
Set this option to true if updated site is FTPS
.PARAMETER VaultProfile
Which ACMESharp vault profile to use, will default to "":user"", or "":system"" if elevated, or \$env:ACMESHARP_VAULT_PROFILE if set
.PARAMETER ChallengeType
Which ACME challenge method to use, 'http-01' or 'dns-01'
.PARAMETER ChallengeHandler
Which ACMESharp challenge handler to use, e.g. 'awsRoute53'
.PARAMETER ChallengeParameters
Hash table or parametrs for the challenge handler, e.g. @{HostedZoneId="ZA1234567890";AwsProfileName="myuser"}
.EXAMPLE
C:\PS> Update-Certificate -alias "www-mydomain" -domain "www.mydomain.com" -websiteName "My Website"
This command creates a certificate for www.mydomain.com which is hosted by the web site named 'My Website' using the default http-01 challenge method
.EXAMPLE
C:\PS> Update-Certificate -alias "www-mydomain" -domain "www.mydomain.com" -websiteName "My Website" -domains @{"alias1"="my.domain.com";"alias2"="other.domain.com"}
This command will generate a certificate for use with all the domains 'www.mydomain.com', 'my.domain.com' and 'other.domain.com'
.EXAMPLE
C:\PS> Update-Certificate -alias "www-mydomain" -domain "www.mydomain.com" -websiteName "My Website" -ChallengeType "dns-01" -ChallengeHandler "awsRoute53" -ChallengeParameters @{HostedZoneId="ZA1234567890";AwsProfileName="myuser"}
This command creates a certificate for www.mydomain.com which is hosted by the web site named 'My Website' using the specified dns-01 challenge method, handler, and parameters
.NOTES
Author: Bill Seddon
History:
January 25th, 2016 Initial version
February 6th 2016 Updated to support alternative names, update the IIS SSL binding and allow some Csr parameters to be defined
January 2017 Updated by Aaron Roydhouse to support dns-01 challenges using AWS Route 53, and other challenge methods
February 2018 Updated by Stepan Vardanyan to support FTPS certificate update in IIS, fixed binding checking
#>
Function Update-Certificate
{
param
(
[Parameter(Mandatory=$true, Position=0,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true,
HelpMessage="An alias to identify this attempt to create a certificate")
]
[ValidateNotNullOrEmpty()]
[string]$alias, # "wordpressroute",
[Parameter(Mandatory=$true,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true,
HelpMessage="The domain for which you want to create/renew a certificate")
]
[ValidateNotNullOrEmpty()]
[string]$domain, # = "wordpress.wproute.com",
[Parameter(
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true,
HelpMessage='A hashtable of additional domains for which you want to create/renew a certificate: @{"alias1"="my.domain.com";"alias2"="other.domain.com"}')
]
[ValidateNotNullOrEmpty()]
[HashTable]$domains = @{}, # = ("alias1","my.domain.com"),("alias2","other.domain.com")
[Parameter(Mandatory=$false,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true,
HelpMessage="The name of the IIS web site associated with the certificate being generated such as 'Default Web Site'")]
[ValidateNotNullOrEmpty()]
[string]$WebSiteName,
[Parameter(HelpMessage="The module to overwrite an existing certificate in the temporary certificate location if there is one by default. You can prevent overwriting by enabling this switch.")]
[switch]$noCertOverwrite = $false,
[Parameter(HelpMessage="The temporary location to which the created certification should be save")]
[string]$certFolder = $env:temp, # "C:\Users\Administrator\Downloads",
[Parameter(HelpMessage="The OS certificate store folder to which you want to import the generated certificate")]
[string]$certPath = "\LocalMachine\WebHosting",
[Parameter(HelpMessage="The location of the ACMESharp folder")]
[string]$location,
[Parameter(HelpMessage="The country (C) to display in the certificate")]
[string]$Country,
[Parameter(HelpMessage="The state or province (ST) to display in the certificate")]
[string]$StateOrProvince,
[Parameter(HelpMessage="The organization (O) to display in the certificate")]
[string]$Organization,
[Parameter(HelpMessage="The the organization unit (OU) to display in the certificate")]
[string]$OrganizationUnit,
[Parameter(HelpMessage="The Description to display in the certificate")]
[string]$Description,
[Parameter(HelpMessage="The email address to display in the certificate")]
[string]$Email,
[Parameter(HelpMessage="Provided if the parameters are to be check but the process not executed")]
[switch]$checkParameters = $false,
[Parameter(HelpMessage="Use this option if IIS is not to be updated")]
[switch]$notIIS = $false,
[Parameter(HelpMessage="Set this option to true if old certificates for the domain are to be retained (by default they are removed)")]
[switch]$isFTPS= $false,
[Parameter(HelpMessage="Set this option to true if updated site is FTPS")]
[switch]$keepOldCertificates = $false,
[Parameter(HelpMessage="ACMESharp vault profile, will default to "":user"", or "":system"" if elevated, or \`$env:ACMESHARP_VAULT_PROFILE if set")]
[string]$VaultProfile = "",
[Parameter(HelpMessage="Which ACME challenge method to use, ""http-01"" or ""dns-01""")]
[string]$ChallengeType = "http-01",
[Parameter(HelpMessage="Which ACMESharp challenge handler to use, e.g. ""awsRoute53"" or ""manual""")]
[string]$ChallengeHandler = "manual",
[Parameter(HelpMessage="Hash table or parametrs for the challenge handler, e.g. @{HostedZoneId=""ZX1234567890"";AwsProfileName=""myuser""}")]
[HashTable]$ChallengeParameters = @{}
)
# Check an alias has been provided
if ( ! $alias )
{
"You must supply a value for the alias to use for this attempt to create a certificate"
}
# Check an domain has been provided
if ( ! $domain )
{
"You must supply a value for the domain for which you want to create a certificate"
}
if ( ! $notIIS )
{
# Check an web site has been provided, if we are to install in IIS
if ( ! $WebSiteName )
{
"The name of a web server must be provided"
}
# The $websiteFolder must exist
$webSite = Get-Website -Name $WebSiteName
if ( ! $webSite )
{
"The Web Site '$WebSiteName' does not exist"
}
}
# The three mandatory parameters must exist
if ( ! $alias -or ! $domain -or (! $notIIS -and (! $WebSiteName -or ! $webSite ) ) )
{
"Must supply domain, alias, and for IIS installs a website"
return
}
# Check the domains
# Each element of the array must be an array of length two
if ( ($domains | Where-Object { $_ -is [System.Collections.Hashtable] }).Count -ne $domains.Count )
{
"Each element of the 'domains' array must be an alias/domain (key/value) pair"
return
}
# The $domains list cannot include the $domain as an alternative
if ( $domains.GetEnumerator() | Where-Object { $_.Value -eq $domain } )
{
"The main domain '$domain' cannot also be included as an alternative"
return
}
# The $domains list cannot include the $domain as an alternative
if ( $domains.GetEnumerator() | Where-Object { $_.Key -eq $alias } )
{
"The main alias '$alias' cannot also be included as an alternative"
return
}
# Add the main alias to the domains list so they can all be processed together
$domains[$alias] = $domain
# To use http-01 with IIS the website needs to be operating
if ( (! ($webSite.State -eq "Started")) -and (! ($ChallengeType -eq "http-01")) -and (! $notIIS) )
{
"The web site '$WebSiteName' is not started. It will not be possible to complete the http-01 challenge"
return
}
# If the certificate is to be install in IIS then check the bindings already exist
if ( ! $notIIS)
{
# Check that the domains for which certificates are to be generated have binding
# either it should be https with domain binding or ftp with 990 port
# (DO NOT SET host name in ftp binding of 990 port, it will cause non-updated cert)
$invalidDomains = $domains.GetEnumerator() |
Where-Object { $dom = $_.Value;
! ( $webSite.bindings.Collection | Where-Object { ($_.protocol -eq 'https' -and $_.bindingInformation -like "*:$dom*" ) -or ($_.protocol -eq 'ftp' -and $_.bindingInformation -like "*:990:*") } )
}
if ( $invalidDomains.Count -gt 0 )
{
"The following domain(s) do not have an https or ftps binding in the web site '$WebSiteName': {0}" -f (@( $invalidDomains | ForEach-Object { $_.Value } ) -join ",")
"Please add binding(s) in IIS before using these domain(s)"
return;
}
}
$csrDetails = @{}
if ( $Country ) { $csrDetails["Country"]=$Country }
if ( $StateOrProvince ) { $csrDetails["StateOrProvince"]=$StateOrProvince }
if ( $Organization ) { $csrDetails["Organization"]=$Organization }
if ( $OrganizationUnit ) { $csrDetails["OrganizationUnit"]=$OrganizationUnit }
if ( $Description ) { $csrDetails["Description"]=$Description }
if ( $Email ) { $csrDetails["Email"]=$Email }
"aliases/domains:"
$domains.GetEnumerator() | ForEach-Object { " $($_.Key)=$($_.Value)" }
if (! $notIIS)
{
$websiteFolder = $webSite.physicalPath
$websiteFolder = [System.Environment]::ExpandEnvironmentVariables($websiteFolder)
"Web Site Name: $WebSiteName"
"Web Site Folder: $websiteFolder"
}
"Cert Folder: $certFolder"
if ( $csrDetails.Count -gt 0 )
{
"csr Details:"
$csrDetails.GetEnumerator() | ForEach-Object { " $($_.Key)=$($_.Value)" }
}
if ( $checkParameters ) { return }
$certalias = "cert$alias"
$mainalias = $alias # The value '$alias' will change but this value is needed to generate the certificate
$maindomain = $domain # The value '$domain' will change but this value is needed to generate the certificate
$pfx = "cert$alias.pfx"
$filepath = "$certFolder\$pfx"
$location = if ( $location ) { $location } else { $PSScriptRoot }
Set-Location -Path $location
$ACMESharpModule = "ACMESharp"
if ( ! (get-module $ACMESharpModule) )
{
"Importing $ACMESharpModule"
Import-Module $ACMESharpModule -ErrorAction SilentlyContinue
if ( ! (get-module $ACMESharpModule) )
{
"!!!"
"!!! The module '$ACMESharpModule' was not loaded because no valid "
"!!! module file was found in any PowerShell module directory."
"!!!"
"!!! Please install $ACMESharpModule. For more information please visit:"
"!!! https://github.com/ebekker/ACMESharp/wiki/Quick-Start"
"!!!"
return
}
}
# A message will be displayed if the vault exists
if ( ! (Get-ACMEVault -VaultProfile $VaultProfile) )
{
"ACMESharp vault $VaultProfile does not exist"
"Create it with e.g. for default ':user' profile:"
"Initialize-ACMEVault"
"or for a named profile like 'Test':"
"Set-ACMEVaultprofile -ProfileName Test -Provider local -VaultParameters @{RootPath='C:\Users\MyUser\AppData\Local\ACMESharp\testVault';CreatePath=[bool]'True'}"
"Initialize-ACMEVault -BaseService LetsEncrypt-STAGING -VaultProfile Test"
}
if ( ! ((Get-ACMEVault -VaultProfile $VaultProfile).Registrations.Count) )
{
"There are no registrations. This process cannot proceed until a registration has been created"
"Issue a PowerShell command like: New-ACMERegistration -Contacts mailto:[email protected] -AcceptTos"
return
}
if ( ! (Get-ACMEChallengeHandlerProfile -GetChallengeType $ChallengeType) )
{
"Not a supported ACME challenge type: $ChallengeType"
"Supported types are:"
Get-ACMEChallengeHandlerProfile -ListChallengeTypes
}
if ( ! (Get-ACMEChallengeHandlerProfile -GetChallengeHandler $ChallengeHandler) )
{
"Not a supported ACME challenge handler: $ChallengeHandler"
"Supported handlers are:"
Get-ACMEChallengeHandlerProfile -ListChallengeHandlers
}
<#
* Begin looping over the requested domains to create or find the respective identifiers
* TODO: It would be faster to prepare all challenges first, and then request ACME to validate them all, especially for dns-01 challenges
#>
$identifiers = @{}
$challenges = @{}
$domains.GetEnumerator() | ForEach-Object {
$alias = $_.Key
$domain = $_.Value
if ( ! ( (Get-ACMEVault -VaultProfile $VaultProfile).Identifiers.Count -and (Get-ACMEIdentifier -VaultProfile $VaultProfile | Where-Object { $_.Alias -eq "$alias" }).Count ) )
{
"Create identifier for '$domain' using alias '$alias'"
$result = New-ACMEIdentifier -VaultProfile $VaultProfile -Dns $domain -Alias $alias
}
else
{
"The identifier '$alias' already exists"
$result = Get-ACMEIdentifier -VaultProfile $VaultProfile $alias
}
$identifiers[$alias] = $result
<# Before Complete
ChallengePart : ACMESharp.Messages.ChallengePart
Challenge :
Type : http-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/arCMu_9OqjPSnknZR9T39Q1fh3vyhMVOi5z8ZYGwoHE/10635610
Token : J1TtfKn0iikqKwMXxJQgI7qGKgsJ7Tq68VXUaR-pyoI
Status : pending
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName :
HandlerHandleDate :
HandlerCleanUpDate :
SubmitDate :
SubmitResponse :
#>
# Is this identifier already valid?
if ( ! ($result.Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.SubmitDate }).Count )
{
# No? Has the request been submitted?
if ( ! ($result.Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.HandlerName -eq $ChallengeHandler }).Count )
{
"Issue challenge for '$alias'"
$result = Complete-ACMEChallenge $alias -VaultProfile $VaultProfile -ChallengeType $ChallengeType -Handler $ChallengeHandler -HandlerParameters $ChallengeParameters
}
<# After complete
ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.HttpChallenge
Type : http-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/arCMu_9OqjPSnknZR9T39Q1fh3vyhMVOi5z8ZYGwoHE/10635610
Token : J1TtfKn0iikqKwMXxJQgI7qGKgsJ7Tq68VXUaR-pyoI
Status : pending
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : manual
HandlerHandleDate : 1/25/2016 1:44:55 AM
HandlerCleanUpDate :
SubmitDate :
SubmitResponse :
#>
# If this is a dns-01 challenge using AWS Route 53, then wait for the DNS entries to sync
# ACMESharp should to the Route53 GetChange API method to wait for the sync itself, but doesn't yet
if ( ($ChallengeType -eq "dns-01") -and ($ChallengeHandler -eq "awsRoute53") )
{
# Waiting for AWS Route 53 record to sync to all name servers
"Waiting for new Route 53 DNS record to sync"
Start-Sleep -Milliseconds 30000
}
# If this is a manual http-01 challenge using IIS, then up to us to add the file into the webroot
# In all other cases the ACMESharp challenge handler should do the work
if ( ($ChallengeType -eq "http-01") -and ($ChallengeHandler -eq "manual") -and ! $notIIS )
{
$content = ""
$path = ""
$result.Challenges | Where-Object { $_.Type -eq $ChallengeType } | ForEach-Object { $content = $_.Challenge.FileContent; $path = $_.Challenge.FilePath }
if ( ! $content )
{
"There is no content available after beginning the challenge"
return
}
"Content: $content"
"Path: $path"
"Saving the challenge content"
New-Item -Path "$websiteFolder\$path" -ItemType File -Force
# Can't use Out-File cmdlet because it output a trailing new line
[io.file]::WriteAllText("$websiteFolder\$path",$content)
}
# Assume that DNS record or the .well-known/acme-challenge/xxx file is in place
"Submit challenge for '$alias'"
$result = Submit-ACMEChallenge $alias -VaultProfile $VaultProfile -ChallengeType $ChallengeType
$challenges[$alias] = $result
<# After submit
ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.HttpChallenge
Type : http-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/AbLhGZFSDlAZ-V_tz_JsHpLUecZStsT-0pXqx91tTR0/10636625
Token : 8NvzB46821JxizVdwdUCiKwtetAJGKazKd7J1zKC5ww
Status : pending
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : manual
HandlerHandleDate : 1/25/2016 1:49:14 AM
HandlerCleanUpDate :
SubmitDate : 1/25/2016 1:49:47 AM
SubmitResponse : ACMESharp.AcmeClient+AcmeHttpResponse
#>
}
else
{
"The identifier '$alias' has been already been submitted"
}
}
# Check for validity here. If not valid update the identifier
$domains.GetEnumerator() | ForEach-Object {
$alias = $_.Key
$domain = $_.Value
if ( $identifiers[$alias].Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.Status -eq 'valid' } ) { "$alias is valid"; return }
if ( $identifiers[$alias].Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.Status -eq 'invalid' } ) { "$alias is invalid"; return }
$result = Update-ACMEIdentifier $alias -VaultProfile $VaultProfile -ChallengeType $ChallengeType
$identifiers[$alias] = $result
}
# If there are any invalid challenges then its time to abort
$abort = $false;
$identifiers.GetEnumerator() | ForEach-Object {
$alias = $_.Key
if ( ($_.Value.Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.Status -eq 'invalid' } ) )
{
$abort = $true;
"One or more of the challenges of the identifier for alias '$alias' is invalid"
}
}
if ( $abort ) { return }
# Now check the the challenges
$maxAttempts = 10
$attempts = 0
while ( ($identifiers | Where-Object { $_.Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.Status -ne 'valid' } } ) )
{
$attempts++
if ( $attempts -gt $maxAttempts )
{
"The request to validate a challenge request has not succeeded in $maxAttempts attempts"
return
}
# Update the identifier
"Updating the identifier in 10 seconds..."
Start-Sleep -Milliseconds 10000
$domains.GetEnumerator() | ForEach-Object {
$alias = $_.Key
$result = $identifiers[$alias]
if ( ( $result.Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.Status -eq 'pending' } ) )
{
$result = Update-ACMEIdentifier $alias -VaultProfile $VaultProfile -ChallengeType $ChallengeType
$identifiers[$alias] = $result
if ( ($result.Challenges | Where-Object { $_.Type -eq $ChallengeType -and $_.Status -eq 'invalid' } ) )
{
"The identifier for alias '$alias' is not valid"
return
}
}
}
}
# Now the challenge validation is complete, we can clean up the temporary challenge files or DNS records that were created
$challenges.GetEnumerator() | ForEach-Object {
$alias = $_.Key
$domain = $_.Value
"Cleaning challenge for '$alias'"
$result = Complete-ACMEChallenge $alias -VaultProfile $VaultProfile -ChallengeType $ChallengeType -Handler $ChallengeHandler -HandlerParameters $ChallengeParameters -Clean
if ( ($ChallengeType -eq "http-01") -and ($ChanllengeHandler -eq "manual") -and ! $notIIS )
{
# TODO: Clean up (remove) all the challenge folders created by this script
# Remove-Item -Path "$websiteFolder\$path"
}
}
# "Complete"
# return
<#
This is what an unsubmitted certificate look like
Id : 4a3b194d-6a4c-4ced-8d0b-d1626431b72c
Alias : certwordpressstrongtyping-2016-02-06
Label :
Memo :
IdentifierRef : 25c43cde-999b-4642-93be-d5bf12059458
IdentifierDns : wordpress.strongtyping.com
AlternativeIdentifierDns :
KeyPemFile :
CsrPemFile :
GenerateDetailsFile : 4a3b194d-6a4c-4ced-8d0b-d1626431b72c-gen.json
CertificateRequest :
CrtPemFile :
CrtDerFile :
IssuerSerialNumber :
SerialNumber :
Thumbprint :
Signature :
SignatureAlgorithm :
#>
try
{
$result = Get-ACMECertificate $certalias -VaultProfile $VaultProfile
"A certificate for '$mainalias' already exists with id $($result.Id)"
<# The New-ACMECertificate may have been executed but not submitted. Here's what the output looks like after issuing the 'New' command
Id : 585d3bd3-358f-4dac-9046-4d709c6d40a3
Alias : certwproutecom-2016-02-21-2
Label :
Memo :
IdentifierRef : fcb838e4-8208-4901-a8d2-e25eea965362
IdentifierDns : www.wproute.com
AlternativeIdentifierDns : {www.wproute.co.uk, www.wp-route.com, www.wp-route.co.uk}
KeyPemFile :
CsrPemFile :
GenerateDetailsFile : 585d3bd3-358f-4dac-9046-4d709c6d40a3-gen.json
CertificateRequest :
CrtPemFile :
CrtDerFile :
IssuerSerialNumber :
SerialNumber :
Thumbprint :
Signature :
SignatureAlgorithm :
And here's what it might look like after:
Id : 585d3bd3-358f-4dac-9046-4d709c6d40a3
Alias : certwproutecom-2016-02-21-2
Label :
Memo :
IdentifierRef : fcb838e4-8208-4901-a8d2-e25eea965362
IdentifierDns : www.wproute.com
AlternativeIdentifierDns : {www.wproute.co.uk, www.wp-route.com, www.wp-route.co.uk}
KeyPemFile : 585d3bd3-358f-4dac-9046-4d709c6d40a3-key.pem
CsrPemFile : 585d3bd3-358f-4dac-9046-4d709c6d40a3-csr.pem
GenerateDetailsFile : 585d3bd3-358f-4dac-9046-4d709c6d40a3-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 585d3bd3-358f-4dac-9046-4d709c6d40a3-crt.pem
CrtDerFile : 585d3bd3-358f-4dac-9046-4d709c6d40a3-crt.der
IssuerSerialNumber :
SerialNumber : 016795AE9CA42058B6EA700FB1A159AE48D9
Thumbprint : 338ED04BBFFC3136FD0AAAA0DB7389E63B9FF3C1
Signature : 338ED04BBFFC3136FD0AAAA0DB7389E63B9FF3C1
SignatureAlgorithm : sha256RSA
#>
}
catch
{
# OK, time to create the certificate and submit it
"Creating a new certificate for domain '$maindomain' with alias '$certalias'"
if ( $domains.Count -gt 1 )
{
" With these alternative names:"
" {0}" -f ( ( [array]($domains.GetEnumerator() | Where-Object { $_.Key -ne $mainalias } | ForEach-Object { $_.Value } ) -join "," ) )
}
$new = New-ACMECertificate $mainalias -VaultProfile $VaultProfile -Generate -Alias $certalias -CsrDetails $csrDetails -AlternativeIdentifierRefs ([array]($domains.GetEnumerator() | Where-Object { $_.Key -ne $mainalias } | ForEach-Object { $_.Key } ))
try
{
$error.Clear()
$result = Submit-ACMECertificate $certalias -VaultProfile $VaultProfile
}
catch
{
"!!! Certificate submission failed"
$error
return
}
}
# Check to see if a issuer serial number is available - if so, we are OK
$result = Update-ACMECertificate $certalias -VaultProfile $VaultProfile
$attempts = 0
while ( $result.IssuerSerialNumber -eq $null )
{
$attempts++
if ( $attempts -gt $maxAttempts )
{
"The request to validate a challenge request has not succeeded in $maxAttempts attempts"
return
}
"Updating the certificate in 10 seconds..."
Start-Sleep -Milliseconds 10000
$result = Update-ACMECertificate $certalias -VaultProfile $VaultProfile
}
$thumbprint = $result.ThumbPrint
"The current ACME certificate has id '$($result.Id)' and thumbprint '$thumbprint'"
# Export the certificate so it can be imported into IIS
if ( ! $noCertOverwrite -or ! (Get-ChildItem -Path $filepath) )
{
$result = Get-ACMECertificate $certalias -VaultProfile $VaultProfile -ExportPkcs12 $filepath -Overwrite
}
else
{
$result = Get-PfxCertificate -FilePath $filepath
"noCertOverwrite parameter specified but there is an existing certificate."
if ( $result.ThumbPrint -ne $thumbprint )
{
"Warning: The thumbprint of the ACME certificate ($($result.ThumbPrint))"
"does not match the thumbprint of the existing certificate ($thumbprint)"
$thumbprint = $result.ThumbPrint
}
}
"Certificate exported with thumbprint '$thumbprint'"
if ( -not $keepOldCertificates )
{
"Removing existing certificates with '$maindomain' as the common name"
get-childitem "cert:$certPath" | Where-Object { $_.Subject -eq "CN=$maindomain" } | Remove-Item
}
# Now import the certificate
"Importing to $certPath from $filepath"
$import_result = Import-PfxCertificate -CertStoreLocation "cert:$certPath" -FilePath $filepath -Exportable
$expires = ((Get-Item "Cert:$certpath\$thumbprint").notAfter).ToString("yyyy-MM-dd")
$friendly = "$maindomain $expires ACME"
"Setting friendly name to '$friendly'"
(Get-Item "Cert:$certpath\$thumbprint").FriendlyName = "$friendly"
if ( ! $notIIS )
{
# Update the certificate bindings
$domains.GetEnumerator() | ForEach-Object {
$alias = $_.Key
$domain = $_.Value
"Adding the SSL certificate with thumb print '$thumbprint' for '$domain'"
if ($isFTPS) {
# Set new SSL certificate for FTPS binding
Set-ItemProperty -Path "IIS:\Sites\$webSiteName" -Name ftpServer.security.ssl.serverCertStoreName -Value 'WebHosting'
Set-ItemProperty -Path "IIS:\Sites\$webSiteName" -Name ftpServer.security.ssl.serverCertHash -Value "$thumbprint"
}
else {
# Set new SSL certificate for HTTPS binding
$httpsBinding = Get-WebBinding -Name $webSiteName -Protocol https -Port 443
$httpsBinding.AddSslCertificate("$thumbprint", "WebHosting")
}
}
}
"Done"
}