I haven't tried Posh-ACME because I know and like Win-Acme. However, I found that Posh-ACME has many PowerShell scripts for different DNS providers and they all have to follow a certain format. All of the scripts contain only functions, which is perfect for easy modification. These scripts are awesome because they already work for many DNS provider APIs. This is also a great way to get certificates without needing a web server for authentication. You only need to add a couple of minor things to make one of them work with Win-Acme, which calls the validation script with the following four arguments, in this order:
{Task} {Identifier} {RecordName} {Token}
{Task} tells your script whether to CREATE or DELETE the validation DNS TXT record (Win-Acme passes it in lower case: create or delete)
{Identifier} is the domain name being validated for the certificate
{RecordName} is the full name of the TXT record to create, e.g. _acme-challenge.example.com
{Token} is the value to put in that TXT record: a unique string derived from the challenge, which the CA looks up to prove you control the domain
Modify the script:
Find your DNS provider's script in the Posh-ACME plugin list and edit it to add the following.
At the top of the file:
param(
    [string]$Task,        # create or delete, passed by Win-Acme as {Task}
    [string]$DomainName,  # {Identifier}
    [string]$RecordName,  # {RecordName}, e.g. _acme-challenge.example.com
    [string]$TxtValue     # {Token}
)
# Dynu API credentials (placeholders; replace with your own)
$DynuClientID = 'blah-blah-blah-blah-f8hdkg63jndh'
$DynuSecret = 'supersecretstringofbafflegarble'
At the bottom of the file:
# Dispatch to the plugin's own functions, which take the arguments positionally
if ($Task -eq 'create') {
    Add-DnsTxtDynu $RecordName $TxtValue $DynuClientID $DynuSecret
}
if ($Task -eq 'delete') {
    Remove-DnsTxtDynu $RecordName $TxtValue $DynuClientID $DynuSecret
}
Additionally, I had to comment out a few instances of the following in the script: @script:UseBasic
Don't ask me why, but it was causing authentication to fail.
To test the script, open PowerShell and run it with the 4 parameters discussed above ({Task} {Identifier} {RecordName} {Token}), then check that the TXT record appears at your provider; run it again with delete to confirm cleanup works.
C:\scripts\lews\wacs\Scripts\Dynu.ps1 create example.com blah.example.com some-message-without-spaces
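The edit above puts the API client ID and secret in clear text inside the script, and it requires re-editing the plugin file (and commenting out the @script:UseBasic splats) every time Posh-ACME updates it. The following wrapper is an added example, not code from the original post, from Win-Acme or from Posh-ACME. It takes the same four arguments Win-Acme passes, checks them, reads the credentials from a DPAPI-protected export created with Get-Credential | Export-Clixml, defines the $script:UseBasic splat the plugin expects the way the Posh-ACME module does, and dot-sources the unmodified plugin. The file name dynu-api.cred.xml, the location of Dynu.ps1 next to the wrapper, and the Posh-ACME 3.x function names Add-DnsTxtDynu/Remove-DnsTxtDynu are assumptions (later Posh-ACME releases renamed the plugin functions, so check the file you downloaded).

```powershell
# Dynu-wacs.ps1: a Win-Acme DNS validation wrapper around the Posh-ACME Dynu plugin.
# Added example, not code from the original post or from either project.
# Assumptions: the unmodified Posh-ACME 3.x Dynu.ps1 (functions Add-DnsTxtDynu and
# Remove-DnsTxtDynu) sits next to this file, and the API credentials were stored
# once, by the same Windows account that runs the Win-Acme scheduled task, with
#   Get-Credential | Export-Clixml -Path "$PSScriptRoot\dynu-api.cred.xml"
# (user name = Dynu client ID, password = Dynu secret). Export-Clixml protects the
# password with DPAPI for that user on that machine, so no secret sits in the script.
param(
    [Parameter(Mandatory)][ValidateSet('create', 'delete')][string]$Task,
    [Parameter(Mandatory)][string]$Identifier,   # {Identifier}: domain being validated
    [Parameter(Mandatory)][string]$RecordName,   # {RecordName}: _acme-challenge.<domain>
    [Parameter(Mandatory)][string]$Token         # {Token}: TXT value the CA expects
)
$ErrorActionPreference = 'Stop'

# Input checks. A wildcard identifier may arrive as *.example.com; the TXT record is
# always placed under the bare domain, so strip the wildcard label before comparing.
$domain = $Identifier -replace '^\*\.', ''
if (-not $RecordName.EndsWith(".$domain", [StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to touch $RecordName, which is not under $domain"
}
# The token is forwarded to the provider API: accept only base64url-style characters.
if ($Token -notmatch '^[A-Za-z0-9_.-]+$') {
    throw 'Token contains unexpected characters'
}

# Load the DPAPI-protected credential (assumed file name).
$cred = Import-Clixml -Path (Join-Path $PSScriptRoot 'dynu-api.cred.xml')
$DynuClientID = $cred.UserName
$DynuSecret   = $cred.GetNetworkCredential().Password

# The plugin splats $script:UseBasic on its Invoke-RestMethod calls. Inside the
# Posh-ACME module that variable is defined by the module; when the plugin is
# dot-sourced here, this script's scope is the script scope it resolves to, so
# define it the way the module does instead of commenting the splats out.
$script:UseBasic = @{}
if ('UseBasicParsing' -in (Get-Command Invoke-RestMethod).Parameters.Keys) {
    $script:UseBasic.UseBasicParsing = $true
}

# Pull in the plugin's functions without editing the plugin file (assumed path).
. (Join-Path $PSScriptRoot 'Dynu.ps1')

# Win-Acme passes the task in lower case; ValidateSet matching is case-insensitive.
switch ($Task) {
    'create' { Add-DnsTxtDynu    $RecordName $Token $DynuClientID $DynuSecret }
    'delete' { Remove-DnsTxtDynu $RecordName $Token $DynuClientID $DynuSecret }
}
```

Point Win-Acme at this wrapper instead of the edited plugin, and test it the same way as above (create, then delete). Because DPAPI ties the exported password to the user and machine, create the .cred.xml while logged on as the account the scheduled task runs under, and restrict both files with icacls to that account and Administrators; anyone who can read the wrapper's directory can otherwise run the task's DNS API privileges themselves.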
Now, download the latest stable Win-Acme: https://github.com/PKISharp/win-acme
Unzip it somewhere, open a command prompt, CD to the win-acme directory and run wacs.exe. A new window will open. The console output below is using v2.0.10.444 of Win-Acme, which (as of today) is the latest stable version.
[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.0.10.444 (RELEASE)
[INFO] IIS not detected
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/PKISharp/win-acme
M: Create new certificate (full options)
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew *all*
O: More options...
Q: Quit
Please choose from the menu:
[INFO] Running in mode: Interactive, Advanced
Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to reflect
the bindings at that time.
1: Manual input
2: Read a CSR created by another program
<Enter>: Abort
How shall we determine the domain(s) to include in the certificate?:
Enter comma-separated list of host names, starting with the common name:
A wildcard does not cover the bare domain, so you MUST list both: enter the domain first and the wildcard as an alternative name, e.g. example.com,*.example.com. If you only enter *.example.com, the certificate will not be valid for example.com itself - it will only work on subdomains. The first entry becomes the common name, and the certificate and its renewal are known by that name.
[INFO] Target generated using plugin Manual: example.com and 1 alternatives
Suggested FriendlyName is '[Manual] example.com', press enter to accept or type an alternative:
Enter anything you want, such as example.com or just hit enter.
The ACME server will need to verify that you are the owner of the domain names
that you are requesting the certificate for. This happens both during initial
setup *and* for every future renewal. There are two main methods of doing so:
answering specific http requests (http-01) or create specific dns records
(dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/PKISharp/win-acme/.
1: [dns-01] Create verification records manually (auto-renew not possible)
2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
3: [dns-01] Create verification records with your own script
<Enter>: Abort
How would you like prove ownership for the domain(s) in the certificate?:
Path to script that creates DNS records:
1: Using the same script
2: Using a different script
3: Do not delete
How to delete records after validation:
{Identifier}: Domain that's being validated
{RecordName}: Full TXT record name
{Token}: Expected value in the TXT record
Input parameters for create script, or enter for default "create {Identifier} {RecordName} {Token}":
Input parameters for delete script, or enter for default "delete {Identifier} {RecordName} {Token}":
After ownership of the domain(s) has been proven, we will create a Certificate
Signing Request (CSR) to obtain the actual certificate. The CSR determines
properties of the certificate like which (type of) key to use. If you are not
sure what to pick here, RSA is the safe default.
1: Elliptic Curve key
2: RSA key
What kind of private key should be used for the certificate?:
When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).
1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: Windows Certificate Store
C: Abort
How would you like to store the certificate?:
Path to folder where .pem files are stored:
1: IIS Central Certificate Store (.pfx per domain)
2: Windows Certificate Store
3: No additional storage steps required
C: Abort
Would you like to store it in another way too?:
With the certificate now saved to the store(s) of your choice, you may choose
one or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.
1: Start external script or program
2: Do not run any (extra) installation steps
Which installation step should run first?:
[INFO] Authorize identifier: example.com
[INFO] Authorizing example.com using dns-01 validation (DnsScript)
[INFO] Script C:\scripts\lews\wacs\Scripts\Dynu.ps1 starting with parameters create example.com _acme-challenge.example.com ltWLguTpuTOlWnvCfscQekM5G8J1M74CgX5NYxxBCqU
[INFO] Script finished
[INFO] Answer should now be available at _acme-challenge.example.com
[EROR] Preliminary validation failed
*** I cut out some of the log - I had a "pre-validation" error related to the way Win-Acme deals with DDNS subdomains.
*** Pre-validation is Win-Acme only and will not affect the ACTUAL Let's Encrypt validation.
[INFO] It looks like validation is going to fail, but we will try now anyway...
[WARN] First chance error calling into ACME server, retrying with new nonce...
[INFO] Authorization result: valid
[INFO] Script C:\scripts\lews\wacs\Scripts\Dynu.ps1 starting with parameters delete example.com _acme-challenge.example.com ltWLguTpuTOlWnvCfscQekM5G8J1M74CgX5NYxxBCqU
[INFO] Script finished
[INFO] Requesting certificate example.com
[INFO] Store with PemFiles...
[INFO] Exporting .pem files to C:\xampp\certificates
[INFO] Installing with None...
[INFO] Scheduled task looks healthy
Do you want to replace the existing task? (y/n*) -
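Win-Acme's preliminary validation is a local DNS lookup, and the log above shows it failing while the CA's own validation still succeeds. What actually decides the outcome is whether the zone's authoritative name servers return the token, since the CA queries those. The following check is an added example, not part of the original post or of Win-Acme: it walks up from the record name to the nearest label that has NS records (a DDNS subdomain delegated to another provider shows up as its own zone), queries each authoritative server directly with Resolve-DnsName, and polls until all of them serve the token or a timeout expires. It assumes the DnsClient module (Windows 8/Server 2012 or later); the record name and token in the usage line are the constructed values from the log above.

```powershell
# Added example: confirm the dns-01 TXT record is visible at the authoritative
# name servers before (or instead of) trusting a client-side pre-validation.
# Not code from the original post or from Win-Acme. Requires Resolve-DnsName
# (DnsClient module, Windows 8 / Server 2012 and later).

function Get-AuthoritativeZone {
    # Walk up the labels until one has NS records; that label is the zone that
    # actually serves the record, even when it is a delegated DDNS subdomain.
    param([Parameter(Mandatory)][string]$Name)
    $labels = $Name.TrimEnd('.').Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $zone = $labels[$i..($labels.Count - 1)] -join '.'
        $ns = Resolve-DnsName -Name $zone -Type NS -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'NS' }
        if ($ns) {
            return [pscustomobject]@{ Zone = $zone; NameServers = @($ns.NameHost) }
        }
    }
    throw "No NS records found for $Name or any of its parents"
}

function Test-AcmeChallengeRecord {
    # Returns $true once every authoritative server returns a TXT record equal to
    # $Token for $RecordName, $false if that has not happened by the deadline.
    param(
        [Parameter(Mandatory)][string]$RecordName,
        [Parameter(Mandatory)][string]$Token,
        [int]$TimeoutSeconds = 120,
        [int]$IntervalSeconds = 10
    )
    $zone = Get-AuthoritativeZone -Name $RecordName
    Write-Verbose "Zone $($zone.Zone) is served by $($zone.NameServers -join ', ')"
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $results = foreach ($ns in $zone.NameServers) {
            # Ask the authoritative server directly so no resolver cache is involved.
            $txt = Resolve-DnsName -Name $RecordName -Type TXT -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'TXT' }
            # A TXT record's Strings property holds its character strings; an ACME
            # token (43 base64url characters) always fits in a single one.
            $values = @($txt | ForEach-Object { $_.Strings })
            [pscustomobject]@{ NameServer = $ns; Found = ($values -contains $Token) }
        }
        $missing = @($results | Where-Object { -not $_.Found })
        if ($missing.Count -eq 0) { return $true }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    foreach ($m in $missing) {
        Write-Warning "$($m.NameServer) does not serve the expected TXT value for $RecordName"
    }
    return $false
}

# Usage with the (constructed) values from the log above; call this after the
# create step, e.g. at the end of the DNS script, and only proceed on $true.
Test-AcmeChallengeRecord -RecordName '_acme-challenge.example.com' `
    -Token 'ltWLguTpuTOlWnvCfscQekM5G8J1M74CgX5NYxxBCqU' -Verbose
```

If this returns $true and Win-Acme still reports "Preliminary validation failed", the failure is in the client's local lookup and the CA's validation is expected to pass, as it did above. If it returns $false and lists a name server, the record never reached that server: usually an API call that wrote to the wrong zone, or a secondary that has not yet transferred the zone.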
[INFO] Adding renewal for example.com
[INFO] Next renewal scheduled at 2019/11/14 10:35:58
M: Create new certificate (full options)
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew *all*
O: More options...
Q: Quit
Please choose from the menu: