Update!
The old method doesn't seem to work anymore.
Here is the new way to get this working:
First, follow this on Cloudflare:
- In the API Tokens section, click Create Token
- Give it a name such as 'DNS edit all zones'
- Add the following permissions:
  - Zone - DNS - Edit
  - Zone - Zone - Read
- Set the following Zone Resources:
- Click Continue to summary
- Click Create Token
- This is your token. Copy it for later because it can't be retrieved after leaving this page. You must generate a new value if you forget the old one.
From:
https://github.com/rmbolger/Posh-ACME/b ... -Readme.md
Then, the next steps are quite the same:
- Launch PowerShell as an admin
- Remove restrictions with:
- Install Posh-ACME with this command:
If you wish to update Posh-ACME, type:
- Set the server as a production server (to use a staging server, replace LE_PROD with LE_STAGE):
- Set the Cloudflare params with:
Code:
$pArgs = @{ CFTokenInsecure = 'Poshedit-token' }
$pArgs.CFTokenReadAllInsecure = 'Poshread-token'
Replace Poshedit-token and Poshread-token with your tokens.
- Ask for a new certificate with:
Code:
New-PACertificate 'site1.fr','site2.fr','*.site1.fr','*.site2.fr' -AcceptTOS -Contact yourcloudflare@email.fr -DnsPlugin Cloudflare -PluginArgs $pArgs -Verbose
- Follow the on-screen instructions in PowerShell
- Then, search for your certificate with:
- Take cert.key as the key and fullchain.cer as the public certificate and insert them in hMailServer
To refresh your certificate, you can use this batch (and launch it from a scheduled task):
%localappdata%\Posh-ACME\acme-v02.api.letsencrypt.org\IdOfYourPosh-ACMEDirectory\!NameOfCertPath: get this path from the Get-PACertificate | fl command
Replace Poshedit-token and Poshread-token with your tokens.
Replace PathToYourCertificates with the certificate folder from which hMailServer picks up your certificate.
Code:
<# : Begin batch (the batch part sits inside a PowerShell comment block, PowerShell v2.0+)
@echo off
: Use local variables
setlocal
: Change current directory to the script location (/d also switches drive) - useful for including .ps1 files
cd /d "%~dp0"
: Invoke this file as a PowerShell expression (runs the PowerShell part below the #> marker first, so renewal happens before the copy)
powershell -executionpolicy remotesigned -Command "Invoke-Expression $([System.IO.File]::ReadAllText('%~f0'))"
: Copy the renewed certificate files to hMailServer and restart the service
: Paths are quoted because %localappdata% may contain spaces (C:\Users\First Last\...)
set "orgpath=%localappdata%\Posh-ACME\acme-v02.api.letsencrypt.org\IdOfYourPosh-ACMEDirectory\!NameOfCertPath"
set "destpath=C:\PathToYourCertificates"
net stop hmailserver
robocopy "%orgpath%" "%destpath%" *.pfx *.cer *.key /is
certutil -addstore -f "My" "%destpath%\chain.cer"
net start hmailserver
timeout 60
: Restore environment variables present before setlocal and restore the current directory
endlocal
: End batch - go to end of file so cmd never reads the PowerShell part
goto:eof
#>
# here starts your PowerShell script
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
# Update Posh-ACME
Update-Module -Name Posh-ACME
# Update certificates
# Note: CFTokenInsecure keeps the API tokens in plaintext inside this file, so restrict who can read it (NTFS ACL)
$pArgs = @{ CFTokenInsecure = 'Poshedit-token' }
$pArgs.CFTokenReadAllInsecure = 'Poshread-token'
Submit-Renewal -PluginArgs $pArgs -Verbose
Hope it can help.
If you have any ideas, you're welcome to share them.
The batch can be used to update the certificate for Apache.
I also use the mailsend command to send a notification when the certificate is renewed.
You must set site1.fr AND *.site1.fr to avoid some weird problems on Apache, for example ("server certificate does NOT include an ID which matches the server name").
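As an added example (not part of the original post and not Posh-ACME's own code), here is a pure PowerShell version of the same renewal job: it keeps the Cloudflare token DPAPI-encrypted on disk and passes it through the plugin's SecureString CFToken parameter instead of CFTokenInsecure, takes the key and full-chain paths from Get-PACertificate instead of a hard-coded directory id, and restarts hMailServer only when Submit-Renewal actually produced a new certificate. It assumes Posh-ACME 4.x; the parameter defaults (MainDomain, DestPath, TokenFile, ServiceName) are placeholders to adjust.

```powershell
# renew-hmailserver-cert.ps1 (added example; assumes Posh-ACME 4.x with the Cloudflare plugin)
# Run under the same Windows account that created the order: the DPAPI-protected token file is bound to that user.
param(
    [string]$MainDomain  = 'site1.fr',                                     # assumption: first name passed to New-PACertificate
    [string]$DestPath    = 'C:\PathToYourCertificates',                    # placeholder: folder hMailServer reads its certificate from
    [string]$TokenFile   = "$env:LOCALAPPDATA\Posh-ACME\cf-edit-token.txt", # assumption: where the encrypted token is kept
    [string]$ServiceName = 'hMailServer'                                   # assumption: service name of hMailServer
)
$ErrorActionPreference = 'Stop'
Import-Module Posh-ACME

# One-time setup: store the Cloudflare token encrypted with DPAPI rather than in plaintext in the script.
if (-not (Test-Path -LiteralPath $TokenFile)) {
    Read-Host -Prompt 'Cloudflare API token (Zone:DNS:Edit + Zone:Zone:Read)' -AsSecureString |
        ConvertFrom-SecureString | Set-Content -LiteralPath $TokenFile
}
$token = Get-Content -LiteralPath $TokenFile | ConvertTo-SecureString

# CFToken is the SecureString counterpart of the CFTokenInsecure parameter used in the post.
$pArgs = @{ CFToken = $token }

Set-PAServer LE_PROD
Set-PAOrder -MainDomain $MainDomain   # select the order to renew

# Submit-Renewal outputs a certificate object only when a renewal actually happened
# (it skips orders that are not yet due), so the service is restarted only on real renewals.
$renewed = Submit-Renewal -PluginArgs $pArgs
if (-not $renewed) {
    Write-Host 'Certificate not yet due for renewal; nothing to do.'
    return
}

$cert = Get-PACertificate
Write-Host "Renewed: $($cert.Subject) valid until $($cert.NotAfter)"

# Copy the two files hMailServer needs; paths are quoted by the cmdlets, so spaces in the profile dir are fine.
Copy-Item -LiteralPath $cert.KeyFile       -Destination (Join-Path $DestPath 'cert.key')      -Force
Copy-Item -LiteralPath $cert.FullChainFile -Destination (Join-Path $DestPath 'fullchain.cer') -Force

Restart-Service -Name $ServiceName
```

Schedule it with a daily task running as the account that created the order; the first interactive run prompts for the token once and every later run is non-interactive.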