Certificate problem

[bagu]

Hello,

I'm coming here to finish a question from this forum : https://www.apachelounge.com/viewtopic. ... 8503#38503

As i said on this forum, i have an apache web server with letsencrypt certificate (thanks to mod_md !).
I have set up my two domains to have the same mx pointing to mail.bagu.biz (witch is on the certificate)

But when i replace my cacert certificate by the letsencrypt certificate, everything fail on the client side.
And, there is no error message on hmailserver.

So : Is there something i miss ? Or, is there a difference between cacert certificate and letsencrypt certificate ?

[bagu]

I enable debug and i get this :

"DEBUG" 8232 "2019-09-19 17:47:19.697" "TCP connection started for session 6"
"DEBUG" 8232 "2019-09-19 17:47:19.698" "Performing SSL/TLS handshake for session 6. Verify certificate: False"
"DEBUG" 1900 "2019-09-19 17:47:19.718" "The read operation failed. Bytes transferred: 0 Remote IP: 172.16.0.1, Session: 6, Code: 335856658, Message: sslv3 alert bad certificate"
"DEBUG" 1900 "2019-09-19 17:47:19.718" "Ending session 6"

The certificate work well for the web server...

[Dravion]

In your Debug log its unclear if its a SMTP or IMAP or POP3
Session. Your Client also is trying to negiotate a SSLv3
Session which is unsecure and thats why in newer hMailServer versions SSLv3 support was removed.

As said before.You need two certificates and its corresponding key files. The other Problem is, mod_md
is trying to replace a SSL-Certificate file which was loaded
as the hMailServer Service was started by Windows. Keep in mind that mod_md was developed to renew Apache2
Virtualhost SSL-Certificates on the fly and was not tested
by its Developers to work with hMailServer as well.

Try to restart hMailServer Windows Service manually after
mod_md has renewed your LE SSL-Certificates.

[bagu]

Hello and thanks for your answer.

The problem happen in SMTP and IMAP session.
I use Thunderbird and i don't know why it's trying to negotiate a SSLv3 session.

For mod_md, the certificate is in place since a while.
Maybe i may use a copy of certificate/key instead of the certificate in mod_md folder.

Also, i always restart hmailserver service after changing certificate, so i think it's not the problem.

[Dravion]

In your log, it clearly says "bad certificate".

Thats a Error message rooted in OpenSSL's
Security Library which is used by hMailServer to handle SSL-Stuff. It means it cannot load mod_md's LE renewed
SSL-Certificate because it seens to be corrupt or is formatted in a way OpenSSL doesn't understand.

[bagu]

It's really strange because i use the same certificate for my website and everything appear ok Oo
And https://www.checktls.com/TestReceiver say that everything is ok when i set the LE certificate.

Argh ! :S

[mattg]

Run this and post the results

viewtopic.php?f=20&t=30914

SSLv3.0 is broken and should be depreciated
I don't think that a modern apache server has SSLv3.0 enabled in default settings, I think you need to specifically add it.

If your hMailserver allows SSLv3.0 (which it looks like it does) then the certificate that you have may not like that, and may be too complex to allow SSLv3.0 connections.

I suspect turning SSLv3.0 OFF in hMailserver will solve this for you

[bagu]

Code: Select all

2019-09-20   Hmailserver: 5.7.0-B2429

DOMAINS

   "Domain1.com" - baxx.bix                       Enabled: True
      |- "Alias1.com" - maxx.baxx.bix

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:             7000   Enabled: True    
                   Max message size:    30000   Header:   Relaxed  Plus addressing:  True
                   Max size of accounts: 2000   Body:     Relaxed  Character:           +
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: e:\www\wwwbagubiz\certificats\privatedkimkey.txt
                                                Selector:    mail

   "Domain2.com" - baxx.fr                        Enabled: True
      |- "Alias2.com" - maxx.baxx.fr

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:             4000   Enabled: True    
                   Max message size:    30000   Header:   Relaxed  Plus addressing:  True
                   Max size of accounts: 4000   Body:     Relaxed  Character:           +
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: e:\www\wwwbagufr\certificats\privatedkimkey.txt
                                                Selector:    mail
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 500     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 172.16.0.1 - 172.16.1.255     Priority: 400     Name: Local Network

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


   !!  Warning:  DEFAULT DOMAIN is SET  !! - "Domain1.com"
------------------------------------------------------
AUTOBANNED Local Addresses:
    172.16.0.1           Expires : 25/09/2019 13:40:21

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      2
                              Minutes Before Reset:         1500  (25,00 hours, 1,04 days)
                              Minutes to Autoban:           8760  (146,00 hours, 6,08 days)

There is a total of 192 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
                    127.0.0.1        -   127.0.0.1
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  5 Mins: 30   Plain Text:         True  Bind: 
                     Host: Alias1.com          Empty sender:       True  Batch recipients:    50
Max Msg Size: 30000  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr:  True
                                               Max number commands:   2  Loop limit:           3
                                                                         Recipient hosts:     25
  Routes:
    9bxxxxxxx.fr             - S: Remote  R: Remote - Addr: All         (ok)
    acxxxxxxx.fr             - S: Remote  R: Remote - Addr: All         (ok)
    grxxxxxxxxxxxxxxxxxxxxx.f- S: Remote  R: Remote - Addr: All         (ok)
    loxxxxxxxxxxxxxx.fr      - S: Remote  R: Remote - Addr: All         (ok)
    mdxx.loxxxxxxxxxxxxxx.fr - S: Remote  R: Remote - Addr: All         (ok)
    nexx.fr                  - S: Remote  R: Remote - Addr: All         (ok)
    prxxxxxxx.com            - S: Remote  R: Remote - Addr: All         (ok)
    prxxxxxxx.fr             - S: Remote  R: Remote - Addr: All         (ok)
    prxxxxxxx.orx            - S: Remote  R: Local  - Addr: All         (ok)
    sfx.fr                   - S: Remote  R: Remote - Addr: All         (ok)
    tixxxxx.net              - S: Remote  R: Remote - Addr: Selective   (ok)
    yaxxx.fr                 - S: Remote  R: Remote - Addr: All         (ok)

POP3
 !! Service Not Enabled !!

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 2    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 3    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:        True - 2    Use SA score:        True
              Subject Text: "*****SPAM*****"
  Spam delete threshold: 20         Maximum message size: 4096

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 2     Result: 127.0.0.*
                  psbl.surriel.com      Score: 1     Result: 127.0.0.*
                virbl.dnsbl.bit.nl      Score: 1     Result: 127.0.0.*
            b.barracudacentral.org      Score: 2     Result: 127.0.0.*
                    bl.spamcop.net      Score: 3     Result: 127.0.0.*
                   dnsbl.sorbs.net      Score: 2     Result: 127.0.0.*
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
                   cbl.abuseat.org      Score: 2     Result: 127.0.0.2
                  all.spamrats.com      Score: 2     Result: 127.0.0.38|127.0.0.43

SURBL ENTRIES:
                   multi.surbl.org      Score: 2

GREYLISTING:
  Greylisting:   True       Defer mins: 1       Days Unused: 3      Days Used: 365
                            Bypass SPF: True     Bypass A/MX: False

Greylist WHITELIST ENTRIES:
   IP Address: 127.0.0.1
   IP Address: 88.184.248.22

Greylist DOMAINS enabled:
           Domain1.com
                 |--   Alias1.com
           Domain2.com
                 |--   Alias2.com

WHITELISTING

-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete Attachments.

  Max Message Size: 10000
     CLAM AV:   True       Hostname: 127.0.0.1    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.exe.txt         False text files
               *.inf             Setup file
               *.js              Fichiers javascript
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   Bagu.biz
       Certificate: D:\wamp\apache\md\domains\Domain1.com\pubcert.pem
       Private key: D:\wamp\apache\md\domains\Domain1.com\privkey.pem
   Certificat
       Certificate: D:\Certificats\mail.Domain1.com.crt
       Private key: D:\Certificats\mail.Domain1.com.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :  False
             TLS 1.1 :  False
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:  False
SslCipherList  :

-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: Certificat
               0.0.0.0         / 143   / IMAP   -   StartTLS Optional   Cert: Certificat
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: Certificat
               0.0.0.0         / 587   / SMTP   -   StartTLS Optional   Cert: Certificat
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: Certificat
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  D:\wamp\logs\hmailserver\\hmailserver_2019-09-20.log  - !! NOT PRESENT !!
    Error:    D:\wamp\logs\hmailserver\\ERROR_hmailserver_2019-09-20.log
    Event:    D:\wamp\logs\hmailserver\\hmailserver_events.log - Last Event: 2019/09/20
    Awstats:  D:\wamp\logs\hmailserver\\hmailserver_awstats.log
                        APPLICATION -      .
                        SMTP        -    True
                        POP3        -      .
                        IMAP        -      .
                        TCPIP       -      .
                        DEBUG       -      .
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

Backup directory F:\Sauvegardes\ServeurMail is writable.

Relative message paths are stored in the database for all messages.

There are no error logs in the log directory.
-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  D:\hMailServer\
Database folder: 
Data folder:     D:\hMailServer\Data
Log folder:      D:\wamp\logs\hmailserver\
Temp folder:     X:\Temp
Event folder:    D:\hMailServer\Events\

[Database]
Type=              MYSQL
Username=          hmailserver
PasswordEncryption=1
Port=              3306
Server=            127.0.0.1
Internal=          0

[Settings]
DNSBLChecksAfterMailFrom=1
RewriteEnvelopeFromWhenForwarding=1
DisableAuthList=25
SepSvcLogs=1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.96, Hmailserver Forum.

Here it is, but i never enable sslv3, so i am a little bit disappointed

[palinka]

You have no ciphers? I'm not the expert on ssl/tls, but i do believe *something* has to be listed there.

[bagu]

Oh, i remove them to rewrite them...

Here are my ciphers :

Code: Select all

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM::ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;

I think i will replace it by :

Code: Select all

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

[mattg]

As you are only running TLSv1.2 you could try this

HIGH:!TLSv1:!SSLv3;

It is what I run

[jim.bus]

bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.

Is it possible bagu is running into an unstable part or bug of hMailServer 5.7.0-B2429? An instability or bug that doesn't deal well with SSLv3.0. I also thought Martin said he had to remove SSLv3.0 in order to add TLSv1.3 but I don't know what Build he said he had to do that with.

[bagu]

jim.bus is quite right.

I'm using the Dravion version.

mattg : i will try your cipher Thanks

[bagu]

After some other tests, same prolem happen on v5.6.8 - Build 2451 (BETA) and vhMailServer 5.6.7 - Build 2425 with and without the mattg cipher


P.S. : new post because after a small amount of time, i can't edit my previous post

[palinka]

Have you tried with the default ciphers on any version?

[bagu]

I can't remember the default cipher and it seem there is no way to make it default again (maybe a futur feature ? )

EDIT : ok, the default cipher is :
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;

For archive purpose

RE-EDIT : same result

[palinka]

Have you tried creating a certificate using win-acme? It will export pem format certificates which can be used by both Apache and hmailserver. I created a couple of tutorials for win-acme in the tutorial forum.

[bagu]

I already try it, but it seem it failed to launch :

Code: Select all

 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libbind9.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libbind9.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libbind9.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libbind9.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libbind9.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libdns.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libdns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libdns.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libdns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libdns.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libeay32.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libeay32.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libeay32.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libeay32.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libeay32.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libirs.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libirs.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libirs.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libirs.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libirs.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libisc.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisc.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisc.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libisccc.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccc.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccc.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libisccfg.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccfg.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccfg.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccfg.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccfg.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libns.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libns.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libns.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libxml2.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libxml2.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libxml2.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libxml2.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libxml2.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}

So i'm not sure it really work

[palinka]

wonder if it's possible to have a wildcard certificate for two domains with mod_md.

I ask this because i have an hmailserver installation with only one certificate for *.bagu.fr and *.bagu.biz witch allow me to have smtp.bagu.fr and other things like that without having the need to have these subdomains responding with apache. (dns only)

I have exactly what you need.

https://hmailserver.com/forum/viewtopic ... 21&t=34386

Who is your domain host?

[palinka]

I already try it, but it seem it failed to launch :

Tried what? Win-acme?

[bagu]

Yes, this one : https://pkisharp.github.io/win-acme/

[bagu]

wonder if it's possible to have a wildcard certificate for two domains with mod_md.

I ask this because i have an hmailserver installation with only one certificate for *.bagu.fr and *.bagu.biz witch allow me to have smtp.bagu.fr and other things like that without having the need to have these subdomains responding with apache. (dns only)

I have exactly what you need.

https://hmailserver.com/forum/viewtopic ... 21&t=34386

Who is your domain host?

My mail server answer througt mail.bagu.biz
I just begin to read your post, but i need more time to understand what to download

[palinka]

System requirements
Windows Server 2008 R2 or higher (though Windows 2008 has been reported to work)
.NET Framework version 4.7.2 or higher, which can be downloaded here

Do you have the min .NET?

[bagu]

Yes, but i have a higher version...

I will try to install the 4.7.2 to see if it change something

Oh, i can't : ".NET Framework 4.7.2 ou une mise à jour ultérieure est déjà installé sur cet ordinateur."

[palinka]

Who is your domain host?

My mail server answer througt mail.bagu.biz
I just begin to read your post, but i need more time to understand what to download

I mean who provides your domain hosting? Like godaddy, etc.

[bagu]

Oh, ok...

My registrar is Gandi but my dns provider is cloudflare.
I host my domains myself on the same server than hmailserver with apache. (that's why i use mod_md)

[palinka]

Oh, ok...

My registrar is Gandi but my dns provider is cloudflare.
I host my domains myself on the same server than hmailserver with apache. (that's why i use mod_md)

https://github.com/rmbolger/Posh-ACME/b ... dflare.ps1

If you insist on mod_md, it appears to be possible to do dns validation. Modify the script above to accept whatever parameters are sent by mod_md. Look at my tutorial as an example. That's exactly how i got it to work with win-acme.

[palinka]

mod_md:

Wildcard Certificates
Wildcard certificates are possible with version 2.x of `mod_md``. But they are not straight-forward. Let's Encrypt requires the `dns-01` challenge verification for those. No other is considered good enough.
The difficulty here is that Apache cannot do that on its own. (which is also a security benefit, since corrupting a web server or the communication path to it is the scenario `dns-01` protects against). As the name implies, `dns-01` requires you to show some specific DNS records for your domain that contain some challenge data. So you need to _write_ your domain's DNS records.
If you know how to do that, you can integrated this with `mod_md`. Let's say you have a script for that in `/usr/bin/acme-setup-dns` you configure Apache with:

Code: Select all

MDChallengeDns01 /usr/bin/acme-setup-dns

and Apache will call this script when it needs to setup/teardown a DNS challenge record for a domain.
Assuming you want a certificate for `*.mydomain.com`, mod_md will call:

Code: Select all

/usr/bin/acme-setup-dns setup mydomain.com challenge-data
# this needs to remove all existing DNS TXT records for 
# _acme-challenge.mydomain.com and create a new one with 
# content "challenge-data"

and afterwards it will call

Code: Select all

/usr/bin/acme-setup-dns teardown mydomain.com
# this needs to remove all existing DNS TXT records for 
# _acme-challenge.mydomain.com

Cloudflare.ps1

Code: Select all

param(
	[string]$Task,
	[string]$RecordName,
	[string]$TxtValue
)

#	FILL IN THESE VARIABLES FROM YOUR CLOUDFLARE ACCOUNT
$CFAuthEmail = ''
$CFAuthKey = ''
$CFAuthToken = ''
$CFAuthTokenInsecure = ''

function Add-DnsTxtCloudflare {
    [CmdletBinding(DefaultParameterSetName='Email')]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        [Parameter(Mandatory,Position=1)]
        [string]$TxtValue,
        [Parameter(ParameterSetName='Email',Mandatory,Position=2)]
        [string]$CFAuthEmail,
        [Parameter(ParameterSetName='Email',Mandatory,Position=3)]
        [string]$CFAuthKey,
        [Parameter(ParameterSetName='Bearer',Mandatory,Position=2)]
        [securestring]$CFToken,
        [Parameter(ParameterSetName='BearerInsecure',Mandatory,Position=2)]
        [string]$CFTokenInsecure,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    $apiRoot = 'https://api.cloudflare.com/client/v4/zones'
    $authHeader = Get-CFAuthHeader @PSBoundParameters

    Write-Verbose "Attempting to find hosted zone for $RecordName"
    if (!($zoneID = Find-CFZone $RecordName $authHeader)) {
        throw "Unable to find Cloudflare hosted zone for $RecordName"
    }

    # check for an existing record
    $response = Invoke-RestMethod "$apiRoot/$zoneID/dns_records?type=TXT&name=$RecordName&content=$TxtValue" `
        -Headers $authHeader -ContentType 'application/json' @script:UseBasic

    # add the new TXT record if necessary
    if ($response.result.Count -eq 0) {

        $bodyJson = @{ type="TXT"; name=$RecordName; content=$TxtValue } | ConvertTo-Json
        Write-Verbose "Adding $RecordName with value $TxtValue"
        Invoke-RestMethod "$apiRoot/$zoneID/dns_records" -Method Post -Body $bodyJson `
            -ContentType 'application/json' -Headers $authHeader @script:UseBasic | Out-Null

    } else {
        Write-Debug "Record $RecordName with value $TxtValue already exists. Nothing to do."
    }


    <#
    .SYNOPSIS
        Add a DNS TXT record to Cloudflare.

    .DESCRIPTION
        Use Cloudflare V4 api to add a TXT record to a Cloudflare DNS zone.

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER CFAuthEmail
        The email address of the account used to connect to Cloudflare API

    .PARAMETER CFAuthKey
        The Global API Key associated with the email address entered in the CFAuthEmail parameter.

    .PARAMETER CFAuthToken
        The scoped API Token that has been given read/write permissions to the necessary zones. This SecureString version can only be used from Windows or any OS with PowerShell Core 6.2+.

    .PARAMETER CFAuthTokenInsecure
        The scoped API Token that has been given read/write permissions to the necessary zones. This standard String version may be used with any OS.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.

    .EXAMPLE
        Add-DnsTxtExample '_acme-challenge.site1.example.com' 'asdfqwer12345678' 'admin@example.com' 'xxxxxxxxxxxx'

        Adds a TXT record for the specified site with the specified value.
    #>
}

function Remove-DnsTxtCloudflare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        [Parameter(Mandatory,Position=1)]
        [string]$TxtValue,
        [Parameter(ParameterSetName='Email',Mandatory,Position=2)]
        [string]$CFAuthEmail,
        [Parameter(ParameterSetName='Email',Mandatory,Position=3)]
        [string]$CFAuthKey,
        [Parameter(ParameterSetName='Bearer',Mandatory,Position=2)]
        [securestring]$CFToken,
        [Parameter(ParameterSetName='BearerInsecure',Mandatory,Position=2)]
        [string]$CFTokenInsecure,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    $apiRoot = 'https://api.cloudflare.com/client/v4/zones'
    $authHeader = Get-CFAuthHeader @PSBoundParameters

    Write-Verbose "Attempting to find hosted zone for $RecordName"
    if (!($zoneID = Find-CFZone $RecordName $authHeader)) {
        throw "Unable to find Cloudflare hosted zone for $RecordName"
    }

    # check for an existing record
    $response = Invoke-RestMethod "$apiRoot/$zoneID/dns_records?type=TXT&name=$RecordName&content=$TxtValue" `
        -Headers $authHeader -ContentType 'application/json' @script:UseBasic

    # remove the txt record if it exists
    if ($response.result.Count -gt 0) {

        $recID = $response.result[0].id
        Write-Verbose "Removing $RecordName with value $TxtValue"
        Invoke-RestMethod "$apiRoot/$zoneID/dns_records/$recID" -Method Delete `
            -ContentType 'application/json' -Headers $authHeader @script:UseBasic | Out-Null

    } else {
        Write-Debug "Record $RecordName with value $TxtValue doesn't exist. Nothing to do."
    }


    <#
    .SYNOPSIS
        Remove a DNS TXT record from Cloudflare.

    .DESCRIPTION
        Use Cloudflare V4 api to remove a TXT record to a Cloudflare DNS zone.

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER CFAuthEmail
        The email address of the account used to connect to Cloudflare API.

    .PARAMETER CFAuthKey
        The Global API Key associated with the email address entered in the CFAuthEmail parameter.

    .PARAMETER CFAuthToken
        The scoped API Token that has been given read/write permissions to the necessary zones. This SecureString version can only be used from Windows or any OS with PowerShell Core 6.2+.

    .PARAMETER CFAuthTokenInsecure
        The scoped API Token that has been given read/write permissions to the necessary zones. This standard String version may be used with any OS.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.

    .EXAMPLE
        Remove-DnsTxtExample '_acme-challenge.site1.example.com' 'asdfqwer12345678' 'admin@example.com' 'xxxxxxxxxxxx'

        Removes a TXT record for the specified site with the specified value.
    #>
}

function Save-DnsTxtCloudflare {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )
    <#
    .SYNOPSIS
        Not required.

    .DESCRIPTION
        This provider does not require calling this function to commit changes to DNS records.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.
    #>
}

############################
# Helper Functions
############################

function Get-CFAuthHeader {
    [CmdletBinding(DefaultParameterSetName='Email')]
    param(
        [Parameter(ParameterSetName='Email',Mandatory,Position=0)]
        [string]$CFAuthEmail,
        [Parameter(ParameterSetName='Email',Mandatory,Position=1)]
        [string]$CFAuthKey,
        [Parameter(ParameterSetName='Bearer',Mandatory,Position=0)]
        [securestring]$CFToken,
        [Parameter(ParameterSetName='BearerInsecure',Mandatory,Position=0)]
        [string]$CFTokenInsecure,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraConnectParams
    )

    if ('Email' -eq $PSCmdlet.ParameterSetName) {
        $authHeader = @{
            'X-Auth-Email' = $CFAuthEmail
            'X-Auth-Key'   = $CFAuthKey
        }
    } elseif ('Bearer' -eq $PSCmdlet.ParameterSetName) {
        $CFTokenInsecure = (New-Object PSCredential "user",$CFToken).GetNetworkCredential().Password
        $authHeader = @{
            Authorization = "Bearer $CFTokenInsecure"
        }
    } elseif ('BearerInsecure' -eq $PSCmdlet.ParameterSetName) {
        $authHeader = @{
            Authorization = "Bearer $CFTokenInsecure"
        }
    } else {
        throw "Unable to determine valid auth headers."
    }

    return $authHeader
}

function Find-CFZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        [Parameter(Mandatory,Position=1)]
        [hashtable]$AuthHeader
    )

    # setup a module variable to cache the record to zone mapping
    # so it's quicker to find later
    if (!$script:CFRecordZones) { $script:CFRecordZones = @{} }

    # check for the record in the cache
    if ($script:CFRecordZones.ContainsKey($RecordName)) {
        return $script:CFRecordZones.$RecordName
    }

    $apiRoot = 'https://api.cloudflare.com/client/v4/zones'

    # We need to find the zone ID for the closest/deepest sub-zone that would
    # contain the record.
    $pieces = $RecordName.Split('.')
    for ($i=1; $i -lt ($pieces.Count-1); $i++) {

        $zoneTest = "$( $pieces[$i..($pieces.Count-1)] -join '.' )"
        Write-Debug "Checking $zoneTest"
        $response = Invoke-RestMethod "$apiRoot/?name=$zoneTest" -Headers $AuthHeader @script:UseBasic

        # The response object always contains a "result" array even if empty
        if ($response.result.Count -gt 0) {
            Write-Debug ($response | ConvertTo-Json -Depth 5)
            $zoneID = $response.result[0].id
            $script:CFRecordZones.$RecordName = $zoneID
            return $zoneID
        }
    }

    return $null
}

if ($Task -eq 'setup'){
	Add-DnsTxtCloudflare $RecordName $TxtValue $CFAuthEmail $CFAuthKey $CFAuthToken $CFAuthTokenInsecure
}

if ($Task -eq 'teardown'){
	Remove-DnsTxtCloudflare $RecordName $TxtValue $CFAuthEmail $CFAuthKey $CFAuthToken $CFAuthTokenInsecure
}

Test it by running in powershell:

Code: Select all

PS C:\> C:\path\to\Cloudflare.ps1 setup mydomain.com challenge-data

If it fails, comment out all instances of @script:UseBasic and try again. Also, I haven't really looked at the script - all I did was add the same things I added to my provider's script. CFAuthToken & CFAuthTokenInsecure may actually be generated by the script. So if it doesn't work, try commenting out those variables at the top.

[bagu]

Ok, i give many tries, but nothing work...

So, i read many docs, and here is how i get a working solution :

1. i launch powershell as an admin
2. Install Posh-ACME with this command :

   Code: Select all

   Install-Module -Name Posh-ACME

3. Set the server as a production server (to use a staging server, replace LE_PROD by LE_STAGE) :

   Code: Select all

   Set-PAServer LE_STAGE

4. Ask my certificate with :

   Code: Select all

   New-PACertificate '*.bagu.biz','*.bagu.fr' -AcceptTOS -Contact my@email.biz

5. Then, i go to cloudflare to create the TXT Dns lines
6. Validate the changes by pressing a key on powershell
7. Then, i search my certificate with :

   Code: Select all

   Get-PACertificate | fl

8. Get cert.key as key and fullchain.cer as public certificate

I may try to replace the asking-certificate command by these :

Code: Select all

$pArgs = @{ CFAuthEmail='my@email.biz'; CFAuthKey='mycloudflaresecretpassword' }
New-PACertificate '*.bagu.biz','*.bagu.fr' -AcceptTOS -Contact my@email.biz -DnsPlugin Cloudflare -PluginArgs $pArgs

To avoid the need of stage 4

It look like easier for me, and it work like a charm for the moment (i don't already try to use cloudflare dnsplugin)
If the cloudflare plugin work (i will see that in 55 days), i will say it here and make an task to automate the process.

Thank you everyone

Thank you palinka to show me the Posh-ACME process

[palinka]

Im glad it worked. Try to use the script. It's for automation.

No more errors in hmailserver?

[bagu]

I will try it later, it's late for now

And yes, no more error in hmailserver with this certificate.
So i search why the mod_md certificate don't work...It seem that there is something different...

[mattg]

bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.

jim.bus is quite right.

I'm using the Dravion version.

Dravion's unofficial version is slightly different, for a start it uses a different SSL library that the official hMailserver version

The Alpha build of hMailserver that I am using is 5.7.0-B2486(x64) found here https://build.hmailserver.com/

[jimimaseye]

bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.

jim.bus is quite right.

I'm using the Dravion version.

Dravion's unofficial version is slightly different, for a start it uses a different SSL library that the official hMailserver version

The Alpha build of hMailserver that I am using is 5.7.0-B2486(x64) found here https://build.hmailserver.com/

Note proof that these hybrid clones provided by dravion and others should be called something different to distinguish them from official Hmailserver. People world then know who to best ask. (Martin made this suggestion request but it fell on deaf ears).

[jim.bus]

bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.

jim.bus is quite right.

I'm using the Dravion version.

Dravion's unofficial version is slightly different, for a start it uses a different SSL library that the official hMailserver version

The Alpha build of hMailserver that I am using is 5.7.0-B2486(x64) found here https://build.hmailserver.com/

Note proof that these hybrid clones provided by dravion and others should be called something different to distinguish them from official Hmailserver. People world then know who to best ask. (Martin made this suggestion request but it fell on deaf ears).

I tend to agree there is confusion. If you don't check on what Build someone is asking questions on, you don't know if it is an official version or not. I'm not certain if this is the best way to go but I sort of feel either hMailServer is going to go forward as an existing product with efforts be put into evolving hMailServer or perhaps there should be another branch of the product which isn't confused with hMailServer. Personally I would like to see hMailServer evolve as a product. It has served me well over the years though it could be updated to keep in sync with other evolving products it uses such as MySQL which seems to have dropped 32 bit and isn't producing them anymore and upgrading to TLSv1.3, etc.

Last I heard Martin upgraded to an Alpha or Beta version (whatever you want to call it) but then it seems it has died because I do not hear about much activity (from Martin at any rate) on it though I have only looked occasionally to see if anything was going on. I have some confidence in the official versions of hMailServer regarding being well tested. Personally right now I wouldn't want to go with any of the Builds beyond B2425 as I keep hearing of problems cropping up from people (not the people who are upgrading it but people who actually are seemingly users) who are installing them and then finding problems they post in the official hMailServer Forums looking for solutions. There is an Alpha Discussions Forum but the problems with these Alphas seems to get reported in the General Discussions Forum which I think adds to the confusion.

[bagu]

In my case, the problem occurs on the stable versions, beta and dravion.
So, I do not think it comes from hmailserver, but it comes from the certificate generated by mod_md.

In fact, if I use a certificate other than the one generated by mod_md, everything works fine.

Now, I'm watching Dravion's work carefully because I think it's about creating a cross-platform version of hmailserver, it's really a good idea.
By cons, use another name, although close (if martin is ok) would know that the dravion version is based on hmailserver.

[jim.bus]

In my case, the problem occurs on the stable versions, beta and dravion.
So, I do not think it comes from hmailserver, but it comes from the certificate generated by mod_md.

In fact, if I use a certificate other than the one generated by mod_md, everything works fine.

Now, I'm watching Dravion's work carefully because I think it's about creating a cross-platform version of hmailserver, it's really a good idea.
By cons, use another name, although close (if martin is ok) would know that the dravion version is based on hmailserver.

With regards to cross platform, yes that is a good idea but the concern I have about that is apparently from what I've heard there are more developers who want to do Unix based OS development than Windows. One of the draws for me was that I wanted a Windows based Email Server and hMailServer is one of the few if not only email server that runs on Windows. If hMailServer continued to be just as supported as a Cross Platform version of hMailServer then I would think that would be wonderful but I do not want to see hMailServer die as an obsolete Windows application.

[bagu]

I doubt that this leads to this result if we consider that the builds must remain multi-platform.
Indeed, many developers would like to have a port of hmailserver because it is really within reach of all.
But if the basic idea of porting is that it remains multi-platform, there should be no problem. It depend on the lead or team lead.

[bagu]

I come back to the original problem.
I successfully tested the command with the cloudflare plugin.
On the other hand, the original command seems to set up a profile with all the right parameters.
The command to update all is

Code: Select all

Submit-Renewal -PluginArgs @{CFAuthEmail='my@email.fr'; CFAuthKey='cloudflaresupersecretpassword'}

I will test the order when the period allows me.