posh-acme.deploy's People

Contributors

amorrowbellarmine, fthobe, markpizz, nemchik, pieter-lazzaro, rmbolger

posh-acme.deploy's Issues

Set RDP Session Host Certificate (enhancement / feature request)

Enhancement Request

posh-acme.Deploy covers a wide array of services, but the RDP listener has always been left out.
Given that the RDP Listener is the service providing administration via GUI, an implementation seems reasonable.

Current Microsoft Documentation for retrieving correct cert and setting it

The current documentation does not provide scriptable access to the parameters that are needed to set a local cert for a certificate while they do exist. The documented procedure is to manually recover the thumbprint to subsequently set the certificate.

Retrieving the correct certificate

The following script provides the Thumbprint of the certificate created by posh-acme in the personal store:

# Get certificate thumbprint
$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "XXXXXXX"}).Thumbprint;
Write-Host -Object "My thumbprint is: $Thumbprint";

# Replace with your certificate thumbprint
$thumbprint = "YOUR_CERT_THUMBPRINT"

# Escape the thumbprint for wmic
$escapedThumbprint = $thumbprint -replace "([a-fA-F0-9]{2})(?!$)",'$1 '

The following code sets the certificate with the defined thumbprint as the certificate for the RDP listener:

# Set the certificate for the RDP listener
$cmd = "wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting WHERE (__CLASS = 'Win32_TSGeneralSetting') CALL SetCertificate Thumbprint='$escapedThumbprint'"
Invoke-Expression $cmd

The following code restarts the service:

# Restart the Remote Desktop Services to apply changes
Restart-Service -Name TermService -Force

Set-IISCertificate - RequireSNI Switch Refactor

Greetings,

I've been working with both Posh-ACME modules recently on a project. One thing I noticed is the below (on Windows Server 2019).

From my review of the function, it appears that it's making the assumption that the only thing the sslFlags int is used for is SNI, but I don't think this is true. From my own testing, I think it's a set of boolean values which is then formatted into an integer. See below screenshot, I think it gives the general idea.

image

Say you had an existing site binding with all three checkboxes selected - you'd get a value of decimal 13 (8+4+1). Then say you ran the function. If my reading of the function is correct, the combination of the logic on lines 53, 54, 70, (and maybe?) 158 would break your configuration and only leave the SNI option selected (or deselected), and all other options would become disabled.

I haven't explicitly tested this (yet) but came across it in my review as I build out my own project. I think a much better way to handle this would be some kind of handling with a boolean such as:

[boolean]$SNI = ((Get-WebBinding -Name $SiteName -Protocol 'https' | Where-Object {$_.bindingInformation -eq $bindMatch}).sslFlags -band 1)

Then of course, you'd have to refactor the function so that this new way of processing the RequireSNI switch is handled correctly, and not overwrite any other sslFlags. The point is, the input given by the user of the function is not always the same as the output/result of what the function does.
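The flag-preserving update this issue asks for, as an added example that is not code from Posh-ACME.Deploy. The function names `ConvertFrom-SslFlags` and `Get-MergedSslFlags` and the sample values are assumptions made for illustration; only bit 1 (SNI) is changed and every other bit of the existing value is carried over.

```powershell
# Added example (not Posh-ACME.Deploy code): change only the SNI bit of sslFlags.
# Bit meanings follow Microsoft.Web.Administration.SslFlags; values above 8 exist
# on newer Windows releases and pass through the merge untouched.
$SslFlagNames = @{ 1 = 'Sni'; 2 = 'CentralCertStore'; 4 = 'DisableHTTP2'; 8 = 'DisableOCSPStp' }

function ConvertFrom-SslFlags {
    # Decode an sslFlags integer into readable names for logging and diffing.
    param([Parameter(Mandatory)][int]$Flags)
    $names = @(foreach ($bit in ($SslFlagNames.Keys | Sort-Object)) {
        if ($Flags -band $bit) { $SslFlagNames[$bit] }
    })
    # Report bits this table does not name instead of silently dropping them.
    $unknown = $Flags -band (-bnot 15)
    if ($unknown) { $names += ('0x{0:X}' -f $unknown) }
    if ($names.Count) { $names -join ',' } else { 'None' }
}

function Get-MergedSslFlags {
    # Set or clear bit 1 (SNI) and keep every other bit of the existing value.
    param(
        [Parameter(Mandatory)][int]$Existing,
        [Parameter(Mandatory)][bool]$RequireSNI
    )
    if ($RequireSNI) { $Existing -bor 1 } else { $Existing -band (-bnot 1) }
}

# Constructed sample values; 13 is the 8+4+1 case from the issue text.
foreach ($existing in 0, 1, 12, 13) {
    foreach ($requireSni in $true, $false) {
        # Overwrite behaviour as the issue describes it: the value becomes 1 or 0.
        $naive  = [int]$requireSni
        $merged = Get-MergedSslFlags -Existing $existing -RequireSNI $requireSni
        [pscustomobject]@{
            Existing   = '{0} ({1})' -f $existing, (ConvertFrom-SslFlags -Flags $existing)
            RequireSNI = $requireSni
            Overwrite  = '{0} ({1})' -f $naive, (ConvertFrom-SslFlags -Flags $naive)
            Merged     = '{0} ({1})' -f $merged, (ConvertFrom-SslFlags -Flags $merged)
        }
    }
}
```

On a live server the existing value would come from the binding's `sslFlags` property, read as in the `Get-WebBinding` line above.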

Allow for multiple policies and/or wildcards with Set-NPSCertificate

It seems trivial enough to modify the XPath selector to support either wildcard strings or search for multiple policies. In our environment we have a lot of policies and it is much easier to select all of them (since they all use the same cert). As of right now I am just getting all policies using similar code to what is already in Set-NPSCertificate and running each through it.

$cert = Submit-Renewal oursite.tld
if ($cert) {
    # https://github.com/rmbolger/Posh-ACME.Deploy/blob/main/Posh-ACME.Deploy/Public/Set-NPSCertificate.ps1
    ([xml](Get-Content ([Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\ias\ias.xml')))).SelectSingleNode("//RadiusProfiles//*").ChildNodes.name | % {
        Set-NPSCertificate $cert.Thumbprint -PolicyName $_ -RemoveOldCert
    }
}

IIS Binding Help

This is just a general question: using Posh-ACME.Deploy, how would you approach writing a script to automate the process of adding a new binding to an IIS site? We would then proceed with requesting the SSL cert from Let's Encrypt, then binding the cert to the new hostname.

Guide for Exchange

Hello, would it be possible to have some kind of guide to install a certificate with Posh-Acme and Posh-Acme.Deploy on an Exchange server? Like for example some command line that would allow us to do it ourselves?

WSMAN RDP

Love the idea of deploy module.

I use this for RDP (not RDS server) and WSMAN

$cert = Submit-Renewal
if ($cert) {
    Set-WSManInstance -ResourceUri winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{CertificateThumbprint=$cert.ThumbPrint}
    Set-CimInstance -Namespace "root\cimv2\TerminalServices" -Query "SELECT * FROM Win32_TSGeneralSetting WHERE TerminalName = 'RDP-Tcp'" -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
}

Any interest in this?

Edit: I think RDP is the same as RDSH

Trying to fix "The WebAdministration module is required to use this function" on Server 2016

Hello there,

I've been trying to get this working for a while. I usually give up after renewing my domains and wait until expiration is going to happen again to try something else. I know, my fault, I should probably spin up a 2016 VM and try on POSH-ACME test environment, but before that, I want to get some guidance from the actual repo admins for some directions I can take.

But this is what I get when renewing via Powershell command line with this command:

Submit-Renewal -MainDomain 'api.example.com' -Verbose | Set-IISCertificate -SiteName "api.example.com" -HostHeader "api.example.com" -RemoveOldCert -Verbose

Exception: C:\Users\Administrator\Documents\PowerShell\Modules\Posh-ACME.Deploy\1.3.0\Public\Set-IISCertificate.ps1:23
Line |
  23 |              throw "The WebAdministration module is required to use th …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The WebAdministration module is required to use this function.

The certificate renews just fine after DNS propagation wait.

I've already installed IIS Server and all IIS Management Tools roles and rebooted the server.

I've done this command "Get-WindowsOptionalFeature -Online -FeatureName IIS-ManagementScriptingTools" I've read should be done.

I'm at a loss and just don't know where to turn to next. I'm not a Powershell guru either. I really want my scripts automated for certificate renewals and I'm getting frustrated. By comparison (and to vent frustration), I've set up a handful of LAMP servers and set up Let's Encrypt automatic renewals with easier configuration :)

Thanks in advance.

Set-IISCertificate Shall Update Existing Binding on Port 443 Instead of Creating A New One

After running Set-IISCertificate on a test server, I found that a new binding without SNI is created. This is a little annoying as SNI is needed for servers running multiple SSL sites. I think that Posh-ACME.Deploy shall update binding with SNI first if one exists.

Binding on 443 without SNI

Besides, is it possible to delete out-dated certificate at the same time? As the certificates are sharing the same certificate holder name, manually updating certificates is a pain. I have to check out certificates' properties to figure out which one is the newest one.

Which is which...

Executing remote commands using Invoke-Command or Enter-PSSession produces errors

Here is a use case where one server is renewing a wildcard certificate with Let's Encrypt but that certificate has to be redeployed quarterly to many other servers.

Posh-ACME.Deploy is installed on multiple servers using:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module PowerShellGet -RequiredVersion 2.2.4 -SkipPublisherCheck -Force
iex (irm https://raw.githubusercontent.com/rmbolger/Posh-ACME.Deploy/main/instdev.ps1)

One SERVER maintains the PAOrder and exports renewed certificate to PFX file:

$domainName = 'mydomain.com'
Set-PAOrder $domainName
if ($cert = Submit-Renewal) {
    $cert | Set-IISCertificate -SiteName 'Default Web Site' -RemoveOldCert
    $certPath = 'cert:\localMachine\my\' + $cert.Thumbprint
    $mypwd = ConvertTo-SecureString -String 'p@ssWord' -Force -AsPlainText
    Get-ChildItem -Path $certPath | Export-PfxCertificate -FilePath \\SERVER\share\certpfx.pfx -Password $mypwd -Force
}

Another server (WEBSERVER) is to import PFX certificate and Set-IISCertificate:

$remoteCommands = {
    $mypwd = ConvertTo-SecureString -String 'p@ssWord' -Force -AsPlainText
    Set-IISCertificate -PfxFile '\\SERVER\share\certpfx.pfx' -PfxPass $mypwd -SiteName 'Default Web Site' -Port 443 -RemoveOldCert
}
Invoke-Command -ComputerName WEBSERVER -ScriptBlock $remoteCommands

Produces this error:

image

However, no error when commands are executed locally on WEBSERVER in PowerShell console:

Example:

$mypwd = ConvertTo-SecureString -String 'p@ssWord' -Force -AsPlainText
Set-IISCertificate -PfxFile '\\SERVER\share\certpfx.pfx' -PfxPass $mypwd -SiteName 'Default Web Site' -Port 443 -RemoveOldCert

image

Set-IISCertificate issue with multiple sites, Server Name Identification (SNI)

Hello again. I finally was able to get Posh-ACME and Posh-ACME.Deploy installed on my Windows Server 2016 VM to do some testing. This was after Let's Encrypt emailed me that I need to re-issue renewals for all my certificates, well before their expiration and with only a 2 days notice before they revoke them themselves. Thankfully I'm not on vacation off the grid... makes me wonder how to tackle this automatically in the future. If anyone has ideas.

So, I was able to reproduce an issue I've been having on my production server, but running in LE_STAGE for Posh-ACME. Here below are the steps to re-create.

Note: I'm starting from complete scratch here, so someone can try this on their own VM easily.
Note 2: Using PowerShell 5.1

I was getting errors installing modules, so found solution to enable TLS 1.2 and set the default repository with the two below commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Register-PSRepository -Default

  • Install Posh-ACME: Install-Module -Name Posh-ACME
  • Install Posh-ACME.Deploy: Install-Module -Name Posh-ACME.Deploy
  • Set POSH-ACME to Staging so we can renew as frequent as we need: Set-PAServer LE_STAGE
  • Using Route53 here, so setup that information for the new certificate creation:

$awsSecret=ConvertTo-SecureString "your_aws_secret_string" -asplaintext -force

$r53Params = @{R53AccessKey='your_aws_access_key';R53SecretKey=$awsSecret}

  • This issue is found with multiple sites, so create all your new certificates:

New-PACertificate stagetest1.example.com -Contact [email protected] -DnsPlugin Route53 -PluginArgs $r53Params -AcceptTOS -Verbose

New-PACertificate stagetest2.example.com -Contact [email protected] -DnsPlugin Route53 -PluginArgs $r53Params -AcceptTOS -Verbose

New-PACertificate stagetest3.example.com -Contact [email protected] -DnsPlugin Route53 -PluginArgs $r53Params -AcceptTOS -Verbose

  • In IIS, import your new certificates to the server
  • In IIS, create 3 separate sites, all using HTTPS binding and each site using its respective certificate
  • While creating each site, make sure to check Require Server Name Identification and fill in the hostname, ex: stagetest1.example.com

To review: At this point, you should have Posh-ACME running in LE_STAGE, 3 new certificates created and imported into IIS, and 3 new IIS sites created, configured for HTTPS and each site bound to their respective certificate, and finally, SNI enabled with correct hostname filled.

At this point, this should run fine for providing SSL/HTTPS to your clients.

Now, the inevitable renewal issue.

  • Create 3 new PowerShell scripts somewhere like C:\Temp named renew-set-iis-stagetest1.ps1 with the below. Make sure to create the other 2 as well for those renewals and change the MainDomain, SiteName and HostHeader.

if ($cert = Submit-Renewal -MainDomain "stagetest1.example.com" -Verbose -Force) {
    $cert | Set-IISCertificate -SiteName "stagetest1.example.com" -HostHeader "stagetest1.example.com" -RemoveOldCert -Verbose
}

  • Let's issue a renewal via the script that will then set IIS certificate on success (goal is to have this script run on a scheduled task)
  • In PowerShell CD to the directory where the scripts are saved and run the stagetest1 script: .\renew-set-iis-stagetest1.ps1
  • Let the script renew and then attempt to set the certificate for that particular site

Once finished, go to the IIS management console and go to the HTTPS binding for stagetest1.example.com. You will see that the certificate for that binding has been updated to use the new certificate, but SNI has been un-checked.

  • Now, run the 2nd script: .\renew-set-iis-stagetest2.ps1

Refresh your view in IIS management and go to the HTTPS binding for stagetest1.example.com. You will see that site is now using the new certificate for stagetest2.example.com, because SNI was un-checked from the previous script. The stagetest2.example.com site HTTPS binding is using the new certificate as well, but SNI is now un-checked for that site.

  • Now, run the 3rd script: .\renew-set-iis-stagetest3.ps1

Refresh your view in IIS again and go to each site's HTTPS binding: every site is now using the stagetest3.example.com certificate, and every site also has SNI disabled.

I've also noticed that sometimes the old certificate is not removed as well. Most of the time it isn't removed, but noticed one time the old cert was removed from IIS. Separate issue, but related. Maybe because IIS is still using the other certificates because of this issue.

Consider task creation

This could also be cron on linux

Currently I do this

$poshACMEPath="C:\Posh-ACME"
$scriptFileName = "$poshACMEPath\renew-cert.ps1"
$script = 
'
$env:POSHACME_HOME = "'
$script += $poshACMEPath
$script +=
'"
$cert = Submit-Renewal
if ($cert) {
    Set-WSManInstance -ResourceUri winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{CertificateThumbprint=$cert.ThumbPrint}
    Set-CimInstance -Namespace "root\cimv2\TerminalServices" -Query "SELECT * FROM Win32_TSGeneralSetting WHERE TerminalName = ''RDP-Tcp''" -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
}
'
$script | Out-File -FilePath $scriptFileName -Force

$argument = '-NoProfile -WindowStyle Hidden -File ' + "$scriptFileName"

Unregister-ScheduledTask -TaskName "Renew Certificate" -Confirm:$false
$action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
    -Argument $argument
$trigger =  New-ScheduledTaskTrigger -Daily -At 9am
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Renew Certificate" -Description "Renew Certificate" -User System

It might be worth considering some kind of design where Submit-Renewal can create a set of deployment tasks.

That's maybe getting a bit ahead of the game but thought I'd mention it early in case it might affect the template of a deployment command.

Set-IISCertificate doesn't work with Site names that have some uncommon characters.

Considering how your code uses the M$ Sites lookup, this isn't really your issue, but I DID want to give you a heads up of a FUN FUN FUN bug in the IIS powershell cmds. If you have a site name that contains a funny character like "[ ]" or "*", IIS 7 on Windows 2019 with Powershell 5 will find NOTHING. Not an error, mind you, like you'd get if you sent in an invalid site name, just a blank site. You just get no response and this logic rightly trips.

Cribbed from https://www.powershellgallery.com/packages/Posh-ACME.Deploy/1.0.0/Content/Public%5CSet-IISCertificate.ps1

# verify the site exists
$sitePath = "IIS:\Sites\$SiteName" # Returns an empty value if the SiteName contains a [] or * from my testing
if (!($site = Get-Item $sitePath -EA SilentlyContinue)) {
    throw "Site $SiteName not found."
}

Not that IIS stops you from naming your sites that way.

Oh, and if you try to be clever and rename your sites, be sure to Reset-IISServerManager to get it to pick up the name changes.

Installing cert on IIS -> getting error: A specified logon session does not exist. It may already have been terminated

Hello @rmbolger,
it is me again :), I asked a question the other day related to Posh.Acme project..

I've been successfully issuing certificates using our ACME server implementation with Posh-ACME client.
Now I am trying to install certs to IIS with Posh-ACME.Deploy. I am getting this error.

`PS C:\WINDOWS\system32>> New-PACertificate -Domain acme.sec.cezd.corp -CertKeyLength 2048 -Subject 'CN=acme' -Install -force -verbose | Set-IISCertificate -SiteName 'acme' -Verbose -Port 443 -Debug -HostHeader acme.sec.cezd.corp -RequireSNI
VERBOSE: Updating directory info from https://acme.sec.cezd.corp/acme-server
VERBOSE: Using ACME Server https://acme.sec.cezd.corp/acme-server
VERBOSE: Using account TestovaciUcet
VERBOSE: Order name not specified, using 'acme.sec.cezd.corp'
VERBOSE: Creating a new order 'acme.sec.cezd.corp' for acme.sec.cezd.corp
VERBOSE: Removing old private key
VERBOSE: Finalizing the order.
VERBOSE: Creating new certificate request with key length 2048.
VERBOSE: Creating new private key for the certificate request.
VERBOSE: Downloading signed certificate
VERBOSE: Updating cert expiration and renewal window
VERBOSE: Successfully created certificate.
VERBOSE: Importing CN=acme certificate to LocalMachine\My.
VERBOSE: Adding chain cert 'CN=acme' with thumbprint BC43FC2E50C9DEA43A3650C4C3E6EED9CBF74356 to LocalMachine\CA store.
VERBOSE: IIS Binding already exists for *:443:acme.sec.cezd.corp
VERBOSE: Checking SSL binding !443!acme.sec.cezd.corp
VERBOSE: Removing old thumbprint from !443!acme.sec.cezd.corp SSL binding
VERBOSE: Adding certificate thumbprint BC43FC2E50C9DEA43A3650C4C3E6EED9CBF74356
WARNING: Binding host name 'acme.sec.cezd.corp' is not equals to certificate subject name 'acme'. Client may not be able to connect to the site using HTTPS protocol.

Confirm
A specified logon session does not exist. It may already have been terminated
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): y
Set-IISCertificate : A specified logon session does not exist. It may already have been terminated
At line:1 char:113 ..
. -verbose | Set-IISCertificate -SiteName 'acme' -Verbose -Port 443 -D ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Set-IISCertificate], Win32Exception
FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Set-IISCertificate`

Actually, I get this error even if I try to do it manually. Select issued cert in IIS bindings console.

image

I should have proper rights to do so.
I am able to select other certs and configure binding with certs I issued in the past (not using Posh Acme)

Please, do you have any idea what can be wrong?

Thank you a lot for your time and response.

RDS Certificate needs NETWORK SERVICE permissions

I just spent a ton of time diagnosing a RDS connection error on our RDS farm

https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations

I am not using your script but it might be relevant.

Probably need to add to the script to set network service permissions on the private key of the RDS certificate in MachineKeys

this is one way

icacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" /grant "NETWORK SERVICE":R

But it sets it for all certs. Maybe there is a way to get the filename of the private key when the cert is installed and only apply it to that file.
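One way to scope the grant to a single certificate, as an added example that is not part of the original post or of Posh-ACME.Deploy. The function names `Get-MachineKeyFilePath` and `Grant-PrivateKeyRead` are hypothetical, and the code assumes an RSA key stored by a software provider on the local machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not Posh-ACME.Deploy code): grant read access on ONE certificate's
# private key file instead of on everything under MachineKeys.

function Get-MachineKeyFilePath {
    # Resolve the on-disk key file that backs a LocalMachine certificate.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key on this machine."
    }
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $key) {
        throw "Certificate $($Certificate.Thumbprint) does not have an RSA key."
    }

    # The unique name is the file name of the key container.
    $fileName =
        if ($key -is [System.Security.Cryptography.RSACng]) {
            $key.Key.UniqueName
        } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $key.CspKeyContainerInfo.UniqueKeyContainerName
        } else {
            throw "Unsupported key type $($key.GetType().FullName)."
        }

    # Legacy CSP keys and CNG keys are kept in different directories.
    $directories = @(
        Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    )
    foreach ($dir in $directories) {
        $path = Join-Path $dir $fileName
        if (Test-Path -LiteralPath $path) { return $path }
    }
    throw "Key file '$fileName' not found; the key may live in a smart card or TPM provider."
}

function Grant-PrivateKeyRead {
    # Add a read-only allow ACE for one account on one key file; returns the file path.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
    )
    $cert    = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $keyFile = Get-MachineKeyFilePath -Certificate $cert

    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
    $keyFile
}

# Usage after a renewal has installed the certificate ($cert from Submit-Renewal):
# Grant-PrivateKeyRead -Thumbprint $cert.Thumbprint
```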

Need some help on creating a renewal script that renews wildcard certificates bound to multiple websites

I'm attempting to create a submit renewal PowerShell script that I'll trigger with Windows Task Scheduler, two times per day at random times.

It will look something like this:

Submit-Renewal -AllOrders | ForEach-Object {
    $paCertificate = $_;
    $paCertificate | Format-List;
    # TODO Need to get all IIS websites, read all their bindings; do they use an old cert that matches one of the SANs of $paCertificate?
}

The server where I will be running this task, has a number of IIS websites (currently around 15), and new ones are added regularly. At the moment, all IIS websites use the same *.mydomain.com wildcard certificate for HTTPS, but we'll add some new ones soon that use specific, non-wildcard certificate (e.g. foobar.mydomain.com).

I need a script (or, if a single script is impossible, perhaps multiple ones) that renews all certs and updates the bindings of all IIS sites.

I'm having trouble figuring out how to do this with the Set-IISCertificate cmdlet from the Posh-ACME.Deploy module, because it requires the -SiteName parameter.

If I could somehow retrieve the names of all current websites that have an HTTPS binding using the old *.mydomain.com cert, I could loop over the websites and call Set-IISCertificate -SiteName $SiteName -RemoveOldCert in every iteration.

How can I reliably find all IIS websites on a server that use a HTTPS binding using the old *.mydomain.com cert?

Perhaps I need to search for the old certificate's thumbprint like this?

$OldCertificateThumbprint = Get-ChildItem Cert:\LocalMachine\My\ | Where-Object { $_.Subject -eq "CN=*.mydomain.com" } | Select-Object -ExpandProperty Thumbprint

And then find all sites with

Get-ChildItem IIS:\SslBindings\ | ?{$_.thumbprint -eq $OldCertificateThumbprint }

This requires the use of the WebAdministration module however, which seems to be not recommended; I've read that Microsoft recommends using the IISAdministration instead.

Perhaps anyone knows how this should be done with the IISAdministration module?

Many thanks in advance for your help!
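A sketch of the lookup asked about here using the IISAdministration module, as an added example that is not part of the original post or of Posh-ACME.Deploy. The function names are hypothetical, and it assumes the renewed certificate has the same Subject as the one it replaces and that `Set-IISCertificate` is called with the parameters shown elsewhere on this page.

```powershell
# Added example (not Posh-ACME.Deploy code). Reads bindings with IISAdministration,
# then hands each matching binding to Set-IISCertificate.
Import-Module IISAdministration

function Get-IISHttpsBindingInfo {
    # One row per https binding that references a certificate by hash.
    # Bindings without a hash (for example Central Certificate Store) are skipped.
    foreach ($site in Get-IISSite) {
        foreach ($b in $site.Bindings) {
            if ($b.Protocol -ne 'https' -or -not $b.CertificateHash) { continue }
            [pscustomobject]@{
                SiteName     = $site.Name
                Binding      = $b.BindingInformation
                AllAddresses = ($b.EndPoint.Address.ToString() -eq '0.0.0.0')
                Port         = $b.EndPoint.Port
                HostHeader   = $b.Host
                RequireSNI   = [bool]([int]$b.SslFlags -band 1)
                Store        = $b.CertificateStoreName
                Thumbprint   = -join ($b.CertificateHash | ForEach-Object { $_.ToString('X2') })
            }
        }
    }
}

function Update-IISBindingsForCertificate {
    # $NewCert: an object returned by Submit-Renewal (its Subject and Thumbprint are used).
    # Returns the binding rows that were switched to the new certificate.
    param([Parameter(Mandatory)]$NewCert)

    foreach ($row in Get-IISHttpsBindingInfo) {
        if ($row.Thumbprint -eq $NewCert.Thumbprint) { continue }   # already current

        # Look up the certificate the binding uses now and compare subjects literally,
        # so 'CN=*.mydomain.com' is not treated as a wildcard pattern.
        $oldPath = "Cert:\LocalMachine\$($row.Store)\$($row.Thumbprint)"
        $old = Get-Item -LiteralPath $oldPath -ErrorAction SilentlyContinue
        if (-not $old -or $old.Subject -ne $NewCert.Subject) { continue }

        if (-not $row.AllAddresses) {
            Write-Warning "Skipping $($row.SiteName) [$($row.Binding)]: bound to a specific IP address."
            continue
        }

        # Pass the binding's own port, host header and SNI state back in,
        # so the existing binding is the one that gets updated.
        $params = @{ SiteName = $row.SiteName; Port = $row.Port }
        if ($row.HostHeader) {
            $params.HostHeader = $row.HostHeader
            $params.RequireSNI = $row.RequireSNI
        }
        $NewCert | Set-IISCertificate @params
        $row
    }
}

# Usage on the renewal host:
# Submit-Renewal -AllOrders | ForEach-Object { Update-IISBindingsForCertificate -NewCert $_ }
```

`-RemoveOldCert` is left out on purpose: several sites share one certificate here, so the old certificate should only be removed once no returned row or skipped binding still refers to it.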

Enhancement to Set-IISCertificateNew to handle multiple bindings in a single call

I have added an enhancement to Set-IISCertificateNew to allow binding a certificate to multiple host headers in a single call.

Solves

*.example.com doesn't respond to https://example.com, and example.com doesn't respond to https://www.example.com
Two separate calls are required to update both bindings.

Allow for multiple host headers

If DNS has an A record pointing at example.com (@ -> example.com's IP)
and another A record for record.example.com (record -> example.com's IP)

IIS needs two separate bindings for the site (one for example.com and one for *.example.com)

This enhancement allows multiple host headers, comma separated, to be used without a breaking change (so far in my testing).
This can be used rather than two separate calls.

I'm not a contributor, so I can't do a PR, so I've attached my enhanced Set-IISCertificateNew here.
Set-IISCertificateNew.ps1.txt

Example Implementations:

Single Host Header

Set-IISCertificateNew -SiteName $siteName -Port 443 -HostHeader "example.com" -RequireSNI -Verbose -ErrorAction Stop

Multiple Host Headers

Set-IISCertificateNew -SiteName $siteName -Port 443 -HostHeader "example.com,*.example.com" -RequireSNI -Verbose -ErrorAction Stop

Hope this helps someone, Cheers.

Oh, and note to self, if you have computer management open, it locks the applicationHost.config file, too.

New-ItemProperty and Set-IISCertificate remote script issue

I'm trying to create a function app to run a script remotely. The script on the web server creates a new certificate, validates it, and then creates the binding in IIS to the server's site. I have run the script remotely before by using Invoke-AzVMRunCommand without any issues. Now I'm building a function app in Azure to run the script, using the same Invoke-AzVMRunCommand, but I'm seeing the following errors that we can't figure out:

2021-06-28T16:20:12.834 [Information] OUTPUT: Value[0]        :
2021-06-28T16:20:12.835 [Information] OUTPUT:   Code          : ComponentStatus/StdOut/succeeded
2021-06-28T16:20:12.835 [Information] OUTPUT:   Level         : Info
2021-06-28T16:20:12.835 [Information] OUTPUT:   DisplayStatus : Provisioning succeeded
2021-06-28T16:20:12.835 [Information] OUTPUT:   Message       : MainDomain            status KeyLength SANs OCSPMustStaple CertExpires Plugin
2021-06-28T16:20:12.835 [Information] OUTPUT: ----------            ------ --------- ---- -------------- ----------- ------
2021-06-28T16:20:12.835 [Information] OUTPUT: staging5.xdemo2.com ready  2048      {}   False                      {Manual}
2021-06-28T16:20:12.836 [Information] OUTPUT:
2021-06-28T16:20:12.836 [Information] OUTPUT: LastWriteTime : 6/28/2021 11:19:34 AM
2021-06-28T16:20:12.836 [Information] OUTPUT: Length        : 87
2021-06-28T16:20:12.836 [Information] OUTPUT: Name          : x
2021-06-28T16:20:12.836 [Information] OUTPUT:
2021-06-28T16:20:12.836 [Information] OUTPUT:
2021-06-28T16:20:12.838 [Information] OUTPUT: Subject       : CN=staging5.xdemo2.com
2021-06-28T16:20:12.838 [Information] OUTPUT: NotBefore     : 6/28/2021 10:19:36 AM
2021-06-28T16:20:12.839 [Information] OUTPUT: NotAfter      : 9/26/2021 10:19:35 AM
2021-06-28T16:20:12.839 [Information] OUTPUT: KeyLength     : 2048
2021-06-28T16:20:12.839 [Information] OUTPUT: Thumbprint    : x
2021-06-28T16:20:12.839 [Information] OUTPUT: AllSANs       : {staging5.xdemo2.com}
2021-06-28T16:20:12.840 [Information] OUTPUT: CertFile      : C:\Posh-Acme\acme-staging-v02.api.letsencrypt.org\20039939\stag
2021-06-28T16:20:12.840 [Information] OUTPUT:                 ing5.xdemo2.com\cert.cer
2021-06-28T16:20:12.840 [Information] OUTPUT: KeyFile       : C:\Posh-Acme\acme-staging-v02.api.letsencrypt.org\20039939\stag
2021-06-28T16:20:12.840 [Information] OUTPUT:                 ing5.xdemo2.com\cert.key
2021-06-28T16:20:12.840 [Information] OUTPUT: ChainFile     : C:\Posh-Acme\acme-staging-v02.api.letsencrypt.org\20039939\stag
2021-06-28T16:20:12.840 [Information] OUTPUT:                 ing5.xdemo2.com\chain.cer
2021-06-28T16:20:12.840 [Information] OUTPUT: FullChainFile : C:\Posh-Acme\acme-staging-v02.api.letsencrypt.org\20039939\stag
2021-06-28T16:20:12.841 [Information] OUTPUT:                 ing5.xdemo2.com\fullchain.cer
2021-06-28T16:20:12.841 [Information] OUTPUT: PfxFile       : C:\Posh-Acme\acme-staging-v02.api.letsencrypt.org\20039939\stag
2021-06-28T16:20:12.841 [Information] OUTPUT:                 ing5.xdemo2.com\cert.pfx
2021-06-28T16:20:12.841 [Information] OUTPUT: PfxFullChain  : C:\Posh-Acme\acme-staging-v02.api.letsencrypt.org\20039939\stag
2021-06-28T16:20:12.841 [Information] OUTPUT:                 ing5.xdemo2.com\fullchain.pfx
2021-06-28T16:20:12.841 [Information] OUTPUT: PfxPass       : System.Security.SecureString
2021-06-28T16:20:12.841 [Information] OUTPUT:
2021-06-28T16:20:12.842 [Information] OUTPUT:
2021-06-28T16:20:12.842 [Information] OUTPUT:
2021-06-28T16:20:12.847 [Information] OUTPUT: Value[1]        :
2021-06-28T16:20:12.848 [Information] OUTPUT:   Code          : ComponentStatus/StdErr/succeeded
2021-06-28T16:20:12.848 [Information] OUTPUT:   Level         : Info
2021-06-28T16:20:12.848 [Information] OUTPUT:   DisplayStatus : Provisioning succeeded
2021-06-28T16:20:12.848 [Information] OUTPUT:   Message       : New-ItemProperty : Property Bindings is not found on  \\S-STG-WEB-1\Sites.
2021-06-28T16:20:12.849 [Information] OUTPUT: Parameter name: propName
2021-06-28T16:20:12.849 [Information] OUTPUT: At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME.Deploy\1.2.0\Public\Set
2021-06-28T16:20:12.849 [Information] OUTPUT: -IISCertificate.ps1:98 char:13
2021-06-28T16:20:12.849 [Information] OUTPUT: +             New-ItemProperty $sitePath -Name Bindings -Value $bindPro ...
2021-06-28T16:20:12.849 [Information] OUTPUT: +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2021-06-28T16:20:12.850 [Information] OUTPUT:     + CategoryInfo          : InvalidArgument: (:) [New-ItemProperty], Argumen
2021-06-28T16:20:12.850 [Information] OUTPUT:    tException
2021-06-28T16:20:12.850 [Information] OUTPUT:     + FullyQualifiedErrorId : InvalidArgument,Microsoft.PowerShell.Commands.Ne
2021-06-28T16:20:12.850 [Information] OUTPUT:    wItemPropertyCommand
2021-06-28T16:20:12.850 [Information] OUTPUT:
2021-06-28T16:20:12.850 [Information] OUTPUT: New-Item : Cannot create a file when that file already exists
2021-06-28T16:20:12.850 [Information] OUTPUT: At C:\Program Files\WindowsPowerShell\Modules\Posh-ACME.Deploy\1.2.0\Public\Set
2021-06-28T16:20:12.850 [Information] OUTPUT: -IISCertificate.ps1:159 char:25
2021-06-28T16:20:12.851 [Information] OUTPUT: + ...     $cert | New-Item IIS:\SslBindings\$sslMatch -SslFlags $sslFlags | ...
2021-06-28T16:20:12.851 [Information] OUTPUT: +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2021-06-28T16:20:12.851 [Information] OUTPUT:     + CategoryInfo          : NotSpecified: (:) [New-Item], Win32Exception
2021-06-28T16:20:12.851 [Information] OUTPUT:     + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.P
2021-06-28T16:20:12.851 [Information] OUTPUT:    owerShell.Commands.NewItemCommand
2021-06-28T16:20:12.851 [Information] OUTPUT:
2021-06-28T16:20:12.851 [Information] OUTPUT: Status          : Succeeded
2021-06-28T16:20:12.851 [Information] OUTPUT: Capacity        : 0
2021-06-28T16:20:12.852 [Information] OUTPUT: Count           : 0
2021-06-28T16:20:12.852 [Information] OUTPUT:
2021-06-28T16:20:13.680 [Information] OUTPUT: Finished Invoke-AzVMRunCommand
2021-06-28T16:20:13.719 [Information] OUTPUT:
2021-06-28T16:20:13.873 [Information] Executed 'Functions.Add-Host-SSL' (Succeeded, Duration=117379ms)

I'm calling which server to contact with based on IP address and server name. Tried using both external and internal IP addresses.

Dependency issue

I am running into an issue using PowerShell 7. This script seems to depend on having WebAdministration installed, but I can't seem to install it on PowerShell 7. What am I doing wrong and how can I work past this?
