
Comments (6)

rmbolger commented on August 14, 2024

That's correct. The PluginArgs are saved to disk in the config stored in your user profile (by default $env:LOCALAPPDATA\Posh-ACME on Windows).

If the values do change in the future, you'd need to update each order that's using them with the new values sort of like this:

Set-PAOrder -Plugin Combell -PluginArgs @{blah}

from posh-acme.deploy.

rmbolger commented on August 14, 2024

If you're on IIS 8.5 (Windows Server 2012 R2) or newer, you might be able to avoid enumerating the sites entirely using an underlying component of the Certificate Rebind feature. The way it works normally is only via native Windows certificate auto-enrollment. But all it's really doing is creating a scheduled task that triggers on a specific event log message and then runs a command with the old and new cert thumbprints like this:

& $env:SystemRoot\system32\inetsrv\appcmd.exe renew binding /oldcert:THUMBPRINT /newcert:THUMBPRINT

That will automatically update all IIS bindings that currently reference the cert with the old thumbprint to the cert with the new thumbprint. So all your script has to be able to do is find the old thumbprint like in your Get-ChildItem Cert:\blah example and grab the new one from the cert object returned by Submit-Renewal.

Another solution that would probably work is switching the sites to use the Centralized Certificate Store (CCS). I haven't used it much, but it's a little more tedious because you have to create copies of the resulting PFX files for every SAN name in the cert. However once you do, overwriting the old copies with the new copies is all that's needed if I understand how things work correctly.


rmbolger commented on August 14, 2024

So I've been meaning to mess with this rebinding feature for a while and this is the perfect excuse. Give this script a try and see how it goes for you. It assumes all of your certs are associated with the same account and that account and server are currently active. You'd have to add some additional logic if the cert orders are spread between accounts or ACME servers. It also assumes all cert orders are associated with an IIS site that ultimately needs a rebind. But the appcmd.exe line doesn't seem to care whether there are valid bindings associated with the thumbprints you send it or not. Even with thumbprints like asdf and qwer, it doesn't throw an error.

#Requires -Modules Posh-ACME

[CmdletBinding()]
param(
    [switch]$RemoveOldCerts,
    [switch]$Force
)

Get-PAOrder -List | ForEach-Object {

    # grab the current cert thumbprint if it exists
    $oldThumb = $_ | Get-PACertificate | Select-Object -ExpandProperty Thumbprint

    # try to renew
    $orderName = $_.Name
    $newCert = $_ | Submit-Renewal -Force:$Force

    if ($newCert) {

        $newThumb = $newCert.Thumbprint

        # make sure it's installed
        if (-not (Get-Item Cert:\LocalMachine\My\$newThumb -ErrorAction Ignore)) {
            Write-Verbose "Importing updated '$orderName' cert to LocalMachine\My. Thumbprint: $newThumb"
            $newCert | Install-PACertificate
        }

        # update the bindings if we have a corresponding old thumbprint
        if ($oldThumb) {
            Write-Verbose "Updating bindings for '$orderName' cert: $oldThumb -> $newThumb"
            & $env:SystemRoot\system32\inetsrv\appcmd.exe renew binding /oldcert:$oldThumb /newcert:$newThumb

            # remove the old cert if asked
            if ($RemoveOldCerts) {
                $oldCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $oldThumb}
                if ($oldCert) {
                    Write-Verbose "Deleting old certificate with thumbprint $oldThumb"
                    $oldCert | Remove-Item
                }
            }
        }
        else {
            # $orderName was captured above; the cert object returned by Submit-Renewal is not guaranteed to carry a Name
            Write-Warning "Unable to update bindings for '$orderName' cert. No old thumbprint found."
        }
    }
}

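As noted in the comments above, appcmd.exe accepts any string as a thumbprint and will not complain if nothing matches, so a renewal job can silently leave sites on the old cert. The helper below is an added example (not code from Posh-ACME or posh-acme.deploy) that a script like the one above could call in place of the bare appcmd line: it checks that the new cert is actually installed with a private key, is not expired, covers every DNS name the old cert served, and that at least one IIS SSL binding still references the old thumbprint, before calling appcmd. It assumes the WebAdministration module (IIS:\SslBindings) is available and the function name is hypothetical.

```powershell
#Requires -Modules WebAdministration
# Hypothetical helper, not part of the Posh-ACME or posh-acme.deploy projects.
function Invoke-SafeIisRebind {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OldThumbprint,
        [Parameter(Mandatory)][string]$NewThumbprint
    )

    $store = 'Cert:\LocalMachine\My'
    $old = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $OldThumbprint }
    $new = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $NewThumbprint }

    # appcmd does not validate thumbprints, so validate the replacement cert here
    if (-not $new) { throw "New cert $NewThumbprint is not in $store" }
    if (-not $new.HasPrivateKey) { throw "New cert $NewThumbprint has no private key; IIS cannot serve it" }
    if ($new.NotAfter -le (Get-Date)) { throw "New cert $NewThumbprint is already expired" }

    # the replacement must cover every DNS name the old cert served, or some hosts break after rebind
    if ($old) {
        $missing = $old.DnsNameList.Unicode | Where-Object { $_ -notin $new.DnsNameList.Unicode }
        if ($missing) { throw "New cert is missing SAN(s) present on the old cert: $($missing -join ', ')" }
    }

    # find the bindings that currently reference the old thumbprint
    $bindings = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $OldThumbprint }
    if (-not $bindings) {
        Write-Warning "No IIS SSL binding references $OldThumbprint; nothing to rebind"
        return
    }
    foreach ($b in $bindings) {
        Write-Verbose "Binding '$($b.PSChildName)' will move $OldThumbprint -> $NewThumbprint"
    }

    # -WhatIf shows the above without touching IIS; otherwise hand both thumbprints to appcmd
    if ($PSCmdlet.ShouldProcess("$(@($bindings).Count) IIS SSL binding(s)", "rebind to $NewThumbprint")) {
        $appcmd = Join-Path $env:SystemRoot 'system32\inetsrv\appcmd.exe'
        & $appcmd renew binding /oldcert:$OldThumbprint /newcert:$NewThumbprint
        if ($LASTEXITCODE -ne 0) { throw "appcmd.exe failed with exit code $LASTEXITCODE" }
    }
}
```

Run with -WhatIf -Verbose first to see which bindings would be touched; in a scheduled task, the thrown errors surface as a failed run instead of a silently unrebound site.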

stevenvolckaert commented on August 14, 2024

@rmbolger Thank you very much for your help! I'll try your script out today or tomorrow. I'll report back here with my findings after that 👌


stevenvolckaert commented on August 14, 2024

@rmbolger Your script works, thank you very much!

I've made quite some changes to it though - see Submit-CertificateRenewalForAllPAOrders.ps1 if you're interested.

I noticed we're never supplying CombellApiKey or CombellApiSecret to the Posh-ACME cmdlets in Submit-CertificateRenewalForAllPAOrders.ps1: Am I correct that these are cached by Posh-ACME indefinitely?

In other words, if I create a scheduled task that calls Submit-CertificateRenewalForAllPAOrders.ps1 and it runs under my Windows account, I never have to specify CombellApiKey and CombellApiSecret again? Assuming their values don't change, of course.


stevenvolckaert commented on August 14, 2024

OK, thanks for the explanation! I'm closing this issue.

