Comments (6)
That's correct. The PluginArgs are saved to disk in the config stored in your user profile (by default `$env:LOCALAPPDATA\Posh-ACME` on Windows).
If the values do change in the future, you'd need to update each order that's using them with the new values, sort of like this: `Set-PAOrder -Plugin Combell -PluginArgs @{blah}`
from posh-acme.deploy.
If you're on IIS 8.5 (Windows Server 2012 R2) or newer, you might be able to avoid enumerating the sites entirely using an underlying component of the Certificate Rebind feature. The way it works normally is only via native Windows certificate auto-enrollment. But all it's really doing is creating a scheduled task that triggers on a specific event log message and then runs a command with the old and new cert thumbprints like this: `& $env:SystemRoot\system32\inetsrv\appcmd.exe renew binding /oldcert:THUMBPRINT /newcert:THUMBPRINT`
That will automatically update all IIS bindings that currently reference the cert with the old thumbprint to the cert with the new thumbprint. So all your script has to be able to do is find the old thumbprint like in your `Get-ChildItem Cert:\blah` example and grab the new one from the cert object returned by Submit-Renewal.
Another solution that would probably work is switching the sites to use the Centralized Certificate Store (CCS). I haven't used it much, but it's a little more tedious because you have to create copies of the resulting PFX files for every SAN name in the cert. However once you do, overwriting the old copies with the new copies is all that's needed if I understand how things work correctly.
from posh-acme.deploy.
So I've been meaning to mess with this rebinding feature for a while and this is the perfect excuse. Give this script a try and see how it goes for you. It assumes all of your certs are associated with the same account and that account and server are currently active. You'd have to add some additional logic if the cert orders are spread between accounts or ACME servers. It also assumes all cert orders are associated with an IIS site that ultimately needs a rebind. But the `appcmd.exe` line doesn't seem to care whether there are valid bindings associated with the thumbprints you send it or not. Even with thumbprints like `asdf` and `qwer`, it doesn't throw an error.
```powershell
#Requires -Modules Posh-ACME
[CmdletBinding()]
param(
    [switch]$RemoveOldCerts,
    [switch]$Force
)

Get-PAOrder -List | ForEach-Object {

    # grab the current cert thumbprint if it exists
    $oldThumb = $_ | Get-PACertificate | Select-Object -ExpandProperty Thumbprint

    # try to renew
    $orderName = $_.Name
    $newCert = $_ | Submit-Renewal -Force:$Force

    if ($newCert) {
        $newThumb = $newCert.Thumbprint

        # make sure it's installed
        if (-not (Get-Item Cert:\LocalMachine\My\$newThumb -EA Ignore)) {
            Write-Verbose "Importing updated '$orderName' cert to LocalMachine\My. Thumbprint: $newThumb"
            $newCert | Install-PACertificate
        }

        # update the bindings if we have a corresponding old thumbprint
        if ($oldThumb) {
            Write-Verbose "Updating bindings for '$orderName' cert: $oldThumb -> $newThumb"
            & $env:SystemRoot\system32\inetsrv\appcmd.exe renew binding /oldcert:$oldThumb /newcert:$newThumb

            # remove the old cert if asked
            if ($RemoveOldCerts) {
                $oldCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $oldThumb}
                if ($oldCert) {
                    Write-Verbose "Deleting old certificate with thumbprint $oldThumb"
                    $oldCert | Remove-Item
                }
            }
        }
        else {
            # use the order name captured above; the cert object has no Name property
            Write-Warning "Unable to update bindings for '$orderName' cert. No old thumbprint found."
        }
    }
}
```
from posh-acme.deploy.
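Because `appcmd.exe renew binding` does not error on thumbprints that no binding references (as noted above), a script that deletes the old certificate afterwards can end up removing a cert that is still bound. The following is an added example, not rmbolger's script or part of posh-acme.deploy: it wraps the same `appcmd` call with a before/after check against the IIS https bindings so the old cert is only removed once nothing references it. It assumes the WebAdministration module is available (`Get-WebBinding` exposes the bound cert as `certificateHash`) and that it runs elevated on the IIS host; the function names are hypothetical.

```powershell
#Requires -Modules WebAdministration
# Added example (hypothetical helper names, not part of posh-acme.deploy).

function Get-BindingsByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # certificateHash on an https binding is the thumbprint of the cert currently bound to it
    Get-WebBinding -Protocol https | Where-Object {
        $_.certificateHash -and $_.certificateHash -eq $Thumbprint
    }
}

function Update-IISBindingsChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OldThumb,
        [Parameter(Mandatory)][string]$NewThumb,
        [switch]$RemoveOldCert
    )

    # refuse to operate unless the new cert is actually installed where IIS looks for it
    if (-not (Get-Item "Cert:\LocalMachine\My\$NewThumb" -ErrorAction Ignore)) {
        throw "New certificate $NewThumb is not in LocalMachine\My; install it first."
    }

    $before = @(Get-BindingsByThumbprint -Thumbprint $OldThumb)
    if ($before.Count -eq 0) {
        Write-Warning "No https bindings reference $OldThumb; nothing to rebind."
        return
    }
    Write-Verbose "$($before.Count) binding(s) currently reference $OldThumb"

    # same call the thread uses; it returns silently even for unknown thumbprints
    & $env:SystemRoot\system32\inetsrv\appcmd.exe renew binding /oldcert:$OldThumb /newcert:$NewThumb

    # verify the result ourselves instead of trusting appcmd's exit status
    $leftover = @(Get-BindingsByThumbprint -Thumbprint $OldThumb)
    $moved    = @(Get-BindingsByThumbprint -Thumbprint $NewThumb)
    if ($leftover.Count -gt 0) {
        throw "$($leftover.Count) binding(s) still reference $OldThumb; leaving the old cert in place."
    }
    Write-Verbose "$($moved.Count) binding(s) now reference $NewThumb"

    # only now is it safe to drop the old cert from the machine store
    if ($RemoveOldCert) {
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $OldThumb } |
            Remove-Item
        Write-Verbose "Removed old certificate $OldThumb"
    }
}

# Usage inside the renewal loop from the thread, after Submit-Renewal returns $newCert:
#   Update-IISBindingsChecked -OldThumb $oldThumb -NewThumb $newCert.Thumbprint -RemoveOldCert -Verbose
```

When this runs from a scheduled task, note that the task's account also determines which `$env:LOCALAPPDATA\Posh-ACME` config (and therefore which cached PluginArgs) Posh-ACME reads, so the task should run as the same account that set up the orders.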
@rmbolger Thank you very much for your help! I'll try your script out today or tomorrow. I'll report back here with my findings after that 👌
from posh-acme.deploy.
@rmbolger Your script works, thank you very much!
I've made quite some changes to it though - see `Submit-CertificateRenewalForAllPAOrders.ps1` if you're interested.
I noticed we're never supplying `CombellApiKey` or `CombellApiSecret` to the Posh-ACME cmdlets in `Submit-CertificateRenewalForAllPAOrders.ps1`: Am I correct that these are cached by Posh-ACME indefinitely?
In other words, if I create a scheduled task that calls `Submit-CertificateRenewalForAllPAOrders.ps1` and it runs under my Windows account, I never have to specify `CombellApiKey` and `CombellApiSecret` again? Assuming their values don't change, of course.
from posh-acme.deploy.
OK, thanks for the explanation! I'm closing this issue.
from posh-acme.deploy.