
Comments (5)

rmbolger avatar rmbolger commented on May 24, 2024

I saw -Force does not delete the old cert despite being written in the documentation

Where did you see in the documentation that -Force deletes the old cert? It does not and never has. That parameter is only related to the ACME order object. The function normally tries to re-use an existing pending order if one exists that has not been completed. But -Force tells it to ignore any existing orders and create a new one from scratch. It shouldn't be necessary to use on a normal basis.

The solution you've got in your task for cleaning up old certs should work just fine.

Is there any reason why not to use force and just throw the first script into the task manager?

Don't use -Force. The reason you want to use Submit-Renewal in your scheduled task instead of your original script is that it will only take action when the previous order has reached the renewal window. If New-PACertificate is directly in your task, it will be renewing the cert every time the task runs which you don't want.

Your renewal code contains DC variables as well. I tried to modify them; could you take a look? I feel insecure about the process of obtaining the name.

Obtaining the DNS name for a machine is tricky because it's not guaranteed that the DNS name matches what the computer thinks its own name is. But for domain joined Windows systems, I think your code should generally work. On non-domain joined machines, it may only return a short hostname rather than an FQDN. It also doesn't work on Linux if that matters to you.

from posh-acme.

fthobe avatar fthobe commented on May 24, 2024

Hey, thank you for the clarification. I think I misunderstood an error message referencing -force then :)

I am aware that the solution works only for domain-joined Windows devices. I figured that limitation was easier to handle than the DC one, as all servers we use are domain joined, but not all are DCs.

  • Given that the renew task runs only if the cert is below a threshold of renewal, is there any way to test it?
  • So now I can Posh-ACME.Deploy the store certificate for particular purposes, correct?

from posh-acme.

rmbolger avatar rmbolger commented on May 24, 2024

Submit-Renewal has a -Force option that can be used to ignore the suggested renewal window. Just don't forget to take it out when you're done testing.

The cert doesn't technically need to be in the cert store to use the functions in Posh-ACME.Deploy. And they'll also add it for you if necessary. But yes, you can use those functions to deploy the resulting cert in the services they support.

from posh-acme.

fthobe avatar fthobe commented on May 24, 2024

Hey, getting back to the -Force discussion on New-PACertificate:

PS C:\Windows\system32> certificatePulllocalhost.ps1
VERBOSE: Updating directory info from https://acme-v02.api.letsencrypt.org/directory
VERBOSE: Using ACME Server https://acme-v02.api.letsencrypt.org/directory
VERBOSE: Using account 1525528706
VERBOSE: Order name not specified, using 'mi-dc-pr-1.gmservice.app'
VERBOSE: Using existing order 'mi-dc-pr-1.gmservice.app' with status valid
VERBOSE: Updating plugin args for plugin(s) Cloudflare
WARNING: This certificate order has already been completed. Use -Force to overwrite the current certificate.

I traced it down to "New-PACertificate.ps1"; can you help me understand the warning better? For me, "overwrite" means replace the old one.

from posh-acme.

rmbolger avatar rmbolger commented on May 24, 2024

New-PACertificate always tries to use an existing order if it can find one that matches the specified parameters instead of creating a new one from scratch every time. This reduces your chances of being rate limited. The warning is basically letting you know that it cancelled the operation you requested because the cert you wanted already exists. So if you actually did want to replace the current one, you need to specify -Force to bypass the warning. It's effectively the same thing that happens with Submit-Renewal when the renewal window on the previous cert hasn't been reached yet but without the warning in that case since that is the expected result.

from posh-acme.
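The advice in this thread (run Submit-Renewal without -Force from the scheduled task, use -Force only while testing, derive the FQDN from the domain-joined machine, and clean up superseded certs in the store yourself) fits together in one script. The following is an added example written for this page; it is not code from the Posh-ACME project or from either participant. It assumes Posh-ACME is installed, that the initial New-PACertificate order for this host already exists with its DNS plugin configured, that the cert is installed in LocalMachine\My, and that the issued certificate's Subject is exactly `CN=<fqdn>`; the function names Get-MachineFqdn and Remove-StaleCertificates and the -TestRenewal switch are inventions of this example.

```powershell
# Added example, not Posh-ACME project code: scheduled renewal for a domain-joined Windows host.
# Runs Submit-Renewal (no -Force) so it only acts once the renewal window is reached,
# installs a newly issued cert into LocalMachine\My, and removes the superseded copies.
#Requires -Modules Posh-ACME
[CmdletBinding()]
param(
    # Hypothetical switch for testing the pipeline end to end; it maps to Submit-Renewal -Force.
    # Do not leave it on the scheduled task once testing is done.
    [switch]$TestRenewal
)

function Get-MachineFqdn {
    # Only trust hostname + domain on domain-joined machines; elsewhere the pair may be
    # a bare short name that does not match the name in DNS (assumption, per the thread).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw "Host '$($cs.DNSHostName)' is not domain joined; refusing to guess an FQDN."
    }
    return ('{0}.{1}' -f $cs.DNSHostName, $cs.Domain).ToLowerInvariant()
}

function Remove-StaleCertificates {
    param(
        [Parameter(Mandatory)] [string]$Subject,
        [Parameter(Mandatory)] [string]$KeepThumbprint
    )
    # Assumes the issued certificate's Subject is exactly "CN=<fqdn>"; adjust if your CA differs.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.Thumbprint -ne $KeepThumbprint } |
        ForEach-Object {
            Write-Verbose "Removing stale certificate $($_.Thumbprint) (expired/expires $($_.NotAfter))"
            Remove-Item -Path $_.PSPath
        }
}

$fqdn = Get-MachineFqdn
Write-Verbose "Renewal check for order '$fqdn'"

# Remember the current cert so we can tell whether renewal actually produced a new one.
$before = Get-PACertificate -MainDomain $fqdn -ErrorAction SilentlyContinue

# Submit-Renewal returns nothing (with a warning) while the previous order is still
# outside its renewal window; -Force overrides that only for testing.
$renewParams = @{ MainDomain = $fqdn }
if ($TestRenewal) { $renewParams['Force'] = $true }
$after = Submit-Renewal @renewParams

if ($null -eq $after) {
    Write-Verbose 'Not yet in the renewal window; nothing to do.'
    return
}
if ($before -and $after.Thumbprint -eq $before.Thumbprint) {
    Write-Verbose 'Order returned the same certificate; nothing to install.'
    return
}

# Import the renewed cert and drop the copies it replaces.
$after | Install-PACertificate -StoreLocation LocalMachine -StoreName My
Remove-StaleCertificates -Subject $fqdn -KeepThumbprint $after.Thumbprint
Write-Verbose "Installed $($after.Thumbprint), valid until $($after.NotAfter)"
```

Schedule this script (for example daily) instead of the original New-PACertificate call; because Submit-Renewal is a no-op outside the renewal window, running it often costs nothing and avoids re-issuing a cert on every run. Any Posh-ACME.Deploy call for a specific service (IIS, RD Gateway, and so on) would go after the Install-PACertificate line, using the same $after object.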
