Comments (5)
I saw -Force does not delete the old cert despite being written in the documentation
Where did you see in the documentation that -Force deletes the old cert? It does not and never has. That parameter is only related to the ACME order object. The function normally tries to re-use an existing pending order, if one exists that has not been completed. But -Force tells it to ignore any existing orders and create a new one from scratch. It shouldn't be necessary to use on a normal basis.
The solution you've got in your task for cleaning up old certs should work just fine.
Is there any reason not to use -Force and just throw the first script into the task manager?
Don't use -Force. The reason you want to use Submit-Renewal in your scheduled task instead of your original script is that it will only take action when the previous order has reached the renewal window. If New-PACertificate is directly in your task, it will be renewing the cert every time the task runs, which you don't want.
Your renewal code contains DC variables as well; I tried to modify them. Could you take a look? I feel insecure about the process of obtaining the name.
Obtaining the DNS name for a machine is tricky because it's not guaranteed that the DNS name matches what the computer thinks its own name is. But for domain joined Windows systems, I think your code should generally work. On non-domain joined machines, it may only return a short hostname rather than an FQDN. It also doesn't work on Linux if that matters to you.
Hey, thank you for the clarification. I think I misunderstood an error message referencing -force then :)
I am aware that the solution works only for domain-joined Windows devices. I figured that limitation was easier to handle than the DC one, as all servers we use are domain joined, but not all are DCs.
- Given that the renew task runs only if the cert is below a renewal threshold, is there any way to test it?
- So now I can Posh-ACME.Deploy the store certificate for particular purposes, correct?
Submit-Renewal has a -Force option that can be used to ignore the suggested renewal window. Just don't forget to take it out when you're done testing.
The cert doesn't technically need to be in the cert store to use the functions in Posh-ACME.Deploy. And they'll also add it for you if necessary. But yes, you can use those functions to deploy the resulting cert in the services they support.
Hey, getting back to the -Force discussion on New-PACertificate:
PS C:\Windows\system32> certificatePulllocalhost.ps1
VERBOSE: Updating directory info from https://acme-v02.api.letsencrypt.org/directory
VERBOSE: Using ACME Server https://acme-v02.api.letsencrypt.org/directory
VERBOSE: Using account 1525528706
VERBOSE: Order name not specified, using 'mi-dc-pr-1.gmservice.app'
VERBOSE: Using existing order 'mi-dc-pr-1.gmservice.app' with status valid
VERBOSE: Updating plugin args for plugin(s) Cloudflare
WARNING: This certificate order has already been completed. Use -Force to overwrite the current certificate.
I traced it down to "New-PACertificate.ps1". Can you help me understand the warning better? For me, overwrite means replace the old one.
New-PACertificate always tries to use an existing order if it can find one that matches the specified parameters instead of creating a new one from scratch every time. This reduces your chances of being rate limited. The warning is basically letting you know that it cancelled the operation you requested because the cert you wanted already exists. So if you actually did want to replace the current one, you need to specify -Force to bypass the warning. It's effectively the same thing that happens with Submit-Renewal when the renewal window on the previous cert hasn't been reached yet, but without the warning in that case since that is the expected result.
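As an added example (not code from the thread or from the Posh-ACME project), here is what a scheduled-task script built on the advice above looks like: it calls Submit-Renewal so nothing happens outside the renewal window, keeps the -Force override tied to a test switch so it is not left in by accident, and prunes older copies from the machine store only after a renewal actually produced a new cert. It assumes Posh-ACME is installed, an order for the domain already exists, Submit-Renewal returns the PACertificate object when it renews (as documented, with PfxFullChain and a SecureString PfxPass), and the task account can write to Cert:\LocalMachine\My; the -TestRun switch and the FQDN lookup are this example's own choices.

```powershell
# Added example, not part of the original thread or the Posh-ACME project.
# Assumes Posh-ACME is installed and an order for $Domain already exists.
param(
    # Domain-joined Windows hosts resolve to an FQDN here; non-domain hosts may
    # only get a short hostname (the limitation discussed in the thread).
    [string]$Domain = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    # Hypothetical switch: forces a renewal outside the window for testing only.
    [switch]$TestRun
)
Import-Module Posh-ACME -ErrorAction Stop

# Submit-Renewal does nothing until the order's RenewAfter date is reached.
# -Force bypasses that window; it is bound to -TestRun so it never ships
# as the normal scheduled behaviour.
$renewParams = @{ MainDomain = $Domain }
if ($TestRun) { $renewParams['Force'] = $true }
$newCert = Submit-Renewal @renewParams

if (-not $newCert) {
    Write-Verbose "No renewal needed for $Domain; nothing to do."
    return
}

# Import the renewed full-chain PFX into the machine store.
# Assumes the returned object's PfxPass is a SecureString.
$store = 'Cert:\LocalMachine\My'
$imported = Import-PfxCertificate -FilePath $newCert.PfxFullChain `
    -CertStoreLocation $store -Password $newCert.PfxPass -Exportable

# Remove superseded certs for the same subject, keeping only the new one.
Get-ChildItem $store |
    Where-Object {
        $_.Subject -eq $imported.Subject -and
        $_.Thumbprint -ne $imported.Thumbprint
    } |
    ForEach-Object {
        Write-Verbose "Removing old cert $($_.Thumbprint) (expired/expires $($_.NotAfter))"
        Remove-Item -Path $_.PSPath
    }
```

Anything bound to the old thumbprint (an IIS or RDP binding, for example) still has to be repointed at the new certificate, which is the job the Posh-ACME.Deploy functions mentioned above take on for the services they support.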