Alternative of certbot and dns-rfc2136 plugin on Windows

Hello.

My home network is behind NAT and can't be accessed from public network. So I need to use DNS-01 challenge to get Let's Encrypt certificate. With following combination certificate is successfully obtained and renewed on my home server.

• certbot
• dns-rfc2136 plugin
• BIND9 working on the host connected to public network

Now let's get down to the main topic. Recently I notices that default certificate of Windows remote desktop service isn't valid one and I'd like to replace it with Let's Encrypt certificate. So I checked Window installer of certbot but unfortunately it doesn't include DNS plugins. It means DNS-01 challenge isn't available. Then is there any alternative of certbot and dns-rfc2136 plugin that works on Windows 10?

Best Regards.

Posh-ACME can do it. If you want something with a GUI, Certify the Web can do it as well.

Thank you for quick reply. I'll check them right away.

@_az, you did read the part about

I'm not 100% certain, an LE cert can be used for Windows RDP.

Here is somewhat of how I recall it:
Using Let's Encrypt to secure Windows Remote Desktop connections - Server - Let's Encrypt Community Support

Hi @yasu

I wouldn't do that.

Windows RDP is a working system, self signed certificates are regulary renewed.

Some months, there is a question - "new certificate" - that's all.

I use RDP a long time - there is no need to replace that working configuration with a Letsencrypt certificate.

We successfully use win-acme to get certificates and use them for RDP... I should do a write up but the main gist is:

• setup win-acme to perform a dns-01 challenge using our custom scripts to create/delete the records on OVH DNS.

• as a certificate post-installation script, run the following command to update the certificate:

Script: C:\Windows\System32\wbem\WMIC.exe
ScriptParameters: /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="{CertThumbprint}"

NB: it might be necessary to start wacs.exe with the parameter --certificatestore My to select the right certificate store.

With win-acme you can setup automation for renewal of the certificate and updating in it in RDP settings. There's no downside that I'm aware of, it automatically sets up a scheduled task to check for renewal twice a day, but only actually runs if the in the last 30 days of validity of the certificate, just like certbot.

Yes as noted already https://certifytheweb.com is a GUI ACME client that supports all manner of DNS validation (some of which is provided via Posh-ACME) and has a basic built in Task for Deploying to RDP, you can also script your own deployment for custom stuff (https://docs.certifytheweb.com/docs/script-hooks).

• New Certificate > Add domain(s) to be included in the certificate
• on the Authorization tab, select challenge type dns-01, method RFC2136, add new credentials for your server, configure the path to nsupdate exe.
• Deployment (auto) will store the cert in the local store
• Hit Request Certificate, if that all validates OK you'll get a new certificate, ready for use.
• on the Tasks tab, Add a new Deployment Task > Deploy to RDP Listener Service (you may have other requirements in which case you can instead run a custom script). You probably want to follow that up with a Restart Service task to restart your RDP listener (optional). You can also hit ▶ any time to run the task and apply the latest cert.

After your first successful request all renewals are automatic.

Just to throw more options on the pile. With Posh-ACME and Posh-ACME.Deploy, you can do something like this:

New-PACertificate example.com <more params here> | Set-RDSHCertificate

And similarly on renewal:

Submit-Renewal | Set-RDSHCertificate

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.