Let's Encrypt wildcard certificate on Windows server

@rmbolger

Are all the remaining steps the same for the Posh-ACME.Deploy module as for Posh-ACME, or is there a different set of commands?

I have saved your Posh-ACME.Deploy module in 'C:\Program Files\WindowsPowerShell\Modules' but am unable to save or install the module. Could you please help with the steps as well so I can test this module?

Thanks again in advance!

Also, when I tried importing the existing certificate manually in RD Gateway Manager, it asked me for a password, which I was not aware of.

It’s probably easier to install Posh-ACME.Deploy using the instructions from the readme since I haven’t released it to the PowerShell Gallery yet.

iex (invoke-restmethod https://raw.githubusercontent.com/rmbolger/Posh-ACME.Deploy/master/instdev.ps1)

The default PFX password is poshacme unless you set it to something else using the -PfxPass parameter when you requested the cert originally. But if you’re using the functions in Posh-ACME.Deploy, you won’t need to know it because it’s passed automatically via the pipeline as a SecureString object.

When I ran the command manually, I got the following:

PS C:\Users\Administrator> Set-RDCertificate -Role RDGateway -ConnectionBroker "EC2AMAZ-VGEGMBI" -ImportPath "C:\Users\Administrator\Downloads\cert.pfx" -Password $Password
Set-RDCertificate : Deployment does not contain an RD Gateway server.
At line:1 char:2
+ Set-RDCertificate -Role RDGateway -ConnectionBroker "EC2AMAZ-VGEGMBI ...
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-RDCertificate

Set-RDCertificate is the native function from the RemoteDesktop module and requires you to have done a full RD “deployment” first. Set-RDGWCertificate is the function from Posh-ACME.Deploy. Similar, but different. Use the module one like I showed earlier.

I am not able to get the Posh-ACME.Deploy module to work. I ran the following command successfully:

  1. iex (invoke-restmethod https://raw.githubusercontent.com/rmbolger/Posh-ACME.Deploy/master/instdev.ps1)

It executed successfully and installed all 3 modules for installing certificates for IIS and RD Gateway. When I run the Set-RDGWCertificate command, it does not throw any error and executes, but no certificate is installed or created.

Please help with the installation. You have helped me all the way and now this is the last step, importing the certificate. Thanks in advance @rmbolger

Did you run it like I mentioned earlier? You might want to add the -Verbose flag to see some output as well.

Get-PACertificate example.com | Set-RDGWCertificate -RemoveOldCert -Verbose

Ryan

@rmbolger please see the below command and output

command : $currentCert = Get-RDCertificate -Role RDGateway

Output : Get-RDCertificate : A Remote Desktop Services deployment does not exist on EC2AMAZ-C52RRJS. This operation can be
performed after creating a deployment. For information about creating a deployment, run “Get-Help
New-RDVirtualDesktopDeployment” or “Get-Help New-RDSessionDeployment”.
At line:1 char:16

  • $currentCert = Get-RDCertificate -Role RDGateway
  •            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : NotSpecified: (:slight_smile: [Write-Error], WriteErrorException
    • FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-RDCertificate

I have installed all features except “Remote Desktop Virtulization Host” under Remote Desktop Services Role" in windows 2016. I have also installed “Remote Desktop Service Installation” on this server.

You're using the wrong command again. Get-PACertificate is from Posh-ACME. Get-RDCertificate is from the built-in RemoteDesktop module, which you don't need and can't currently use because you haven't created a "Deployment" (which you also don't need just to use RD Gateway). Installing the roles doesn't create a deployment. If that's what you actually want, you might need to do some additional reading on how to set up Remote Desktop Services. It's sort of beyond the scope of help I'm willing to give here.

@rmbolger sorry for the mess-up.

I am successfully able to generate a certificate with Posh-ACME. I just need a few commands to import the newly generated certificate into RD Gateway.

If I use the command below:

New-PACertificate '*.abc-dc.com' -AcceptTOS -Contact mohit.agrawal02@infosys.com -DnsPlugin Route53 -PluginArgs $r53Params -Install -Force

Will it import the certificate into RD Gateway? If not, what command should I use?

Please help me with the command for revoking a certificate as well.

The command you typed will generate a certificate and add it to the Windows certificate store. But it will not get associated with RD Gateway unless you also use the Set-RDGWCertificate command from Posh-ACME.Deploy. You can either append it to your original command on the pipeline:

New-PACertificate '*.example.com' | Set-RDGWCertificate -RemoveOldCert -Verbose

Or you can use the output from Get-PACertificate like this:

Get-PACertificate '*.example.com' | Set-RDGWCertificate -RemoveOldCert -Verbose

To revoke a certificate, you use Set-PAOrder with the -RevokeCert flag like this.

Set-PAOrder '*.example.com' -RevokeCert

It’s usually not necessary to revoke certificates, though. Only if the private key is compromised or you no longer control a domain.

(In particular, revocation has no effect on rate limits.)

Thanks a lot @rmbolger. Does it mean that I need to have both 'Posh-ACME' and 'Posh-ACME.Deploy' in order to generate a certificate and associate it with RD Gateway? Or can I use Set-RDGWCertificate after generating the certificate from 'Posh-ACME'?

You’ll need to have both modules installed in order to have access to both sets of functions, yes. You don’t need to use them in the same command if you don’t want to. You can generate the cert with Posh-ACME and then separately use Posh-ACME.Deploy to add the cert to RD Gateway. That’s totally up to you and how you want to automate things. Personally, I use them both together.

How do I generate a certificate in the staging environment using 'Posh-ACME'? I already hit the Let's Encrypt rate limit last week.

Here’s a link to the Posh-ACME tutorial. Perhaps give that a read.
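The workflow from the two answers above (generate with Posh-ACME, then hand the certificate to Posh-ACME.Deploy), combined with the staging switch asked about in the last question, as an added example script that is not part of this thread or of either module. It assumes both modules are installed, the session is elevated, and the server is an EC2 instance whose IAM role may edit the Route53 zone (the R53UseIAMRole plugin argument, the LE_STAGE/LE_PROD server shortcuts and the $cert.NotAfter property are assumed from the Posh-ACME documentation); the domain and contact address are placeholders.

```powershell
# Added example, not from the thread or the Posh-ACME projects.
# Issue against the Let's Encrypt staging environment by default so that a
# broken DNS challenge or deployment step does not burn production rate
# limits; pass -Production once the staging run succeeds end to end.
#Requires -Modules Posh-ACME, Posh-ACME.Deploy

param(
    [string] $Domain  = '*.example.com',           # placeholder wildcard name
    [string] $Contact = 'hostmaster@example.com',  # placeholder contact
    [switch] $Production                           # omit to stay on staging
)

# Route53 plugin arguments. Using the EC2 instance role keeps long-lived AWS
# keys out of the script; the access-key form is documented in the plugin
# guide. (Assumed parameter name: R53UseIAMRole.)
$r53Params = @{ R53UseIAMRole = $true }

# Posh-ACME keeps separate order state per ACME server, so a staging test
# never overwrites the production order.
if ($Production) { Set-PAServer LE_PROD } else { Set-PAServer LE_STAGE }

# Without -Force, New-PACertificate returns the existing certificate if the
# order is still valid and outside its renewal window, so this script is safe
# to run repeatedly (for example from a scheduled task).
$cert = New-PACertificate $Domain -AcceptTOS -Contact $Contact `
    -DnsPlugin Route53 -PluginArgs $r53Params -Install -Verbose

if (-not $cert) {
    throw "No certificate was returned for $Domain; check the -Verbose output above."
}

# Bind the certificate to RD Gateway. A staging certificate is not trusted by
# RD clients, so only deploy from a staging run on a test gateway.
$cert | Set-RDGWCertificate -RemoveOldCert -Verbose

"Deployed $($cert.Subject) to RD Gateway; thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
```

Run it once without -Production to confirm that the Route53 challenge completes and that Set-RDGWCertificate succeeds, then run it with -Production; the production order is created from scratch on that run because the staging order lives under a different server directory.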

@rmbolger please see the output below:

PS C:\Users\Administrator> Get-PACertificate '*.abc-dc.com' | Set-RDGWCertificate -RemoveOldCert -Verbose
VERBOSE: Setting new RDGW thumbprint value
Set-Item : Access to the object at RDS:\GatewayServer\SSLCertificate\Thumbprint is denied for the cmdlet Set-Item.The
certificate is not valid or you do not have sufficient permissions to perform this operation.
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\Posh-ACME.Deploy\Public\Set-RDGWCertificate.ps1:43
char:17
+ ... Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Va ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Set-Item], AccessViolationException
    + FullyQualifiedErrorId : PermissionDenied,Microsoft.PowerShell.Commands.SetItemCommand

How do I fix this?

Run PowerShell elevated (as administrator).
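The PermissionDenied error above comes from writing to the RDS: provider from a non-elevated session. As an added example (not from the thread or from Posh-ACME.Deploy), the following checks elevation up front with a clear message instead of failing partway through, and then verifies that the gateway really serves the certificate Posh-ACME issued. It assumes the RemoteDesktopServices module (which provides the RDS: drive on a server with the RD Gateway role) exposes the configured thumbprint through Get-Item as a CurrentValue property, and that the PACertificate object carries Thumbprint, Subject and NotAfter; the domain is a placeholder.

```powershell
# Added example, not from the thread or the Posh-ACME projects.
# Refuse to start unless elevated: the RDS: provider rejects writes from a
# non-administrator token, which is the error seen in the thread.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run PowerShell as administrator; $($identity.Name) is not elevated and cannot write to RDS:\GatewayServer."
}

Import-Module Posh-ACME, Posh-ACME.Deploy
Import-Module RemoteDesktopServices   # provides the RDS: drive (assumption)

$Domain = '*.example.com'             # placeholder
$cert = Get-PACertificate $Domain
if (-not $cert) { throw "No Posh-ACME certificate found for $Domain on the current ACME server." }

# -Install put the certificate in LocalMachine\My; confirm it is there with a
# private key before binding, otherwise the gateway cannot serve it.
$stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $stored -or -not $stored.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is missing from LocalMachine\My or has no private key."
}

$cert | Set-RDGWCertificate -RemoveOldCert -Verbose

# Read back what RD Gateway is configured with (assumed CurrentValue property;
# PowerShell's -ne is case-insensitive, so hex case differences are ignored).
$deployed = (Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
if ($deployed -ne $cert.Thumbprint) {
    throw "RD Gateway thumbprint '$deployed' does not match issued certificate '$($cert.Thumbprint)'."
}

"RD Gateway now serves $($cert.Subject) (thumbprint $deployed, expires $($cert.NotAfter))"
```

For a saved script, `#Requires -RunAsAdministrator` at the top gives the same protection with less code; the explicit check above also works when the lines are pasted into an interactive console, where `#Requires` is not honoured.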

It's all done successfully.

@rmbolger Thanks a lot!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.