Letsencrypt wildcart certificte on Windows server

ma1005700 · August 21, 2018, 6:47am

@rmbolger sorry for the messup

I am successfully able to generate certificate with POSH-ACME. Just need few commands to import the newly generated certificate to RD gateway.

If I use below command;

New-PACertificate ‘*.abc-dc.com’ -AcceptTOS -Contact mohit.agrawal02@infosys.com -DnsPlugin Route53 -PluginArgs $r53Params -Install -force

Will it import the certificate to RD Gateway ? If not what command i should use ?

ma1005700 · August 21, 2018, 8:45am

Please help me with the command for revoking certificate as well

rmbolger · August 21, 2018, 2:32pm

The command you typed will generate a certificate and add it to the Windows certificate store. But it will not get associated with RD Gateway unless you also use the Set-RDGWCertificate command from Posh-ACME.Deploy. You can either append it to your original command on the pipeline:

New-PACertificate '*.example.com' | Set-RDGWCertificate -RemoveOldCert -Verbose

Or you can use the output from Get-PACertificate like this:

Get-PACertificate '*.example.com' | Set-RDGWCertificate -RemoveOldCert -Verbose

To revoke a certificate, you use Set-PAOrder with the -RevokeCert flag like this.

Set-PAOrder '*.example.com' -RevokeCert

mnordhoff · August 21, 2018, 3:27pm

It’s usually not necessary to revoke certificates, though. Only if the private key is compromised or you no longer control a domain.

(In particular, revocation has no effect on rate limits.)

ma1005700 · August 22, 2018, 4:33am

Thanks a lot @rmbolger Does it mean that i need to have both ‘posh-acme’ and ‘posh-acme.deploy’ in order to generate and associate certificate with RD gateway ?? Or I can use Set-RDGWCertificate after generating certificate from ‘posh.acme’ ?

rmbolger · August 22, 2018, 4:48am

You’ll need to have both modules installed in order to have access to both sets of functions, yes. You don’t need to use them in the same command if you don’t want to. You can generate the cert with Posh-ACME and then separately use Posh-ACME.Deploy to add the cert to RD Gateway. That’s totally up to you and how you want to automate things. Personally, I use them both together.

ma1005700 · August 22, 2018, 7:13am

how to generate certificate in staging environment using these ‘posh-acme’ ? I already hit the rate-limit of letsencrypt last week

rmbolger · August 22, 2018, 1:56pm

Here’s a link to the Posh-ACME tutorial. Perhaps give that a read.

github.com

rmbolger/Posh-ACME/blob/master/Tutorial.md

# Posh-ACME Tutorial

- [Picking a Server](#picking-a-server)
- [Your First Certificate](#your-first-certificate)
- [DNS Plugins](#dns-plugins)
- [Renewing A Certificate](#renewing-a-certificate)
- [Going Into Production](#going-into-production)
- [(Advanced) DNS Challenge Aliases](#advanced-dns-challenge-aliases)

## Picking a Server

Before we begin, let's configure our ACME server to be the Let's Encrypt *Staging* server. This will let us figure out all of the commands and parameters without likely running into the production server's [rate limits](https://letsencrypt.org/docs/rate-limits/). 

```powershell
Set-PAServer LE_STAGE
```

`LE_STAGE` is a shortcut for the Let's Encrypt Staging server's directory URL. You could do the same thing by specifying the actual URL which is https://acme-staging-v02.api.letsencrypt.org/directory. The other currently supported server shortcut is `LE_PROD` for the Let's Encrypt Production server. Any ACMEv2 compliant directory URL will work though.

Once you set a server, the module will continue to perform future actions against that server until you change it with another call to `Set-PAServer`. The first time you connect to a server, a link to its Terms of Service will be displayed. You should review it before continuing.

This file has been truncated. show original

ma1005700 · August 23, 2018, 7:30am

@rmbolger pls see the below output:

Command PS C:\Users\Administrator> Get-PACertificate '*.abc-dc.com' | Set-RDGWCertificate -RemoveOldCert -Verbose
VERBOSE: Setting new RDGW thumbprint value
Set-Item : Access to the object at RDS:\GatewayServer\SSLCertificate\Thumbprint is denied for the cmdlet Set-Item.The
certificate is not valid or you do not have sufficient permissions to perform this operation.
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\Posh-ACME.Deploy\Public\Set-RDGWCertificate.ps1:43
char:17

... Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Va ...
```
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : PermissionDenied: ( [Set-Item], AccessViolationException
- FullyQualifiedErrorId : PermissionDenied,Microsoft.PowerShell.Commands.SetItemCommand

How to fix this ?

rmbolger · August 23, 2018, 1:29pm

Run PowerShell elevated (as administrator).

ma1005700 · August 31, 2018, 8:56am

Its all done successfully

@rmbolger Thanks a lot…!!!

system · September 30, 2018, 8:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.