Multiple domains from multiple accounts with PoshACME

Hi all,
I've been using Let's Encrypt certificates for some years inside Windows Server environments with different clients for RD Gateway Service, RRAS and IIS... and lately I'm trying to focus on just using Posh-ACME with the OVH plugin for validation.

But now I'm struggling with a special situation where I need 1 certificate with 2 SANs from domains in different OVH accounts (and therefore different PluginArgs values...).

What I found is this old post from a user with the same question as mine regarding v3 of Posh-ACME

...but years have passed and v4 is out! Is there a sample script somewhere to obtain a certificate like this with Posh-ACME functions?

I know very little about Posh-ACME, but your question might get a better reply at the Posh-ACME GitHub. Its author @rmbolger might reply here too, but will get alerted promptly if you post on GitHub.

I just didn't want you to think we'd forgotten you. Hopefully either here or at their github gets you the answers you need.


Unfortunately, this is still not supported in v4. Each order/cert can only use one set of plugin parameters per plugin type. Realistically, I don't think this scenario will ever be supported, and I'm not sure about any other clients that do either. There are some potential workarounds though.

The best supported method would be to use CNAME aliases for the validation records in one domain that point to the other domain (or add aliases for all of the records in both domains that point to a third domain). This allows you to use a single set of credentials that will work to validate all of the names.

For example, let's say you're trying to get a cert for service.example.com and service.example.net where example.com and example.net live in different OVH accounts.

  1. Create a CNAME for _acme-challenge.service.example.com that points to _acme-challenge.service.example.net. You only have to do this once. It will remain for the lifetime of the cert and its renewals without modification.

  2. Prepare your OVH plugin args variable with the credentials for example.net

  3. Run your New-PACertificate command as normal but include the -DnsAlias parameter to tell Posh-ACME that the TXT record for service.example.com needs to be written somewhere else.

$pArgs = @{
    # credentials for the OVH account that holds example.net (the CNAME target zone)
    OVHAppKey = 'xxxxxxxxxxx'
    OVHAppSecret = (Read-Host -Prompt "App Secret" -AsSecureString)
    OVHConsumerKey = (Read-Host -Prompt "Consumer Key" -AsSecureString)
    OVHRegion = 'ovh-eu'
}
$certParams = @{
    Domain = 'service.example.com','service.example.net'
    Plugin = 'OVH'
    PluginArgs = $pArgs
    # one entry per Domain element, in the same order: the first name's TXT record is
    # written at the CNAME target; the empty string means "no alias" for the second name,
    # whose TXT record is written directly at _acme-challenge.service.example.net
    DnsAlias = '_acme-challenge.service.example.net','' # match the CNAME target
}
New-PACertificate @certParams

The DnsAlias parameter is a string array that should ultimately match the number of elements in the Domain array. Any domain using an alias should have a value and the ones that don't can be empty.

More detail on using CNAME aliases can be found here:

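As an added example (not code from the original post or from Posh-ACME itself), the script below builds the DnsAlias array so that it lines up element-for-element with Domain, and first checks that each _acme-challenge CNAME actually exists and points at the expected target before the order is placed. It also covers the more general "third domain" variant mentioned above, where every name in the cert has an alias: just list each domain in the expected-alias map. Assumptions: Windows with the DnsClient module (Resolve-DnsName), Posh-ACME v4, placeholder domain names and OVH credential values, and the helper name Get-AcmeDnsAliasArray, which is hypothetical and not part of Posh-ACME.

```powershell
# Added example, not part of the original thread or of Posh-ACME.
# Get-AcmeDnsAliasArray is a hypothetical helper name; domains and credentials are placeholders.

function Get-AcmeDnsAliasArray {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        # domain -> expected CNAME target for its _acme-challenge record;
        # domains not listed here get no alias (empty string)
        [hashtable]$ExpectedAlias = @{},
        # query a public resolver so a stale internal cache cannot hide a missing record
        [string]$Server = '1.1.1.1'
    )
    $aliases = foreach ($d in $Domain) {
        $challenge = "_acme-challenge.$d"
        if (-not $ExpectedAlias.ContainsKey($d)) {
            ''        # no alias: Posh-ACME writes the TXT record at $challenge itself
            continue
        }
        $rec = Resolve-DnsName -Name $challenge -Type CNAME -Server $Server -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $rec) {
            throw "No CNAME found for $challenge; create it before ordering the certificate."
        }
        $target = $rec.NameHost.TrimEnd('.')
        if ($target -ne $ExpectedAlias[$d]) {
            throw "$challenge points to $target, expected $($ExpectedAlias[$d])"
        }
        $target   # Posh-ACME writes the TXT record at the alias name as-is
    }
    # force an array even when only one domain was given
    return ,[string[]]$aliases
}

# --- usage: two names in two OVH accounts, one CNAME pointing into the other zone ---
$domains  = 'service.example.com','service.example.net'
$expected = @{ 'service.example.com' = '_acme-challenge.service.example.net' }
# for the "third domain" variant, list both:
# $expected = @{ 'service.example.com' = '_acme-challenge.service.example.org'
#                'service.example.net' = '_acme-challenge.service.example.org' }

# credentials for the account that owns the zone where the TXT records land
$pArgs = @{
    OVHAppKey      = 'xxxxxxxxxxx'
    OVHAppSecret   = (Read-Host -Prompt 'App Secret' -AsSecureString)
    OVHConsumerKey = (Read-Host -Prompt 'Consumer Key' -AsSecureString)
    OVHRegion      = 'ovh-eu'
}

# prove the alias chain against the staging CA first; it has far looser rate limits
Set-PAServer LE_STAGE

$certParams = @{
    Domain     = $domains
    Plugin     = 'OVH'
    PluginArgs = $pArgs
    DnsAlias   = Get-AcmeDnsAliasArray -Domain $domains -ExpectedAlias $expected
}
New-PACertificate @certParams

# Renewals reuse the stored order parameters, DnsAlias included, so the CNAMEs
# only have to exist once:
# Submit-Renewal -MainDomain 'service.example.com'
```

Once the order succeeds against LE_STAGE, switch back with Set-PAServer LE_PROD and run the same New-PACertificate call. The pre-flight check matters because a missing or mistyped CNAME only shows up as a failed challenge after the TXT record has already been written, which burns a validation attempt against the production rate limits.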

Just a short answer to thank you for the proposed workaround: I'll give it a try as soon as possible!

About other clients... well, right now I'm actually generating this kind of multi-domain certificate with Certify the Web 'community edition' (...I'm in the Windows world...), where in the Authorization section it's possible to configure multiple authorization settings with a domain-match attribute that associates each authorization setting with a particular domain of the cert.
