New PowerShell ACMEv2 client: Posh-ACME


#1

Hey all-

I just released a new ACMEv2 client as a PowerShell module called Posh-ACME. Project site is here:

It’s also installable via PowerShellGallery.

Notable features include:

  • Single command for new certs, New-PACertificate
  • Easy renewals via Submit-Renewal
  • RSA and ECC private keys supported for accounts and certificates
  • DNS challenge plugins for various DNS servers and providers (PRs welcome)
  • DNS challenge CNAME support
  • Help system for DNS plugins using Get-DnsPlugins and Get-DnsPluginHelp
  • DNS plugins support batch updates
  • Multiple accounts supported per user profile which allows different certs to have different contact emails
  • PEM and PFX output files
  • No elevated Windows privileges required

Features lacking at the moment:

  • Extensive list of DNS plugins (this is my highest priority now that it’s released, particularly acme-dns)
  • Pre/Post hooks to aid with certificate deployment and automation
  • HTTP challenge support
  • Account key rollover
  • PowerShell Core support

During development, I was particularly inspired by acme.sh which is a fantastic client for non-Windows platforms. I wanted the same feeling but on Windows and none of the existing Windows native clients I found really fit the bill. Even fewer supported ACMEv2 with wildcards.

There’s a Quick Start in the project readme. There’s also a much more in-depth tutorial.

I’d be happy for any feedback. Cheers!


#2

Posh-ACME 1.1 is now released. From the changelog:

  • Added tab completion for -DnsPlugin parameter
  • Added new DNS plugins
    • Acme-Dns
    • Azure
    • GCloud (Google Cloud)
    • Windows

#3

I imagine you could have an interesting project logo! :tophat:


#4

Hah, I hadn’t even considered adding a project logo. I’m too focused on fleshing out the features for the time being.


#5

Thanks for this, the simplest, easiest-to-use ACME PowerShell client. I’ve migrated my automation to this from ACMESharp (as I’m still waiting for v2 support). The native integration with AWS/R53 was also a great win.

Looking forward to seeing usable output / hooks for easier use in automation!


#6

Glad you like it. The automation hooks are the next thing I’d love to get working. But I’m still trying to figure out how it should work. I’d love any input you have.

For instance, would outputting some sort of certificate object with details like the thumbprint, paths to files, etc. be good enough? Or do you think people would like a more formal deployment plugin system like the DnsPlugins, such that you’d need to add additional parameters to the call to New-PACertificate?

I actually like the idea of writing cert details to the pipeline on new issuance and renewal and that should be pretty easy to implement as well. I was also thinking of adding a switch like -Install that would optionally add the resulting cert to the computer’s cert store (which obviously necessitates running as admin).

But I also feel like there should be an easier way to do what I think would be common tasks with the resulting cert such as associating it with an IIS site, RDP or RD Gateway services, Exchange endpoints, etc. But a lot of those workflows get complicated pretty quickly. So it’s hard to imagine what a formal plugin-like system would look like.

Perhaps canned workflows like that would make more sense in a separate module or collection of scripts intended to be used with the cert detail output from Posh-ACME?


#7

Posh-ACME 2.0 is now released. From the changelog:

  • Potentially Breaking Changes
    • New-PACertificate now outputs certificate details to the pipeline which should aid automation
    • New-PACertificate now reuses all previous order params (for the same MainDomain) when not explicitly specified
    • All generated PFX files now have ‘poshacme’ as the default password to address compatibility issues with other tools
  • New-PACertificate now generates fullchain.pfx in addition to cert.pfx
  • Added optional parameters to New-PACertificate
    • -FriendlyName sets Friendly Name when imported into Windows certificate store
    • -PfxPass overrides the default password for generated PFX files
    • -Install switch imports fullchain.pfx to Windows certificate store. Requires elevation
  • Added new DNS plugins
    • DOcean (Digital Ocean)
    • Cloudflare. Thanks @rian-hout!
  • Added Get-PACertificate which returns certificate details
  • Added usage guides for most DNS plugins
  • Added progress bar while waiting for DNS changes to propagate
  • Old csr and chain files are no longer backed up when creating a new order
  • Manual plugin now displays all records to create with one prompt
  • Fixed AcmeDns plugin issue where CNAMEs would display twice on user Ctrl-C from prompt
  • Bugfix for Azure plugin (#17). Thanks @juliansiebert!
  • New-PACertificate will no longer redownload certs when run with same arguments (#9)

#8

Posh-ACME 2.1 is now released. From the changelog:

  • Added account key rollover support. Use -KeyRollover switch in Set-PAAccount.
  • Added PfxPass (SecureString) to Get-PACertificate output
  • Added new DNS plugins
    • DMEasy (DNS Made Easy)
    • GoDaddy. Thanks @Rukas!
  • All calls to Invoke-WebRequest and Invoke-RestMethod now use -UseBasicParsing to avoid issues with PowerShell using Internet Explorer’s DOM parser. Thanks @Rukas!
  • Fixed hard coded cert store paths in Import-PfxCertInternal
  • Fixed tests for New-Jws

#9

Thanks for all your hard work on this module. This is exactly what I was looking for.


#10

You’re quite welcome. I’m also working on a companion module to make deploying the certs easier. It’s not quite ready for prime time yet. But you can test the dev version if you’d like. The included functions are intended for piping from the output of New-PACertificate, Get-PACertificate, and Submit-Renewal.

I also recently solved one of the initial problems I was having with PowerShell Core support in the main module and have started working on making that go as well.
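A sketch of the pipeline-driven workflow discussed in posts #6, #7 and #10 (issue once, then renew and deploy from a scheduled task), added here as an example and not code from the Posh-ACME project or its companion module. It uses the parameters named in the changelogs above (-DnsPlugin, -FriendlyName, -PfxPass) together with -Domain, -AcceptTOS, -Contact and Submit-Renewal -MainDomain, which are assumed to exist; the certificate object's property names (Subject, NotAfter, Thumbprint, PfxFullChain, PfxPass) are assumed from the thread's descriptions, Submit-Renewal is assumed to return nothing when the order is not yet due, and the domains, contact address, site name and PFX password are placeholders.

```powershell
# Added example; not code from the Posh-ACME project.
# Step 1 (run interactively once): issue a wildcard cert with the Manual DNS plugin.
# -Domain, -AcceptTOS and -Contact are assumed parameter names; the others come
# from the changelogs in this thread.
Import-Module Posh-ACME

$domains = 'example.com', '*.example.com'       # placeholder domains
$pfxPass = 'Replace-Me-Per-Install'              # override the well-known default 'poshacme'

$cert = New-PACertificate -Domain $domains -AcceptTOS -Contact 'admin@example.com' `
            -DnsPlugin Manual -FriendlyName 'example.com (Posh-ACME)' -PfxPass $pfxPass

# The object written to the pipeline is what deployment scripts consume.
# Property names are assumed from the thread (thumbprint, file paths, PfxPass).
$cert | Format-List Subject, Thumbprint, NotAfter, PfxFullChain

# Step 2 (scheduled task, run elevated): renew if due, then deploy to IIS.
function Deploy-ToIis {
    param(
        [Parameter(Mandatory)] $Cert,              # Posh-ACME certificate object
        [string] $SiteName = 'Default Web Site'    # placeholder site name
    )
    Import-Module WebAdministration

    # Import the full chain so the intermediates land in the machine store too.
    # PfxPass is a SecureString on the cert object per the 2.1 changelog.
    $imported = Import-PfxCertificate -FilePath $Cert.PfxFullChain `
                    -CertStoreLocation 'Cert:\LocalMachine\My' `
                    -Password $Cert.PfxPass

    # Re-point the site's existing HTTPS binding at the new thumbprint.
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    if (-not $binding) { throw "No https binding found on '$SiteName'" }
    $binding.AddSslCertificate($imported.Thumbprint, 'My')

    # Sanity check for a plain (non-SNI) binding on all IPs, port 443:
    # the SSL binding must now present the cert we just imported.
    $bound = Get-Item 'IIS:\SslBindings\0.0.0.0!443'
    if ($bound.Thumbprint -ne $imported.Thumbprint) {
        throw 'SSL binding did not pick up the new certificate'
    }
    return $imported.Thumbprint
}

# Submit-Renewal is assumed to emit the cert object only when a renewal happened.
$renewed = Submit-Renewal -MainDomain 'example.com'
if ($renewed) {
    Deploy-ToIis -Cert $renewed
}
```

The deploy function takes the certificate object rather than file paths so the same function works whether it is fed from New-PACertificate, Get-PACertificate or Submit-Renewal, which is the piping model post #10 describes; keeping the PFX password out of the default 'poshacme' matters because the PFX holds the private key and the default is public knowledge.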


#11

Great work. I’ve so far been unable to get GoDaddy to recognize the TXT entries for a cert verification, but I’ve gotten it to work with others (like DNSimple).


#12

The GoDaddy plugin was contributed by another user so I couldn’t fully test it myself. But if you have time, create an issue on the GitHub project and we can try to work through it. Might be able to pull in the original plugin author there as well.


#13

Posh-ACME 2.2 is now released. From the changelog:

  • Added cross platform PowerShell Core support!
    • Some DNS plugins don’t work yet on non-Windows due to a known issue handling SecureString in PowerShell Core 6.0. Check details on the project wiki.
    • -Install param on New-PACertificate throws error on non-Windows because there’s no certificate store to install to.
    • Windows plugin doesn’t work in Core at all yet due to lack of Core compatible DnsServer module.
  • Added new DNS plugin Zonomi. Thanks @Zippy79!