Posh-ACME problems with DNS validation of multi-domain cert

Hi everyone!
First time poster here, trying to generate a cert for an Exchange server using Posh-ACME with DNS validation and it went very well until I needed to make it multi-domain.

I have four domains host.domain.com, autodiscover.domain.com, webmail.domain.com and autodiscover.domain.net. Now, one of these is using a different DNS provider than the others and at first I thought that wouldn't be a problem at all since New-PACertificate takes a list of DNS plugins. It even gives a warning if I specify less than four plugins.

Thing is, it seems to use the same plugin arguments for all four plugin calls. I've looked at the code and stepped through it and I can see no way to specify that call no. 4 should use different parameters. Is there a way to do this? I'd rather not hack the code since it makes updating a pain. Am I missing something?

Thanks in advance!
BR,
Måns


Hey @Mans. You're super close to the right answer already. When you specify a list of plugins, it will associate each plugin with each name in the order unless the number of plugins doesn't match. When they don't match, it will assume the last plugin specified is the one to use for the rest of the names in the order.

So in your specific case, you could do something like this where the first 3 names use PluginA and the last one uses PluginB.

$names = 'host.domain.com','autodiscover.domain.com','webmail.domain.com','autodiscover.domain.net'
$plugins = 'PluginA','PluginA','PluginA','PluginB'
New-PACertificate $names -Plugin $plugins -PluginArgs $blah

You could also simplify a bit by changing the order of the names so that the odd name is first in the list. Then you only have to specify each plugin name once, because the second one will be applied to everything after the first name.

$names = 'autodiscover.domain.net','host.domain.com','autodiscover.domain.com','webmail.domain.com'
$plugins = 'PluginB','PluginA'
New-PACertificate $names -Plugin $plugins -PluginArgs $blah

I should probably add that the hashtable for -PluginArgs should contain all of the parameters necessary for all of the plugins you're using. The module will send the correct parameters to the correct plugin automatically.


Hi @rmbolger!
Always nice to get a reply from the maintainer! :)

I think I made the noob mistake of not giving enough info when asking for help.

It's the $blah I'm having trouble with. I've tried this but it blows up with "duplicate keys ... not allowed".

$names = 'autodiscover.domain.net','host.domain.com','autodiscover.domain.com','webmail.domain.com'
$plugins = 'Loopia','Loopia'
$LoopiaUser1 = 'myuid1@loopiaapi'
$LoopiaUser2 = 'myuid2@loopiaapi'
$LoopiaSecret1 = 'a-secret'
$LoopiaSecret2 = 'another-secret'
$blah= @{LoopiaUser=$LoopiaUser1;LoopiaPass=$LoopiaSecret1;LoopiaUser=$LoopiaUser2;LoopiaPass=$LoopiaSecret2}
New-PACertificate $names -Plugin $plugins -PluginArgs $blah

Will it only work if plugin 1 != plugin 2?

Doh, yes. That's correct. You can only have one set of credentials per plugin per ACME account (though this will be per-order in 4.x). There are a few ways to work around the limitation.

The easiest is to basically duplicate the plugin you're working with and just change its name and parameters so they're unique across the rest of the plugins. That obviously gets unwieldy if you need more than one extra copy of the plugin though.

The other ways involve a bit more custom scripting where you respond to the challenges using Publish-DnsChallenge and Send-ChallengeAck. I don't have anything written up specifically for this use-case, but it's very similar to what DuckDNS users have to do for certs with multiple names. Depending on your level of PowerShell comfort, you might be able to adapt the script in its usage guide.

Thanks Ryan,
Just needed one extra copy so I went ahead and cloned Loopia.ps1 to Loopia2.ps1 and updated the functions Add-DnsTxt*, Remove-DnsTxt* and Save-DnsTxt* as well as the parameters to reflect the new name.
Now it works perfectly!

BR,
Måns
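The plugin-clone workaround described above, written out as a script. This is an added example, not code from the thread or from the Posh-ACME project. It assumes the Posh-ACME 3.x layout in which DNS plugins live in the module's DnsPlugins folder and define Add-DnsTxt<Name>, Remove-DnsTxt<Name> and Save-DnsTxt<Name>, and it assumes the plugin's parameter names are LoopiaUser and LoopiaPass as used earlier in the thread (check the real plugin file before trusting the rename list). Get-NamePluginMap is a hypothetical helper that previews the name-to-plugin assignment using the rule from the first reply (plugin i goes with name i; once the plugin list runs out, the last plugin covers the remaining names).

```powershell
# Added example: clone a DNS plugin under a second name so that one order can
# carry two credential sets for the same provider. Assumes Posh-ACME 3.x
# (plugins in <module>\DnsPlugins, functions named *-DnsTxt<Name>).
Import-Module Posh-ACME

$source = 'Loopia'
$clone  = 'Loopia2'
$params = 'LoopiaUser', 'LoopiaPass'   # assumed parameter names; verify in the plugin file

$pluginDir = Join-Path (Get-Module Posh-ACME).ModuleBase 'DnsPlugins'
$srcFile   = Join-Path $pluginDir "$source.ps1"
$dstFile   = Join-Path $pluginDir "$clone.ps1"

if (-not (Test-Path $srcFile)) { throw "Plugin file not found: $srcFile" }
if (Test-Path $dstFile)        { throw "Clone already exists: $dstFile" }

$content = Get-Content -Path $srcFile -Raw

# Function names must be unique across all loaded plugins.
$content = $content -replace "DnsTxt$source\b", "DnsTxt$clone"

# Parameter names must be unique too; otherwise -PluginArgs would need
# duplicate hashtable keys, which is the error seen in the thread.
# Whole-word match so $LoopiaUser becomes $Loopia2User and nothing else moves.
foreach ($p in $params) {
    $content = $content -replace "\b$p\b", ($p -replace "^$source", $clone)
}

Set-Content -Path $dstFile -Value $content -Encoding UTF8

# Verify the clone defines the three renamed functions without executing it:
# parse the file and list its function definitions.
$ast = [System.Management.Automation.Language.Parser]::ParseFile($dstFile, [ref]$null, [ref]$null)
$defined = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.FunctionDefinitionAst] }, $true) |
    ForEach-Object Name
foreach ($verb in 'Add', 'Remove', 'Save') {
    if ("$verb-DnsTxt$clone" -notin $defined) { throw "Clone does not define $verb-DnsTxt$clone" }
}

# Plugin files are discovered at module load, so reload to pick up the clone.
Import-Module Posh-ACME -Force

function Get-NamePluginMap {
    # Hypothetical helper: preview which plugin handles which name, using the
    # rule from the thread (index match, last plugin fills the remainder).
    param([string[]]$Names, [string[]]$Plugins)
    for ($i = 0; $i -lt $Names.Count; $i++) {
        [pscustomobject]@{
            Name   = $Names[$i]
            Plugin = $Plugins[[Math]::Min($i, $Plugins.Count - 1)]
        }
    }
}

# The .net name goes first and uses the clone; the other three fall through
# to the last plugin listed.
$names   = 'autodiscover.domain.net', 'host.domain.com', 'autodiscover.domain.com', 'webmail.domain.com'
$plugins = 'Loopia2', 'Loopia'
Get-NamePluginMap -Names $names -Plugins $plugins | Format-Table

# One hashtable with both credential sets; the module routes each key to the
# plugin whose parameters match, and the keys no longer collide.
$pluginArgs = @{
    LoopiaUser  = 'myuid1@loopiaapi'    # constructed sample values
    LoopiaPass  = 'a-secret'
    Loopia2User = 'myuid2@loopiaapi'
    Loopia2Pass = 'another-secret'
}

New-PACertificate $names -Plugin $plugins -PluginArgs $pluginArgs
```

Because the clone lives inside the installed module folder, a module upgrade will drop it; re-run the script after upgrading, and diff Loopia.ps1 against the release notes first so the clone does not silently lag behind a plugin fix.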

Excellent. Obviously, you'll want to update your duplicate if it ever changes in the future. So keep an eye on the release notes when you upgrade. But unless someone finds a bug with the plugin or Loopia changes their API, there shouldn't be any changes until the 4.x release when the plugin architecture as a whole is changing a bit.
