Request failing for certs behind load balancer (using Posh-Acme Windows)

Hi there,

I don't know if this is the right channel, but we have this issue and would appreciate any help.

We have a load balancer (F5) with a public IP that is defined in DNS. On that load balancer we have defined aliases for multiple web sites pointing to Windows servers.
These aliases are not defined in DNS and exist only on our load balancer. Queries from outside hit the load balancer and are then routed to Windows IIS.
When using Posh-ACME to request a certificate from LE (with the DNS challenge) we receive the following error:

```
PS>TerminatingError(New-PACertificate): "Cannot bind argument to parameter 'Domain' because it is an empty string."
New-PACertificate : Cannot bind argument to parameter 'Domain' because it is an empty string.
At C:\Scripts\cert_newest.ps1:91 char:19
+ New-PACertificate $hn1 -AcceptTOS -Contact emaiaddress@auckland.ac.nz ...
+                   ~~~~
    + CategoryInfo          : InvalidData: (:) [New-PACertificate], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,New-PACertificate
```

Is there any way to request certificates for the kind of setup described above?
Thank you. Regards

The error message you received suggests your $hn1 variable is either an empty string or an empty array. I don't think the F5 or DNS has anything to do with this problem unless they are how you are setting the value of $hn1.

Can you post the contents of your script or perhaps just a snippet that involves the declaration of the $hn1 variable?


```
PS C:\Windows\system32> $hn1
test1.auckland.ac.nz
www.test1.auckland.ac.nz
```

After that, at `New-PACertificate $hn1 -AcceptTOS...`, they are represented as: test1.auckland.ac.nz, www.test1.auckland.ac.nz

The script works perfectly when these test1 names are defined in DNS, but when they are aliases on the F5, the cert TXT validation fails.

thanks


I'm confused. The error message you posted has nothing to do with validation failing. It's just a parameter binding error on the call to New-PACertificate in your script because PowerShell thinks the $hn1 variable is empty. Showing the value of $hn1 in your current session doesn't necessarily mean your script sees the same value due to how variable scoping works in PowerShell.

It would still be very helpful if you could post some or all of the contents of your C:\Scripts\cert_newest.ps1 script file. Feel free to sanitize it if it contains sensitive info.

If you're having an error with DNS validation, can you post the output from a session where that is happening, using the -Verbose switch on the call to New-PACertificate?


@darkog
Is the authentication method being used DNS or HTTP?

I'm using DNS method.

Output when running the script (LE service is down!):

```
Set-PAServer LE_PROD
New-PACertificate $hn1 -AcceptTOS -Contact ae.jackson@auckland.ac.nz -Plugin Infoblox `
    -PluginArgs $ibParams -Verbose -DNSSleep 15 -install -force
Set-PAServer : {
  "type": "urn:acme:error:serverInternal",
  "detail": "The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details."
}
At line:31 char:1
+ Set-PAServer LE_PROD
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Set-PAServer], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Set-PAServer

New-PACertificate : Cannot bind argument to parameter 'Domain' because it is an empty string.
At line:32 char:19
+ New-PACertificate $hn1 -AcceptTOS -Contact ae.jackson@auckland.ac.nz ...
+                   ~~~~
    + CategoryInfo          : InvalidData: (:) [New-PACertificate], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,New-PACertificate
```

Maybe this has something to do with this error ? ? ?


@rmbolger
Will PoshACME create a non-existent DNS path?

www.this.path.has.not.been.created.EXAMPLE.com

Yeah, the Production API is currently down. Though, ideally you should be testing against the staging server until you sort out the issues with your script. Run Set-PAServer LE_STAGE and then try your command again.

Also, when you post output to the forum here, it is much easier to read if you place it in a code-fence block which just means pasting the output between a pair of 3 backtick characters (Shift+~ on a US keyboard) like this in the message editor:

```
PASTE OUTPUT HERE
```

Yes. It will happily submit the order request for that name to the ACME server. And if the ACME server returns a valid order object that has authorization(s) needing to be validated, it will send the name to the associated plugin for creation in DNS. Using ACME with fake or internal-only DNS zones is totally plausible with an internal CA.

But OP does not appear to be reaching the point where Posh-ACME sends the order request to the ACME server, probably because the Prod API is unavailable at the moment. The last error indicates the code is failing to retrieve the basic directory endpoint.


When the service is working:

```
Set-PAServer LE_STAGE
New-PACertificate $hn1 -AcceptTOS -Contact ae.jackson@auckland.ac.nz -Plugin Infoblox `
    -PluginArgs $ibParams -Verbose -DNSSleep 15 -install -force
Please review the Terms of Service here: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
New-PACertificate : Cannot bind argument to parameter 'Domain' because it is an empty string.
At line:32 char:19
+ New-PACertificate $hn1 -AcceptTOS -Contact ae.jackson@auckland.ac.nz  ...
+                   ~~~~
    + CategoryInfo          : InvalidData: (:) [New-PACertificate], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,New-PACertificate
```

```
PS C:\Windows\system32> $hn1
dmc.auckland.ac.nz
```

That error still points to the $hn1 variable being the problem...as if it's an array that has either a null or empty entry. I can reproduce it locally like this.

```
PS C:\> $hn1 = 'example.com',''
PS C:\> New-PACertificate $hn1
New-PACertificate : Cannot bind argument to parameter 'Domain' because it is an empty string.
At line:1 char:19
+ New-PACertificate $hn1
+                   ~~~~
    + CategoryInfo          : InvalidData: (:) [New-PACertificate], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,New-PACertificate
```

Can you run the following to check the type and number of potential entries in the array?

```
$hn1.GetType()
$hn1.Count
```

Result is:

```
PS C:\Windows\system32> $hn1.GetType()

IsPublic IsSerial Name     BaseType
-------- -------- ----     --------
True     True     Object   System.Array

PS C:\Windows\system32> $hn1.Count
2
```

There you go. Your variable is an array with 2 entries, but only the first one has a domain name. The second one is either empty or null.

There are a number of ways you could potentially fix this. You could just reset the value of the variable to your domain name:

```
$hn1 = 'dmc.auckland.ac.nz'
```

You could strip empty entries from the array:

```
$hn1 = $hn1 | ?{ $_ }
```

You could just reference the first index in the array when calling New-PACertificate:

```
New-PACertificate $hn1[0]
```

What makes sense is going to depend on the code actually in your script which I'd still love to see at least a snippet of.


Can you check the length of those entries?
If so, do they match their expected lengths?

This did the trick: `$hn1 = $hn1 | ?{ $_ }`

Something was not right in the text file I was reading from.
Thanks


Review the process that makes that file (or you may face this problem again in 60 to 90 days).
Possibly a CR-LF at the end ? ? ?
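The root cause in this thread was a hostname list read from a text file that contained a blank entry (most likely a trailing line break), and the suggested fixes were to filter the array with `?{ $_ }` or to review how the file is produced so the problem does not return at renewal time. The following is an added example, not code from the thread or from the Posh-ACME project: it loads the hostname file defensively (trims each line, drops blank and comment lines, rejects anything that is not a plausible DNS name, and stops before any ACME call if nothing usable is left), then makes the same `New-PACertificate` call the poster used against the staging server. The file path `C:\Scripts\hostnames.txt` and the `$ibParams` Infoblox argument hashtable are assumptions.

```powershell
# Added example (not from the thread or from Posh-ACME): read hostnames from a
# text file without ever passing an empty string to New-PACertificate.
# Assumptions: the file path below, and that $ibParams (the Infoblox plugin
# argument hashtable from the original script) is already defined.

function Get-HostnameList {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Hostname file not found: $Path"
    }

    # Get-Content splits on CR-LF or LF. A trailing newline or a line that is
    # only whitespace becomes an empty element after Trim(), which is exactly
    # the value that triggered the "empty string" binding error in the thread.
    $names = Get-Content -LiteralPath $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }

    # Fail early on anything that is not a plausible DNS name (optionally a
    # leading wildcard label). Stopping here is cheaper than a failed order and
    # keeps typos in the file from reaching the CA at all.
    $bad = @($names | Where-Object { $_ -notmatch '^(\*\.)?[A-Za-z0-9][A-Za-z0-9.-]*$' })
    if ($bad.Count -gt 0) {
        throw "Invalid hostname entries in ${Path}: $($bad -join ', ')"
    }

    # Always return an array so $hn1.Count and $hn1[0] behave the same whether
    # the file holds one name or many.
    return @($names)
}

# Usage mirroring the thread's call; the script stops before Set-PAServer if
# the input file yields no names.
$hn1 = Get-HostnameList -Path 'C:\Scripts\hostnames.txt'   # assumed path
if ($hn1.Count -eq 0) {
    throw 'No hostnames to request; check the input file.'
}

Set-PAServer LE_STAGE   # test against staging until the script is known good
New-PACertificate $hn1 -AcceptTOS -Contact ae.jackson@auckland.ac.nz -Plugin Infoblox `
    -PluginArgs $ibParams -Verbose -DNSSleep 15 -Install -Force
```

Once the script behaves against staging, switch to `Set-PAServer LE_PROD`. Keeping the validation in a function also makes the renewal path (the 60 to 90 day cycle mentioned above) fail loudly with a clear message instead of a parameter-binding error pointing at `$hn1`.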