I don’t know if this is the right channel, but we have this issue and would appreciate any help.
We have a load balancer (F5) which has a public IP and is defined in DNS. On that load balancer we have defined aliases for multiple web sites pointing to Windows servers.
These aliases are not defined in DNS and exist only at our load balancer. When queried from outside, they hit the load balancer and are then routed to Windows IIS.
When using Posh-ACME to request a certificate from LE (with DNS challenge), we receive the following error:
PS>TerminatingError(New-PACertificate): "Cannot bind argument to parameter 'Domain' because it is an empty string."
New-PACertificate : Cannot bind argument to parameter 'Domain' because it is an empty string.
At C:\Scripts\cert_newest.ps1:91 char:19
The error message you received suggests your $hn1 variable is either an empty string or an empty array. I don't think the F5 or DNS has anything to do with this problem unless they are how you are setting the value of $hn1.
Can you post the contents of your script or perhaps just a snippet that involves the declaration of the $hn1 variable?
I'm confused. The error message you posted has nothing to do with validation failing. It's just a parameter binding error on the call to New-PACertificate in your script because PowerShell thinks the $hn1 variable is empty. Showing the value of $hn1 in your current session doesn't necessarily mean your script sees the same value due to how variable scoping works in PowerShell.
It would still be very helpful if you could post some or all of the contents of your C:\Scripts\cert_newest.ps1 script file. Feel free to sanitize it if it contains sensitive info.
If you're having an error with DNS validation, can you post the output from a session where that is happening when using the -Verbose switch on the call to New-PACertificate?
Output when running the script (LE service is down!)
Set-PAServer LE_PROD
New-PACertificate $hn1 -AcceptTOS -Contact ae.jackson@auckland.ac.nz -Plugin Infoblox `
-PluginArgs $ibParams -Verbose -DNSSleep 15 -install -force
Set-PAServer : {
"type": "urn:acme:error:serverInternal",
"detail": "The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details."
}
At line:31 char:1
Yeah, the Production API is currently down. Though, ideally you should be testing against the staging server until you sort out the issues with your script. Run Set-PAServer LE_STAGE and then try your command again.
Also, when you post output to the forum here, it is much easier to read if you place it in a code-fence block which just means pasting the output between a pair of 3 backtick characters (Shift+~ on a US keyboard) like this in the message editor:
Yes. It will happily submit the order request for that name to the ACME server. And if the ACME server returns a valid order object that has authorization(s) needing to be validated, it will send the name to the associated plugin for creation in DNS. Using ACME with fake or internal-only DNS zones is totally plausible with an internal CA.
But OP does not appear to be reaching the point where Posh-ACME sends the order request to the ACME server, probably due to the Prod API being unavailable at the moment. The last error indicates the code is failing to retrieve the basic directory endpoint.
That error still points to the $hn1 variable being the problem...as if it's an array that has either a null or empty entry. I can reproduce it locally like this.
PS C:\> $hn1 = 'example.com',''
PS C:\> New-PACertificate $hn1
New-PACertificate : Cannot bind argument to parameter 'Domain' because it is an empty string.
At line:1 char:19
+ New-PACertificate $hn1
+ ~~~~
+ CategoryInfo : InvalidData: (:) [New-PACertificate], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,New-PACertificate
Can you run the following to check the type and number of potential entries in the array?
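An added example, not part of the original thread and not the command the poster asked for: a pre-flight check that reports the type and entry count of the domain list and drops null or empty entries before they reach New-PACertificate. The function name `Get-CleanDomainList` and the sample input are assumptions made for illustration. Because of the scoping point raised earlier, the check belongs inside the script, directly before the New-PACertificate call, rather than in the interactive session.

```powershell
# Added example: hypothetical helper, not part of Posh-ACME or of cert_newest.ps1.
function Get-CleanDomainList {
    [CmdletBinding()]
    param(
        # Untyped-array, non-mandatory parameter so the helper accepts the same
        # bad input ($null, '', arrays with empty entries) that -Domain rejects.
        [Parameter(Position = 0)]
        [object[]]$Domain
    )

    # Report what the script actually sees at this point in its own scope.
    $typeName = if ($null -eq $Domain) { '<null>' } else { $Domain.GetType().FullName }
    $items = @($Domain)   # treat a scalar, $null and an array uniformly
    Write-Verbose ("Input type: {0}; entries: {1}" -f $typeName, $items.Count)

    $clean = New-Object 'System.Collections.Generic.List[string]'
    for ($i = 0; $i -lt $items.Count; $i++) {
        # Casting to string turns $null into '' so one test covers both cases.
        $name = ([string]$items[$i]).Trim()
        if ([string]::IsNullOrWhiteSpace($name)) {
            Write-Warning "Entry $i is null, empty or whitespace and was dropped."
            continue
        }
        $clean.Add($name)
    }

    if ($clean.Count -eq 0) {
        # Fail here with a clear message instead of a parameter binding error later.
        throw 'No usable domain names in the input; not calling New-PACertificate.'
    }

    # The leading comma stops PowerShell from unrolling a one-element array.
    return ,$clean.ToArray()
}

# Constructed sample input reproducing the case shown above: an empty second entry.
$raw = 'example.com', ''
$hn1 = Get-CleanDomainList $raw -Verbose

# Pass the cleaned list on, for example: New-PACertificate $hn1 -AcceptTOS ...
```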