Win-acme run script following cert renewal

I’ve got a Windows Server 2019 with a copy of ManageEngine’s ADSelfService Plus (ADSSP) running on it. ADSSP uses tomcat and JRE. I’ve got Win-Acme running on the server and I have it pull the PEM files into the directory c:\ssl. I then run the following commands from an elevated command prompt to import the new chain PEM into a keystore file, replace the keystore file in the tomcat deployment and restart the ADSSP service:

"c:\ManageEngine\ADSelfService Plus\jre\bin\keytool" -import -alias tomcat -file c:\ssl\my.domain.com-chain.pem -keystore SelfService.keystore -noprompt -storepass MyPassword
Copy /y SelfService.keystore "C:\ManageEngine\ADSelfService Plus\conf\SelfService.keystore"
sc stop "ADSelfServicePlus"
sc start "ADSelfServicePlus"

I’d like to put all of that into a script and then have it automatically run each time Win-Acme completes its renewal, but I’m just not sure how to make that happen (or if it is even possible). I’ve taken a look at https://www.win-acme.com/reference/plugins/installation/script but I’m still struggling.

Can this be done? What is the best method to achieve this? Should I put the above commands into a batch file? If so, how would I specify that I want the batch file to run with elevated privileges? Is it better to put it into a powershell script? Same question about elevated privileges. Thanks!

doesn’t --installation script --script C:\script.bat work?

Thanks for the response. I tried that but now I’ve got a new problem. When I removed the previous renewal and created a new one it caused win-acme to exit unexpectedly and it didn’t save the new config. I’m guessing the fact that I’ve tried renewing too many times in a short period is where the problem has occurred. I’m going to let it sit for a couple of days and give it a try then. I’ll report back.

While I wait, I’ll speculate aloud about why I think your suggestion might work. Win-Acme is running elevated when I create the renewal. When it runs again automatically later for the renewal as scheduled it will be running elevated. When it runs the batch file, that too should be elevated so there shouldn’t be an issue. Anyhow… thanks for the assist and I’ll update in a couple of days.

Commenting to follow along here because I’m just getting started figuring this out for my own ADSSP setup.

But also, there is a setting on the general tab in Scheduled Tasks to “Run with highest privileges”. I can’t say for sure if that will help with this specific issue but I’ve had to use it in the past when I essentially needed to elevate to admin rights (a la UAC prompt) even if the defined user account is already an admin on the system. And yes, as you’ve surmised, any child processes started with an elevated parent process will also be elevated properly.

Thanks for the note @sullivas. Thanks also for pointing out the ability to run scheduled tasks in the system scheduler with elevated privileges. I think that too will prove helpful. Since you are also working on setting up ADSSP with Let’s Encrypt, I thought I would share one small update to the batch file and explain the changes I made:

"c:\ManageEngine\ADSelfService Plus\jre\bin\keytool" -import -alias tomcat -trustcacerts -file c:\ssl\my.domain.com-chain.pem -keystore SelfService.keystore -noprompt -storepass MyPassword
"c:\ManageEngine\ADSelfService Plus\jre\bin\keytool" -importkeystore -srckeystore SelfService.keystore -destkeystore SelfService.keystore -deststoretype pkcs12 -noprompt -srcstorepass MyPassword
Copy /y SelfService.keystore "C:\ManageEngine\ADSelfService Plus\conf\SelfService.keystore"
net stop ADSelfServicePlus
net start ADSelfServicePlus
del SelfService.keystore

The first thing I changed was that I added a second keytool command which converts the keystore to pkcs12 (which is what JRE recommends). Though the ADSSP SSL screens tell you to get rid of the "keystoreType=pkcs12" in conf\server.xml, I leave it in there.

The second thing I changed was instead of using sc I used net stop and net start. The reason for this change is sc doesn't seem to wait for the stop to complete before it goes on to the next command. That can cause the system to fail to start the service because it hasn't finished stopping it. I solve that using net start and net stop because it waits until the task is complete to move on.

Finally, I added that del command, which is just about housekeeping. The batch file creates the keystore file wherever the batch file lives, so to get things ready for the next time the cert is renewed and the batch file runs, I delete the file I just finished copying into the conf folder.

Sadly, while I believe all of this will work, I reissued the cert too many times and so I think I need to wait until much closer to its expiration to fully test this method out. If you test it sooner, let me know how it goes! Thanks!
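For anyone putting the pieces of this thread together, here is the same procedure as a PowerShell script that win-acme can call through its script installation plugin. This is an added example, not code from the thread, from win-acme or from ManageEngine. It assumes the paths and service name given above, that win-acme's script plugin runs a .ps1 file through PowerShell and substitutes the {CertCommonName} placeholder, and that the wacs.exe flags in the header comment match the reference page linked in the first post (check them against the version you run). The keystore password is passed in as a parameter rather than hard-coded, the script refuses to run unless it is elevated, the keystore is built in a scratch directory, and Stop-Service/Start-Service are used because they block until the service has actually changed state, which is the behaviour the thread wanted from net stop rather than sc stop.

```powershell
# Update-AdsspKeystore.ps1  (added example; not from the thread, win-acme or ManageEngine)
# Intended to be invoked by win-acme after a successful renewal, for example:
#   wacs.exe --target manual --host my.domain.com --store pemfiles --pemfilespath C:\ssl ^
#     --installation script --script "C:\ssl\Update-AdsspKeystore.ps1" ^
#     --scriptparameters "-CommonName {CertCommonName} -StorePass <keystore password>"
# {CertCommonName} is a win-acme script-plugin placeholder; verify flag names against the docs.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $CommonName,     # e.g. my.domain.com (assumed to come from win-acme)
    [Parameter(Mandatory)] [string] $StorePass,      # keystore password, passed in instead of hard-coded
    [string] $PemDir      = 'C:\ssl',
    [string] $AdsspRoot   = 'C:\ManageEngine\ADSelfService Plus',
    [string] $ServiceName = 'ADSelfServicePlus',
    [string] $Alias       = 'tomcat'
)

$ErrorActionPreference = 'Stop'

# The keystore copy and the service restart only work from an elevated process.
# Fail here rather than half-applying the change; win-acme's scheduled task is normally elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must run elevated.'
}

$keytool  = Join-Path $AdsspRoot 'jre\bin\keytool.exe'
$chainPem = Join-Path $PemDir   "$CommonName-chain.pem"   # win-acme pemfiles naming, as used in the thread
$target   = Join-Path $AdsspRoot 'conf\SelfService.keystore'
foreach ($p in @($keytool, $chainPem)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Required file not found: $p" }
}

# Build the new keystore in a scratch directory so a failed run never leaves a
# half-written file behind, and the live keystore is untouched until the end.
$work     = Join-Path $env:TEMP ('adssp-ks-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$newStore = Join-Path $work 'SelfService.keystore'

function Invoke-Keytool {
    param([string[]] $KeytoolArgs)
    & $keytool @KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }
}

try {
    # The same two keytool steps the thread uses: import the chain, then convert to PKCS12.
    Invoke-Keytool @('-importcert', '-alias', $Alias, '-trustcacerts', '-file', $chainPem,
                     '-keystore', $newStore, '-noprompt', '-storepass', $StorePass)
    Invoke-Keytool @('-importkeystore', '-srckeystore', $newStore, '-destkeystore', $newStore,
                     '-deststoretype', 'pkcs12', '-noprompt',
                     '-srcstorepass', $StorePass, '-deststorepass', $StorePass)

    # Keep the previous keystore so a bad certificate can be rolled back by hand.
    if (Test-Path -LiteralPath $target) {
        Copy-Item -LiteralPath $target -Destination "$target.bak" -Force
    }

    # Stop-Service blocks until the service is stopped; WaitForStatus adds an explicit timeout.
    Stop-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    Copy-Item -LiteralPath $newStore -Destination $target -Force
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    Write-Host "Installed $chainPem into $target and restarted $ServiceName."
}
finally {
    # Housekeeping, replacing the thread's 'del' step.
    Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

Because the password travels on the command line, it is visible to anyone who can list processes on the server while keytool runs; that is the same exposure as the batch file in the thread, so keep the scheduled task's account and the script file's ACL as tight as the keystore itself.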
