We’re looking for a Windows client that supports renewal of certificates via DNS. I came across the Certify the Web client, but this is only free for a limited number of installations. Starting from 3 servers you have to pay.
Can you let me know which is a good client? Is there a client with a GUI?
You can try Crypt::LE Windows binaries (that can also produce PFX if you’re using IIS). Manual DNS verification works out of the box. If you need automated DNS verification you can use either -delayed mode of the client or use the DNS plugin modified as you see fit (I believe @bradpcmac has successfully used it with dnscmd).
However, that is a command-line client rather than a GUI tool.
NB: The plugin can be directly used with the binaries, no installation of anything is required.
Hi, as @leader stated, I have used the Crypt::LE Windows binaries to set up an automated system leveraging the DNS.pm Perl module included in the Crypt::LE repository linked here. You can set it up to use dnscmd pretty easily. (My favorite thing about Crypt::LE is that it doesn’t require any installation.)
I wrote my own batch file to serve as the “interface”, and it works. If you’re going to be setting these up once and letting them run, that shouldn’t be too hard to set up. If you need to be able to create & renew various certs on the fly, then you’ll have to get a little more in-depth with your script.
Is this something you’re interested in doing, or are you looking for a point & click GUI?
You could also use Posh-ACME which is a PowerShell based client. It supports 30+ DNS providers out of the box. While it’s also a command line based client, I’ve tried to include plenty of documentation and tutorials both for the module itself and each DNS plugin.
What will your certificates be used for? IIS web server? Other web server? Other services altogether (SQL, RDS, Exchange, etc)?
It will be used for setting up an SSL certificate on an IIS web server. Many ACME clients include DNS validation and HTTP validation. But both methods are problematic because I would need to manually update a TXT record on the DNS server upon every renewal (no public API access to our DNS server), and for HTTP validation the website is closed to public access on port 80 on the web server.
Is there any client that would allow this validation to happen only once, and on the next renewal it remembers that validation occurred successfully, so it just renews the certificate without having to open DNS or HTTP validation?
Unfortunately not. The CA/B Forum, the governing body for all publicly trusted certificate authorities such as Let's Encrypt, does not allow permanent authorizations such as you're describing.
no public API access to our DNS server
If you mean that there is API access but it's just not public, that's fine. Only the ACME client, which presumably lives inside your network, needs API access to the DNS server. The only thing that needs to be external facing is the authoritative DNS resolver(s) for your zone so that the ACME server can query the TXT records your client creates. Many environments have internal DNS servers that use external secondary/slave servers to host the internet facing DNS traffic.
If you mean the DNS server has no API access at all, that's still not necessarily a deal breaker. Many clients support the concept of DNS challenge aliases which allow you to redirect the DNS challenge requests from your primary domain to a different domain using CNAME records that you only need to create once. So you can set up a DNS server that does have API access as the target of the CNAME records and use that.
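To make the alias mechanism concrete, here is an added example (not code from the original thread, and not Posh-ACME's or Crypt::LE's own implementation) that models both sides of a DNS-01 challenge with a constructed in-memory zone standing in for the real DNS servers. The names `www.example.com` (the primary zone without an API) and `acme.example.net` (the zone that does have an API) and the key authorization string are assumptions for illustration. The record name `_acme-challenge.<domain>` and the TXT value `base64url(SHA-256(keyAuthorization))` are what RFC 8555 section 8.4 specifies, and the CNAME following is the ordinary resolver behaviour the CA relies on.

```python
import base64
import hashlib

# Constructed zone data standing in for two DNS servers. The one-time CNAME in
# the primary zone points the challenge name into a zone the ACME client can
# write to. Names are stored lowercase and fully qualified (trailing dot).
CONSTRUCTED_ZONE = {
    "_acme-challenge.www.example.com.": [
        ("CNAME", "_acme-challenge.www.example.com.acme.example.net.")
    ],
}

# Assumed key authorization: "<token>.<account key thumbprint>" per RFC 8555.
SAMPLE_KEY_AUTHZ = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA.nPrzC4AC4QIE-ux0ls3oxHcM5qwD8zbi7FyHJ8nsrzU"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 s8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """The validator always queries _acme-challenge.<domain>."""
    return "_acme-challenge." + domain.lower().rstrip(".") + "."


def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs like a resolver would; return (final owner name, TXT values)."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        rrs = zone.get(name, [])
        cnames = [target for rtype, target in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0].lower()   # a CNAME owner can hold no other data
            continue
        return name, [text for rtype, text in rrs if rtype == "TXT"]
    raise ValueError("too many CNAME hops from " + name)


def publish_challenge(zone: dict, domain: str, key_authorization: str) -> str:
    """Client side: write the TXT wherever the CNAME chain ends (needs an API there only)."""
    final_name, _ = resolve_txt(zone, challenge_name(domain))
    zone.setdefault(final_name, []).append(("TXT", dns01_txt_value(key_authorization)))
    return final_name


def cleanup_challenge(zone: dict, domain: str, key_authorization: str) -> None:
    """Client side: remove the TXT after validation so stale tokens do not pile up."""
    final_name, _ = resolve_txt(zone, challenge_name(domain))
    value = dns01_txt_value(key_authorization)
    zone[final_name] = [rr for rr in zone.get(final_name, []) if rr != ("TXT", value)]


def validate(zone: dict, domain: str, key_authorization: str) -> bool:
    """CA side: query _acme-challenge.<domain>, follow CNAMEs, compare the TXT value."""
    _, txts = resolve_txt(zone, challenge_name(domain))
    return dns01_txt_value(key_authorization) in txts


if __name__ == "__main__":
    zone = {k: list(v) for k, v in CONSTRUCTED_ZONE.items()}
    where = publish_challenge(zone, "www.example.com", SAMPLE_KEY_AUTHZ)
    print("TXT written at", where)
    print("validation passes:", validate(zone, "www.example.com", SAMPLE_KEY_AUTHZ))
    cleanup_challenge(zone, "www.example.com", SAMPLE_KEY_AUTHZ)
    print("validation after cleanup:", validate(zone, "www.example.com", SAMPLE_KEY_AUTHZ))
```

The point to take from `publish_challenge` is that the client never touches `example.com` after the CNAME exists; every renewal writes only into `acme.example.net`. `validate` shows why this satisfies the CA: it asks for `_acme-challenge.www.example.com` and simply follows the CNAME, so the primary zone only needs to be publicly resolvable, not writable.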
Hi, just following up on this to see if you chose a path to try out yet. If you go with the Crypt::LE client, here’s how I’ve set mine up (generic overview):
batch file: can be run manually where you type in domain name or call the script & pass in parameters (useful for Scheduled Task renewal jobs that automate the process once you generate the cert)
DNS verification: it uses DNS.pm that comes with the Crypt::LE release, so it handles that piece for you – you can modify this script to use your internally accessible DNS server (the DNS records would need to be made public somehow, of course for verification)
email report: in my script, I use blat (https://www.blat.net/) to send me a report of the cert generation/renewal job in case there are any issues. (then of course I still get the renewal notices from Let’s Encrypt just in case something slips through the cracks)
I also use the option to generate a PFX file, which we use with IIS Central Certificate Store.
My workflow is now:
1. We need a new certificate, I’ll run my batch file, type in the domain name, generate the cert (IIS Bindings & a Scheduled Task are also created by the script)
2. 62 days later, the Scheduled Task created by my batch file during Step 1 runs. The cert renewal threshold in the client is set to 30 days, so it renews. (this is all hands-off at this point)
3. I get an email letting me know the job ran & what happened.
There’s more to it than that, so let me know if you have any questions. If you’re comfortable with scripting your own implementation, Crypt::LE is an excellent and easy to deploy client (no installation needed).