Windows Offline TXT records (Posh-ACME)

snybot · October 2, 2020, 7:59am

Hi,

I am trying to create a offline Certificate for a internal Server with the Posh-ACME Windows Plugin. I created the requiered TXT Records in my DNS Server, but I always run into issues..

    check that a DNS record exists for this domain
At C:\Program 
Files\WindowsPowerShell\Modules\Posh-ACME\3.16.0\Private\Wait-AuthValidation.ps1:34 char:17
+ ...             throw "Authorization invalid for $($auth.fqdn): $message" ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Authorization i...for this domain:String) 
    [], RuntimeException
    + FullyQualifiedErrorId : Authorization invalid for

Command that I used:

#New-CimSession -ComputerName DNS-Server -Credential (Get-Credential)
New-PACertificate -Domain Domain Name  -DnsPlugin Windows -PluginArgs @{WinServer='DNS Server'}

JuergenAuer · October 2, 2020, 8:02am

Hi @snybot

your domain name is required to check that.

snybot · October 2, 2020, 8:07am

Hi Juergen,

my Domain is local Domain and not offical registered. I think that is the Problem right?

JuergenAuer · October 2, 2020, 8:08am

Then you can't create a public trusted certificate.

A worldwide unique domain name is required.

webprofusion · October 3, 2020, 8:01am

Yes you can't use a local machine name for certs from Let's Encrypt however you can run your own certificate authority using something like SmallStep (which also has an acme ca api), so then you can use the same acme tools.

Alternatively use something like certutil to create a self signed certificate and use that, it won't be trusted by anything (that requires the root certificate for the issuing CA to be in the computers certificate store as a Trusted Root).