If you are wondering where the data of this site comes from, please visit https://api.github.com/users/rmbolger/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
Ryan Bolger rmbolger Dvolve Los Angeles, CA Principal Engineer for Trace3 specializing in Identity Management, Cloud Automation, Infoblox, and PKI.

rmbolger/Posh-ACME 446

ACME protocol client for obtaining certificates using Let's Encrypt (or other ACME compliant CA)

rmbolger/Posh-IBWAPI 38

PowerShell module for interacting with the Infoblox WAPI (REST API).

rmbolger/Posh-ACME.Deploy 14

Collection of certificate deployment functions intended for use with Posh-ACME

rmbolger/BootPickerForWindows 10

A set of credential providers for Windows that provide a quick way to switch back to Mac OS X on Apple machines dual booting with Windows via BootCamp.

rmbolger/PwnedPassCheck 10

Check passwords and hashes against the haveibeenpwned.com Pwned Passwords API using PowerShell

rmbolger/DnsClient-PS 9

A cross-platform DNS client for PowerShell utilizing the DnsClient.NET library.

rmbolger/Posh-IBCLI 4

PowerShell module for interacting with the Infoblox CLI via SSH

rmbolger/LightORama 3

Scripts and code relating to Light-O-Rama based light shows

rmbolger/HashtagPhotoDownloaders 1

Downloads photos associated with a hashtag on various social networks

rmbolger/Posh-Prowl 1

A simple wrapper for the Prowl notification API.

started rmbolger/Posh-ACME

started time in 9 hours

issue comment rmbolger/Posh-ACME

Renewal Issue with -AllAccounts

An addendum - submitting manual renewals one domain at a time works as expected using the following script:

Param(
    # The domain whose order should be renewed (one domain per invocation)
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string] $Domain
)

Set-Location C:\automation

Set-PAServer LE_PROD

# Select the order for this domain so Submit-Renewal acts on it
Set-PAOrder $Domain

# Submit-Renewal returns the new certificate only when a renewal was actually issued
if ($cert = Submit-Renewal) {
    $cert | Set-IISCertificate -SiteName "xxxxxxx" -HostHeader "webmail.$Domain" -RequireSNI -Verbose -RemoveOldCert
    $cert | Set-IISCertificate -SiteName "xxxxxxx" -HostHeader "autodiscover.$Domain" -RequireSNI -Verbose -RemoveOldCert
    # $Domain is the only name defined in this script ($TLD is not declared here)
    Write-Host "$Domain Attempted Renew Bindings!"
}

thecarnie

comment created time in 10 hours

issue opened rmbolger/Posh-ACME

Renewal Issue with -AllOrders

I am not sure if I'm doing something wrong - but this process was working in the past for our configuration.

Breakdown: Running Windows Server 2019 + IIS + MS-DNS. Running our scripts to request initial certificates works properly. Running our script to call the renewals task every 12 hours for expired certs fails with no "renewal orders" found.

I currently have over a dozen expired certificates and none of them are showing "ready to renew" - but here is one of the order.json files from the suspect domains.

I am needing to know what further information you might need - and if there is something I'm missing on our renewals script.

(attaching both)

SAMPLE OF AN order.json FROM PROBLEM RENEWAL (some data masked)

{
    "status":  "pending",
    "expires":  "2021-05-15T08:50:11Z",
    "identifiers":  [
                        {
                            "value":  "domainname.tld",
                            "type":  "dns"
                        },
                        {
                            "value":  "*.domainname.tld",
                            "type":  "dns"
                        }
                    ],
    "authorizations":  [
                           "https://acme-v02.api.letsencrypt.org/acme/authz-v3/######",
                           "https://acme-v02.api.letsencrypt.org/acme/authz-v3/######"
                       ],
    "finalize":  "https://acme-v02.api.letsencrypt.org/acme/finalize/######/######",
    "OCSPMustStaple":  false,
    "DnsSleep":  120,
    "PreferredChain":  "",
    "AlwaysNewKey":  false,
    "DnsAlias":  [
                     "",
                     ""
                 ],
    "MainDomain":  "domainname.tld",
    "FriendlyName":  "domainname.tld",
    "CertExpires":  null,
    "KeyLength":  "2048",
    "RenewAfter":  null,
    "Install":  true,
    "UseSerialValidation":  false,
    "Plugin":  [
                   "Windows",
                   "Windows"
               ],
    "SANs":  [
                 "*.domainname.tld"
             ],
    "ValidationTimeout":  60,
    "certificate":  null,
    "location":  "https://acme-v02.api.letsencrypt.org/acme/order/#######/#######",
    "PfxPassB64U":  "xxxxxxxxxxx"
}

And the RENEWAL SCRIPT

Set-Location C:\automation

Set-PAServer LE_PROD

# Renew every order that is due across all accounts; each renewed certificate is piped through
Submit-Renewal -AllAccounts -Verbose | ForEach-Object {
    $cert = $_
    # deploy for everything else
    # Read the property directly; inside double quotes "$cert.MainDomain" would stringify $cert
    # and append the literal text ".MainDomain" instead of expanding the property
    $CN = $cert.MainDomain
    $TLD = $CN.Replace("*.","")

    $cert | Set-IISCertificate -SiteName "xxxxxxxxx" -HostHeader "webmail.$TLD" -RequireSNI -Verbose -RemoveOldCert
    $cert | Set-IISCertificate -SiteName "xxxxxxxxx" -HostHeader "autodiscover.$TLD" -RequireSNI -Verbose -RemoveOldCert
    Write-Host "$TLD Attempted Renew Bindings!"
}

I thank you greatly for your time on this issue - as I fear it is a configuration issue on my end, but I can't seem to pin it down.

created time in 11 hours
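The order.json posted in this issue shows an order that never completed: "status" is "pending", "CertExpires" and "RenewAfter" are both null, and the pending order's own "expires" date has passed. A bulk renewal pass has nothing to renew for such an order, which matches the "no renewal orders found" symptom. The script below is an added diagnostic, not part of the issue or of Posh-ACME; it reads order.json files and reports why each one is or is not a renewal candidate. The eligibility rules are an assumption drawn from the fields visible in the posted order.json (Posh-ACME's own Submit-Renewal logic is authoritative), and the two sample orders are constructed to mirror the issue.

```powershell
# Added example, not Posh-ACME code: diagnose renewal eligibility from order.json files.
# Rules below are assumptions based on the fields seen in the issue's order.json.
function Get-OrderRenewalDiagnosis {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string] $OrderFile
    )

    $order   = Get-Content -Path $OrderFile -Raw | ConvertFrom-Json
    $now     = [DateTime]::UtcNow
    $reasons = [System.Collections.Generic.List[string]]::new()

    # A renewal reuses a previously completed order; a 'pending' order was never finalized
    if ($order.status -ne 'valid') {
        $reasons.Add("order status is '$($order.status)', not 'valid'")
    }
    # No issued certificate means there is nothing whose expiry could be tracked
    if (-not $order.CertExpires) {
        $reasons.Add('CertExpires is null: no certificate was ever issued for this order')
    }
    # Without a RenewAfter date there is no renewal window to compare against
    if (-not $order.RenewAfter) {
        $reasons.Add('RenewAfter is null: no renewal window is recorded')
    } elseif ([DateTimeOffset]::Parse($order.RenewAfter).UtcDateTime -gt $now) {
        $reasons.Add("RenewAfter ($($order.RenewAfter)) is still in the future")
    }
    # A pending order that has passed its own expiry must be re-created, not renewed
    if ($order.status -eq 'pending' -and $order.expires -and
        [DateTimeOffset]::Parse($order.expires).UtcDateTime -lt $now) {
        $reasons.Add("the pending order expired on $($order.expires); re-create it with New-PACertificate")
    }

    [pscustomobject]@{
        MainDomain  = $order.MainDomain
        Status      = $order.status
        CertExpires = $order.CertExpires
        RenewAfter  = $order.RenewAfter
        Renewable   = ($reasons.Count -eq 0)
        Reasons     = $reasons
        OrderFile   = $OrderFile
    }
}

# Walk a config tree and diagnose every order.json under it.
function Get-AllOrderDiagnoses {
    param([Parameter(Mandatory=$true)][string] $ConfigRoot)
    Get-ChildItem -Path $ConfigRoot -Recurse -Filter order.json |
        ForEach-Object { Get-OrderRenewalDiagnosis -OrderFile $_.FullName }
}

# --- Constructed sample data (not real orders) so the script runs offline ---
$sampleRoot = Join-Path ([IO.Path]::GetTempPath()) 'posh-acme-diag-sample'
$stuck = Join-Path $sampleRoot 'stuck.example'
$ok    = Join-Path $sampleRoot 'ok.example'
New-Item -ItemType Directory -Force -Path $stuck, $ok | Out-Null

# Mirrors the issue: pending, never issued, pending order already expired
@{
    status = 'pending'; expires = '2021-05-15T08:50:11Z'; MainDomain = 'stuck.example'
    CertExpires = $null; RenewAfter = $null
} | ConvertTo-Json | Set-Content (Join-Path $stuck 'order.json')

# A completed order whose renewal window opened in the past
@{
    status = 'valid'; expires = '2021-06-01T00:00:00Z'; MainDomain = 'ok.example'
    CertExpires = '2021-08-01T00:00:00Z'; RenewAfter = '2021-07-01T00:00:00Z'
} | ConvertTo-Json | Set-Content (Join-Path $ok 'order.json')

# For a real installation pass the Posh-ACME config directory instead of $sampleRoot
Get-AllOrderDiagnoses -ConfigRoot $sampleRoot |
    ForEach-Object {
        Write-Host ("{0}: renewable={1}" -f $_.MainDomain, $_.Renewable)
        $_.Reasons | ForEach-Object { Write-Host "  - $_" }
    }
```

Run against the real config directory rather than the constructed sample to see which orders a `-AllAccounts` pass will skip and why; an order flagged as expired while pending needs a fresh New-PACertificate run, after which CertExpires and RenewAfter are populated and renewals can find it.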

pull request comment rmbolger/Posh-ACME

Revocation

Hi Ryan,

Apologies for the false start yesterday! You should be good to pull the changes down now.

The reason that I implemented MainDomain and CertPEM is that our software, when calling out to a CA to revoke a certificate, provides the certificate to be revoked in PEM format. That’s what we have to pass over ACME anyway so it seemed easier to me to just accept that and send it straight over. I hope you’re okay with that!

Best wishes,

Martin

On 6 May 2021, at 17:47, Ryan Bolger wrote:

No worries. And to be fair, the existing revocation functionality isn't exactly the easiest thing to find. And given all the different ways that exist https://letsencrypt.org/docs/revoking/ to revoke a cert, pulling all that functionality out into a dedicated function is probably a good idea long term.


methorpe

comment created time in 2 days

pull request comment rmbolger/Posh-ACME

Revocation

Hi Ryan,

brown bag moment

Haha, yes, I know why :) I’d started making the modifications on the machine I’d cloned the repo on, and then ended up finishing the job on the machine that was actually Posh-ACME. And then, of course, forgot to push the changes back to the repo. Thank you for being more on the ball than I was!

And, even more embarrassingly, I had not noticed the -RevokeCert argument to Set-PAOrder. I will give that a try and report back, but it looks likely that you won’t need this pull request after all.

Thank you, and apologies!

Best wishes,

Martin

On 6 May 2021, at 16:42, Ryan Bolger wrote:

Hi @methorpe https://github.com/methorpe. Thanks for the submission! Interestingly, I had actually been thinking about adding some additional functionality around revocation recently. So this is good timing. However, I think there might be some commits missing in the PR. The function as I can see it currently ends with $cert.GetEncoded() and never actually talks to the CA. Do you have some local commits that didn't get pushed to the Github fork?

That said, the shape of the function looks like it might be duplicating what you can already do using Set-PAOrder. For example:

Revoke-PACertificate example.com looks functionally equivalent to

Set-PAOrder example.com -RevokeCert -Force

methorpe

comment created time in 2 days

PR opened rmbolger/Posh-ACME

Revocation

Hi Ryan,

I've added a public function to revoke a certificate -- this merely calls out to the CA to request that the certificate be revoked, it doesn't update any of the local state on the machine. I think I've covered all the bases but please feel free to modify the code as you see fit.

My company (Venafi) has been developing a connector to allow our machine identity management software to connect to ACME CAs, and for what we wanted to do, Posh-ACME looked to be the best ACME library -- I hope you'll consider my patches as a way of contributing a little back!

Thanks for a super library.

Best wishes,

Martin

+51 -0

0 comment

2 changed files

pr created time in 3 days

started rmbolger/Posh-ACME

started time in 4 days

started rmbolger/Posh-ACME

started time in 4 days

started rmbolger/Posh-ACME.Deploy

started time in 5 days

started rmbolger/Posh-ACME

started time in 5 days

started rmbolger/Posh-IBWAPI

started time in 5 days

pull request comment rmbolger/Posh-ACME

Add ukfast dns plugin

Well, that's annoying! Sorry for this. The account provisioning process may not have completed properly after the account needed that manual intervention. I'll raise this with the team in charge of that process and see if we can remove this account and start from scratch, as you suggest.

It's a public holiday in the UK today, so I'll provide an update here tomorrow once I speak to the team.

Overglazed

comment created time in 6 days

issue opened rmbolger/Posh-ACME

Digital Ocean DNS: _acme-challenge.mywebsite.com TXT records safe to delete?

Hi,

You had kindly helped me set up DNS on DigitalOcean (DDNS for my domain updated by my Asus router). You also helped me to create my SSL cert for my domain using Posh-ACME + the DigitalOcean plugin.

Anyway, I just jumped on my DigitalOcean account for DNS. I noticed 4 _acme-challenge.mywebsite.com TXT records.

I can't remember when/why/how I created these 4 TXT records. Are they safe to delete? I'm completely drawing a blank.

Thank you for your time!

created time in 7 days

started rmbolger/Posh-ACME

started time in 8 days

started rmbolger/PwnedPassCheck

started time in 8 days

pull request comment rmbolger/Posh-ACME

Add ukfast dns plugin

Sorry for that. I believe the issue should be resolved now. Would you be able to give it another go? :)

Overglazed

comment created time in 8 days

pull request comment rmbolger/Posh-ACME

Add ukfast dns plugin

I have spoken to our accounts team and they have managed to track down and enable the rmbolger account. It seems like registration went through but the account activation didn't complete. We're looking into what caused that.

You should now be able to log in to the https://my.ukfast.co.uk portal. If you're not sure of the password, you can use the password reset link on the login page.

Let me know if you have any further issues :)

Overglazed

comment created time in 9 days

started rmbolger/Posh-ACME

started time in 9 days

pull request comment rmbolger/Posh-ACME

Company is called Simply.com, not Simply :)

@rmbolger We recognize the API is not optimal due to being built quickly and in another decade. At some point we will revamp it :)

tomsommer

comment created time in 9 days

pull request comment rmbolger/Posh-ACME

Added support for IDN domains in the Simply.com plugin

The correct method is doing a lookup in /my/products/ and using the return [object] string matching the domain, in the following queries, since the object-reference in theory can be anything.

Norskov

comment created time in 9 days

pull request comment rmbolger/Posh-ACME

Added support for IDN domains in the Simply.com plugin

@tomsommer FYI. Based on my ticket earlier today.

Norskov

comment created time in 9 days

PR opened rmbolger/Posh-ACME

Added support for IDN domains in the Simply.com plugin
+24 -8

0 comment

1 changed file

pr created time in 9 days

fork Norskov/Posh-ACME

ACME protocol client for obtaining certificates using Let's Encrypt (or other ACME compliant CA)

fork in 9 days

pull request comment rmbolger/Posh-ACME

Add ukfast dns plugin

Hi @rmbolger. Were you able to register for an account successfully in the end?

I can speak to the team and find out what happened to your registration email if you can let me know the username you signed up with. :)

Thanks, Lee

Overglazed

comment created time in 10 days

PR opened rmbolger/Posh-ACME

Company is called Simply.com, not Simply :)
+3 -3

0 comment

1 changed file

pr created time in 10 days

fork tomsommer/Posh-ACME

ACME protocol client for obtaining certificates using Let's Encrypt (or other ACME compliant CA)

fork in 10 days

started rmbolger/Posh-ACME

started time in 10 days

started golang-standards/project-layout

started time in 11 days

started rmbolger/Posh-ACME

started time in 11 days

issue comment rmbolger/Posh-ACME

Submit Renewal Using Posh-Acme

Thanks Ryan. Gone through the tutorial.

Can you please let me know how the new TXT records are replaced in the customer domains when submitting renewals?

getsolomon

comment created time in 12 days