j81blog / genlecertforns
This script helps you to create a Let's Encrypt certificate for your NetScaler
License: GNU General Public License v3.0
When neither DNS nor HTTP is possible (in very hardened setups), the TLS in-place validation on port 443 comes to mind;
https://letsencrypt.org/docs/challenge-types/
(https://datatracker.ietf.org/doc/html/rfc8737)
Posh-ACME supports it. On the ADC the "ALPN responder" has to be aware of this special TLS request. Did you ever have a look at this type?
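What a CA's validator actually does for TLS-ALPN-01 (RFC 8737) is a TLS handshake with SNI set to the identifier and ALPN offering only acme-tls/1, followed by checks on the self-signed certificate the responder returns. The probe below is an added example, not code from GenLeCertForNS or Posh-ACME; it can be pointed at an ADC VIP to see whether whatever is answering on 443 behaves as a responder. It requires PowerShell 7 (SslClientAuthenticationOptions is .NET Core only); the function and parameter names are this example's own.

```powershell
# Added example (not part of GenLeCertForNS): probe a host for an RFC 8737
# TLS-ALPN-01 responder the way a CA validator would. PowerShell 7 / .NET Core.
function Test-AcmeTlsAlpnResponder {
    param(
        [Parameter(Mandatory)][string]$Identifier,   # DNS name being validated; sent as SNI
        [string]$ConnectTo = $Identifier,            # IP or host to connect to, e.g. the ADC VIP
        [int]$Port = 443,
        [string]$KeyAuthorization                    # "<token>.<account thumbprint>" if known
    )
    $client = [System.Net.Sockets.TcpClient]::new($ConnectTo, $Port)
    # The challenge certificate is self-signed (RFC 8737 section 3), so accept any chain
    # during the handshake and do the real checks on the certificate afterwards.
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $opts = [System.Net.Security.SslClientAuthenticationOptions]::new()
        $opts.TargetHost = $Identifier
        $opts.ApplicationProtocols = [System.Collections.Generic.List[System.Net.Security.SslApplicationProtocol]]::new()
        $opts.ApplicationProtocols.Add([System.Net.Security.SslApplicationProtocol]::new('acme-tls/1'))
        try {
            $ssl.AuthenticateAsClient($opts)
        } catch [System.Security.Authentication.AuthenticationException] {
            # A server that rejects the ALPN list (no_application_protocol) ends up here.
            return [pscustomobject]@{ Identifier = $Identifier; AlpnOk = $false; HandshakeError = $_.Exception.Message }
        }

        $negotiated = $ssl.NegotiatedApplicationProtocol.ToString()
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # RFC 8737 section 3: a single dNSName SAN equal to the identifier, plus a critical
        # acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) carrying SHA-256(keyAuthorization)
        # as a 32-byte OCTET STRING.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $acmeExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.31' }

        $digestOk = $null   # stays $null when no KeyAuthorization was supplied
        if ($KeyAuthorization -and $acmeExt) {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $expected = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($KeyAuthorization))
            $raw = $acmeExt.RawData          # DER: 0x04 0x20 followed by the 32 digest bytes
            $digestOk = ($raw.Length -eq 34 -and $raw[0] -eq 0x04 -and $raw[1] -eq 0x20 -and
                         [System.BitConverter]::ToString($raw, 2, 32) -eq [System.BitConverter]::ToString($expected))
        }

        [pscustomobject]@{
            Identifier      = $Identifier
            NegotiatedAlpn  = $negotiated
            AlpnOk          = ($negotiated -eq 'acme-tls/1')
            SanMatches      = ($dnsName -eq $Identifier)
            AcmeExtPresent  = [bool]$acmeExt
            AcmeExtCritical = if ($acmeExt) { $acmeExt.Critical } else { $false }
            DigestMatches   = $digestOk
            Thumbprint      = $cert.Thumbprint
        }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# Usage (placeholders): Test-AcmeTlsAlpnResponder -Identifier 'www.example.com' -ConnectTo '192.0.2.5'
```

A normal HTTPS vserver on the ADC will either refuse the ALPN list or negotiate nothing and present its production certificate, so AlpnOk and AcmeExtPresent come back false; a working responder answers with all four checks true. Note that the validation certificate is deliberately untrusted, so the probe's "accept any certificate" callback is correct here and must not be copied into code that talks to the management interface.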
Running this script under PS 7 generates this error:
2020-06-18 13:05:31:2726 INFO DNS-VALIDATION Checking non-matching DNS Records
2020-06-18 13:05:31:2997 INFO DNS-VALIDATION All IP Addresses match.
2020-06-18 13:05:31:3125 INFO CHECKORDERVALIDATION Checking if validation is required.
2020-06-18 13:05:32:2342 INFO CHECKORDERVALIDATION Validation IS required.
2020-06-18 13:05:32:2735 INFO CONFIGUREADC Trying to login into the Citrix ADC.
2020-06-18 13:05:32:3072 ERROR CONFIGUREADC Could not configure the ADC. Exception Message: Exception calling "CompileAssemblyFromSource" with "2" argument(s): "Operation is not supported on this platform."
2020-06-18 13:05:32:5752 INFO FINAL Script Terminated, ExitCode: 1
I launched PS 5.1 and everything completed successfully. I'm opening this request so that PS 7 compatibility can be introduced eventually.
Hello! Is it possible to add a Send ACK delay parameter? Some DNS providers have a propagation time of about 1 hour.
New-PACertificate has a -DNSSleep parameter.
DNS - Validate Records
-Checking records..........: **** Ready
Continuing, Waiting 30 seconds for the records to settle
Pre-Checking the TXT records
-DNS Hostname..............: example.com
-TXT Record check..........: OK
-DNS Hostname..............: *.example.com
-TXT Record check..........: OK
Sending Acknowledgment
-DNS Hostname..............: example.com
-Send Ack..................: * ERROR
Hi,
great script!
We are currently working on the implementation for our environment. Two questions came up:
We would like to enable the CS for LE only during the ACME validation.
What API calls would we need? Would it be easy to add an option to the script?
How would we request ECC certificates? Both LE and NS are capable of this.
Regards,
Mario
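The following block is an added example, not code from GenLeCertForNS, and it addresses two threads on this page: the PowerShell 7 failure above (the `CompileAssemblyFromSource` message is the CodeDom compiler, which .NET Core does not ship, so a script that compiles a C# helper at runtime dies on PowerShell 7 no matter how small the helper is) and Mario's request to enable the content switch only while the ACME validation runs. It talks to the NITRO v1 API (`login`, `logout`, `csvserver?action=enable` / `action=disable`) without any compiled helper, so the same code runs under Windows PowerShell 5.1 and PowerShell 7. Function names and the `$ValidationScript` hook are this example's own; whether the script itself uses CodeDom for a certificate-validation helper is an assumption.

```powershell
# Added example, not part of GenLeCertForNS. NITRO session handling that needs no
# CodeDom-compiled type, plus enabling a CS vserver only around the validation step.
function Connect-AdcNitro {
    param(
        [Parameter(Mandatory)][string]$NsIp,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$SkipCertificateCheck   # only for a self-signed NSIP certificate; a trusted one is better
    )
    $common = @{ ContentType = 'application/json'; ErrorAction = 'Stop' }
    if ($SkipCertificateCheck) {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            $common.SkipCertificateCheck = $true       # per-call switch, PowerShell 6+
        } else {
            # Windows PowerShell has no per-call switch; this setting is process-wide,
            # so Disconnect-AdcNitro resets it.
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        }
    }
    $body = @{ login = @{ username = $Credential.UserName; password = $Credential.GetNetworkCredential().Password } }
    $r = Invoke-RestMethod @common -Method Post -Uri "https://$NsIp/nitro/v1/config/login" -Body ($body | ConvertTo-Json)
    @{
        BaseUri = "https://$NsIp/nitro/v1/config"
        Headers = @{ Cookie = "NITRO_AUTH_TOKEN=$($r.sessionid)" }
        Common  = $common
    }
}

function Invoke-AdcNitro {
    param($Session, [string]$Method = 'Get', [string]$Resource, $Payload, [string]$Action)
    $uri = "$($Session.BaseUri)/$Resource"
    if ($Action) { $uri += "?action=$Action" }
    $params = @{ Method = $Method; Uri = $uri; Headers = $Session.Headers } + $Session.Common
    if ($Payload) { $params.Body = ($Payload | ConvertTo-Json -Depth 5) }
    Invoke-RestMethod @params
}

function Disconnect-AdcNitro {
    param($Session)
    try { Invoke-AdcNitro -Session $Session -Method Post -Resource 'logout' -Payload @{ logout = @{} } | Out-Null }
    finally { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null }
}

# Enable the CS vserver, run the validation, and disable it again even when validation throws.
function Invoke-WithEnabledCsVserver {
    param($Session, [string]$CsVipName, [scriptblock]$ValidationScript)
    $cs = @{ csvserver = @{ name = $CsVipName } }
    Invoke-AdcNitro -Session $Session -Method Post -Resource 'csvserver' -Action 'enable' -Payload $cs | Out-Null
    try {
        & $ValidationScript
    } finally {
        Invoke-AdcNitro -Session $Session -Method Post -Resource 'csvserver' -Action 'disable' -Payload $cs | Out-Null
    }
}

# Usage (addresses and names are placeholders):
# $s = Connect-AdcNitro -NsIp '192.0.2.10' -Credential (Get-Credential) -SkipCertificateCheck
# try {
#     Invoke-WithEnabledCsVserver -Session $s -CsVipName 'cs_domain.com_http' -ValidationScript {
#         # the HTTP-01 order/validation step goes here
#     }
# } finally { Disconnect-AdcNitro -Session $s }
```

On the second question, the key type is chosen on the Posh-ACME side: `New-PACertificate -KeyLength ec-256` (or `ec-384`) requests an ECDSA key instead of the 2048-bit RSA default, and the resulting certkey is added to the ADC the same way as an RSA one.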
2020-04-10 12:22:15:1745 INFO SCRIPTBASICS Starting a new log
2020-04-10 12:22:15:2264 INFO DOTNETCHECK Checking if .NET Framework 4.7.1 or higher is installed.
2020-04-10 12:22:15:2454 INFO DOTNETCHECK .NET Framework 4.7.1 or higher is installed.
2020-04-10 12:22:15:2584 INFO SCRIPTVARIABLES ValidationMethod is set to: "http".
2020-04-10 12:22:15:2914 INFO SCRIPTVARIABLES PfxPassword was specified via parameter.
2020-04-10 12:22:15:3234 INFO SCRIPTVARIABLES Starting new session.
2020-04-10 12:22:15:3414 INFO VERSIONINFO Current script version: v2.6.3, checking if a new version is available.
2020-04-10 12:22:16:0710 INFO VERSIONINFO New version (v2.7.6) is available, check "https://github.com/j81blog/GenLeCertForNS/tree/dev".
2020-04-10 12:22:16:0867 INFO VERSIONINFO Version check finished.
2020-04-10 12:22:16:1023 INFO LOADMODULE Try loading the Posh-ACME v3.12.0 Modules.
2020-04-10 12:22:19:2131 INFO LOADMODULE v3.12.0 of Posh-ACME is installed, loading module.
2020-04-10 12:22:20:1022 INFO LOADMODULE Posh-ACME loaded successfully.
2020-04-10 12:22:20:1223 INFO ADC-CHECK Trying to login into the Citrix ADC.
2020-04-10 12:22:20:2743 INFO CONNECT-ADC Connecting to https://<>...
2020-04-10 12:22:20:5505 INFO CONNECT-ADC Connected
2020-04-10 12:22:20:5715 INFO ADC-CHECK Connected to Citrix ADC https://<>, as user nsroot, ADC Version NetScaler NS13.0: Build 52.24.nc
2020-04-10 12:22:20:6027 INFO CERTIFICATEPRECHECK Keysize: 2048
2020-04-10 12:22:20:6339 INFO DNSPRECHECK continuing with the "http" validation method!
2020-04-10 12:22:20:6831 INFO DNSPRECHECK Checking for double SAN values.
2020-04-10 12:22:20:7021 INFO DNSPRECHECK No double SAN values found.
2020-04-10 12:22:20:7718 INFO DNSPRECHECK Verifying Content Switch.
2020-04-10 12:22:20:8438 ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (404) Not Found.
2020-04-10 12:22:20:8598 ERROR DNSPRECHECK Error Verifying Content Switch. Details: The remote server returned an error: (404) Not Found.
2020-04-10 12:22:20:8868 ERROR DNSPRECHECK The Content Switch "cs_domain.com_http" does NOT exist! Please make sure a HTTP Content Switch is available.
2020-04-10 12:22:20:9018 INFO FINAL Script Terminated, ExitCode: 1
The payload for the systemfile REST API requires a filename and a location. You are passing in a fully pathed filename, but it should be JUST the filename; otherwise it does not find the file. I am using version 13 of the ADC.
Using GoDaddy DNS validation.
cert1 is going fine, also with wildcard.
cert2:
NOTE: -CN or -SAN contains a wildcard entry, continuing with the "dns" validation method!
-CN........................: mydomain.eu
-SAN(s)....................: *.mydomain.eu
-Wildcard..................: A wildcard was found while also using the -AutoRun parameter. Only HTTP validation (no Wildcard) is allowed!
when running:
powershell -File "c:\LE\GenLeCertForNS.ps1" -AutoRun -ConfigFile 'c:\LE\GenLe-Config.json' -Production
Scratching my head for hours already...
Hello
When DNS is used it still asks for CsVipName.
In older versions you could just say "dummy", but now it is checked against the NS.
Workaround for me: set LECertificates to $false
[Parameter(ParameterSetName = "CommandPolicy", Mandatory = $true)]
[Parameter(ParameterSetName = "CommandPolicyUser", Mandatory = $false)]
[Parameter(ParameterSetName = "LECertificates", Mandatory = $false)]
[Parameter(ParameterSetName = "CleanADC", Mandatory = $false)]
[ValidateNotNullOrEmpty()]
[alias("NSCsVipName")]
[String[]]$CsVipName,
BTW: I added functions that use the AutoDNS / InterNetX direct API to do the DNS changes:
# Shared helper: build the AutoDNS XML task (code 0202001 = zone update) and post it.
# Values are XML-escaped so a record name or value cannot break out of the request body.
function Invoke-AutoDNSRecordTask {
    param($user, $pass, $zone, $name, $type, $pref, $ttl, $value, [ValidateSet('rr_add', 'rr_rem')]$style)
    $ns = "a.ns14.net"
    $e = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }
    $xmlpost = @"
<?xml version="1.0" encoding="utf-8"?>
<request>
  <auth>
    <user>$(& $e $user)</user>
    <password>$(& $e $pass)</password>
    <context>4</context>
  </auth>
  <task>
    <code>0202001</code>
    <default>
      <$style>
        <name>$(& $e $name)</name>
        <type>$(& $e $type)</type>
        <pref>$(& $e $pref)</pref>
        <ttl>$(& $e $ttl)</ttl>
        <value>$(& $e $value)</value>
      </$style>
    </default>
    <zone>
      <name>$(& $e $zone)</name>
      <system_ns>$ns</system_ns>
    </zone>
  </task>
</request>
"@
    $result = Invoke-RestMethod -Uri https://gateway.autodns.com -Body $xmlpost -Method Post
    return $result.response.result.msg.text
}

# rr_rem: remove a resource record (TXT by default) from the zone
function Remove-AutoDNSRecord($user, $pass, $zone, $name, $type = 'TXT', $pref, $ttl = 300, $value) {
    Invoke-AutoDNSRecordTask -user $user -pass $pass -zone $zone -name $name -type $type -pref $pref -ttl $ttl -value $value -style 'rr_rem'
}

# rr_add: add a resource record (TXT by default) to the zone
function Add-AutoDNSRecord($user, $pass, $zone, $name, $type = 'TXT', $ttl = 300, $pref, $value) {
    Invoke-AutoDNSRecordTask -user $user -pass $pass -zone $zone -name $name -type $type -pref $pref -ttl $ttl -value $value -style 'rr_add'
}
Hi John,
I hope I'm posting this appropriately in github.
I run Netscaler NS12.1 57.18.nc and the 2.6.3 production release of your code has been problematic - it can never properly unbind the rsp_letsencrypt_10 policy:
2020-11-12 06:27:02:1305 INFO CONFIGUREADC LB Service binding is OK
2020-11-12 06:27:02:5335 INFO CONFIGUREADC Checking if policy "rsp_letsencrypt_test" is bound to Load Balance VIP.
2020-11-12 06:27:02:6245 INFO CONFIGUREADC Trying to unbind "".
2020-11-12 06:27:02:7505 ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:7995 ERROR CONFIGUREADC Failed to unbind. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:8455 INFO CONFIGUREADC Trying to remove the Responder Policy "rsp_letsencrypt_test".
2020-11-12 06:27:02:9535 ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:9955 ERROR CONFIGUREADC Failed to remove. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:03:0325 INFO CONFIGUREADC Checking if policy "rsp_letsencrypt_10" is bound to Load Balance VIP.
2020-11-12 06:27:03:1305 INFO CONFIGUREADC Trying to unbind "".
2020-11-12 06:27:03:2315 ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:03:2755 ERROR CONFIGUREADC Failed to unbind. Exception Message: The remote server returned an error: (599) Netscaler specific error.
According to the v.12 Citrix API documentation, all that's needed is the policy name when dealing with an unbind. The URI that's constructed needs to be of TYPE lbvserver_service_binding, not TYPE responderpolicy_binding, so I changed lines 1767-1769 as follows:
Write-ToLogFile -I -C ConfigureADC -M "Trying to unbind `"$($ResponderBinding.name)`"."
$arguments = @{"policyname" = "$($ResponderBinding.name)"; }
$response = Invoke-ADCRestApi -Session $ADCSession -Method DELETE -Type lbvserver_service_binding -Arguments $arguments -Resource $NSLbName
I took a look at your DEV branch which seems to be a significant rewrite. I don't see the syntax that's been problematic for me in there, so perhaps you've already revised this.
This has been a phenomenal script that's let me move to LE on our Netscaler - thanks!
Hello!
It should be possible to set Traffic Domain for ADC CS vserver, LB vserver, LB service and server.
I was able to make it work with additional payload parameter:
line 1912
$payload = @{"name" = "$($Parameters.settings.SvcName)"; "ip" = "$($Parameters.settings.SvcDestination)"; "servicetype" = "HTTP"; "port" = "80"; "healthmonitor" = "NO"; "td" = "###";}
line 1932
$payload = @{"name" = "$($Parameters.settings.LbName)"; "servicetype" = "HTTP"; "ipv46" = "0.0.0.0"; "Port" = "0"; "td" = "###"; }
Is it possible to add Traffic Domain as part of Parameters list?
It should be possible to delegate _acme-challenge.<YOUR_DOMAIN> to the ADC and through the script generate the challenge DNS response automatically.
Using the new -UseLbVip function of the script. It works aside from one little weirdness. What we are seeing is that if the svc_letsencrypt_cert_dummy is left bound to the LBVip (we are using a production LBVip for HTTP to HTTPS redirection), in Edge only (which is also super odd), the HTTP to HTTPS redirection doesn't work. Everything works fine in Chrome/Firefox. Do you think you should add a quick function to unbind that svc_letsencrypt_cert_dummy from the LBVip when it's done doing its thing?
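Both the 2.6.3 unbind failures reported above (the log shows `Trying to unbind ""`, i.e. a DELETE issued for a binding whose name was never resolved) and the leftover `svc_letsencrypt_cert_dummy` binding come down to the same missing step: read the vserver's bindings first and only unbind what is actually there. The block below is an added example, not code from GenLeCertForNS. It uses the NITRO v1 `lbvserver_responderpolicy_binding` and `lbvserver_service_binding` resources; `$Session` is assumed to be a hashtable carrying `BaseUri` (`https://<nsip>/nitro/v1/config`) and `Headers` (the `NITRO_AUTH_TOKEN` cookie), and the function names are this example's own.

```powershell
# Added example, not part of GenLeCertForNS: check a binding before deleting it.
function Get-AdcLbBinding {
    param($Session, [string]$LbName, [ValidateSet('responderpolicy', 'service')][string]$Kind)
    $rest = @{ Headers = $Session.Headers; ContentType = 'application/json'; ErrorAction = 'Stop' }
    $type = "lbvserver_${Kind}_binding"
    # A vserver with no bindings of this type returns no "<type>" element at all,
    # so $r.$type is $null and the array below is empty.
    $r = Invoke-RestMethod @rest -Method Get -Uri "$($Session.BaseUri)/$type/$LbName"
    @($r.$type)
}

function Remove-AdcLbBinding {
    param($Session, [string]$LbName, [ValidateSet('responderpolicy', 'service')][string]$Kind, [string]$Name)
    $rest = @{ Headers = $Session.Headers; ContentType = 'application/json'; ErrorAction = 'Stop' }
    $type = "lbvserver_${Kind}_binding"
    $bound = Get-AdcLbBinding -Session $Session -LbName $LbName -Kind $Kind

    if ($Kind -eq 'responderpolicy') {
        $hit = $bound | Where-Object { $_.policyname -eq $Name } | Select-Object -First 1
        # Responder policies are unbound by policy name plus the bind point they sit on.
        $argList = "policyname:$Name"
        if ($hit -and $hit.bindpoint) { $argList += ",bindpoint:$($hit.bindpoint)" }
    } else {
        $hit = $bound | Where-Object { $_.servicename -eq $Name } | Select-Object -First 1
        $argList = "servicename:$Name"
    }

    if (-not $hit) {
        Write-Verbose "'$Name' is not bound to '$LbName' as $Kind; nothing to unbind"
        return $false
    }
    Invoke-RestMethod @rest -Method Delete -Uri "$($Session.BaseUri)/$type/$LbName?args=$argList" | Out-Null
    return $true
}

# Usage (names are placeholders):
# Remove-AdcLbBinding -Session $s -LbName 'lb_letsencrypt_cert' -Kind responderpolicy -Name 'rsp_letsencrypt_10' -Verbose
# Remove-AdcLbBinding -Session $s -LbName 'lb_prod_redirect'    -Kind service         -Name 'svc_letsencrypt_cert_dummy' -Verbose
```

Because the function returns `$false` rather than throwing when nothing is bound, a cleanup routine can call it unconditionally at the end of a run; the DELETE is only sent when the GET proved the binding exists, which also keeps the ADC's 599 "Netscaler specific error" responses out of the log for the not-bound case.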
Is it possible to deploy the same certificate to more than one Netscaler?
We have a GSLB setup with a couple of Netscalers with identical configs.
Hello
when I request
-CN "*.domain.tld" -SAN "domain.tld"
with DNS
It will try to add two different TXT Records to the same DNS name - so one will fail.
When I only request -CN "domain.tld"
the validation will also fail.
So please on DNS make sure only one TXT will be added and that domains without host will work.
Thanks.
(tested with 2.84)
Hello.
We are using this with "ValidationMethod": "http"
for 2 certificates.
The renewal works fine and as expected, but after each renewal we have to link the new certs using
link ssl certKey $CertKeyNameToUpdate "Let’s Encrypt R3"
Are we missing something in our config, or is there a post-run hook we can configure?
Thank you for the great script and your support
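Three threads on this page end up at the same NITRO calls: the systemfile comment (the file name and its location are separate fields, not one path), the GSLB question about pushing one certificate to several NetScalers, and the missing post-renewal `link ssl certKey` step. The block below is an added example, not code from GenLeCertForNS, showing the sequence once per ADC: upload the files, point the existing certkey at them (`sslcertkey?action=update`), and link to the issuer certkey only if the certkey is not already linked. Field names follow the NITRO v1 `systemfile` and `sslcertkey` resources; each entry in `$Sessions` is assumed to be a hashtable with `BaseUri` (`https://<nsip>/nitro/v1/config`) and `Headers` (the `NITRO_AUTH_TOKEN` cookie), and the function names are this example's own.

```powershell
# Added example, not part of GenLeCertForNS: build a systemfile payload correctly
# and deploy the same certificate to every ADC in a list, linking the issuer afterwards.
function New-NitroSystemFilePayload {
    param([Parameter(Mandatory)][string]$Path, [string]$Location = '/nsconfig/ssl')
    $name = Split-Path -Path $Path -Leaf            # NITRO wants only the leaf name here...
    if ($name -match '[\\/]') { throw "filename must not contain a path: $name" }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    @{
        systemfile = @{
            filename     = $name
            filelocation = $Location                 # ...and the directory in its own field
            filecontent  = [System.Convert]::ToBase64String($bytes)
            fileencoding = 'BASE64'
        }
    }
}

function Publish-CertToAdcs {
    param(
        [Parameter(Mandatory)][hashtable[]]$Sessions,       # one NITRO session per ADC
        [Parameter(Mandatory)][string]$CertKeyName,         # existing certkey to update
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$KeyPath,
        [string]$IssuerCertKeyName = "Let's Encrypt R3"     # certkey name of the intermediate on the ADC
    )
    # Encode the files once; identical bytes go to every ADC.
    $uploads = @((New-NitroSystemFilePayload -Path $CertPath), (New-NitroSystemFilePayload -Path $KeyPath))
    $certLeaf = Split-Path -Path $CertPath -Leaf
    $keyLeaf  = Split-Path -Path $KeyPath -Leaf

    foreach ($s in $Sessions) {
        $rest = @{ Headers = $s.Headers; ContentType = 'application/json'; ErrorAction = 'Stop' }
        foreach ($u in $uploads) {
            # Remove a previous copy first (the ADC refuses to overwrite); ignore "not found".
            $loc = [System.Uri]::EscapeDataString($u.systemfile.filelocation)
            try { Invoke-RestMethod @rest -Method Delete -Uri "$($s.BaseUri)/systemfile/$($u.systemfile.filename)?args=filelocation:$loc" | Out-Null }
            catch { Write-Verbose "no previous $($u.systemfile.filename) on $($s.BaseUri)" }
            Invoke-RestMethod @rest -Method Post -Uri "$($s.BaseUri)/systemfile" -Body ($u | ConvertTo-Json -Depth 4) | Out-Null
        }

        # Point the certkey at the new files; nodomaincheck allows a changed subject.
        $update = @{ sslcertkey = @{ certkey = $CertKeyName; cert = "/nsconfig/ssl/$certLeaf"; key = "/nsconfig/ssl/$keyLeaf"; nodomaincheck = $true } }
        Invoke-RestMethod @rest -Method Post -Uri "$($s.BaseUri)/sslcertkey?action=update" -Body ($update | ConvertTo-Json -Depth 4) | Out-Null

        # Link to the issuer only when not already linked (GET exposes linkcertkeyname when it is).
        $current = (Invoke-RestMethod @rest -Method Get -Uri "$($s.BaseUri)/sslcertkey/$CertKeyName").sslcertkey
        if (-not $current.linkcertkeyname) {
            $link = @{ sslcertkey = @{ certkey = $CertKeyName; linkcertkeyname = $IssuerCertKeyName } }
            Invoke-RestMethod @rest -Method Post -Uri "$($s.BaseUri)/sslcertkey?action=link" -Body ($link | ConvertTo-Json -Depth 4) | Out-Null
        }
        Write-Verbose "$CertKeyName updated and linked on $($s.BaseUri)"
    }
}

# Usage (paths and names are placeholders): $s1 and $s2 are sessions against two ADCs with identical config
# Publish-CertToAdcs -Sessions @($s1, $s2) -CertKeyName 'wildcard.example.com' -CertPath 'C:\LE\cert.pem' -KeyPath 'C:\LE\key.pem' -Verbose
```

The private key file is written under /nsconfig/ssl with whatever permissions the ADC applies; if the key is encrypted on disk the `update` payload needs the passphrase field as well, which this example leaves out. Saving the configuration (`nsconfig?action=save`) is a separate call and is also deliberately not done here.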
On the ADCs the "name" entries are quite long (long FQDN). Why is the parameter "CertKeyNameToUpdate" quite short?
[ValidateLength(1, 31)]
[String]$CertKeyNameToUpdate
The spec says up to 128, if I'm reading it right?
certkeypair_name | Read-write | Cert Key Pair Name. Minimum length = 1, Maximum length = 128
Hi,
Isn't it possible to use Posh-ACME's DnsAlias parameter (https://poshac.me/docs/v4/Functions/Publish-Challenge/#-dnsalias) with your script?
We use CNAME records to delegate answering the challenge to separate DNS zone.
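The three DNS threads above (a settle delay before the acknowledgement, the wildcard plus apex case, and the DnsAlias/CNAME delegation) are all about the same question: is the challenge TXT visible where the CA will look for it? The poller below is an added example, not code from GenLeCertForNS or Posh-ACME. It follows a CNAME on `_acme-challenge.<domain>` to the delegated name, finds that zone's own authoritative servers, and waits until every expected value is served by all of them; a wildcard and its apex are two identifiers, so Let's Encrypt issues two challenges and both TXT values legitimately sit at the same `_acme-challenge` name. It uses the Windows DnsClient cmdlets (`Resolve-DnsName`); function and parameter names are this example's own.

```powershell
# Added example, not part of GenLeCertForNS: wait until every expected dns-01 TXT value
# is served by all authoritative servers of the zone that actually holds the record.
function Wait-AcmeTxtRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,             # identifier; "*.example.com" maps to the same name as "example.com"
        [Parameter(Mandatory)][string[]]$ExpectedValues,   # all challenge values that must be present
        [int]$TimeoutSeconds = 3600,
        [int]$PollSeconds = 30
    )
    $name = "_acme-challenge.$($Domain.TrimStart('*.'))"

    # DnsAlias pattern: if the name is a CNAME into another zone, poll the target instead.
    $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if ($cname) { $name = $cname.NameHost }

    # Walk up the labels until a zone with NS records is found; that zone's servers are authoritative.
    $labels = $name.Split('.')
    $nsHosts = $null
    for ($i = 1; $i -lt $labels.Count -and -not $nsHosts; $i++) {
        $zone = $labels[$i..($labels.Count - 1)] -join '.'
        $nsHosts = @(Resolve-DnsName -Name $zone -Type NS -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.QueryType -eq 'NS' } | ForEach-Object { $_.NameHost })
        if ($nsHosts.Count -eq 0) { $nsHosts = $null }
    }
    if (-not $nsHosts) { throw "no NS records found for any parent zone of $name" }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = @{}
        foreach ($ns in $nsHosts) {
            # Ask each authoritative server directly so a resolver cache cannot hide a stale answer.
            $txt = @(Resolve-DnsName -Name $name -Type TXT -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.QueryType -eq 'TXT' } | ForEach-Object { $_.Strings })
            $missing = @($ExpectedValues | Where-Object { $_ -notin $txt })
            if ($missing.Count -gt 0) { $pending[$ns] = $missing }
        }
        if ($pending.Count -eq 0) {
            return [pscustomobject]@{ Name = $name; Servers = $nsHosts; Ready = $true }
        }
        Write-Verbose ("still missing on: " + ($pending.Keys -join ', '))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{ Name = $name; Servers = $nsHosts; Ready = $false; Missing = $pending }
}

# Usage: for -CN "*.example.com" -SAN "example.com" both challenge values live at
# _acme-challenge.example.com, so pass both (values are placeholders):
# $r = Wait-AcmeTxtRecord -Domain 'example.com' -ExpectedValues @('value-for-wildcard', 'value-for-apex') -Verbose
# if (-not $r.Ready) { throw "TXT not propagated: $($r.Missing | ConvertTo-Json)" }
```

Only after `Ready` is true should the challenge be acknowledged; with a provider that needs an hour to propagate, this replaces a fixed sleep with the actual check, and the per-server `Missing` map makes a lagging secondary visible instead of a bare "Send Ack ... ERROR".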