
genlecertforns's People

Contributors: j81blog, xenadmin


genlecertforns's Issues

Powershell 7

Running this script under PS 7 generates this error:

2020-06-18 13:05:31:2726	INFO  	DNS-VALIDATION	Checking non-matching DNS Records
2020-06-18 13:05:31:2997	INFO  	DNS-VALIDATION	All IP Addresses match.
2020-06-18 13:05:31:3125	INFO  	CHECKORDERVALIDATION	Checking if validation is required.
2020-06-18 13:05:32:2342	INFO  	CHECKORDERVALIDATION	Validation IS required.
2020-06-18 13:05:32:2735	INFO  	CONFIGUREADC	Trying to login into the Citrix ADC.
2020-06-18 13:05:32:3072	ERROR 	CONFIGUREADC	Could not configure the ADC. Exception Message: Exception calling "CompileAssemblyFromSource" with "2" argument(s): "Operation is not supported on this platform."
2020-06-18 13:05:32:5752	INFO  	FINAL	Script Terminated, ExitCode: 1

I launched PS 5.1 and everything completed successfully. I'm opening this request so that PS 7 compatibility can be introduced eventually.
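The exception in the log above is what CodeDom's CompileAssemblyFromSource throws on PowerShell 7 (.NET Core), and it surfaced only after the DNS validation had already run. As an added example (not code from the GenLeCertForNS project), here is a probe that checks whether CodeDom compilation works in the current runtime so a script can stop before it touches an ACME order. The class source and the function names are constructed for the probe.

```powershell
# Added example, not part of GenLeCertForNS. Compiles a trivial C# class through CodeDom,
# the same path that produced "Operation is not supported on this platform" in the log.
function Test-CodeDomCompile {
    [CmdletBinding()]
    param()
    $source = 'public static class CodeDomProbe { public static int One() { return 1; } }'
    try {
        $provider = New-Object -TypeName Microsoft.CSharp.CSharpCodeProvider
        $options  = New-Object -TypeName System.CodeDom.Compiler.CompilerParameters
        $options.GenerateInMemory = $true
        # On PowerShell 7 this call raises PlatformNotSupportedException; on 5.1 it compiles.
        $results = $provider.CompileAssemblyFromSource($options, $source)
        return (-not $results.Errors.HasErrors)
    } catch {
        Write-Verbose "CodeDom compilation unavailable: $($_.Exception.Message)"
        return $false
    }
}

# Call this first, before any ACME or DNS step, so a wrong host edition fails fast.
function Assert-CodeDomSupported {
    if (-not (Test-CodeDomCompile)) {
        throw ("This script needs CodeDom compilation (Windows PowerShell 5.1). " +
               "Running edition: $($PSVersionTable.PSEdition) $($PSVersionTable.PSVersion). " +
               "Start it with powershell.exe rather than pwsh.")
    }
}

Assert-CodeDomSupported
```

The declarative alternative is a `#Requires -PSEdition Desktop` line at the top of the script, which makes PowerShell refuse to start it under pwsh at all; the probe above is for the case where a script wants to pick a different code path instead of refusing.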

DNS validation method propagation time

Hello! Is it possible to add a Send ACK delay parameter? Some DNS providers have a propagation time of about 1 hour.
New-PACertificate has -DNSSleep parameter.

DNS - Validate Records
-Checking records..........: **** Ready
Continuing, Waiting 30 seconds for the records to settle

Pre-Checking the TXT records
-DNS Hostname..............: example.com
-TXT Record check..........: OK
-DNS Hostname..............: *.example.com
-TXT Record check..........: OK

Sending Acknowledgment
-DNS Hostname..............: example.com
-Send Ack..................: * ERROR
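A fixed delay such as -DNSSleep guesses at propagation time; a script can instead poll a public resolver until the challenge record is actually visible and only then send the acknowledgment. The following is an added example and not code from the GenLeCertForNS project or Posh-ACME. It goes slightly beyond this issue by accepting several expected values under one name, which is what an apex name and its wildcard produce at _acme-challenge.<zone>. It assumes the Windows DnsClient module (Resolve-DnsName); the host name, resolver and token values are constructed.

```powershell
# Added example, not part of GenLeCertForNS. Polls an external resolver for the TXT
# values and returns $true once every expected value is present, $false on timeout.
function Wait-DnsTxtRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$ExpectedValue,
        [string]$Server = '8.8.8.8',      # query a resolver outside the local cache
        [int]$TimeoutSeconds = 3600,      # long enough for slow providers
        [int]$IntervalSeconds = 30
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $seen = @()
        try {
            # -DnsOnly skips LLMNR/NetBIOS, -NoHostsFile avoids a stale local override.
            $records = Resolve-DnsName -Name $Name -Type TXT -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
            $seen = @($records | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
        } catch {
            # NXDOMAIN is expected until the provider has published the record.
            Write-Verbose "Lookup failed: $($_.Exception.Message)"
        }
        $missing = @($ExpectedValue | Where-Object { $seen -notcontains $_ })
        if ($missing.Count -eq 0) {
            Write-Verbose "All $($ExpectedValue.Count) value(s) visible at $Server"
            return $true
        }
        Write-Verbose "Still missing $($missing.Count) value(s); retrying in $IntervalSeconds s"
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage (constructed placeholder values, not real ACME tokens):
# if (Wait-DnsTxtRecord -Name '_acme-challenge.example.com' `
#         -ExpectedValue 'TOKEN_FOR_APEX', 'TOKEN_FOR_WILDCARD' -Verbose) {
#     # safe to send the acknowledgment now
# }
```

Querying a resolver other than the one the script host normally uses matters here: a local cache can hold a negative answer from the pre-check and report "missing" long after the provider has published the record.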

Disable the content switch after ACME challenge, ECC certificates

Hi,
great script!
We are currently working on the implementation for our environment. Two questions came up:

  1. We would like to enable the CS for LE only during the ACME validation.
    What API calls would we need? Would it be easy to add an option to the script?

  2. How would we request ECC certificates? Both LE and NS are capable of this.

Regards,
Mario

error when starting the program


2020-04-10 12:22:15:1745 INFO SCRIPTBASICS Starting a new log
2020-04-10 12:22:15:2264 INFO DOTNETCHECK Checking if .NET Framework 4.7.1 or higher is installed.
2020-04-10 12:22:15:2454 INFO DOTNETCHECK .NET Framework 4.7.1 or higher is installed.
2020-04-10 12:22:15:2584 INFO SCRIPTVARIABLES ValidationMethod is set to: "http".
2020-04-10 12:22:15:2914 INFO SCRIPTVARIABLES PfxPassword was specified via parameter.
2020-04-10 12:22:15:3234 INFO SCRIPTVARIABLES Starting new session.
2020-04-10 12:22:15:3414 INFO VERSIONINFO Current script version: v2.6.3, checking if a new version is available.
2020-04-10 12:22:16:0710 INFO VERSIONINFO New version (v2.7.6) is available, check "https://github.com/j81blog/GenLeCertForNS/tree/dev".
2020-04-10 12:22:16:0867 INFO VERSIONINFO Version check finished.
2020-04-10 12:22:16:1023 INFO LOADMODULE Try loading the Posh-ACME v3.12.0 Modules.
2020-04-10 12:22:19:2131 INFO LOADMODULE v3.12.0 of Posh-ACME is installed, loading module.
2020-04-10 12:22:20:1022 INFO LOADMODULE Posh-ACME loaded successfully.
2020-04-10 12:22:20:1223 INFO ADC-CHECK Trying to login into the Citrix ADC.
2020-04-10 12:22:20:2743 INFO CONNECT-ADC Connecting to https://<>...
2020-04-10 12:22:20:5505 INFO CONNECT-ADC Connected
2020-04-10 12:22:20:5715 INFO ADC-CHECK Connected to Citrix ADC https://<>, as user nsroot, ADC Version NetScaler NS13.0: Build 52.24.nc
2020-04-10 12:22:20:6027 INFO CERTIFICATEPRECHECK Keysize: 2048
2020-04-10 12:22:20:6339 INFO DNSPRECHECK continuing with the "http" validation method!
2020-04-10 12:22:20:6831 INFO DNSPRECHECK Checking for double SAN values.
2020-04-10 12:22:20:7021 INFO DNSPRECHECK No double SAN values found.
2020-04-10 12:22:20:7718 INFO DNSPRECHECK Verifying Content Switch.
2020-04-10 12:22:20:8438 ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (404) Not Found.
2020-04-10 12:22:20:8598 ERROR DNSPRECHECK Error Verifying Content Switch. Details: The remote server returned an error: (404) Not Found.
2020-04-10 12:22:20:8868 ERROR DNSPRECHECK The Content Switch "cs_domain.com_http" does NOT exist! Please make sure a HTTP Content Switch is available.
2020-04-10 12:22:20:9018 INFO FINAL Script Terminated, ExitCode: 1

Get-ADCCurrentCertificate function

The payload for the systemfile REST api requires a filename and location. You are passing in a fully pathed filename, but it should be JUST the filename. It does not find the file otherwise. I am using version 13 of the ADC
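Three of the issues above come down to the same NITRO calls: checking that a content switch exists before starting (the 404 in "error when starting the program"), enabling it only for the ACME validation window (question 1 in "Disable the content switch after ACME challenge"), and reading a file with systemfile, which wants the directory and the file name as separate arguments. The block below is an added example written for this page; it is not the project's Invoke-ADCRestApi or Get-ADCCurrentCertificate. It uses the NITRO X-NITRO-USER/X-NITRO-PASS header authentication and the csvserver and systemfile resources; the ADC URL, content switch name and file path are constructed.

```powershell
# Added example, not part of GenLeCertForNS. Minimal NITRO wrapper plus three helpers.
function Invoke-Nitro {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AdcUrl,            # e.g. https://adc.example.internal (constructed)
        [Parameter(Mandatory)][pscredential]$Credential,  # an account limited to the objects it needs
        [ValidateSet('GET', 'POST', 'DELETE')][string]$Method = 'GET',
        [Parameter(Mandatory)][string]$Path,              # part after /nitro/v1/config/
        [hashtable]$Body
    )
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
    }
    $params = @{ Uri = "$AdcUrl/nitro/v1/config/$Path"; Method = $Method; Headers = $headers
                 ContentType = 'application/json'; ErrorAction = 'Stop' }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5 -Compress) }
    Invoke-RestMethod @params
}

# $true if the content switch exists. NITRO answers 404 for an unknown object name;
# any other failure (401, TLS, network) is rethrown so it is not mistaken for "missing".
function Test-NitroCsVserver {
    param([string]$AdcUrl, [pscredential]$Credential, [Parameter(Mandatory)][string]$Name)
    try {
        $r = Invoke-Nitro -AdcUrl $AdcUrl -Credential $Credential -Path "csvserver/$([uri]::EscapeDataString($Name))"
        return ($null -ne $r.csvserver)
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) { return $false }
        throw
    }
}

# Enable or disable a content switch: POST csvserver?action=enable|disable with its name.
function Set-NitroCsVserverState {
    param([string]$AdcUrl, [pscredential]$Credential,
          [Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][ValidateSet('enable', 'disable')][string]$Action)
    $null = Invoke-Nitro -AdcUrl $AdcUrl -Credential $Credential -Method POST `
        -Path "csvserver?action=$Action" -Body @{ csvserver = @{ name = $Name } }
}

# Read a file through systemfile. The full path is split into filename and filelocation,
# and the location is URL-encoded, because a fully pathed filename is not found.
function Get-NitroSystemFile {
    param([string]$AdcUrl, [pscredential]$Credential, [Parameter(Mandatory)][string]$FullPath)
    $fileName = Split-Path -Path $FullPath -Leaf
    $location = (Split-Path -Path $FullPath -Parent) -replace '\\', '/'   # Windows turns / into \
    $argList  = "filename:$fileName,filelocation:$([uri]::EscapeDataString($location))"
    $r = Invoke-Nitro -AdcUrl $AdcUrl -Credential $Credential -Path "systemfile?args=$argList"
    $file = @($r.systemfile)[0]
    # filecontent comes back base64-encoded.
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($file.filecontent))
}

# Usage sketch: enable the switch only around the validation, and always put it back.
# $cred = Get-Credential
# $adc  = 'https://adc.example.internal'
# if (-not (Test-NitroCsVserver -AdcUrl $adc -Credential $cred -Name 'cs_domain.com_http')) {
#     throw 'Content switch cs_domain.com_http does not exist; create it before running.'
# }
# Set-NitroCsVserverState -AdcUrl $adc -Credential $cred -Name 'cs_domain.com_http' -Action enable
# try { <# run the ACME http validation here #> }
# finally { Set-NitroCsVserverState -AdcUrl $adc -Credential $cred -Name 'cs_domain.com_http' -Action disable }
# Get-NitroSystemFile -AdcUrl $adc -Credential $cred -FullPath '/nsconfig/ssl/cert.pem'
```

The try/finally around the validation is the important part of the usage: if the ACME step throws, the switch still goes back to disabled rather than staying open. Trusting the ADC management certificate on the host running the script avoids any need to relax TLS validation in the REST calls. For the ECC question in that same issue, Posh-ACME's New-PACertificate accepts -KeyLength values such as ec-256 and ec-384 in place of an RSA size.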

Having issue with config file for 3 certs, dns plugin and autorun.

Using godaddy dns validation

cert1 is going fine. also with wildcard
cert2:
NOTE: -CN or -SAN contains a wildcard entry, continuing with the "dns" validation method!
-CN........................: mydomain.eu
-SAN(s)....................: *.mydomain.eu
-Wildcard..................: A wildcard was found while also using the -AutoRun parameter. Only HTTP validation (no Wildcard) is allowed!

when running:

powershell -File "c:\LE\GenLeCertForNS.ps1" -AutoRun -ConfigFile 'c:\LE\GenLe-Config.json' -Production

Scratching my head for hours already...

CsVipName is needed even with ValidationMethod "dns"

Hello

When DNS is used it still asks for CsVipName.
In older versions you could just say "dummy", but now it is checked against the NS.

Workaround for me: set LECertificates to $false

    [Parameter(ParameterSetName = "CommandPolicy", Mandatory = $true)]
    [Parameter(ParameterSetName = "CommandPolicyUser", Mandatory = $false)]
    [Parameter(ParameterSetName = "LECertificates", Mandatory = $false)]
    [Parameter(ParameterSetName = "CleanADC", Mandatory = $false)]
    [ValidateNotNullOrEmpty()]
    [alias("NSCsVipName")]
    [String[]]$CsVipName,

BTW: I added a function to use the autodns / internetx direct API to do the DNS changes

# Shared builder for the AutoDNS / InternetX XML gateway: one function produces both the
# rr_add and rr_rem tasks, so the request body is defined once. Every caller-supplied value
# is XML-escaped before it is spliced into the document, so a TXT value, zone name or
# password containing <, & or quotes cannot break or alter the request structure.
function Invoke-AutoDNSRecordTask {
    param(
        [Parameter(Mandatory)][ValidateSet('rr_add', 'rr_rem')][string]$Style,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Pass,
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Name,
        [string]$Type = 'TXT',
        [string]$Pref = '',
        [int]$Ttl = 300,
        [string]$Value = ''
    )
    $ns = 'a.ns14.net'
    $x = @{}
    foreach ($k in 'User', 'Pass', 'Zone', 'Name', 'Type', 'Pref', 'Ttl', 'Value') {
        $x[$k] = [System.Security.SecurityElement]::Escape([string](Get-Variable -Name $k -ValueOnly))
    }
    $xmlpost = @"
<?xml version="1.0" encoding="utf-8"?>
<request>
  <auth>
    <user>$($x.User)</user>
    <password>$($x.Pass)</password>
    <context>4</context>
  </auth>
  <task>
    <code>0202001</code>
    <default>
      <$Style>
        <name>$($x.Name)</name>
        <type>$($x.Type)</type>
        <pref>$($x.Pref)</pref>
        <ttl>$($x.Ttl)</ttl>
        <value>$($x.Value)</value>
      </$Style>
    </default>
    <zone>
      <name>$($x.Zone)</name>
      <system_ns>$ns</system_ns>
    </zone>
  </task>
</request>
"@
    # The body is XML, so declare it as such instead of the form-encoded default.
    $result = Invoke-RestMethod -Uri 'https://gateway.autodns.com' -Method Post -ContentType 'text/xml' -Body $xmlpost
    return $result.response.result.msg.text
}

function Remove-AutoDNSRecord($user, $pass, $zone, $name, $type = 'TXT', $pref, $ttl = 300, $value) {
    Invoke-AutoDNSRecordTask -Style rr_rem -User $user -Pass $pass -Zone $zone -Name $name -Type $type -Pref $pref -Ttl $ttl -Value $value
}

function Add-AutoDNSRecord($user, $pass, $zone, $name, $type = 'TXT', $ttl = 300, $pref, $value) {
    Invoke-AutoDNSRecordTask -Style rr_add -User $user -Pass $pass -Zone $zone -Name $name -Type $type -Pref $pref -Ttl $ttl -Value $value
}

Failed to unbind

Hi John,

I hope I'm posting this appropriately in github.

I run Netscaler NS12.1 57.18.nc and the 2.6.3 production release of your code has been problematic - it can never properly unbind the rsp_letsencrypt_10 policy:

2020-11-12 06:27:02:1305	INFO  	CONFIGUREADC	LB Service binding is OK
2020-11-12 06:27:02:5335	INFO  	CONFIGUREADC	Checking if policy "rsp_letsencrypt_test" is bound to Load Balance VIP.
2020-11-12 06:27:02:6245	INFO  	CONFIGUREADC	Trying to unbind "".
2020-11-12 06:27:02:7505	ERROR 	INVOKE-ADCRESTAPI	Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:7995	ERROR 	CONFIGUREADC	Failed to unbind. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:8455	INFO  	CONFIGUREADC	Trying to remove the Responder Policy "rsp_letsencrypt_test".
2020-11-12 06:27:02:9535	ERROR 	INVOKE-ADCRESTAPI	Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:9955	ERROR 	CONFIGUREADC	Failed to remove. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:03:0325	INFO  	CONFIGUREADC	Checking if policy "rsp_letsencrypt_10" is bound to Load Balance VIP.
2020-11-12 06:27:03:1305	INFO  	CONFIGUREADC	Trying to unbind "".
2020-11-12 06:27:03:2315	ERROR 	INVOKE-ADCRESTAPI	Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:03:2755	ERROR 	CONFIGUREADC	Failed to unbind. Exception Message: The remote server returned an error: (599) Netscaler specific error.

According to the v.12 Citrix API documentation, all that's needed is the policy name when dealing with an unbind. The URI that's constructed needs to be of TYPE lbvserver_service_binding, not TYPE responderpolicy_binding, so I changed lines 1767-1769 as follows:

Write-ToLogFile -I -C ConfigureADC -M "Trying to unbind `"$($ResponderBinding.name)`"."
$arguments = @{"policyname" = "$($ResponderBinding.name)"; }
$response = Invoke-ADCRestApi -Session $ADCSession -Method DELETE -Type lbvserver_service_binding -Arguments $arguments -Resource $NSLbName

I took a look at your DEV branch which seems to be a significant rewrite. I don't see the syntax that's been problematic for me in there, so perhaps you've already revised this.

This has been a phenomenal script that's let me move to LE on our Netscaler - thanks!

Working with Traffic Domains

Hello!
It should be possible to set Traffic Domain for ADC CS vserver, LB vserver, LB service and server.

I was able to make it work with additional payload parameter:
line 1912
$payload = @{"name" = "$($Parameters.settings.SvcName)"; "ip" = "$($Parameters.settings.SvcDestination)"; "servicetype" = "HTTP"; "port" = "80"; "healthmonitor" = "NO"; "td" = "###";}

line 1932
$payload = @{"name" = "$($Parameters.settings.LbName)"; "servicetype" = "HTTP"; "ipv46" = "0.0.0.0"; "Port" = "0"; "td" = "###"; }

Is it possible to add Traffic Domain as part of Parameters list?

DNS validation delegation to ADC

It should be possible to delegate _acme-challenge.<YOUR_DOMAIN> to the ADC and through the script generate the challenge DNS response automatically.

LBVip is not unbinding

Using the new -UseLbVip function of the script. It works aside from one little weirdness. What we are seeing is if the svc_letsencrypt_cert_dummy is left bound to the LBVip (We are using a production LBVip for http to https redirection), in Edge only (which is also super odd), the http to https redirection doesn't work. Everything works fine in Chrome/Firefox. Do you think you should add a quick function to unbind that svc_letsencrypt_cert_dummy from the LBVip when it's done doing its thing?

Multiple Netscalers

Is it possible to deploy the same certificate to more than one Netscaler?
We have a GSLB setup with a couple of Netscalers with identical configs.

domain name cert (without Host not working)

Hello

when I request
-CN "*.domain.tld" -SAN "domain.tld"
with DNS
It will try to add two different TXT Records to the same DNS - so one will fail.

When I only request -CN "domain.tld"
the validation will also fail.

So please on DNS make sure only one TXT will be added and that domains without host will work.
Thanks.

(tested with 2.84)

linking certs in the chain after run required

Hello.
We are using this with "ValidationMethod": "http" for 2 certificates.
The renewal works fine and as expected, but after each renewal we have to link the new certs using

link ssl certKey $CertKeyNameToUpdate "Let’s Encrypt R3"

Are we missing something in our config or is there a post run hook we can configure?
Thank you for the great script and your support
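The manual step in this issue, link ssl certKey <name> "Let’s Encrypt R3", is the NITRO sslcertkey link action, so it can run as a post-renewal step from PowerShell. The function below is an added example for this page, not part of GenLeCertForNS; it assumes the issuer certkey is already installed on the ADC, uses NITRO header authentication, and takes constructed values for the ADC URL and names. It reads the current link first so running it after every renewal is harmless.

```powershell
# Added example, not part of GenLeCertForNS. Links a certkey to its issuer certkey via
# NITRO, returning 'AlreadyLinked' or 'Linked' so a caller can log what happened.
function Set-NitroCertKeyLink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AdcUrl,             # e.g. https://adc.example.internal (constructed)
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$CertKeyName,        # the certkey the renewal just updated
        [Parameter(Mandatory)][string]$IssuerCertKeyName   # e.g. "Let's Encrypt R3", already on the ADC
    )
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
    }
    $base = "$AdcUrl/nitro/v1/config/sslcertkey"

    # Read the object first: linkcertkeyname tells us what it is linked to today.
    $current = Invoke-RestMethod -Uri "$base/$([uri]::EscapeDataString($CertKeyName))" `
        -Headers $headers -Method Get -ErrorAction Stop
    $linked = @($current.sslcertkey)[0].linkcertkeyname
    if ($linked -eq $IssuerCertKeyName) {
        Write-Verbose "$CertKeyName is already linked to $IssuerCertKeyName"
        return 'AlreadyLinked'
    }
    if ($linked) {
        # Linked to an older intermediate: unlink before linking to the current issuer.
        $unlinkBody = @{ sslcertkey = @{ certkey = $CertKeyName } } | ConvertTo-Json -Compress
        $null = Invoke-RestMethod -Uri "${base}?action=unlink" -Headers $headers -Method Post `
            -ContentType 'application/json' -Body $unlinkBody -ErrorAction Stop
    }
    $linkBody = @{ sslcertkey = @{ certkey = $CertKeyName; linkcertkeyname = $IssuerCertKeyName } } |
        ConvertTo-Json -Compress
    $null = Invoke-RestMethod -Uri "${base}?action=link" -Headers $headers -Method Post `
        -ContentType 'application/json' -Body $linkBody -ErrorAction Stop
    return 'Linked'
}

# Usage (constructed names):
# Set-NitroCertKeyLink -AdcUrl 'https://adc.example.internal' -Credential (Get-Credential) `
#     -CertKeyName 'www.example.com' -IssuerCertKeyName "Let's Encrypt R3" -Verbose
```

Run it once per certkey after the renewal finishes, and save the configuration afterwards in the same way the rest of the deployment is saved, otherwise the link is lost on the next reboot. Because it inspects the existing link, it also handles the case where Let's Encrypt changes intermediates: update the issuer certkey on the ADC, pass the new name, and the old link is replaced.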
