Certbot renewal script for the RDP listener certificate, ready to be added as a Task Scheduler job
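# Renews the Let's Encrypt certificate with certbot (run in Docker), packs it into a PFX,
# imports it into the machine certificate store, grants the Remote Desktop service read
# access to the private key, and points the RDP-Tcp listener at the new certificate.
# Background: https://superuser.com/questions/1093159/how-to-provide-a-verified-server-certificate-for-remote-desktop-rdp-connection
#
# Meant to run unattended (Task Scheduler, elevated). Every step that fails throws, so the
# listener is never switched to a half-installed certificate.

# --- Settings: edit these to match the machine ---
$LetsEncryptRoot      = "C:\Users\Kreem\Documents\letsencrypt";   # contains certbot's etc\ and var\
$Domain               = "kreemmorsy.ddns.net";                      # name of the lineage under etc\live\
$PfxPath              = Join-Path $LetsEncryptRoot "rdp.pfx";       # transient: deleted after import
$DockerDesktopExe     = "C:\Program Files\Docker\Docker\Docker Desktop.exe";
$DaemonTimeoutSeconds = 90;                                         # how long to wait for the daemon after starting it
$RdpListenerKey       = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp";
$RdpServiceSid        = 'S-1-5-20';                                 # NT AUTHORITY\NETWORK SERVICE, which TermService runs as

# Returns $true when the Docker daemon answers; `docker info` exits non-zero otherwise.
function Test-DockerDaemon {
    & docker info | Out-Null;
    return ($LASTEXITCODE -eq 0);
}

# --- 1. Make sure Docker is available, remembering whether we had to start it ---
$startedDockerDesktop = $False;
if (-not (Test-DockerDaemon)) {
    Write-Output "Docker not running, starting Docker Desktop";
    $startedDockerDesktop = $True;
    Start-Process $DockerDesktopExe;
    # Poll instead of a fixed sleep: the daemon may be ready much earlier (or later) than 90 s.
    $deadline = (Get-Date).AddSeconds($DaemonTimeoutSeconds);
    while (-not (Test-DockerDaemon)) {
        if ((Get-Date) -gt $deadline) { throw "Docker daemon did not come up within $DaemonTimeoutSeconds seconds"; }
        Start-Sleep -Seconds 5;
    }
}

try {
    # --- 2. Renew ---
    # No -it: nothing is interactive here, and a TTY is not available under Task Scheduler.
    # Port 8080 on all interfaces must be forwarded to this host's port 80 for the http-01 challenge.
    Write-Output "Attempting renew";
    & docker run --rm --name certbot `
        -v "$LetsEncryptRoot\etc:/etc/letsencrypt" `
        -v "$LetsEncryptRoot\var:/var/lib/letsencrypt" `
        -p 0.0.0.0:8080:80 `
        certbot/certbot renew;
    if ($LASTEXITCODE -ne 0) { throw "certbot renew failed with exit code $LASTEXITCODE"; }

    # --- 3. Bundle key + chain into a PFX for the Windows store ---
    # The export password is empty, so the file is handled as a secret: it lives only until step 4 imports it.
    Write-Output "Creating pfx file";
    & docker run --rm --name openssl `
        -v "$LetsEncryptRoot\etc:/etc/letsencrypt" `
        -v "$LetsEncryptRoot\:/cert" `
        alpine/openssl pkcs12 -export -out /cert/rdp.pfx `
        -inkey "/etc/letsencrypt/live/$Domain/privkey.pem" `
        -in "/etc/letsencrypt/live/$Domain/fullchain.pem" `
        -certfile "/etc/letsencrypt/live/$Domain/cert.pem" `
        -password pass:;
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed with exit code $LASTEXITCODE"; }
} finally {
    # Only tear down what this run started; leave a Docker Desktop the user was already using alone.
    if ($startedDockerDesktop) {
        Stop-Process -Name "Docker Desktop";
        & wsl --shutdown;
    }
}

# --- 4. Import (key stays non-exportable: Import-PfxCertificate's default) and remove the PFX ---
Write-Output "Importing certificate";
try {
    $certs = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My;
} finally {
    # Never leave an unencrypted private key lying in Documents, even if the import failed.
    Remove-Item -Path $PfxPath -Force -ErrorAction SilentlyContinue;
}
$certs | Format-List;

# The PFX also carries the chain; the listener must use the leaf, i.e. the one entry that owns the key.
$cert = @($certs | Where-Object { $_.HasPrivateKey })[0];
if (-not $cert) { throw "No certificate with a private key was imported from $PfxPath"; }

# --- 5. Let NETWORK SERVICE read the machine key file so TermService can use it ---
Write-Output "Adding user permissions";
$rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert);
$keyFileName = $rsaKey.Key.UniqueName;
if (-not $keyFileName) { throw "Could not determine the key file name for certificate $($cert.Thumbprint)"; }
$keyPath = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\Keys\$keyFileName";
if (-not (Test-Path -Path $keyPath -PathType Leaf)) { throw "Private key file not found at $keyPath"; }
$permissions = Get-Acl -Path $keyPath;
$account = ([Security.Principal.SecurityIdentifier]$RdpServiceSid).Translate([Security.Principal.NTAccount]).Value;
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'None', 'None', 'Allow');
$permissions.AddAccessRule($readRule);
Set-Acl -Path $keyPath -AclObject $permissions;
$permissions | Format-List;

# --- 6. Point the RDP listener at the new certificate (raw SHA-1 thumbprint bytes) ---
Write-Output "Updating registry";
$thumbprintBytes = $cert.GetCertHash();
Set-ItemProperty -Path $RdpListenerKey -Name "SSLCertificateSHA1Hash" -Type Binary -Value $thumbprintBytes;
Get-ItemProperty -Path $RdpListenerKey -Name "SSLCertificateSHA1Hash";

# --- 7. Restart Remote Desktop Services so the new certificate is served ---
Write-Output "Restarting RDP";
Restart-Service -Name TermService -Force
Get-Service -Name TermService | Format-List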