Certbot renewal script, ready to add with task scheduler
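# check this https://superuser.com/questions/1093159/how-to-provide-a-verified-server-certificate-for-remote-desktop-rdp-connection
#
# Renews the Let's Encrypt certificate with certbot (run in Docker), exports it
# to a PFX, imports that into the machine store, grants NETWORK SERVICE read
# access to the private key, points the RDP-Tcp listener at the new thumbprint
# and restarts Remote Desktop Services. Meant to run from Task Scheduler with
# administrator rights.

# --- configuration -----------------------------------------------------------
$leRoot        = "C:\Users\Kreem\Documents\letsencrypt"          # certbot state: etc\ and var\
$domain        = "kreemmorsy.ddns.net"
$pfxPath       = "$leRoot\rdp.pfx"
$dockerDesktop = "C:\Program Files\Docker\Docker\Docker Desktop.exe"
$dockerStartTimeoutSec = 120                                     # how long to wait for the daemon after launching Docker Desktop
$rdpListener   = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# Bind mounts shared by the certbot and openssl containers.
$etcMount = "${leRoot}\etc:/etc/letsencrypt"
$varMount = "${leRoot}\var:/var/lib/letsencrypt"

# Returns $true when the Docker CLI can reach the daemon (docker info exits 0).
function Test-DockerDaemon {
  $null = & docker info 2>&1
  return ($LASTEXITCODE -eq 0)
}

# Runs `certbot renew` in a container. Returns $true on exit code 0.
# Port 8080 is published on every interface; presumably the HTTP-01 challenge
# reaches it through a port forward — confirm against the renewal config.
# NOTE(review): -it allocates a TTY; confirm it works in a non-interactive
# Task Scheduler session.
function Invoke-CertbotRenew {
  & docker run -it --rm --name certbot -v $etcMount -v $varMount -p 0.0.0.0:8080:80 certbot/certbot renew
  return ($LASTEXITCODE -eq 0)
}

# --- make sure Docker is up ---------------------------------------------------
# Check the daemon directly instead of inferring "Docker not running" from the
# certbot exit code: a failed renewal must not cause Docker Desktop / WSL to be
# shut down later on.
$startedDocker = $false
if (-not (Test-DockerDaemon)) {
  Write-Output "Docker not running, attempting to run daemon"
  Start-Process $dockerDesktop
  $startedDocker = $true
  $deadline = (Get-Date).AddSeconds($dockerStartTimeoutSec)
  while (-not (Test-DockerDaemon)) {
    if ((Get-Date) -gt $deadline) {
      throw "Docker daemon did not become ready within $dockerStartTimeoutSec seconds"
    }
    Start-Sleep -Seconds 5
  }
}

# --- renew --------------------------------------------------------------------
Write-Output "Attempting renew"
if (-not (Invoke-CertbotRenew)) {
  # Not fatal: the certificate already on disk is still (re)imported below.
  Write-Warning "certbot renew exited with code $LASTEXITCODE; continuing with the certificate currently on disk"
}

# --- export to PFX ------------------------------------------------------------
Write-Output "Creating pfx file"
# The PFX is exported with an empty password (and imported the same way below);
# it is removed once imported so the unprotected private key does not linger.
& docker run -it --rm --name openssl -v $etcMount -v "${leRoot}:/cert" alpine/openssl pkcs12 -export `
  -out /cert/rdp.pfx `
  -inkey "/etc/letsencrypt/live/$domain/privkey.pem" `
  -in "/etc/letsencrypt/live/$domain/fullchain.pem" `
  -certfile "/etc/letsencrypt/live/$domain/cert.pem" `
  --password pass:
if ($LASTEXITCODE -ne 0) {
  throw "openssl pkcs12 export failed with exit code $LASTEXITCODE"
}

# Only tear Docker down if this script brought it up.
if ($startedDocker) {
  Write-Output "Stopping Docker Desktop started by this script"
  Stop-Process -Name "Docker Desktop" -ErrorAction SilentlyContinue
  & wsl --shutdown
}

# --- import -------------------------------------------------------------------
Write-Output "Importing certificate"
$certs = @(Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop)
if ($certs.Count -eq 0) {
  throw "Import-PfxCertificate returned no certificate from $pfxPath"
}
$certs | Format-List
Remove-Item -Path $pfxPath -Force -ErrorAction SilentlyContinue

# --- grant the RDP service access to the private key --------------------------
Write-Output "Adding user permissions"
# S-1-5-20 is NT AUTHORITY\NETWORK SERVICE, the account TermService runs under.
$networkService = ([Security.Principal.SecurityIdentifier]'S-1-5-20').Translate([Security.Principal.NTAccount]).Value
foreach ($cert in $certs) {
  $rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
  if ($null -eq $rsaKey) {
    throw "Certificate $($cert.Thumbprint) has no accessible RSA private key"
  }
  # NOTE(review): ...\Crypto\Keys is the CNG machine-key location; a legacy CAPI
  # key lives under ...\Crypto\RSA\MachineKeys instead — confirm if Get-Acl fails.
  $keyPath = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\Keys\$($rsaKey.Key.UniqueName)"
  $acl  = Get-Acl -Path $keyPath -ErrorAction Stop
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($networkService, 'Read', 'None', 'None', 'Allow')
  $acl.AddAccessRule($rule)
  Set-Acl -Path $keyPath -AclObject $acl -ErrorAction Stop
  $acl | Format-List
}

# --- point the RDP listener at the new certificate ----------------------------
Write-Output "Updating registry"
# The first imported certificate is used, as before — presumably the leaf; confirm
# if the PFX ever carries more than one certificate into the store.
$thumbprint = $certs[0].Thumbprint
# Thumbprint is the SHA-1 hash as hex; the registry value needs raw bytes.
# Converted by hand so the script also runs on Windows PowerShell 5.1, which
# has no [Convert]::FromHexString.
$fingerprintBytes = [byte[]](0..([int]($thumbprint.Length / 2) - 1) | ForEach-Object {
  [Convert]::ToByte($thumbprint.Substring(2 * $_, 2), 16)
})
Set-ItemProperty -Path $rdpListener -Name "SSLCertificateSHA1Hash" -Type Binary -Value $fingerprintBytes -ErrorAction Stop
Get-ItemProperty -Path $rdpListener -Name "SSLCertificateSHA1Hash"

# --- restart RDP so the listener picks up the new certificate -----------------
Write-Output "Restarting RDP"
Restart-Service -Name TermService -Force -ErrorAction Stop
Get-Service -Name TermService | Format-List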