bc-on-docker-letsencrypt
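# Invoke default behavior: dot-source the stock script of the same name. It is
# expected to create the self-signed fallback and to set the variables this
# script overrides ($certificateThumbprint, $dnsidentity) as well as
# $publicDnsName - nothing below defines $publicDnsName, so confirm against the
# base image.
. (Join-Path $runPath $MyInvocation.MyCommand.Name)
# NOTE(review): $PSScriptHost is not a PowerShell automatic variable (compare
# $PSScriptRoot); verify the hosting environment sets it, otherwise this path
# resolves relative to the current directory.
. (Join-Path $PSScriptHost 'Deploy-LetsEncrypt.ps1')

# Use Let's Encrypt (ACMESharp, http-01 challenge against the default IIS site).
# Known limitation: the issued certificate is not renewed when it nears expiry;
# re-run this script for that.
$ContactEMailForLetsEncrypt = $env:ContactEMailForLetsEncrypt
# Vault alias of the DNS identifier. Overridable from the environment; the
# previous version assigned $env:dnsAlias and then clobbered it with the literal,
# so the override never took effect.
$dnsAlias = if ($env:dnsAlias) { $env:dnsAlias } else { "dnsAlias" }
$certAlias = "certAlias"
# One-off password protecting the exported PFX; generated per run, never written
# anywhere but passed to the import below.
$certPassword = [GUID]::NewGuid().ToString()
$certPfxFilename = "c:\ProgramData\nav-on-docker\certificate.pfx"
# -ExportKeyPEM writes the private key unencrypted to this file; the directory
# ACL should be limited to the service account that needs it.
$certPemFilename = "c:\ProgramData\nav-on-docker\certificate.pem"
# Challenge polling: interval between status checks and the overall bound.
$challengePollSeconds = 5
$challengeTimeoutSeconds = 120

# Remember what the default behavior produced so the catch block can really
# revert to the self-signed certificate instead of leaving half-updated values.
$previousThumbprint = $certificateThumbprint
$previousDnsIdentity = $dnsidentity

try {
    # Fail early with a clear message rather than registering "mailto:" or
    # requesting an identifier for an empty name.
    if (-not $ContactEMailForLetsEncrypt) {
        throw "ContactEMailForLetsEncrypt environment variable is not set"
    }
    if (-not $publicDnsName) {
        throw "publicDnsName is not set; cannot request a Let's Encrypt certificate"
    }

    Log "Installing ACMESharp PowerShell modules"
    # Install errors are suppressed on purpose (module may already be present);
    # Import-Module below will throw into the catch if it is genuinely missing.
    Install-Module -Name ACMESharp -AllowClobber -force -ErrorAction SilentlyContinue
    Install-Module -Name ACMESharp.Providers.IIS -force -ErrorAction SilentlyContinue
    Import-Module ACMESharp
    Enable-ACMEExtensionModule -ModuleName ACMESharp.Providers.IIS -ErrorAction SilentlyContinue

    Log "Initializing ACMEVault"
    Initialize-ACMEVault

    Log "Register Contact EMail address and accept Terms Of Service"
    New-ACMERegistration -Contacts "mailto:$ContactEMailForLetsEncrypt" -AcceptTos

    Log "Creating new dns Identifier"
    New-ACMEIdentifier -Dns $publicDnsName -Alias $dnsAlias

    Log "Performing Lets Encrypt challenge to default web site"
    Complete-ACMEChallenge -IdentifierRef $dnsAlias -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'Default Web Site' }
    Submit-ACMEChallenge -IdentifierRef $dnsAlias -ChallengeType http-01

    # Poll the challenge instead of a blind 60 second sleep: stop as soon as the
    # CA reports a terminal status, and fail explicitly on 'invalid' or timeout
    # so a bad certificate request is never attempted.
    $deadline = (Get-Date).AddSeconds($challengeTimeoutSeconds)
    $challengeStatus = $null
    do {
        Start-Sleep -Seconds $challengePollSeconds
        $identifier = Update-ACMEIdentifier -IdentifierRef $dnsAlias -ChallengeType http-01
        $challengeStatus = ($identifier.Challenges | Where-Object { $_.Type -eq "http-01" }).Status
        Log "Challenge status: $challengeStatus"
    } while ($challengeStatus -ne "valid" -and $challengeStatus -ne "invalid" -and (Get-Date) -lt $deadline)
    if ($challengeStatus -ne "valid") {
        throw "Let's Encrypt http-01 challenge did not validate (status: '$challengeStatus')"
    }

    Log "Requesting certificate"
    Remove-Item -Path $certPfxFilename -Force -ErrorAction Ignore
    New-ACMECertificate -Generate -IdentifierRef $dnsAlias -Alias $certAlias
    Submit-ACMECertificate -CertificateRef $certAlias
    # NOTE(review): issuance may not be complete on the first update; if the
    # export below fails intermittently, retry Update-ACMECertificate.
    Update-ACMECertificate -CertificateRef $certAlias
    Get-ACMECertificate -CertificateRef $certAlias -ExportPkcs12 $certPfxFilename -CertificatePassword $certPassword
    Remove-Item -Path $certPemFilename -Force -ErrorAction Ignore
    Get-ACMECertificate -CertificateRef $certAlias -ExportKeyPEM $certPemFilename

    # Load the PFX to read its thumbprint and subject; import into the machine
    # store only if that thumbprint is not already present.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPfxFilename, $certPassword)
    $certificateThumbprint = $cert.Thumbprint
    Write-Host "Certificate File Thumbprint $certificateThumbprint"
    if (-not (Test-Path "Cert:\LocalMachine\my\$certificateThumbprint")) {
        Write-Host "Import Certificate to LocalMachine\my"
        Import-PfxCertificate -FilePath $certPfxFilename -CertStoreLocation cert:\localMachine\my -Password (ConvertTo-SecureString -String $certPassword -AsPlainText -Force) | Out-Null
    }

    # Subject name used as the DNS identity; for a wildcard cert drop the "*."
    # prefix so the remaining domain is used.
    $dnsidentity = $cert.GetNameInfo("SimpleName", $false)
    if ($dnsidentity.StartsWith("*")) {
        $dnsidentity = $dnsidentity.Substring($dnsidentity.IndexOf(".") + 1)
    }
} catch {
    # $_.ErrorDetails is empty for most non-web exceptions, which previously
    # logged a blank line; Exception.Message is always populated.
    $message = $_.Exception.Message
    if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
        $message = $_.ErrorDetails.Message
    }
    Log -color Red $message
    Log -color Red "Reverting to Self Signed Certificate"
    # Restore whatever the default behavior set so a partial failure above does
    # not leave a thumbprint that was never imported.
    $certificateThumbprint = $previousThumbprint
    $dnsidentity = $previousDnsIdentity
}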