Last active
June 8, 2020 19:57
-
-
Save virtualhobbit/6b01eb2a2ad34099d2d55e4560245397 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
.SYNOPSIS | |
Uploads freshly minted certs to Horizon UAG | |
.DESCRIPTION | |
Generates an SSL certificate from Let's Encrypt, then connects to each UAG using the REST API and applies the certificate to the Internet interface. The Admin interface (port 9443) is unaffected. | |
.PARAMETER dnsName | |
The public DNS name of the UAG | |
.PARAMETER uags | |
Comma-seperated list of UAGs | |
.EXAMPLE | |
Update-UAGCerts.ps1 <DNS name> <UAGs> | |
.NOTES | |
Author: Mark Brookfield (@virtualhobbit) | |
#> | |
param( | |
[Parameter(Position=0,Mandatory=$true)] | |
[string]$dnsName, | |
[Parameter(Position=1,Mandatory=$true)] | |
[string[]]$uags | |
) | |
if (!$dnsName) { | |
Write-Error "No DNS name supplied - aborting" | |
exit | |
} | |
if (!$uags) { | |
Write-Error "No UAGs supplied - aborting" | |
exit | |
} | |
# Define Lets Encrypt parameters | |
$psMod = "Posh-ACME" | |
$dnsPlugin = "Route53" | |
$r53Params = @{R53AccessKey='YOURACCESSKEY'; R53SecretKey='YOURSECRETKEY'} | |
$email = "you@youremail.com" | |
# Define UAG credentials | |
$user = 'admin' | |
Write-Host "Please enter the UAG admin password. Please note this must be the same for all UAGs." | |
$pass = Read-Host -AsSecureString "Admin password" -Force | |
$pass = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass)) | |
$creds = "$($user):$($pass)" | |
# Encode credentials | |
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($creds)) | |
if (!(Get-InstalledModule -Name $psMod)) { | |
# Install the Posh-ACME module | |
Install-Module -Name $psMod -Scope CurrentUser -Force | |
} | |
# Set Let's Encrypt server | |
Set-PAServer LE_PROD | |
# Order the certificate | |
New-PACertificate $dnsName -AcceptTOS -DnsPlugin $dnsPlugin -PluginArgs $r53Params -Contact $email -Verbose -Force | |
$newCert = Get-PACertificate | |
# Convert private key to one-liner | |
$privKey = [IO.File]::ReadAllText($newCert.KeyFile) | |
$privKeyReplace = $privKey.Replace("`n",'\n') | |
# Convert SSL certificate to one-liner | |
$cert = [IO.File]::ReadAllText($newCert.FullChainFile) | |
$certReplace = $cert.Replace("`n",'\n') | |
# Create JSON body | |
$json = '{"privateKeyPem":"' + $privKeyReplace + '","certChainPem":"' + $certReplace + '"}' | |
# Define API parameters | |
$params = @{ | |
Headers = @{ 'Authorization' = "Basic $encodedCreds" } | |
Method = 'PUT' | |
Body = $json | |
ContentType = 'application/json' | |
} | |
ForEach ($uag in $uags){ | |
# Define the URI | |
$Uri = "https://" + $uag + ':9443/rest/v1/config/certs/ssl' | |
# Display UAG | |
Write-Host "UAG is: " $uag | |
# Connect to each UAG and replace SSL certificate and private key | |
Invoke-RestMethod $uri @params | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment