Eugene Bekker
@ebekker
Yeah, if you want to preserve everything, then everything in that dir should be treated as a whole, since the core data file only stores metadata, while individual assets like private keys, CSRs and certificates are all stored as separate files
Eugene Bekker
@ebekker
FYI, v0.9.1 has been released!
Ludwig Behm
@lbehm
FYI, if someone needs just a small acme client without huge configuration capabilities I did a thing
But be aware it's kinda beta
Eugene Bekker
@ebekker
@lbehm, very cool!
Eugene Bekker
@ebekker
I added a reference to your tool here
Ross Presser
@rpresser-aleyant
I really, really need a better solution to handle thousands of domains. Where would I begin if I wanted to write an SQL-based vault implementation?
Ross Presser
@rpresser-aleyant
Even partitioned, I have 7 vaults over 10mb, and 65 vaults over 1mb
(I don't keep backups)
Ludwig Behm
@lbehm
do you really need a vault?
Ross Presser
@rpresser-aleyant
What do you mean? Of course I need a vault...
Ah, I need to write implementations for IVault and IVaultProvider, correct?
Ludwig Behm
@lbehm
@rpresser-aleyant I never understood why I need another huge storage to archive everything certificate related. On Windows I already have the Key Storage Provider and the Certificate Stores. And they aren't optional - to use my certs in IIS I have to use them. Also I usually never need old CSRs or PEM files - there's no reason to store unencrypted private keys.
It is a nightmare to handle the security (ACLs) of private keys and yet we want another copy of that somewhere in publicly readable ProgramData or a separate DB?
ACME/LE only needs an AccountKey and AccountID (both static data), a list of Domains (few kb of config) and preferably existing certificates with private keys (in certificate stores anyway).
Ross Presser
@rpresser-aleyant
I suppose I understand your point.
Nevertheless, yours is not the only situation. I cannot integrate directly into IIS. For one thing, I have to manage a web farm of at least seven IIS servers. For another, I have to use haproxy to terminate SSL, because I cannot throw a folder full of certificates at IIS and expect it to get the right cert according to SNI request. I would have to create a separate binding for each of the four thousand sites on a single IP address that we must manage in our enormously multitenant application. So the Windows KSP and Certificate Stores are thoroughly useless to me.
Instead, haproxy lets me do what I said, just point it at a folder full of PEM/KEY files, and anyone connecting to the IP address with an SNI request will be given the correct certificate, if it exists.
Ludwig Behm
@lbehm
I assume you run haproxy on a Linux box. So you don't need certificates at all on the Windows servers, right?
techspecguy
@techspecguy
Eugene, again thanks for a great PowerShell module. Due to the complexities of my environment and extremely large number of certs, I am in need of a SQL vault provider. You pointed me in the direction of the IVault, unfortunately I am not a C# developer and my developers don't have the time to assist me with this. Any chance you could provide an ETA on a future SQL vault?
If anyone out there has taken on this task, tutorials or some documentation would be greatly appreciated. I manage thousands of certs and have scripted the automation of these to our F5s, including DNS validation, uploading to F5, etc. I just need a better vault solution for storage and reporting, renewal automation, etc.
Matej Drolc
@pingec
Hello all. What would be the best way to support tls-sni-01 with IIS? I have been using https://github.com/whereisaaron/acmesharp-update-certificate for http-01 with IIS but by now it is probably outdated and not worth updating. Are there any examples of scripts that handle tls-sni-01 through IIS out there yet?
Jeroen
@jertim_twitter
I'm trying to get ACMESharp to work with iis handling, but iis does not show up in the list of get-ACMEChallengeHandlerProfile -ListChallengeHandlers, it only shows manual. When I do get-ACMEExtensionModule | select Name, I do see that ACMESharp.Providers.IIS is installed. What am I missing here?
Ross Presser
@rpresser-aleyant
@lbehm -- you are correct, I don't need certs on my Windows servers at all.
Ludwig Behm
@lbehm
@rpresser-aleyant then it would be advisable to handle them completely on your Linux box. You should check out https://github.com/lukas2511/dehydrated - a small customizable bash script. Maybe it's already in the official package repo of your Linux distro.
Ross Presser
@rpresser-aleyant
@lbehm -- I respectfully but thoroughly disagree. There are important Windows dependencies for my situation. IIS has to answer the challenge (haproxy can't do it on its own). The data on which domains are necessary comes from MS SQL Server. I could go on but you're not interested in anything but denigrating ACMESharp so why should I bother?
Ludwig Behm
@lbehm
@rpresser-aleyant I'm sorry I bothered you. I forgot your good reasons (it was more than 2 months ago). And I really do see some good use cases in ACMESharp. It's just good practice to keep security related stuff on as few systems as possible.
Nowadays I see too many strange and unnecessary configurations on the other boards (mainly community.letsencrypt.org). And as far as I know, haproxy can answer the challenges. (have a look at errorfile if you are interested)
krishna3691
@krishna3691
Can anyone tell me the process to install letsencrypt?
alphaz18
@alphaz18
Hi, now that ACMEv2 is released officially I was wondering when ACMESharp will work with it? Thanks!
Eugene Bekker
@ebekker
Regarding installing Let's Encrypt and getting IIS challenge handler, please start with the ACMESharp docs site: https://pkisharp.github.io/ACMESharp-docs/
Start with the Quick Start (which uses IIS as a sample handler) and move on to the User Guide for more detailed instructions.
Regarding TLS-SNI-01, support has never been implemented and it looks like that's not a bad thing: SNI-01 and -02 have been disabled by LE due to security issues, SNI-03 would be the version to implement now, but HTTP-01 and DNS-01 are definitely the more preferred approaches.
Regarding ACMEv2 -- v2 support will be part of the "Core" version of the library which has been started, but it will be very slow going due to other commitments; as an OSS project all contributions are welcome.
brockssn
@brockssn
Having a problem with ACMESharp v0.9.1, with Server 2012 R2 and IIS 8.5, in the submit-acmechallenge step. Here's a picture of what's happening: https://imgur.com/aYeTj0A . But basically, when I do the submit-acmechallenge I get an error that the challenge has not been decoded. When I run update-acmeidentifier the challenges values = :{, } (it should say {,,iis} or something similar). Any idea what's going on?
Eugene Bekker
@ebekker
@brockssn -- do you have more than one domain on the certificate? (i.e. a SAN cert)
ForteUnited
@ForteUnited
Is there any documentation on how to use the ACMESharp nuget in .NET code directly?
mgoldencrown
@mgoldencrown
Is there a planned date for publishing the update to the CloudFlare provider for TLS v1.2 to the POSH gallery?
Eugene Bekker
@ebekker
@mgoldencrown -- the CloudFlare provider should automatically work with TLS v1.2 as it simply relies on the SSL/TLS support built into the .NET Framework
Are you finding it giving you errors?
If you're running into problems still, you can force the platform to use TLS 1.2 in PowerShell by issuing the following command before using any of the ACMESharp cmdlets:
[System.Net.ServicePointManager]::SecurityProtocol = "tls12"
Eugene Bekker
@ebekker
@ForteUnited -- unfortunately, most of the documentation is geared toward usage of the ACMESharp PowerShell module.
What I would recommend is that you look at the few client samples that use ACMESharp themselves to see the general pattern and steps necessary to use the library in your own application.
There are 3 samples I would direct you to. The first is the unit tests that are specific to the client, which you can find at: https://github.com/ebekker/ACMESharp/blob/master/ACMESharp/ACMESharp-test/AcmeClientUnitTests.cs
The tests are actually more like integration tests, as opposed to unit tests, because they actually interact with the Let's Encrypt STAGE servers and they are order dependent, but if you go through the test class, from top to bottom you'll see the steps that are necessary to interact with an ACME CA server.
Another good example is the win-acme project at https://github.com/PKISharp/win-acme
It's a CLI client that first uses ACMESharp to obtain certs and then installs the cert into IIS, but the first part is what's key.
Finally, there is the https://github.com/webprofusion/Certify project which is a GUI app for managing ACME CA server certs
Eugene Bekker
@ebekker
Now, all that is for the original ACMESharp project, the 1.x and earlier versions. There is a new ACMESharpCore project at https://github.com/PKISharp/ACMESharpCore -- this is the new 2.x line which is based on ACME 2.0 and supports wild-cards and the newer Let's Encrypt servers.
It's also based on .NET Standard and works with .NET Framework or .NET Core platforms, including cross-platform (tested on Linux).
If you want to explore this library, there are a couple working samples here: https://github.com/PKISharp/ACMESharpCore/tree/master/src/examples
Namely the CLI and Kestral examples. The other two are still works in progress.
Thomas Ottenhus
@glatzert

I did not want to "pollute" the GitHub issue with opinions and discussion, so I moved here and perhaps we could discuss some things, so I can finalize an early usable version of the PS-Core module:

1) Regarding the interface-driven approach - I agree with that, but I would not interface the JwsTool, but a wrapper around the algorithm itself. Besides being used for JWS, RSA and ECDSA are both needed to create certificates as well. To make this possible it's feasible to use multiple algorithms wrapped by an adapter, which translates calls like sign() to the actual sign() call of the algorithm. The JwsTool can use that adapter to handle everything necessary. I have a repository where I implemented that. It uses an abstract base class, which is more or less equivalent to an interface. There's no strong reason for it to be a base class, so using an interface would be possible, too.

2) I think the crypto bits should be their own project, which can be included in the original one - thus allowing me to import fewer methods which I do not need in the PS module (the client itself, for example).

3) The base type I introduced works as a static factory for the algorithm. To accomplish that I introduced types to export the keys and a method which chooses the correct algorithm type based on the key export type.

I'd like to hear your opinion.

The repo where I implemented the 3 approaches above is here: https://github.com/glatzert/ACMESharpCore/tree/sharing-crypto-with-ps