Ross Presser
(I don't keep backups)
Ludwig Behm
do you really need a vault?
Ross Presser
What do you mean? Of course I need a vault...
Ah, I need to write implementations for IVault and IVaultProvider, correct?
Ludwig Behm
@rpresser-aleyant I never understood why I need another huge storage to archive everything certificate related. On Windows I already have the Key Storage Provider and the Certificate Stores. And they aren't optional - to use my Certs in IIS I have to use them. Also I usually never need old CSRs or PEM files - there's no reason to store unencrypted private keys.
It is a nightmare to handle the security (ACLs) of PrivateKeys and yet we want another copy of that somewhere in public readable ProgramData or a separate DB?
ACME/LE only needs an AccountKey and AccountID (both static data), a list of Domains (few kb of config) and preferably existing certificates with private keys (in certificate stores anyway).
Ross Presser
I suppose I understand your point.
Nevertheless, yours is not the only situation. I cannot integrate directly into IIS. For one thing, I have to manage a web farm of at least seven IIS servers. For another, I have to use haproxy to terminate SSL, because I cannot throw a folder full of certificates at IIS and expect it to get the right cert according to SNI request. I would have to create a separate binding for each of the four thousand sites on a single IP address that we must manage in our enormously multitenant application. So the Windows KSP and Certificate Stores are thoroughly useless to me.
Instead, haproxy lets me do what I said, just point it at a folder full of PEM/KEY files, and anyone connecting to the IP address with an SNI request will be given the correct certificate, if it exists.
Ludwig Behm
I assume you run haproxy on a linux box. So you don't need Certificates at all on the Windows servers, right?
Eugene, again thanks for a great powershell module. Due to the complexities of my environment and extremely large number of certs, I am in need of a SQL vault provider. You pointed me in the direction of the IVault; unfortunately I am not a C# developer and my developers don't have the time to assist me with this. Any chance you could provide an ETA on a future SQL vault?
If anyone out there has taken on this task, tutorials or some documentation would be greatly appreciated. I manage thousands of certs and have scripted the automation of these to our F5s, including DNS validation, uploading to F5, etc. I just need a better vault solution for storage and reporting, renewal automation, etc.
Matej Drolc
Hello all. What would be the best way to support tls-sni-01 with IIS? I have been using https://github.com/whereisaaron/acmesharp-update-certificate for http-01 with IIS but by now it is probably outdated and not worth updating. Are there any examples of scripts that handle tls-sni-01 through IIS out there yet?
I'm trying to get ACMESharp to work with iis handling, but iis does not show up in the list of get-ACMEChallengeHandlerProfile -ListChallengeHandlers, it only shows manual. When I do get-ACMEExtensionModule | select Name, I do see that ACMESharp.Providers.IIS is installed. What am I missing here?
Ross Presser
@lbehm -- you are correct, I don't need certs on my Windows servers at all.
Ludwig Behm
@rpresser-aleyant then it would be advisable to handle them completely on your linux box. You should check out https://github.com/lukas2511/dehydrated - Small customizable bash script. Maybe already in the official package repo of your linux distro.
Ross Presser
@lbehm -- I respectfully but thoroughly disagree. There are important Windows dependencies for my situation. IIS has to answer the challenge (haproxy can't do it on its own). The data on which domains are necessary comes from MS SQL Server. I could go on but you're not interested in anything but denigrating ACMESharp so why should I bother?
Ludwig Behm
@rpresser-aleyant I'm sorry I bothered you. I forgot your good reasons (it was more than 2 months ago). And I really do see some good use cases in ACMESharp. It's just good practice to keep security related stuff on as few systems as possible.
Nowadays I see too many strange and unnecessary configurations on the other boards (mainly community.letsencrypt.org). And as far as I know, haproxy can answer the challenges (have a look at errorfile if you are interested).
Can anyone tell me the process to install letsencrypt?
Hi, now that acmev2 is released officially I was wondering when ACMESharp will work with it? Thanks!
Eugene Bekker
Regarding installing Let's Encrypt and getting IIS challenge handler, please start with the ACMESharp docs site: https://pkisharp.github.io/ACMESharp-docs/
Start with the Quick Start (which uses IIS as a sample handler) and move on to the User Guide for more detailed instruction.
Regarding TLS-SNI-01, support has never been implemented and it looks like that's not a bad thing: SNI-01 and -02 have been disabled by LE due to security issues, SNI-03 would be the version to implement now, but HTTP-01 and DNS-01 are definitely the more preferred approaches.
Regarding ACMEv2 -- v2 support will be part of the "Core" version of the library, which has been started, but it will be very slow going due to other commitments; as an OSS project all contributions are welcome.
Having a problem with ACMESharp v0.9.1, with Server 2012 R2 and IIS 8.5, in the submit-acmechallenge section. Here's a picture of what's happening: https://imgur.com/aYeTj0A . But basically, when I do the submit-acmechallenge I get an error that the challenge has not been decoded. When I run update-acmeidentifier the challenges value = :{, } (it should say {,,iis} or something similar). Any idea what's going on?
Eugene Bekker
@brockssn -- do you have more than one domain on the certificate? (i.e. a SAN cert)
Is there any documentation on how to use the ACMESharp nuget in .NET code directly?
Is there a planned date for publishing the update to the CloudFlare provider for TLS v1.2 to the POSH gallery?
Eugene Bekker
@mgoldencrown -- the CloudFlare provider should automatically work with TLS v1.2 as it simply relies on the SSL/TLS support built into the .NET Framework
Are you finding it giving you errors?
If you're running into problems still, you can force the platform to use TLS 1.2 in PowerShell by issuing the following command before using any of the ACMESharp cmdlets:
[System.Net.ServicePointManager]::SecurityProtocol = "tls12"
Eugene Bekker
@ForteUnited -- unfortunately, most of the documentation is geared toward usage of the ACMESharp PowerShell module.
What I would recommend is that you look at the few client samples that use ACMESharp themselves to see the general pattern and steps necessary to use the library in your own application.
There are 3 samples I would direct you to; the first is the Unit Tests that are specific to the client, which you can find at: https://github.com/ebekker/ACMESharp/blob/master/ACMESharp/ACMESharp-test/AcmeClientUnitTests.cs
The tests are actually more like integration tests, as opposed to unit tests, because they actually interact with the Let's Encrypt STAGE servers and they are order dependent, but if you go through the test class, from top to bottom you'll see the steps that are necessary to interact with an ACME CA server.
Another good example is the win-acme project at https://github.com/PKISharp/win-acme
It's a CLI client that first uses ACMESharp to obtain certs and then installs the cert into IIS, but the first part is what's key.
Finally, there is the https://github.com/webprofusion/Certify project, which is a GUI app for managing ACME CA server certs.
Eugene Bekker
Now, all that is for the original ACMESharp project, the 1.x and earlier versions. There is a new ACMESharpCore project at https://github.com/PKISharp/ACMESharpCore -- this is the new 2.x line which is based on ACME 2.0 and supports wild-cards and the newer Let's Encrypt servers.
It's also based on .NET Standard and works with .NET Framework or .NET Core platforms, including cross-platform (tested on Linux).
If you want to explore this library, there are a couple working samples here: https://github.com/PKISharp/ACMESharpCore/tree/master/src/examples
Namely the CLI and Kestrel examples. The other two are still works in progress.
Thomas Ottenhus

I did not want to "pollute" the GIT issue with opinions and discussion, so I moved here and perhaps we could discuss some things, so I can finalize an early usable version of the PS-Core module:

1) Regarding the Interface-Driven Approach - I agree with that, but I would not interface the JwsTool, but a wrapper around the algorithm itself. Besides being used for JWS, RSA and ECDSA are both needed to create certificates as well. To make this possible it's feasible to use multiple algorithms wrapped by an Adapter, which translates calls like sign() to the actual sign() call of the algorithm. The JWSTool can use that Adapter to handle everything necessary. I have a repository where I implemented that. It uses an abstract base class, which is more or less equivalent to an interface. There's no strong reason for it to be a base class, so using an interface would be possible, too.

2) I think the Crypto bits should be their own project, which can be included in the original one - thus allowing me to import fewer methods which I do not need in the PS module (the Client itself, for example).

3) The base type I introduced works as a static factory for the algorithm. To accomplish that I introduced types to export the keys and a method which chooses the correct algorithm type based on the key export type.

I'd like to hear your opinion.

The repo where I implemented the above 3 approaches is here: https://github.com/glatzert/ACMESharpCore/tree/sharing-crypto-with-ps
Cooks B.
Hi, a newbie here, trying to learn ACMESharp to inject it into my Windows Server 2012 R2, which has Exchange 2013. I do not have a website but purchased a domain which will be used for Exchange 2013, and I'm not sure if, for example, the certificate will work for subdomain.domain.com. If yes, do I need to create a new certificate which needs to start as www.domain.com, or should it start at subdomain.domain.com? TIA
Ludwig Behm
@cooksiecooks_twitter do you want to provide certificates for multiple services, like Exchange and another website? Generally Exchange only listens on virtual directories like /owa and /ecp, so you could technically serve your website on /index.html on the same domain and IIS site - but this can be confusing and isn't recommended. I would recommend you serve your default Exchange site on something like mail.domain.com and your website in a different IIS site on www.domain.com.
Cooks B.
Yes, for multiple services. For now I do not have a website running. So my setup now is the Exchange; the external name I've set is mail.domain.com, which can now be seen publicly. I have followed the quick start guide, which created it as "New-ACMEIdentifier -Dns mail.domain.com -Alias exchange", then I'm having a problem running the next step, for which I've used the DNS challenge. After completing the challenge for DNS, the status shows Invalid. I have updated the TXT record in my DNS provider (GoDaddy). I'm not sure what I'm doing wrong. I also tried to research whether there's anything in the forums about this T/S.
Ludwig Behm
@cooksiecooks_twitter maybe you have to wait some minutes between updating the DNS and submitting/confirming the challenge. Confirm that your DNS provider shows the correct answer. Also check the error message of Let's Encrypt for clues why it's denying your request.
Hi Everyone
Is it possible to specify a CA server other than the LetsEncrypt CA in ACMESharp PS cmdlets?
We have been provided a URL to use as an ACME compatible CA server: 'https://api.xxxx.com/acme/directory'