Ludwig Behm
@lbehm
@rpresser-aleyant I'm sorry I bothered you. I forgot your good reasons (it was more than 2 months ago). And I really do see some good use cases in ACMESharp. It's just good practice to keep security related stuff on as few systems as possible.
Nowadays I see too many strange and unnecessary configurations on the other boards (mainly community.letsencrypt.org). And as far as I know, haproxy can answer the challenges (have a look at errorfile if you are interested).
krishna3691
@krishna3691
Can anyone tell me the process to install letsencrypt?
alphaz18
@alphaz18
Hi, now that ACMEv2 is released officially, I was wondering when ACMESharp will work with it? Thanks!
Eugene Bekker
@ebekker
Regarding installing Let's Encrypt and getting IIS challenge handler, please start with the ACMESharp docs site: https://pkisharp.github.io/ACMESharp-docs/
Start with the Quick Start (which uses IIS as a sample handler) and move on to the User Guide for more detailed instructions.
Regarding TLS-SNI-01, support has never been implemented, and it looks like that's not a bad thing: SNI-01 and -02 have been disabled by LE due to security issues. SNI-03 would be the version to implement now, but HTTP-01 and DNS-01 are definitely the more preferred approaches.
Regarding ACMEv2 -- v2 support will be part of the "Core" version of the library, which has been started, but it will be very slow going due to other commitments; as an OSS project, all contributions are welcome.
brockssn
@brockssn
Having a problem with ACMESharp v0.9.1, with Server 2012 R2 and IIS 8.5, in the submit-acmechallenge section. Here's a picture of what's happening: https://imgur.com/aYeTj0A . But basically, when I do the submit-acmechallenge I get an error that the challenge has not been decoded. When I run update-acmeidentifier the challenges value = :{, } (it should say {,,iis} or something similar). Any idea what's going on?
Eugene Bekker
@ebekker
@brockssn -- do you have more than one domain on the certificate? (i.e. a SAN cert)
ForteUnited
@ForteUnited
Is there any documentation on how to use the ACMESharp nuget in .NET code directly?
mgoldencrown
@mgoldencrown
Is there a planned date for publishing the update to the CloudFlare provider for TLS v1.2 to the POSH gallery?
Eugene Bekker
@ebekker
@mgoldencrown -- the CloudFlare provider should automatically work with TLS v1.2 as it simply relies on the SSL/TLS support built into the .NET Framework
Are you finding it giving you errors?
If you're running into problems still, you can force the platform to use TLS 1.2 in PowerShell by issuing the following command before using any of the ACMESharp cmdlets:
[System.Net.ServicePointManager]::SecurityProtocol = "tls12"
Eugene Bekker
@ebekker
@ForteUnited -- unfortunately, most of the documentation is geared toward usage of the ACMESharp PowerShell module.
What I would recommend is that you look at the few client samples that use ACMESharp themselves to see the general pattern and steps necessary to use the library in your own application.
There are 3 samples I would direct you to. The first is the unit tests that are specific to the client, which you can find at: https://github.com/ebekker/ACMESharp/blob/master/ACMESharp/ACMESharp-test/AcmeClientUnitTests.cs
The tests are actually more like integration tests, as opposed to unit tests, because they actually interact with the Let's Encrypt STAGE servers and they are order dependent, but if you go through the test class from top to bottom you'll see the steps that are necessary to interact with an ACME CA server.
Another good example is the win-acme project at https://github.com/PKISharp/win-acme
It's a CLI client that first uses ACMESharp to obtain certs and then installs the cert into IIS, but the first part is what's key.
Finally, there is the https://github.com/webprofusion/Certify project, which is a GUI app for managing ACME CA server certs.
Eugene Bekker
@ebekker
Now, all that is for the original ACMESharp project, the 1.x and earlier versions. There is a new ACMESharpCore project at https://github.com/PKISharp/ACMESharpCore -- this is the new 2.x line which is based on ACME 2.0 and supports wild-cards and the newer Let's Encrypt servers.
It's also based on .NET Standard and works with .NET Framework or .NET Core platforms, including cross-platform (tested on Linux).
If you want to explore this library, there are a couple working samples here: https://github.com/PKISharp/ACMESharpCore/tree/master/src/examples
Namely the CLI and Kestrel examples. The other two are still works in progress.
Thomas Ottenhus
@glatzert

I did not want to "pollute" the Git issue with opinions and discussion, so I moved here and perhaps we could discuss some things, so I can finalize an early usable version of the PS-Core module:

1) Regarding the interface-driven approach - I agree with that, but I would not interface the JwsTool, but a wrapper around the algorithm itself. Besides being used for JWS, RSA and ECDSA are both needed to create certificates as well. To make this possible it's feasible to use multiple algorithms wrapped by an Adapter, which translates calls like sign() to the actual sign() call of the algorithm. The JWSTool can use that Adapter to handle everything necessary. I have a repository where I implemented that. It uses an abstract base class, which is more or less equivalent to an interface. There's no strong reason for it to be a base class, so using an interface would be possible, too.

2) I think the crypto bits should be their own project, which can be included in the original one - thus allowing me to import fewer methods which I do not need in the PS module (the client itself, for example).

3) The base type I introduced works as a static factory for the algorithm. To accomplish that I introduced types to export the keys and a method which chooses the correct algorithm type based on the key-export type.

I'd like to hear your opinion.

The repo where I implemented the above 3 approaches is here: https://github.com/glatzert/ACMESharpCore/tree/sharing-crypto-with-ps
Cooks B.
@cooksiecooks_twitter
Hi, a newbie here, trying to learn ACMESharp to inject it into my Windows Server 2012 R2 which has Exchange 2013. I do not have a website but purchased a domain which will be used for Exchange 2013, and I'm not sure if, for example, the certificate will work for subdomain.domain.com. If yes, do I need to create a new certificate which needs to start as www.domain.com, or should it start at subdomain.domain.com? TIA
Ludwig Behm
@lbehm
@cooksiecooks_twitter do you want to provide certificates for multiple services, like Exchange and another website? Generally Exchange only listens on virtual directories like /owa and /ecp, so you could technically serve your website on /index.html on the same domain and IIS site - but this can be confusing and isn't recommended. I would recommend that you serve your default Exchange site on something like mail.domain.com and your website in a different IIS site on www.domain.com.
Cooks B.
@cooksiecooks_twitter
Yes, for multiple services. For now I do not have a website running. So my setup now is the Exchange; the external name I've set is mail.domain.com, which is now visible in public. I have followed the quick start guide, which created it as "New-ACMEIdentifier -Dns mail.domain.com -Alias exchange", then I'm having a problem running the next step, for which I've used the DNS challenge. After completing the challenge for DNS, the status shows Invalid. I have updated the TXT record at my DNS provider (GoDaddy). I'm not sure what I'm doing wrong. I also tried to research if there's anything in the forums about this T/S.
Ludwig Behm
@lbehm
@cooksiecooks_twitter maybe you have to wait some minutes between updating the DNS and submitting/confirming the challenge. Confirm that your DNS provider shows the correct answer. Also check the error message from Let's Encrypt for clues why it's denying your request.
Ghost
@ghost~5a7ec891d73408ce4f8c87b2
Hello
HarMaximus
@HarMaximus
Hi Everyone
Is it possible to specify a CA server other than the LetsEncrypt CA in the ACMESharp PS cmdlets?
We have provided a URL to use as ACME compatible CA server 'https://api.xxxx.com/acme/directory'
Thomas Ottenhus
@glatzert
I cannot speak for the ACMESharp PS cmdlets V1, but there's a V2-compatible module available in the PowerShell Gallery called "ACME-PS", which I maintain and which is part of PKISharp as well AND allows arbitrary ACME servers. I'm open for issues and feature requests.
HarMaximus
@HarMaximus
Thanks Thomas. I will check it now
HarMaximus
@HarMaximus
Which cmdlet should I use to specify the ACME CA server URI?
Thomas Ottenhus
@glatzert
Get-AcmeServiceDirectory accepts either "well-known" names or a URI.
In case you missed it, the repository has a walkthrough: https://github.com/PKISharp/ACMESharpCore-PowerShell and the cmdlets should all be documented for Get-Help.
João Ernesto Arzamendia
@Jarzamendia
Hello! Is it possible to upgrade certificates automatically if they have less than one month until they expire? Does a script or cmdlet exist?
tschmit
@tschmit
Hello, is there a way to allow Get-ACMECertificate to overwrite existing files?
tschmit
@tschmit
yes... with the -Overwrite switch
tschmit
@tschmit
Why does Get-ACMECertificate export to "home" and not to the current dir?
Eugene Bekker
@ebekker
If you're running with elevated privs, then the ACMESharp PWSH cmdlets work with a system-wide directory; presumably the certs you are creating in this capacity are for securing system-wide services, and other admins would be able to access them.
If you're not running with elevated privs, then it defaults to a folder under your personal home directory.
All of this can be overridden using the various switches when you initialize the vault, by creating a named profile that specifies the path to the vault storage directory. Then you need to specify the profile name whenever you invoke other ACMESharp PWSH cmdlets.
gamlielalon1983
@gamlielalon1983
Hi,
I have an auto-renewal script that is working, but it is removing the intermediate data from the certificate and that makes trouble for some APIs. Is there a way that the auto-renewal process will also include the intermediate?
sayajirao-shinde28
@sayajirao-shinde28
Hello there, is it not possible to issue a certificate for localhost using win-acme/LE? I tried by updating the hosts file with a sample domain name and running the exe, but it's failing. Any help/direction will be greatly appreciated. Thank you