SSL Certificates are a great thing. However, for lab and test gear it can get expensive when you are generating new certificates for different usages. Using internal certificates are great for internal testing, but are a pain if you want to use them externally from multiple machines. Luckily there are Let’s Encrypt certificates. With their certificates you can generate 3 month certificates for not just A records, but for full wildcards as well.
With just 3 months available, this means you will be updating them every 3 months to keep your gear working. That is where these scripts come into play. By combining a couple of community products and some Windows Scheduled Tasks you can have this setup in an afternoon.
Godaddy April 2024 limitations
So in April Godaddy decided that people with less than 50 domains were not allowed to use their API anymore. So this stopped my scripts in their tracks. Since I am using Azure for hosting this website, I figured I would migrate my DNS Zones over there as well, since Posh-ACME supports automation with them. I will include the code I used to generate this, you will only need to modify the name of the Resource Zone that is holding your DNS Zones.
Install Pre-requisites on your updating system
From an admin PowerShell run the following commands. Accepting the install prompts as they come up. The section after the Install-Modules will fix an SSH syntax error that prevents the script from running. Make sure to close all admin PowerShell windows and IDEs after running these commands.
Install-Module -Name Posh-ACME -Scope AllUsers
Install-Module -Name Posh-ssh -Scope AllUsers
Install-Module -Name Az -AllowClobber -Scope AllUsers
# Switch to Traditional Browser Based Authentication
Update-AzConfig -EnableLoginByWam $false
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\2.2\Assembly\Renci.SshNet.dll");
Create an encrypted password file for automating the process
On the machine that you will be running the update scripts from, login with the user account that you will be executing the scripts as, and then open an admin PowerShell prompt. Run the following command to generate an encrypted text file. Modify the path to where the password file will be generated, just ensure that the folder exists before executing. On the pop-up box that appears enter the NetScaler username and password with permission to upload files and modify the certificates.
(get-credential).password | ConvertFrom-SecureString | set-content "C:\CertUpdates\password.txt"
Configure Azure Roles and Authentication tokens
# On Windows, this will pop up a web-GUI to login with. On other OSes,
# it will ask you to open a browser separately with a code for logging in.
$az = Connect-AzAccount
# Save the subscription/tentant ID for later
$subscriptionID = $az.Context.Subscription.Id
$tenantID = $az.Context.Subscription.TenantId
$roleDef = Get-AzRoleDefinition -Name "DNS Zone Contributor"
$roleDef.Id = $null
$roleDef.Name = "DNS TXT Contributor"
$roleDef.Description = "Manage DNS TXT records only."
$roleDef.Actions.RemoveRange(0,$roleDef.Actions.Count)
$roleDef.Actions.Add("Microsoft.Network/dnsZones/TXT/*")
$roleDef.Actions.Add("Microsoft.Network/dnsZones/read")
$roleDef.Actions.Add("Microsoft.Authorization/*/read")
$roleDef.Actions.Add("Microsoft.Insights/alertRules/*")
$roleDef.Actions.Add("Microsoft.ResourceHealth/availabilityStatuses/read")
$roleDef.Actions.Add("Microsoft.Resources/deployments/read")
$roleDef.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$roleDef.AssignableScopes.Clear()
$roleDef.AssignableScopes.Add("/subscriptions/$($az.Context.Subscription.Id)")
$role = New-AzRoleDefinition $roleDef
$role
# Setup Service Principal for API Access
$notBefore = Get-Date
$notAfter = $notBefore.AddYears(5)
$spParams = @{
DisplayName = 'PoshACME'
StartDate = $notBefore
EndDate = $notAfter
}
$sp = New-AzADServicePrincipal @spParams
$spPass = $sp.PasswordCredentials.SecretText | ConvertTo-SecureString -AsPlainText -Force
$appCred = [pscredential]::new($sp.AppId,$spPass)
Azure Security Certificate logins
# Configure Certificate for Cert based authentication
# Keep in mind that this certificate will be created in the current user's certificate
# store. If you intend to use it from another account, you will need to either create it
# there or export it and re-import it there.
$certParams = @{
CertStoreLocation = 'Cert:\CurrentUser\My'
Subject = 'CN=Azure App PoshACME'
HashAlgorithm = 'SHA256'
Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
NotBefore = $notBefore
NotAfter = $notAfter
}
$cert = New-SelfSignedCertificate @certParams
$certData = [System.Convert]::ToBase64String($cert.GetRawCertData())
$spParams = @{
DisplayName = 'PoshACME'
CertValue = $certData
StartDate = $cert.NotBefore
EndDate = $cert.NotAfter
}
$sp = New-AzADServicePrincipal @spParams
$appUser = $sp.AppId
$thumbprint = $cert.Thumbprint
Add the security roles to the DNS Zone Resource Group
# Modify the ResourceGroupName as appropriate for your environment
$raParams = @{
ApplicationId = $sp.AppId
ResourceGroupName = 'DNS'
RoleDefinitionName = 'DNS TXT Contributor'
}
New-AzRoleAssignment @raParams
Create your Posh-Acme Renewal Script
Create a Cert_Renewal.ps1 script on the update machine. I usually will place it in the same folder that I generated the password.txt file in the previous step. In that Cert_Renewal.ps1 script place the following code. You will need to modify the plugin arguments line to match your environment and provider. Refer to the Posh-ACME site for additional details. My example below is based on Azure. To get the username you can use this command in the same PowerShell window you used above to generate the roles.
write-host $sp.Appid
The Subscription and Tenant ID you can get from the gui. And the Certificate Thumbprint is in the properties of the certificate stored in the user’s personal store as part of this process. Make sure to run either run the update jobs under the same account you ran these processes, or copy that cert to the user store that will be running the scheduled tasks.
$pArgs = @{
AZSubscriptionId = 'asdfas'
AZTenantId = 'asdfasdf'
AZAppUsername = 'asdfasdf'
AZCertThumbprint = 'adsfasdf'
}
submit-renewal -allaccounts -PluginArgs $pArgs -force
Download and Modify the SSL_Cert_Update.ps script for your environment
I have worked to comment this PowerShell file as much as I can to hopefully make it clear. Feel free to modify and build from this to best fit your environment. The first time you run this, you will see some red messages, but these should just be the cleanup of previous certificate uploads. On subsequent runs you shouldn’t see those messages again. If you do, then check the message itself for troubleshooting steps.
Based on the vanilla template provided, the important lines to modify are the following;
3-5 Names of the Certificates as they appear on the NetScaler. These are case sensitive. Use similar syntax for uploading multiple certificates to your environment.
9 Enter the NetScaler user that will be used to upload the files and modify the certificate bindings
11 Enter the path to the Password.txt file you generated above
16 Enter the IP Address of the NetScaler you will be uploading data to
18-20 Enter the paths to the certificates that your Cert_Renewal.ps1 updated in the previous step
Automating the script process
I will recommend running these manually first, to make sure they work. If they are working correctly create a couple of Scheduled Tasks to run every 3 months. You want them to be 2 separate scripts, because you may have multiple NetScalers to send these cert files too, but you don’t want to regenerate the certificate files for each process. So just renew them once, then upload them to all your NetScalers.
Also, the renewal process has some built-in delay to it. This is to allow your DNS host to update it’s necessary Let’s Encrypt token. So if you have lots of certificates to renew, make sure to separate the renewal and upload process with enough of a gap to ensure they upload.
So create scheduled tasks on the same machine that you did all the above on, and set it to run as that same user that you logged in as to generate the password.txt file. The scheduled task should be set to powershell.exe with -file C:\CertUpdates\Cert_Renewal.ps1 -executionpolicy bypass for the arguments line. Modify the -file section to line up with your PowerShell scripts that you created above.
You can create 4 triggers on the Scheduled Tasks to line up with the 3 month expirations of your certificates, for full automated execution.