search

ebekker / ACMESharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)
https://pkisharp.github.io/ACMESharp-docs/
1.21k stars 184 forks source link

issue with -AlternativeIdentifierRefs #104

Open stanthewizzard opened 8 years ago

stanthewizzard commented 8 years ago

Hello

I have Update-ACMEIdentifier dns1 Update-ACMEIdentifier dns2

Working

But with this line: New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs dns2 -Alias multiNameCert

I got this

New-ACMECertificate : Cannot bind parameter 'AlternativeIdentifierRefs'. Cannot convert the "dns2" value of type "System.String" to type "System.Collections.Generic.IEnumerable`1[System.Object]". At line:1 char:63

Any clue ?

Thanks

bseddon commented 8 years ago

It's expecting an IEnumerable type for the AlternativeIdentifierRefs parameter value. You are passing only a string. Try:

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs ([array]$('dns2')) -Alias multiNameCert

The syntax '$(dns2)' creates a PowerShell array. The [array] cast makes sure it's marshaled to .NET as an ArrayList which implements IEnumerable. The outer parentheses may be redundant but ensures the scope of the cast is not ambiguous.

I've not tested this code but successfully use this idea in a script I created to step through all the commands needed to generate a certificate. If this syntax suggested above doesn't work, take a look at the New-ACMECertificate command in the script at about line 540.

If you have more that one additional alias you don't need to worry about this syntactical contortion as this works just fine:

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs dns2,dn3 -Alias multiNameCert

When more than one alias is passed, PowerShell will recognize there is an array to process and package it up correctly. It's only when there is a single extra alias this is an issue. The syntax shown also works for more than one alias but it is only necessary when there is a single alias.

JulesWebb commented 8 years ago

@stanthewizzard did this work for you?

I'm having a similar problem.

I ran the cmdlet below and got an error, but it did create YBAcdn_cert---Just didn't get any thing added to the AlternativeIdentifierDns line. I waited a bit and ran the update cmdlet and all the info came in but the AlternativeIdentifierDns.

ps> New-ACMECertificate YBA -Generate -AlternativeIdentifierRefs ([array]$(cdn)) -Alias YBAcdn_cert

The term 'cdn' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.At line:1 char:72

Anyone have any helpful feedback?

Thanks in advance Jules

bseddon commented 8 years ago

Yes, that's right. In the original example, dns1 is known to be a string. So the correct use of my example should be:

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs ([array]$('dns2')) -Alias multiNameCert

or in your case:

New-ACMECertificate YBA -Generate -AlternativeIdentifierRefs ([array]$('cdn')) -Alias YBAcdn_cert

The change here is to put quotes (single or double it doen't matter) around the alias name. I've corrected the example in my original reply.

It could equally be:

$cdn = cdn New-ACMECertificate YBA -Generate -AlternativeIdentifierRefs ([array]$($cdn)) -Alias YBAcdn_cert

JulesWebb commented 8 years ago

@bseddon Thank you for the response.

Below if the cmd and new error I received. This is all very new to me so I appreciate your time and patience. Can you explain what is going on?

ps> New-ACMECertificate YBA -Generate -AlternativeIdentifierRefs ([array]$('cdn')) -Alias YBAcdn_cert

New-ACMECertificate : The given key was not present in the dictionary.At line:1 char:1

bseddon commented 8 years ago

Have you created the aliases 'YBA' and 'cdn'? That is, have you run through the sequence of commands for both 'YBA' and 'cdn':

New-ACMEIdentifier Complete-ACMEChallenge Submit-ACMEChallenge Update-ACMEChallenge

The error says a key value is missing. This is likely to be because either the alias 'YBA' does not exist or the alias 'cdn' does not exist (so they do not appear as keys in the ACMESharp identifiers collection). At the risk of stating something you already know, it's necessary that all domains that will appear in a single certificate have been separately validated using the sequence of commands above.

stanthewizzard commented 8 years ago

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs ([array]$('dns2')) -Alias multiNameCert

Worked perfectly for me If I have more is this syntax correct ?

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs ([array]$('dns2'),('dns3'),('dns4')) -Alias multiNameCert

Thanks

bseddon commented 8 years ago

It's just using standard PowerShell array syntax so that would be:

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs ([array]$('dns2','dns3','dns4')) -Alias multiNameCert

Of course if you are typing this in by hand then when there is more than one you don't need this extra syntax as the following will work:

New-ACMECertificate dns1 -Generate -AlternativeIdentifierRefs dns2,dns3,dns4 -Alias multiNameCert

PowerShell knows that more than one 'thing' separated by a comma is an array of things and will pass this array to the command. The problem with just one alternative identifier is that PowerShell assumes that the value passed is a string which caused the original failure.

stanthewizzard commented 8 years ago

OK thanks :)

JulesWebb commented 8 years ago

@bseddon RE: Have you created the aliases 'YBA' and 'cdn'?

That was it. I didn't understand I would need to go through the same steps for 'cdn'

I thought that AlternativeIdentifierRefs were for subdomains. Is this assumption incorrect?

Below is an example from the certificate. I was surprised to see that the AlternativeIdentifierRefs was a repeat of the domain name. I thought they were a way to accomplish the same idea as a wildcard ssl.

IdentifierDns : mysite.com AlternativeIdentifierDns : {mysite.com}

Appreciate your help understanding how it all works! Jules

bseddon commented 8 years ago

@JulesWebb Let's Encrypt does not support wildcard certificates. Each additional domain that will appear in the certificate must be verified separately and then included as an alternative reference. The additional domains may be sub-domains or they may be completely different domains.

The certificate for one of my sites (www.wproute.com) also has an alternative (www.wproute.co.uk) so I'm able to use one valid certificate. The main domain (www.wproute.com) also appears in the AlternativeIdentifierDns field with the additional domain.

JulesWebb commented 8 years ago

@bseddon Okay, so I should have set up my cdn New-ACMEIdentifier similar to below

New-ACMEIdentifier -Dns cdn.mysite.com -Alias cdn

Since I've made a couple of New-ACMEIdentifier incorrectly, is there a way to revise or delete the ones done incorrectly?

Thank you for taking the time to clarify things for me! Jules

bseddon commented 8 years ago

There is no way to remove existing identifiers (see this thread #102). The reason is that the local aliases are copies of the information held on the Let's Encrypt servers. If you really, really want to delete the existing aliases, at least locally, your best best is to delete the vault and start over. However, it's not really necessary. Just use a different alias. You have to regenerate certificates every 60 days anyway and you do that by using new, unique, aliases so you will need a new set of aliases then.

I use the date to make a unique alias. This doesn't work so well when you are getting started and need many unique aliases on the same day (I know I did)! You can see an example in the note about my script to automate the whole process (#76), In the description there's an example of using PowerShell to generate a usable date string.

JulesWebb commented 8 years ago

@bseddon Thank you for all your feedback. Your youtube video is how I found ACMESharp.

I was able to successfully create and export the certs for my domain with the cdn subdomain.

Thank you! jules

nickg8osh commented 8 years ago

I have come to this thread a few hours too late! My get-a-round is to duplicate the one alternative identifier reference I need as below: New-ACMECertificate dns4 -Generate -AlternativeIdentifierRefs dns2,dns2 -Alias myMultiNameCert104

Thanks Nick

ghost commented 8 years ago

@bseddon I'm having issues: when I validate the first one is find, but when i validate the second and third dns identifier.. it says invalid. im not sure what's going on or am i doing it wrong.

  1. Import-Module ACMESharp
  2. Import-Module ACMESharp\ACMESHARP-IIS
  3. Initialize-ACMEVault
  4. New-ACMERegistration -Contacts mailto:soemting@email.com -AcceptTos
  5. New-ACMEIdentifier -Dns www.ichirolu.com -Alias dns1-07182016
  6. Complete-ACMEChallenge dns1-07182016 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'ichirolu.com' }
  7. Submit-ACMEChallenge dns1-07182016 -ChallengeType http-01
  8. Update-ACMEIdentifier dns1-07182016 -ChallengeType http-01
  9. Update-ACMEIdentifier dns1-07182016 Valid
  10. New-ACMEIdentifier -Dns panel.ichirolu.com -Alias dns2-07182016
  11. Complete-ACMEChallenge dns2-07182016 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'ichirolu.com' }
  12. Submit-ACMEChallenge dns2-07182016 -ChallengeType http-01
  13. Update-ACMEIdentifier dns2-07182016 -ChallengeType http-01
  14. Update-ACMEIdentifier dns2-07182016 INVALID
  15. New-ACMEIdentifier -Dns mysql.ichirolu.com -Alias dns3-07182016
  16. Complete-ACMEChallenge dns3-07182016 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'ichirolu.com' }
  17. Submit-ACMEChallenge dns3-07182016 -ChallengeType http-01
  18. Update-ACMEIdentifier dns3-07182016 -ChallengeType http-01
  19. Update-ACMEIdentifier dns3-07182016 Invalid
  20. New-ACMECertificate www.ichirolu.com -Generate -AlternativeIdentifierRefs ([array]$('dns2-07182016','dns3-07182016')) -Alias multiNameCert
  21. Update-ACMECertificate multiNameCert