j81blog / GenLeCertForNS

This script helps you to create a Let's Encrypt certificate for your NetScaler
GNU General Public License v3.0
39 stars 16 forks

Having issue with config file for 3 certs, dns plugin and autorun. #16

Open olsonnn opened 10 months ago

olsonnn commented 10 months ago

Using godaddy dns validation

cert1 is going fine. Also with wildcard cert2:

NOTE: -CN or -SAN contains a wildcard entry, continuing with the "dns" validation method!
-CN........................: mydomain.eu
-SAN(s)....................: *.mydomain.eu
-Wildcard..................: A wildcard was found while also using the -AutoRun parameter. Only HTTP validation (no Wildcard) is allowed!

when running:

powershell -File "c:\LE\GenLeCertForNS.ps1" -AutoRun -ConfigFile 'c:\LE\GenLe-Config.json' -Production

Scratching my head for hours already...

olsonnn commented 10 months ago

Doh, the 2nd cert was not created initially. I'm still not sure what happens if the cert has to be renewed after 60 days with this config file.

olsonnn commented 8 months ago

Happens again...

Request 001 / 003

NOTE: -CN or -SAN contains a wildcard entry, continuing with the "dns" validation method!
-CN........................: company.eu
-SAN(s)....................: *.company.eu
-Wildcard..................: A wildcard was found while also using the -AutoRun parameter. Only HTTP validation (no Wildcard) is allowed!

Finished!

using: GenLeCertForNS.ps1 -AutoRun -ConfigFile '.\GenLe-Config.json' -Production

with a config file that has a dns section for godaddy and 3 certs. Any ideas what could be wrong? "You cannot use the dns validation method with the -AutoRun parameter!" When I remove -AutoRun it does not use the config file, as it's asking for params.

j81blog commented 7 months ago

Hi, can you set the logging on Debug and email me the full logfile? You can replace all the sensitive information.

olsonnn commented 7 months ago

Hi John,

So before I waste your time, why is this not possible: "You cannot use the dns validation method with the -AutoRun parameter!" I just don't understand this part.

Running in Task Scheduler: powershell.exe -File "c:\LE\GenLeCertForNS.ps1" -AutoRun -ConfigFile "c:\LE\GenLe-Config.json" -Production

genle-conf.json contains 3 domains in the proper format, but it already stops on the first one:

Thanks! Olaf

Debug:

INFO [CERTLOOP-001] **** 001 / 003 ****
2023-12-23 15:33:55:5265 DEBUG [CERTREQVARIABLES] Setting session DATE/TIME variable.
2023-12-23 15:33:55:5265 DEBUG [CERTREQVARIABLES] Session DATE/TIME variable value: "20231223-153355".
2023-12-23 15:33:55:5265 DEBUG [CERTREQVARIABLES] Session ID value: "20231223-153355_mydomain_eu".
2023-12-23 15:33:55:5421 INFO [DNSPRECHECK] -CN or -SAN contains a wildcard entry, continuing with the "dns" validation method!
2023-12-23 15:33:55:5577 INFO [DNSPRECHECK] CN: mydomain.eu
2023-12-23 15:33:55:5577 INFO [DNSPRECHECK] SAN(s): "*.mydomain.eu"
2023-12-23 15:33:55:5733 INFO [DNSPRECHECK] Continuing with the "dns" validation method!
2023-12-23 15:33:55:5733 DEBUG [DNSPRECHECK] ValidationMethod is set to: "dns".
2023-12-23 15:33:55:5733 ERROR [DNSPRECHECK] You cannot use the dns validation method with the -AutoRun parameter!
2023-12-23 15:33:55:5890 DEBUG [FINAL-ACTIONS] No ConfigFile was defined, nothing will be saved.
2023-12-23 15:33:55:5890 INFO [FINAL] Script Terminated, ExitCode: 0

j81blog commented 7 months ago

Ah, without extra settings (being able to change/add/remove TXT records) on your DNS provider account, -AutoRun doesn't make sense. HTTP validation (the fully automated one) only works with named records, not wildcards. When specifying wildcards, DNS validation must be used. And without the settings or options for automating your DNS provider, you must create the TXT records yourself. This requires interaction with the script: the script pauses at a certain point and presents you with the TXT records. You first have to create them and then continue the script. This is not possible with AutoRun. The script makes use of PoSH-ACME for interacting with LE, and PoSH-ACME supports a number of DNS providers (https://poshac.me/docs/v4/Plugins/AcmeDns/); if yours is in the list, it can be configured to run automatically.

olsonnn commented 7 months ago

John, thanks for your reply. My 'manual' batch file works with the option: SET OPTIONS=%OPTIONS% -DNSParams .

The solution then is to use 3 scheduled batch files (one for each domain) with the condition that each only runs if the current cert's expiry date is <30 days away. Then there is no need to use the config file or the AutoRun option.
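One way to implement the "only run if the cert expires in less than 30 days" condition from the last comment, as an added example that is not part of GenLeCertForNS or this thread. It reads the certificate the NetScaler currently serves over TLS rather than querying the appliance; the host name and the per-domain batch-file path are assumptions.

```powershell
# Added example: gate a scheduled renewal task on the served certificate's remaining lifetime.
# Assumes the vServer for $HostName answers TLS on $Port and that the batch file path is yours.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # The callback accepts any chain: we only read NotAfter here, we make no trust decision.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)   # SNI, so the right vServer cert is returned
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-RenewalDue {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$MinDaysLeft = 30
    )
    $cert = Get-ServedCertificate -HostName $HostName
    $daysLeft = [int][Math]::Floor(($cert.NotAfter.ToUniversalTime() - [DateTime]::UtcNow).TotalDays)
    [PSCustomObject]@{
        HostName = $HostName
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        DaysLeft = $daysLeft
        RenewNow = ($daysLeft -lt $MinDaysLeft)
    }
}

# One scheduled task per domain: only launch the per-domain batch file when renewal is due.
$status = Test-RenewalDue -HostName 'www.example.eu'      # hypothetical host name
Write-Host ("{0}: {1} day(s) left, renew now = {2}" -f $status.HostName, $status.DaysLeft, $status.RenewNow)
if ($status.RenewNow) {
    & 'c:\LE\renew-example-eu.cmd'                        # hypothetical batch file calling GenLeCertForNS.ps1
}
```

Because the check looks at the certificate actually bound on the vServer, a renewal that succeeded at Let's Encrypt but failed to bind on the NetScaler still shows up as "renew now", which is the case you want the task to catch.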