j81blog / GenLeCertForNS

This script helps you to create a Let's Encrypt certificate for your NetScaler
GNU General Public License v3.0

error when starting the program #2

Closed SBerg1980 closed 4 years ago

SBerg1980 commented 4 years ago

2020-04-10 12:22:15:1745 INFO SCRIPTBASICS Starting a new log
2020-04-10 12:22:15:2264 INFO DOTNETCHECK Checking if .NET Framework 4.7.1 or higher is installed.
2020-04-10 12:22:15:2454 INFO DOTNETCHECK .NET Framework 4.7.1 or higher is installed.
2020-04-10 12:22:15:2584 INFO SCRIPTVARIABLES ValidationMethod is set to: "http".
2020-04-10 12:22:15:2914 INFO SCRIPTVARIABLES PfxPassword was specified via parameter.
2020-04-10 12:22:15:3234 INFO SCRIPTVARIABLES Starting new session.
2020-04-10 12:22:15:3414 INFO VERSIONINFO Current script version: v2.6.3, checking if a new version is available.
2020-04-10 12:22:16:0710 INFO VERSIONINFO New version (v2.7.6) is available, check "https://github.com/j81blog/GenLeCertForNS/tree/dev".
2020-04-10 12:22:16:0867 INFO VERSIONINFO Version check finished.
2020-04-10 12:22:16:1023 INFO LOADMODULE Try loading the Posh-ACME v3.12.0 Modules.
2020-04-10 12:22:19:2131 INFO LOADMODULE v3.12.0 of Posh-ACME is installed, loading module.
2020-04-10 12:22:20:1022 INFO LOADMODULE Posh-ACME loaded successfully.
2020-04-10 12:22:20:1223 INFO ADC-CHECK Trying to login into the Citrix ADC.
2020-04-10 12:22:20:2743 INFO CONNECT-ADC Connecting to https://<**>...
2020-04-10 12:22:20:5505 INFO CONNECT-ADC Connected
2020-04-10 12:22:20:5715 INFO ADC-CHECK Connected to Citrix ADC https://<**>, as user nsroot, ADC Version NetScaler NS13.0: Build 52.24.nc
2020-04-10 12:22:20:6027 INFO CERTIFICATEPRECHECK Keysize: 2048
2020-04-10 12:22:20:6339 INFO DNSPRECHECK continuing with the "http" validation method!
2020-04-10 12:22:20:6831 INFO DNSPRECHECK Checking for double SAN values.
2020-04-10 12:22:20:7021 INFO DNSPRECHECK No double SAN values found.
2020-04-10 12:22:20:7718 INFO DNSPRECHECK Verifying Content Switch.
2020-04-10 12:22:20:8438 ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (404) Not Found.
2020-04-10 12:22:20:8598 ERROR DNSPRECHECK Error Verifying Content Switch.
Details: The remote server returned an error: (404) Not Found.
2020-04-10 12:22:20:8868 ERROR DNSPRECHECK The Content Switch "cs_domain.com_http" does NOT exist! Please make sure a HTTP Content Switch is available.
2020-04-10 12:22:20:9018 INFO FINAL Script Terminated, ExitCode: 1

j81blog commented 4 years ago

Looks like you have not specified a correct content switch name; you have the default value "cs_domain.com_http".

2020-04-10 12:22:20:8868 ERROR DNSPRECHECK The Content Switch "cs_domain.com_http" does NOT exist! Please make sure a HTTP Content Switch is available.

Please enter the correct name of your content switch.

SBerg1980 commented 4 years ago

Thanks, now I have got this:

2020-04-10 13:10:07:8683 INFO CHECKDNS DNS Validation & Verifying ADC config.
2020-04-10 13:10:07:8838 INFO CHECKDNS Testing if the Citrix ADC (Content Switch) is configured successfully by accessing URL: "http://start.vdbergfam.nl/.well-known/acme-challenge/XXXX" (via internal DNS).
2020-04-10 13:10:07:9150 ERROR CHECKDNS Internal check failed. Exception Message: The remote server returned an error: (403) Forbidden.
2020-04-10 13:10:07:9438 WARN CHECKDNS Test (Int. DNS): Not successful, maybe not resolvable externally?
2020-04-10 13:10:07:9638 INFO CHECKDNS Checking if Public IP is available for external DNS testing.
2020-04-10 13:10:07:9838 INFO CHECKDNS Testing if the Citrix ADC (Content Switch) is configured successfully by accessing URL: "http://start.vdbergfam.nl/.well-known/acme-challenge/XXXX" (via external DNS).
2020-04-10 13:10:08:0078 ERROR CHECKDNS External check failed. Exception Message: The remote server returned an error: (403) Forbidden.
2020-04-10 13:10:08:0238 WARN CHECKDNS Test (Ext. DNS): Not successful, maybe not resolvable externally?
2020-04-10 13:10:08:0448 INFO CHECKDNS Finished the tests, script will continue.
2020-04-10 13:10:08:0598 INFO ORDERVALIDATION Configuring the ADC Responder Policies/Actions required for the validation.
2020-04-10 13:10:08:0908 INFO ORDERVALIDATION New validation required for "start.vdbergfam.nl", Start configuring the ADC.
2020-04-10 13:10:08:1492 INFO ORDERVALIDATION Add Responder Action "rsa_letsencrypt_10" to return "HTTP/1.0 200 OK\r\n\r\naC4xRCiOXEBzp9s0NviJ1N8Sl1IZFxoworm2A7LcMxw.9h5MQV3BOHNrRrLz3rUtaKmtyaXTgGMoVY7NrV1RJcc".
2020-04-10 13:10:08:1804 INFO ORDERVALIDATION Responder Action added successfully.
2020-04-10 13:10:08:1961 INFO ORDERVALIDATION Add Responder Policy "rsp_letsencrypt_10" to: "HTTP.REQ.URL.CONTAINS(".well-known/acme-challenge/aC4xRCiOXEBzp9s0NviJ1N8Sl1IZFxoworm2A7LcMxw")"
2020-04-10 13:10:08:2273 INFO ORDERVALIDATION Responder Policy added successfully.
2020-04-10 13:10:08:2429 INFO ORDERVALIDATION Trying to bind the Responder Policy "rsp_letsencrypt_10" to LoadBalance VIP: "lb_letsencrypt_cert"
2020-04-10 13:10:08:3697 INFO ORDERVALIDATION Responder Policy successfully bound to Load Balance VIP.
2020-04-10 13:10:08:3837 INFO ORDERVALIDATION Sending acknowledgment to Let's Encrypt.
2020-04-10 13:10:08:6024 INFO ORDERVALIDATION Successfully send.
2020-04-10 13:10:08:6349 INFO ORDERVALIDATION Retrieving validation status.
2020-04-10 13:10:14:5398 INFO ORDERVALIDATION Still 0 "pending" items left. Waiting an extra 5 seconds.
2020-04-10 13:10:14:9775 ERROR ORDERVALIDATION Unfortunately there are invalid items.
2020-04-10 13:10:15:0047 ERROR ORDERVALIDATION Failed Records:
fqdn status expires HTTP01Status DNS01Status
start.vdbergfam.nl invalid 2020-04-17T11:10:01Z invalid

2020-04-10 13:10:15:0884 INFO FINAL There are some items invalid
2020-04-10 13:10:15:1024 INFO FINAL Script Terminated, ExitCode: 1

j81blog commented 4 years ago

Is your content switch reachable via internet on port 80 (HTTP)? Looks like Let's Encrypt cannot validate the record.

SBerg1980 commented 4 years ago

Yes, I have created a NAT rule that forwards port 80 to the IP address of the NetScaler. When I go to the page I see the NetScaler login page. Or must I forward it to the Subnet IP?

j81blog commented 4 years ago

No, never the SNIP :-) You need to NAT port 80 to a Content Switch VIP IP on port 80 (HTTP). Looks like you only have a NAT for 443 (HTTPS) and not for 80 (HTTP) when I test the URL.

SBerg1980 commented 4 years ago

Thank you for your help. I changed the Content Switch to a VIP and now it's working. It's correct that when you go to the URL it goes to HTTPS; I had changed the NAT.
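The failures in this thread (a 403 from the wrong target, port 80 not NATed to the Content Switch VIP, and an HTTPS redirect on port 80) can all be told apart by fetching the HTTP-01 challenge URL from outside without following redirects. The following is an added, stand-alone pre-check written for this thread, not code from GenLeCertForNS or Posh-ACME; the hostname, token and key-authorization values in the block are constructed placeholders.

```python
import http.client
from typing import Dict, Tuple

WELL_KNOWN = "/.well-known/acme-challenge/"


def classify(status: int, headers: Dict[str, str], body: str, keyauth: str) -> Tuple[str, str]:
    """Map one HTTP answer for the challenge URL to a verdict plus a hint.

    The hints follow the failure modes seen in this thread: 404/403 means the
    responder policy on the ADC never fired for this request, and a redirect to
    HTTPS means port 80 is not landing on the HTTP Content Switch VIP.
    """
    location = headers.get("location", "")
    if 300 <= status < 400:
        if location.lower().startswith("https://"):
            return "REDIRECT_TO_HTTPS", "port 80 is answered by something forcing HTTPS; NAT 80 to the CS VIP"
        return "REDIRECT", f"unexpected redirect to {location!r}"
    if status == 404:
        return "NOT_FOUND", "nothing answered this path; check the Content Switch name and VIP"
    if status == 403:
        return "FORBIDDEN", "a service denied the path; the responder policy is not bound where port 80 lands"
    if status != 200:
        return "UNEXPECTED_STATUS", f"HTTP {status}"
    if body.strip() != keyauth:
        return "WRONG_BODY", "200 but body is not the key authorization (token.thumbprint)"
    return "OK", "responder action returns the expected key authorization"


def check_http01(fqdn: str, token: str, keyauth: str, timeout: float = 5.0) -> Tuple[str, str]:
    """GET http://<fqdn>/.well-known/acme-challenge/<token> on TCP/80, no redirects followed."""
    conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
    try:
        conn.request("GET", WELL_KNOWN + token, headers={"Host": fqdn, "User-Agent": "http01-precheck"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers, body, keyauth)
    except OSError as exc:  # DNS failure, connection refused or timeout all land here
        return "UNREACHABLE", f"no TCP/80 answer from {fqdn}: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed placeholder values; a real run uses the FQDN and token of the pending order.
    verdict, hint = check_http01("start.example.invalid", "TOKEN_PLACEHOLDER", "TOKEN_PLACEHOLDER.THUMBPRINT_PLACEHOLDER")
    print(verdict, hint)
```

Run it from a host outside the NAT, since the script's own "via external DNS" test can still be answered by the internal path.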