rmbolger / Posh-ACME

PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
https://poshac.me/docs/latest/
MIT License

Question - Problems loading bouncy castle #555

Closed sqlegan closed 4 months ago

sqlegan commented 4 months ago

Hi, more of a question. I've used the script for a while now with no problem. But yesterday was the first time I ran on a new Windows 11 machine, I had a few problems which I sorted out but then got stuck on the Bouncy Castle assemblies, "Unable to find type [Org.BouncyCastle.Security.SecureRandom]." was the first of quite a few. I obviously read the Wiki here and checked the .NET version, which according to DotNetVersions.exe is Currently installed "classic" .NET Versions in the system: 4.0.0.0 4.8.09032

I then tried forcing the loading of the assembly in, this is my script

Add-Type -Path .\BC.Crypto.1.8.8.2-netstandard2.0.dll

$pArgs = @{
    WRPath     = 'C:\inetpub\Pauls\'
    APIToken   = $APIKey
    userName   = $user
    CPanelHost = $CPanelHost
}
New-PACertificate 'domains' -Verbose -Plugin WebRoot, CPanel -PluginArgs $pArgs -Force -DnsSleep 30

And it all worked fine.

I was just wondering why I needed to use the Add-Type and whether it might be my setup or Win 11 etc.

Thanks Paul

rmbolger commented 4 months ago

Hi @sqlegan, thanks for reaching out. It's been a while since I've seen this, but historically the reason Bouncy Castle doesn't get loaded is either because of restrictive PowerShell execution policies or because the module was installed directly via zip extract and the extracted files inherited the Mark of the Web tag from the downloaded zip. You can check a file by opening its properties dialog. If it's tagged, there should be a note at the bottom and an Unblock check box like this:

[image: file Properties dialog showing the security note and the Unblock check box]

I just checked on a relatively clean Win 11 box installing the module from PSGallery using Install-Module and it seems to load fine there.

sqlegan commented 4 months ago

Thanks for your reply. No, the file isn't flagged as above. I don't think I used Install-Module, I wonder if that has something to do with it. I can't remember exactly what I did as I had a few setup problems, but I think I just downloaded the release from GitHub and extracted it to the file system. It works fine when I do the Add-Type, so best not to spend too long thinking about it. Thanks for your help & work.

rmbolger commented 4 months ago

With the zip file install, it may very well be that MotW tag on the files. Here's a PowerShell one-liner you can use to strip it off the files if it happens to exist. It assumes the module has already been imported.

Get-ChildItem (Get-Module Posh-ACME).ModuleBase -Recurse | Unblock-File

Give that a try, then open a fresh PowerShell session, import the module, and try to use it without the explicit Add-Type call.
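A fuller version of the check described above, as an added example that is not part of this thread or of Posh-ACME itself: it lists which module files still carry a Mark-of-the-Web tag (stored as the NTFS Zone.Identifier alternate data stream), strips it when asked, shows the execution policies the maintainer mentioned as the other usual cause, and confirms that the type named in the original error resolves. It assumes Posh-ACME is installed and importable.

```powershell
# Added diagnostic script (not Posh-ACME code). Run without switches to report,
# or with -Unblock to strip the Mark-of-the-Web tag from the module's files.
param(
    [switch]$Unblock
)

Import-Module Posh-ACME -ErrorAction Stop
$base = (Get-Module Posh-ACME).ModuleBase

# Mark of the Web lives in the Zone.Identifier alternate data stream that
# browsers and Explorer attach to downloaded files (and that zip extraction
# propagates). ZoneId=3 (Internet) is what makes assembly loading refuse the DLL.
$tagged = Get-ChildItem -Path $base -Recurse -File |
    Where-Object {
        Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    } |
    ForEach-Object {
        $zone = (Get-Content -Path $_.FullName -Stream Zone.Identifier -Raw) -replace '\s+', ' '
        [pscustomobject]@{ File = $_.FullName; Zone = $zone.Trim() }
    }

if ($tagged) {
    Write-Host "Files tagged with Mark of the Web under ${base}:"
    $tagged | Format-Table -AutoSize
    if ($Unblock) {
        # Same operation as the one-liner above, limited to files that are actually tagged.
        $tagged | ForEach-Object { Unblock-File -Path $_.File }
        Write-Host "Tags removed. Open a fresh PowerShell session before importing the module again."
    }
} else {
    Write-Host "No Mark-of-the-Web tags found under $base."
}

# The other common cause: a restrictive execution policy at some scope.
Write-Host "Execution policies:"
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Finally, check whether the type from the original error message resolves.
# Loaded assemblies are per-session, so re-run this in a new session after unblocking.
$bcType = 'Org.BouncyCastle.Security.SecureRandom' -as [type]
if ($bcType) {
    Write-Host "Bouncy Castle is loaded from: $($bcType.Assembly.Location)"
} else {
    Write-Warning "Org.BouncyCastle.Security.SecureRandom is not resolvable in this session."
}
```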

sqlegan commented 4 months ago

Thanks Ryan, I think that has fixed it, although I was surprised it worked when I ran it against the staging server.

The reason for my surprise was I use dyn.org, I've had a paid account for years. I have an alias to my home network.

So to get my certificate for the dnsalias via dyn.org, I have NAT set up on my router to take it to my local IIS instance and I use the webroot plug-in, but the NAT rule on the router was disabled and IIS stopped, and it still worked. So I can't see how the ACME server can validate the challenge via http, or does it not bother to challenge every time, or does staging not validate every time?

I think everything is fine now, so please feel free to ignore so as to not waste any more of your time.

rmbolger commented 4 months ago

Both Staging and Prod (separately) cache previously successful validations for 30 days. So if you had previously gotten a cert for www.example.com and example.com and then a few days later from the same ACME account tried to get a new cert with the same names, it wouldn't need to re-validate those challenges and just go straight through to giving you the new cert.

sqlegan commented 4 months ago

Thanks for the info Ryan, that explains everything. Thanks for your help. Cheers Paul.