Improved Powershell script for Let’s Encrypt certificate renewals

In my previous article about Let’s Encrypt certificates, Use Let’s Encrypt free certificates in Windows for Veeam Cloud Connect, I explained the basics of Let’s Encrypt and how to use its certificates on a Windows machine with the ACMESharp libraries and PowerShell. I then found out that the previous script had a problem with renewals, so I went on to fix it.
UPDATE 2019-01-29: If you are looking for complete automation using AWS Route53 DNS services, read the blog post about Version 3 of this script here.

Certificate renewal and identifier renewal

Simply renewing the certificate itself is not enough. In fact, I found out that not only does the certificate expire in 90 days, but the domain ownership proof at Let’s Encrypt also expires every 30 days, so its identifier and the related challenge expire too and we have to renew them as well; otherwise the challenge for the certificate will never be completed. To do so, I added a new part to the code:


So, what do we do now? In the variables, we now have a dynamic “Alias” instead of a fixed name. This is because a new identifier has to be created each time, so we use the date as a dynamic value to build a unique alias. This alias is then used to create a new identifier that points to the same DNS record. Once executed, the output gives us the new DNS TXT record:
We have to pause the script and go to our DNS server to update the Resource Record. As you may notice, the RR name is the same as in the previous article, but it has a new value, and this value changes each time a new challenge is started. Once the DNS has been updated, the script can be completed. But any attempt to copy the RR value from the PowerShell window would have required hitting ENTER to copy the highlighted text, and that ENTER would have resumed the script, leading to a failure because the DNS record had not yet been updated. So I added a different solution using these lines:
# Request the dns-01 challenge for the new identifier and write the challenge details to a text file
(Update-ACMEIdentifier $alias -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"} > challenge.txt
# Keep only the resource-record lines (the ones prefixed "RR ") so the popup shows just the DNS record
$RRtext = Select-String challenge.txt -Pattern "RR " -CaseSensitive | Select-Object Line | Out-String
Add-Type -AssemblyName System.Windows.Forms  # load Windows Forms so MessageBox is available, then pause until the DNS has been updated
$msgBoxInput = [System.Windows.Forms.MessageBox]::Show($RRtext, 'Update your DNS with this TXT record, Use CTRL+C to get the text', 'OK', 'Information')
The challenge output is written to a text file, which is then filtered on the “RR ” pattern, so that only the three lines we need are shown in the popup box:
In this way, a simple CTRL+C grabs the text so we can update our DNS record; we then go back to the script, hit OK, and the rest of the script is executed.
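Putting the pieces of this section together, here is an added example (not the article's own script) that creates the dated alias and identifier, shows the TXT record in the popup, and then goes one step beyond the article by waiting for Let’s Encrypt to actually mark the identifier valid before continuing. It assumes the ACMESharp module and an initialised vault from the previous article; the domain name and the alias format are placeholders.

```powershell
# Added example: renew the dns-01 identifier with a dated alias, show the TXT record,
# then poll until Let's Encrypt reports the identifier valid (or invalid) before moving on.
# Assumes the ACMESharp module is installed and the vault is already initialised.
Import-Module ACMESharp
Add-Type -AssemblyName System.Windows.Forms

$domain = 'cloudconnect.example.com'                      # placeholder domain name
$alias  = "$domain-$(Get-Date -Format 'yyyyMMdd-HHmm')"   # unique alias per run, as the article describes

# Each run registers a fresh identifier for the same DNS name and asks for a dns-01 challenge.
New-ACMEIdentifier -Dns $domain -Alias $alias | Out-Null
Complete-ACMEChallenge $alias -ChallengeType dns-01 -Handler manual | Out-Null

# Keep only the resource-record lines (name, type, value) so they can be copied with CTRL+C.
$challengeText = (Update-ACMEIdentifier $alias -ChallengeType dns-01).Challenges |
    Where-Object { $_.Type -eq 'dns-01' } | Out-String
$RRtext = ($challengeText -split "`r?`n" |
    Select-String -Pattern 'RR ' -CaseSensitive |
    ForEach-Object { $_.Line }) -join "`r`n"
[System.Windows.Forms.MessageBox]::Show($RRtext,
    'Update your DNS with this TXT record, Use CTRL+C to get the text', 'OK', 'Information') | Out-Null

# After OK: ask Let's Encrypt to verify the record, then poll the identifier status.
Submit-ACMEChallenge $alias -ChallengeType dns-01 | Out-Null
$status = 'pending'
for ($i = 0; $i -lt 12 -and $status -eq 'pending'; $i++) {
    Start-Sleep -Seconds 10
    $status = (Update-ACMEIdentifier $alias).Status
}
if ($status -ne 'valid') {
    # Stop here rather than requesting a certificate against an identifier that was never validated.
    throw "Identifier $alias is '$status'; check that the TXT record has propagated and retry."
}
Write-Host "Identifier $alias is valid; the certificate can now be requested with New-ACMECertificate."
```

The polling loop is the part the article leaves implicit: without it, a typo in the TXT record or slow DNS propagation only shows up later as a failed certificate request rather than as a clear error at the identifier step.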