IIS instructions #111

Open
Daniel15 opened this Issue Dec 1, 2018 · 2 comments

Daniel15 commented Dec 1, 2018

Thanks for working on this project!

Is there any documentation about how to use Posh-ACME with IIS? That is, automatically setting the certificate for the site on creation and renewal.

@rmbolger rmbolger self-assigned this Dec 1, 2018

@rmbolger rmbolger added the question label Dec 1, 2018


Owner

rmbolger commented Dec 1, 2018

So I started a sister project to this one a while ago, Posh-ACME.Deploy, intended to provide a bunch of functions that take the cert output objects from Posh-ACME and install them into various Windows services such as IIS. But I haven't gotten around to actually making an actual release yet. IIS TLS bindings in particular are annoyingly complicated and I'm gonna need a lot more documentation written I think to make it easy to use.

That said, what's in the repository right now technically works at least according to the limited testing I've done with it so far. There are 3 functions included at the moment:

  • Set-IISCertificate
  • Set-RDGWCertificate
  • Set-RDSHCertificate

There's no official release, so you can either download the zip from GitHub and copy it to your Modules folder, or just use the development install instructions in the readme.

For IIS, you'd use it something like this:

New-PACertificate site1.example.com <more params as necessary> | Set-IISCertificate -SiteName "My Website"

In your scheduled task for renewals, it's basically the same thing except using Submit-Renewal:

Submit-Renewal site1.example.com | Set-IISCertificate -SiteName "My Website"

The defaults create a * binding on port 443 with no host header and SNI not enabled. You can override those defaults with the rest of the optional parameters (Get-Help Set-IISCertificate for details). There's also a -RemoveOldCert switch that will eventually remove old certs so your Windows cert store isn't clogged up with old expired certs. But it looks like I didn't get around to implementing it yet. There's also no support for the Certificate Central Store (CCS) feature, but I'm guessing that would be a separate function anyway.
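
A renewal script for the scheduled task described in the comment above, as an added example (not code from this thread or from Posh-ACME.Deploy): it skips deployment when no renewal is due and then checks that the default `*:443` binding actually serves the new certificate. It assumes the Posh-ACME, Posh-ACME.Deploy and WebAdministration modules are installed, that the task runs elevated under the account holding the Posh-ACME order, and that the site uses only the default binding; `$domain` and `$siteName` are the placeholder values from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: renew, deploy to IIS, then verify the binding.
Import-Module Posh-ACME
Import-Module Posh-ACME.Deploy
Import-Module WebAdministration

$domain   = 'site1.example.com'   # placeholder from the thread
$siteName = 'My Website'          # placeholder from the thread

# Submit-Renewal emits a certificate object only when a renewal happened;
# outside the renewal window it returns nothing, so there is nothing to deploy.
$cert = Submit-Renewal $domain -ErrorAction Stop
if (-not $cert) {
    Write-Output "No renewal due for $domain; IIS binding left unchanged."
    return
}

# Same pipeline as in the comment above; any failure stops the script.
$cert | Set-IISCertificate -SiteName $siteName -ErrorAction Stop

# Verify the result instead of trusting the deployment step:
# the default binding is '*' on port 443 with no host header.
$binding = Get-WebBinding -Name $siteName -Protocol https |
    Where-Object { $_.bindingInformation -eq '*:443:' }

if (-not $binding) {
    throw "No *:443 https binding found on site '$siteName'."
}
if ($binding.certificateHash -ne $cert.Thumbprint) {
    throw "Binding on '$siteName' uses $($binding.certificateHash), expected $($cert.Thumbprint)."
}

Write-Output "Site '$siteName' now serves $($cert.Thumbprint), valid until $($cert.NotAfter)."
```

An uncaught `throw` makes the script exit non-zero when it is run with `powershell.exe -File`, so a failed deployment shows up in the task's last run result rather than passing silently until the old certificate expires.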


Daniel15 commented Dec 3, 2018

Thanks, I'll try to take a look when I get some free time. I've been using win-acme, which works well but doesn't have the DNS integrations your script has, or support for wildcard domains. I'm using acme-dns for my DNS challenges. That's why I'm looking at Posh-ACME, since it supports that.
