Question on Merge-PluginArgs.ps1 for non-windows OSes #114

Closed
phil-ioniq opened this issue Dec 7, 2018 · 3 comments

phil-ioniq commented Dec 7, 2018

Hi!

First, let me start by thanking you for this AWESOME LetsEncrypt client. I think you're the only one with azure dns integration out there and it saves a lot of headaches for automated deployments.

I'm now trying to run this inside a Docker container (based on mcr.microsoft.com/powershell:ubuntu-18.04, but tried multiple different base images with the same problem) and when the container starts I have an error about CRYPT32.dll (At /usr/local/share/powershell/Modules/Posh-ACME/3.0.1/Private/Merge-PluginArgs.ps1:59 char:15).

While doing some research I found this in the problematic file:

//# IMPORTANT: This function does not yet work on non-Windows OSes unless there is no
//# "secure" data in the hashtable. This is a known bug related to the SecureString
//# implementation (or lack thereof) on non-Windows. I'm tracking the issue via this
//# PowerShell issue:
//# PowerShell/PowerShell#1654

I was wondering if there was something you are aware of that could help me :)

Can you tell me what "hashtable" this is referring to?
Is this hashtable something I can clear before running the script to fix the problem?

If not, is there a flag I can pass to the request to bypass this and only use the plugin param values I provide in the command? (Didn't see any but you know that code better than I do :) )

Let me know if you need more info or if you know of something that could help me.

-Thanks!

rmbolger self-assigned this Dec 7, 2018

rmbolger (Owner) commented Dec 7, 2018

Unfortunately at the moment, the problem is that you can't use any "secure" plugin arguments on non-Windows platforms due to that bug I referenced in the code. Secure plugin arguments in this case are anything that is either a PSCredential or SecureString object. Most of the newer plugins have an "Insecure" equivalent which lets you pass the necessary data in as normal strings. The Azure plugin is complicated because there are multiple different ways to authenticate. But the one that uses AZAppCred is a PSCredential which is likely why you're hitting the problem and there's not currently an insecure equivalent.

However, adding it shouldn't be too hard. So I'll definitely do that.

Until that happens though, if your docker container is running within Azure, you might also try setting up a Managed Service Identity and then using the AZUseIMDS switch instead of AZAppCred. There are more details in the azure plugin readme.

rmbolger added the question (Further information is requested) label Dec 7, 2018

rmbolger (Owner) commented Dec 7, 2018

Ok. So there's now AZAppUsername and AZAppPasswordInsecure params you can use instead of AZAppCred which should work just fine on non-Windows OSes. Feel free to test the dev version if you want to check it right away or I should be able to push a new release to the gallery in the next few days.
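
The platform split described in the two comments above, as an added example that is not part of the original thread or of Posh-ACME's own code: it builds the Azure plugin arguments with `AZAppCred` on Windows, `AZAppUsername`/`AZAppPasswordInsecure` elsewhere, or `AZUseIMDS` when requested. The function name and the `AZ_*` environment variable names are assumptions; `AZSubscriptionId` and `AZTenantId` are the Azure plugin's other parameters, which the thread does not mention.

```powershell
# Added example: build Posh-ACME Azure plugin arguments per platform.
# Get-AzurePluginArgs and the AZ_* environment variable names are hypothetical.
function Get-AzurePluginArgs {
    [CmdletBinding()]
    param(
        [switch]$UseIMDS   # Managed Service Identity: no app secret is handled at all
    )

    # $IsWindows only exists on PowerShell Core; the Desktop edition is always Windows.
    $onWindows = ($PSVersionTable.PSEdition -ne 'Core') -or $IsWindows

    # Fail early with a clear message instead of passing empty values to the plugin.
    $required = @('AZ_SUBSCRIPTION_ID')
    if (-not $UseIMDS) { $required += 'AZ_TENANT_ID', 'AZ_APP_ID', 'AZ_APP_SECRET' }
    foreach ($name in $required) {
        if (-not [Environment]::GetEnvironmentVariable($name)) {
            throw "Required environment variable $name is not set."
        }
    }

    $pluginArgs = @{ AZSubscriptionId = $env:AZ_SUBSCRIPTION_ID }
    if ($UseIMDS) {
        $pluginArgs.AZUseIMDS = $true
        return $pluginArgs
    }
    $pluginArgs.AZTenantId = $env:AZ_TENANT_ID

    if ($onWindows) {
        # "Secure" argument: a PSCredential wrapping a SecureString.
        $secret = ConvertTo-SecureString $env:AZ_APP_SECRET -AsPlainText -Force
        $pluginArgs.AZAppCred = [pscredential]::new($env:AZ_APP_ID, $secret)
    }
    else {
        # Plain-string equivalents from this thread; the value is an ordinary
        # string here, not a SecureString.
        $pluginArgs.AZAppUsername         = $env:AZ_APP_ID
        $pluginArgs.AZAppPasswordInsecure = $env:AZ_APP_SECRET
    }

    # Drop the secret from this process's environment once it has been captured.
    Remove-Item Env:AZ_APP_SECRET
    return $pluginArgs
}

# Usage with Posh-ACME 3.x (the domain is a placeholder):
# New-PACertificate 'example.com' -DnsPlugin Azure -PluginArgs (Get-AzurePluginArgs)
```
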

phil-ioniq (Author) commented

Tested your dev version and it works!

Thanks!
