GenLeCertForNS New Update

A lot of new users used my script after I wrote my first blog article for Citrix. Since then I have made some improvements and I am continuing to add new features.

Today I released the latest version of my “GenLeCertForNS” script. Within this version I solved some issues and improved the overall speed (especially with larger orders).

Release Notes

  • FIXED: “ERROR: Could not create the order.”; While testing (thanks to RogerJulianErik and Andrew) we saw that updating the script wasn’t always the complete solution. Specifying the parameter “-CleanPoshACMEStorage” after updating the script helped fix this issue completely. This will clean up the %LOCALAPPDATA%\Posh-ACME directory.
  • CHANGED: Removed the verbose logging; I didn’t like the output to screen. Therefore I added a logging function to write everything to a log file, resulting in a cleaner output to the screen. Specifying the “-Verbose” option has no particular use anymore.
  • CHANGED: Overall speed; Changed the internal process of configuring the Citrix ADC, thus improving the speed.
  • NEW: Version check to notify you if there is a new (dev) version available.

Sometimes I get the question: which name must I specify with the “-NSCertNameToUpdate” parameter?

The name you need to specify is the one you entered as the “Certificate-Key Pair Name” when adding the certificate for the first time. You can reuse this name by updating this object. By updating this certificate you don’t have to change the binding on each VIP.

Get the new version

Get the new version here: v2.6.3


I’m still developing the script to add new features and improve it. If you experience issues, let me know. You can also check the dev channel and verify whether you still experience them there.

The upcoming features currently in dev (v2.7.x):

  • NEW: Email functionality; The option to send a mail after the script is finished. Activated by specifying the “-SendMail” parameter. The following are also required: “-SMTPTo”, “-SMTPFrom”, “-SMTPServer” and, optionally if required, “-SMTPCredential”.
  • IMPROVED: “-NSCertNameToUpdate”; In previous versions you could only specify this parameter if you had an existing certificate you wanted to update. With the newer version you can always specify this parameter. If the certificate name doesn’t exist yet, it will be created.


6 thoughts on “GenLeCertForNS New Update”

  • Peter

    Hi John,

    I found your excellent write-up and PowerShell scripts to help automate SSL cert orders and renewals with LetsEncrypt. Despite the clear instructions, I ended up spending two whole days trying to get around the issue below. Reaching out to you now to see if you can help decipher this:

    I have a valid domain that has a public DNS A record.
    When I run the script, I get the error below:
    VERBOSE: Using public DNS server (OpenDNS, to verify dns records
    VERBOSE: Trying to get IP Address
    VERBOSE: Error Details: ERROR: No valid entry found for DNSName:””

    When I run the script with ‘-DisableIPCheck’, it also fails with the error below:
    ERROR CONFIGUREADC Failed to remove. Exception Message: The remote server returned an error: (409) Conflict.
    ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (409) Conflict.

    Appreciate any input to help get this resolved.


    • John Billekens Post author

      Hi Peter,

      Can you send me the logfile, then I can take a closer look. john (at)

  • Petr

    Dear John,
    I will use your script to generate certificates. Thank you for your work.
    My certificates are generated in the format (yeardaytime), so you have to manually specify them again for each VIP. How can I fix this?


    • John Billekens Post author

      Hi Petr,

      You can specify the -NSCertNameToUpdate parameter. Just specify this parameter with the name of an existing certificate entry (that is bound to the VIPs). The script will configure this entry with the updated certificate. And with the latest version of the script, if the name does not exist it will create a new entry with the name specified.

  • Konstantin

    Hi John,
    Thank you so much for your work!
    Your scripts help a lot. I also use your script for the ADC backup.
    When using the current script, I noticed that if AAAA DNS is used, the validation of the domain fails.
    2020-06-09 21:23:20:5908 INFO ORDERVALIDATION Retrieving validation status.
    2020-06-09 21:23:27:1102 INFO ORDERVALIDATION Still 0 “pending” items left. Waiting an extra 5 seconds.
    2020-06-09 21:23:27:9097 ERROR ORDERVALIDATION Unfortunately there are invalid items.
    2020-06-09 21:23:27:9209 ERROR ORDERVALIDATION Failed Records:
    fqdn status expires HTTP01Status DNS01Status
    —- —— ——- ———— ———– invalid 2020-06-16T18:23:12Z invalid invalid 2020-06-16T18:23:12Z invalid

    2020-06-09 21:23:28:0937 INFO FINAL There are some items invalid
    2020-06-09 21:23:28:0957 INFO FINAL Script Terminated, ExitCode: 1
    As soon as I remove the DNS AAAA record, the certificate is created successfully. Do I understand correctly that this is a limitation of the Let’s Encrypt service and IPv6 addresses, or can this difficulty be corrected?
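
The two DNS-related failures reported in the comments above (no record found for a name, and validation failing while an AAAA record exists) can be checked before an order is placed. Let's Encrypt prefers the IPv6 address for validation when a name has both A and AAAA records, so an AAAA record that does not reach the ADC matters. The following is an added example, not code from GenLeCertForNS or its author; the function name, its parameters and the sample records are hypothetical.

```powershell
# Added example, not part of GenLeCertForNS. Function name, parameters and
# sample data are hypothetical; addresses come from documentation ranges.
function Test-AcmeDnsReadiness {
    param(
        [Parameter(Mandatory)][string[]]$DnsName,
        # Public IPv4/IPv6 addresses that actually reach the validation VIP
        [Parameter(Mandatory)][string[]]$ExpectedAddress,
        [string]$Resolver = '208.67.222.222',   # OpenDNS public resolver
        [object[]]$Records                      # pre-fetched records for offline runs
    )
    $expected = @($ExpectedAddress | ForEach-Object { ([ipaddress]$_).ToString() })
    foreach ($name in $DnsName) {
        if ($PSBoundParameters.ContainsKey('Records')) {
            $found = @($Records | Where-Object { $_.Name -eq $name })
        } else {
            # Live lookup; keep only address records (drops CNAME/SOA answers)
            $found = @(foreach ($type in 'A', 'AAAA') {
                Resolve-DnsName -Name $name -Type $type -Server $Resolver -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq $type }
            })
        }
        # Normalise so different spellings of one IPv6 address compare equal
        $addresses  = @($found | ForEach-Object { ([ipaddress]"$($_.IPAddress)").ToString() })
        $unexpected = @($addresses | Where-Object { $_ -notin $expected })
        $status = 'OK'
        if ($unexpected.Count -gt 0) { $status = 'Mismatch' }   # e.g. stale AAAA record
        if ($addresses.Count -eq 0)  { $status = 'NoRecord' }   # name does not resolve publicly
        [pscustomobject]@{
            DnsName    = $name
            Status     = $status
            Addresses  = $addresses -join ', '
            Unexpected = $unexpected -join ', '
        }
    }
}

# Constructed sample: www has an AAAA record the VIP does not serve, old has no records
$sample = @(
    [pscustomobject]@{ Name = 'vpn.example.com'; Type = 'A';    IPAddress = '203.0.113.10' }
    [pscustomobject]@{ Name = 'www.example.com'; Type = 'A';    IPAddress = '203.0.113.10' }
    [pscustomobject]@{ Name = 'www.example.com'; Type = 'AAAA'; IPAddress = '2001:db8::99' }
)
Test-AcmeDnsReadiness -DnsName 'vpn.example.com', 'www.example.com', 'old.example.com' `
    -ExpectedAddress '203.0.113.10' -Records $sample | Format-Table -AutoSize
```

Omit `-Records` to query the resolver live; any name reported as `Mismatch` or `NoRecord` should be fixed in DNS before the certificate order is started.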