GenLeCertForNS New Update 12


A lot of new users used my script after writing  my first blog article for Citrix. Since then I made some improvements and continuing to add new features.

Today I released the latest version of my “GenLeCertForNS” script. Within this version I solved some issues and improved the overall speed (especially with larger orders).

Release Notes

  • FIXED: “ERROR: Could not create the order.”; While testing (thanks to RogerJulianErik and Andrew) we saw that updating the script wasn’t always the complete solution. Specifying the parameter “-CleanPoshACMEStorage” after updating the script helped fixing this issue completely. This will cleanup the %LOCALAPPDATA%\Posh-ACME directory.
  • CHANGED: Removed the verbose logging; I didn’t liked the output to screen. Therefore I added a logging function to write everything to a log file. Resulting in a cleaner output to the screen. Specifying the “-Verbose” option has no particular use anymore.
  • CHANGED: Overall speed; Changed internal process of configuring the Citrix ADC thus improving the speed.
  • NEW: Version check to notify you if there is a new (dev) version available:

Sometimes I get the question, which name must I specify with the “-NSCertNameToUpdate” parameter?

The name you need to specify is the name you entered when adding the certificate for the first time “Certificate-Key Pair Name“, now you can reuse this name by updating this object. By updating this certificate you don’t have to change the binding on each VIP.

Get the new version

Get the new version here: v2.6.3

Development

I’m still developing the script to add new features an improve it. If you experience issues let me know, you can also check the dev channel and verify if you still experience it.

The upcoming features currently in dev (v2.7.x):

  • NEW: Email functionality; The option to send a mail after the script is finished. Activated by specifying the “-SendMail” parameter and the following are also required: “-SMTPTo, -SMTPFrom, SMTPServer and optionally if required -SMTPCredential
  • IMPROVED: “-NSCertNameToUpdate”; In previous versions you could only specify this parameter if you had an existing certificate you wanted to update. With newer version you can specify this parameter. If the certificate name doesn’t yet exists it will be created.

Leave a Reply to Peter Cancel reply

Your email address will not be published. Required fields are marked *

12 thoughts on “GenLeCertForNS New Update

  • Peter

    Hi John,

    I found your excellent write up and powershell scripts to help automate SSL cert orders and renewals with LetsEncrypt. Despite the clear instructions, I ended up spending two whole days trying to get around below issue. Reaching out to you now to see if you can help decipher this:

    I have a valid domain that has public DNS A record.
    When I run the script, I get below error:
    VERBOSE: Using public DNS server (OpenDNS, 1.1.1.1) to verify dns records
    VERBOSE: Trying to get IP Address
    VERBOSE: Error Details: ERROR: No valid entry found for DNSName:”domain.com”

    When I run the script with ‘-DisableIPCheck’, it also fails with below error:
    ERROR CONFIGUREADC Failed to remove. Exception Message: The remote server returned an error: (409) Conflict.
    ERROR INVOKE-ADCRESTAPI Caught an error. Exception Message: The remote server returned an error: (409) Conflict.

    Appreciate any input to help get this resolved.

    Thanks.

    • John Billekens Post author

      Hi Peter,

      Can you send me the logfile, than I can take a closer look. john (at) j81.nl

  • Petr

    Dear John .
    I will use your script to generate certificates. Thank you for your work.
    My certificates are generated in the format (yeardaytime) 202003290035-name.domane.com, so you have to manually specify them again for each VIP. How can I fix this?

    Petr

    • John Billekens Post author

      Hi Petr,

      You can specify the -NSCertNameToUpdate parameter. Just specify this parameter with the name of an existing certificate entry (that is bound to the vips). The script will use configure this entry with the updated certificate. Ans wil the latest version of the script. If the name does not exists it will create a new entry with the name specified.

  • Konstantin

    Hi John,
    Thank you so much for your work!
    Your scripts help a lot. I also use your script for the ADC backup.
    When using the current script, I noticed that if AAAA DNS is used, the validation of the domain fails.
    2020-06-09 21:23:20:5908 INFO ORDERVALIDATION Retrieving validation status.
    2020-06-09 21:23:27:1102 INFO ORDERVALIDATION Still 0 “pending” items left. Waiting an extra 5 seconds.
    2020-06-09 21:23:27:9097 ERROR ORDERVALIDATION Unfortunately there are invalid items.
    2020-06-09 21:23:27:9209 ERROR ORDERVALIDATION Failed Records:
    fqdn status expires HTTP01Status DNS01Status
    —- —— ——- ———— ———–
    address.ru invalid 2020-06-16T18:23:12Z invalid
    http://www.address.ru invalid 2020-06-16T18:23:12Z invalid

    2020-06-09 21:23:28:0937 INFO FINAL There are some items invalid
    2020-06-09 21:23:28:0957 INFO FINAL Script Terminated, ExitCode: 1
    As soon as I remove the DNS AAAA record then the certificate is created successfully. Do I understand correctly that this is a limitation of let’sencrypt service and IPv6 address or can this difficulty be corrected?

    Thanks.

  • David

    Hi John – this looks great.

    We are not using content switching, and just using Gateway virtual servers for simple deployment.

    In principle can we stick a similar responder policy on the gateway VS’s to respond to the LetsEncrypt validation request?

    Or will we need to have a content switch put in front of the gateway VS’s?

    Thanks.

    David

    • John Billekens Post author

      Hi David,
      thank you.
      Great question!
      This isn’t normally an issue as the gateway is a SSL vip and for LE you’ll need a HTTP vip. Those can just exist next to each other. So what I would suggest is that you create a separate content switch vip with the same IP as your Gateway vip but on HTTP (80). You then can use this CS vip (specify this exact name in de commandline of the script) for your LE requests. (Added bonus for a http vip with same IP as gateway, you can also use this CS vip for redirection http to https by applying a responder policy/action)

  • Petr

    Dear John
    How setup parameters -SMTPTo, -SMTPFrom, -SMTPServer ,-SMTPCredential for using gmail smtp.gmail.com ?
    Thanks
    Petr

    • John Billekens Post author

      I had to make a change to allow changing of the (defautl) port and to use SSL. I’ve tested it with Gmail. These parameters should help.
      Please use my latest dev version for this
      $Credential = Get-Credential
      "-SendMail -SMTPTo userto@gmail.com -SMTPFrom userfrom@gmail.com -SMTPServer smtp.gmail.com -SMTPUseSSL -SMTPCredential $Credential -SMTPPort 587"