
GenLeCertForNS New Update

Author
John Billekens
Technical Consultant | End User Computing

A lot of new users started using my script after I wrote my first blog article for Citrix. Since then I have made some improvements and keep adding new features. Today I released the latest version of my “GenLeCertForNS” script. In this version I fixed some issues and improved the overall speed (especially with larger orders).

Release Notes

  • FIXED: “ERROR: Could not create the order.”; While testing (thanks to RogerJulianErik and Andrew) we saw that updating the script wasn’t always the complete solution. Specifying the parameter “-CleanPoshACMEStorage” after updating the script fixed this issue completely. This will clean up the %LOCALAPPDATA%\Posh-ACME directory.
  • CHANGED: Removed the verbose logging; I didn’t like the output on screen, so I added a logging function that writes everything to a log file, resulting in cleaner output on screen. Specifying the “-Verbose” option no longer has any particular use.
  • CHANGED: Overall speed; Changed the internal process of configuring the Citrix ADC, thus improving the speed.
  • NEW: Version check to notify you if there is a new (dev) version available.

Sometimes I get the question: which name must I specify with the “-NSCertNameToUpdate” parameter? The name you need to specify is the name you entered when adding the certificate for the first time, the “Certificate-Key Pair Name”. You can now reuse this name by updating that object. By updating this certificate you don’t have to change the binding on each VIP.

Get the new version

Get the new version here: v2.6.3

Development

I’m still developing the script to add new features and improve it. If you experience issues, let me know; you can also check the dev channel and verify whether you still experience them there. The upcoming features currently in dev (v2.7.x):

  • NEW: Email functionality; The option to send a mail after the script is finished. Activated by specifying the “-SendMail” parameter; the following are also required: “-SMTPTo”, “-SMTPFrom”, “-SMTPServer” and, optionally if required, “-SMTPCredential”.
  • IMPROVED: “-NSCertNameToUpdate”; In previous versions you could only specify this parameter if you had an existing certificate you wanted to update. With the newer version you can always specify this parameter: if the certificate name doesn’t exist yet, it will be created.
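The following is an added example, not code from the GenLeCertForNS script, showing the idea behind “-NSCertNameToUpdate” from both sections above: updating an existing Certificate-Key Pair in place on the Citrix ADC (so the vServer bindings stay untouched) and creating it when the name does not exist yet. It assumes the NITRO v1 REST API on the management address (the URL is a placeholder), that the new certificate and key files have already been uploaded to /nsconfig/ssl/, and PowerShell 7 for the -SkipCertificateCheck switch.

```powershell
# Added example (not the GenLeCertForNS script): update or create a Citrix ADC
# certificate-key pair through the NITRO REST API. Assumes NITRO v1, the cert/key
# files already present under /nsconfig/ssl/, and PowerShell 7.
function Update-NSCertKeyPair {
    param(
        [Parameter(Mandatory)] [string] $ManagementUrl,   # placeholder, e.g. https://nsip.example.internal
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $CertKeyName,     # the "Certificate-Key Pair Name" on the ADC
        [Parameter(Mandatory)] [string] $CertFile,        # file name under /nsconfig/ssl/
        [Parameter(Mandatory)] [string] $KeyFile          # file name under /nsconfig/ssl/
    )
    # NITRO authenticates with these two headers; the password is only sent over HTTPS.
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
        'Content-Type' = 'application/json'
    }
    $base = "$ManagementUrl/nitro/v1/config/sslcertkey"

    # Check whether the certkey object already exists; NITRO answers HTTP 404 when it does not.
    $exists = $true
    try {
        $null = Invoke-RestMethod -Uri "$base/$CertKeyName" -Headers $headers -Method Get -SkipCertificateCheck
    } catch {
        if ($_.Exception.Response.StatusCode -eq 404) { $exists = $false } else { throw }
    }

    if ($exists) {
        # "update" swaps the cert/key behind the same object, so every binding keeps working.
        # nodomaincheck skips the ADC's check that the new cert's subject matches the old one.
        $body = @{ sslcertkey = @{ certkey = $CertKeyName; cert = $CertFile; key = $KeyFile; nodomaincheck = $true } }
        $null = Invoke-RestMethod -Uri "${base}?action=update" -Headers $headers -Method Post `
            -Body ($body | ConvertTo-Json -Depth 3) -SkipCertificateCheck
        Write-Host "Updated existing certkey '$CertKeyName'"
    } else {
        # Name not found: add it, as the dev version described above does.
        $body = @{ sslcertkey = @{ certkey = $CertKeyName; cert = $CertFile; key = $KeyFile } }
        $null = Invoke-RestMethod -Uri $base -Headers $headers -Method Post `
            -Body ($body | ConvertTo-Json -Depth 3) -SkipCertificateCheck
        Write-Host "Created new certkey '$CertKeyName'"
    }

    # Save the running configuration, otherwise the change is lost on the next reboot.
    $null = Invoke-RestMethod -Uri "$ManagementUrl/nitro/v1/config/nsconfig?action=save" `
        -Headers $headers -Method Post -Body '{"nsconfig":{}}' -SkipCertificateCheck
}
```

Because the update path keeps the object name, a single call replaces the certificate for every vServer bound to it; the add path is only taken when the name was never used before.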

Recently I had to configure a new NetScaler Citrix ADC for a new ShareFile Citrix Files deployment. Two Storage Zone Controllers load balanced via a Citrix ADC with a Content switch. Nothing out of the ordinary. It was when I activated the Office Online functionality on the Storage Zone Controller configuration page the error messages appeared. Each time as we tried to open an office document we got an error “Sorry, there was a problem and we can’t open this document. If this happens again, try opening the document in Microsoft Word.” for Word documents and “We couldn’t find the file you wanted. It’s possible the file was renamed, moved or deleted.” for Excel documents. I followed all the necessary checks as described in a Citrix Files Article. But everything turned out okay, it worked as expected. What could it be? As it turned out to be the NetScaler SSL configuration was configured to high!? I always want that A+ on SSL Labs, the same with this setup. It was when I reverted the Content Switch to it’s default SSL parameters (TLS1.0 and the default Cipher suite) that Office Online started functioning. It could not retrieve the documents from the Storage Zone Controllers and thus it gave me this error messages. Luckily I had a separate Content Switch for internal and external traffic. I only had to lower the SSL settings on the internal Content Switch, this is the Content Switch the Office Online server was communicating with. So I hope Microsoft will add support for TLS 1.2 in Office Online (and give it some updates)