
Problem starting over with renewal

Open Phydeauxman opened this issue 5 years ago • 2 comments

I am trying to implement an auto-renewal cert on my Azure Application Gateway using the info from the blog post below:

https://intelequia.com/blog/post/1012/automating-azure-application-gateway-ssl-certificate-renewals-with-let-s-encrypt-and-azure-automation

When trying to implement the actual auto-renewal piece, which is done using an Azure Automation Runbook (PowerShell), I ran into an issue. I tried using the Runbook as-is, and while the test run Completed, it actually failed to do the job. In an effort to figure out why it had failed, I copied the Runbook locally and stepped through the code a section at a time. Below is the block of code that I worked through:

Initialize-ACMEVault
New-ACMERegistration -Contacts mailto:$EmailAddress -AcceptTos
$AliasDns = "certificateAlias"
New-ACMEIdentifier -Dns $domain -Alias $AliasDns
(Complete-ACMEChallenge $AliasDns -ChallengeType http-01 -Handler manual).Challenge
$http01 = (Update-ACMEIdentifier $AliasDns -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}

# Add file blob to check DNS
$tmpPath = $env:TEMP + "\"
$pfxfile = $tmpPath + "certificate.pfx"
$FileContentStrIndex = $http01.HandlerHandleMessage.IndexOf("File Content:")
$FileContentSegments = $http01.HandlerHandleMessage.Substring($FileContentStrIndex + 15).Split(".")
$FileContentSegments[1] = $FileContentSegments[1].Substring(0, $FileContentSegments[1].IndexOf("]"))
$filePath = $tmpPath + $FileContentSegments[0]
$fileContent = $FileContentSegments[0] + "." + $FileContentSegments[1]
Set-Content -Value $fileContent -Path $filePath

$blobName = ".well-known\acme-challenge\" + $FileContentSegments[0]
$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $STResourceGroupName -Name $storageName
$ctx = $storageAccount.Context
Set-AzureStorageBlobContent -File $filePath -Container "public" -Context $ctx -Blob $blobName

Submit-ACMEChallenge $AliasDns -ChallengeType http-01 -Force
Update-ACMEIdentifier $AliasDns

When I ran the last line, the resultant output showed a Status of invalid. Looking through the code, I checked to make sure the file did get created and uploaded to the Azure Storage Account. I also checked that I could access the file from a browser using the URL that LE would use. The only thing I thought was maybe the file was not in ASCII format and that was causing the issue. Being a newbie to LE and ACME...I tried to re-create the file ensuring it was in ASCII format and re-run the Update-ACMEIdentifier line again. Doing that I learned that once an Identifier goes invalid...its lifespan is over and I need to start over. I just don't know how to start over from here. When I try to run the New-ACMEIdentifier line again...it gives me the error An item with the same key has already been added.

For additional information, below is an image of the error thrown when I tested the Runbook using the Automation Account:


Phydeauxman, Apr 09 '19 20:04

Unfortunately, once an Identifier is marked invalid, that particular instance can't be revived (this is a limitation of LE and the ACME protocol), as you discovered. You need to create a new Identifier (starting with the New-ACMEIdentifier step in your code).

The reason you're getting an error about the same key already being added is that you're reusing the same Alias parameter, which is essentially a unique ID for the Identifier. You should come up with a scheme to compute a unique alias (since you'll need to do this every 3 months anyway), so based on your code, something like...

$AliasDns = "certificateAlias-$([datetime]::Now.ToString("yyyyMMdd-HHmm"))"
New-ACMEIdentifier -Dns $domain -Alias $AliasDns

Would give you unique aliases each time this code is run. So to address your original issue, you probably want to stop after the call to Complete-ACMEChallenge and validate the response is correct.

NOTE, if you still have the response from the previous challenge, you can still validate it was correct, because the challenge response file should still be where it was placed.

ebekker, Apr 09 '19 22:04
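One way to do the validation step ebekker suggests, as an added example that is not from the issue or from ACMESharp: it pulls the key authorization out of the manual handler's message (the same `File Content: [...]` line the script above parses by offset) and then fetches the challenge URL over plain HTTP the way the CA would, comparing what is served with what was expected. It assumes `$http01` and `$domain` exist as in the script above.

```powershell
# Added example (not from the issue or ACMESharp). Assumes $http01 was obtained as in
# the issue's script (Update-ACMEIdentifier ... | Where-Object {$_.Type -eq "http-01"})
# and that $domain is the identifier's DNS name.
function Get-AcmeKeyAuthorization {
    param([Parameter(Mandatory)][string]$HandlerMessage)
    # The manual handler prints a line like "File Content: [<token>.<thumbprint>]";
    # match the bracketed value instead of relying on fixed substring offsets.
    if ($HandlerMessage -match 'File Content:\s*\[([^\]]+)\]') { return $Matches[1] }
    throw "Could not find 'File Content:' in the handler message"
}

function Test-AcmeHttp01Response {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$KeyAuthorization   # "<token>.<thumbprint>"
    )
    $token = $KeyAuthorization.Split('.')[0]
    # The CA fetches this exact path over HTTP on port 80 from the public internet,
    # so run this check from outside the Azure network, not from the storage account.
    $url = "http://$Domain/.well-known/acme-challenge/$token"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 5 -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $url; Ok = $false; Reason = "request failed: $($_.Exception.Message)" }
    }
    $body = [string]$resp.Content
    # RFC 8555 lets the server ignore trailing whitespace, so a trailing newline added
    # by Set-Content is harmless; anything else (an HTML error page, a different token,
    # leading whitespace) means the wrong content is being served at that URL.
    $ok = ($body.TrimEnd() -eq $KeyAuthorization)
    $reason = if ($ok) { "served content matches the key authorization" }
              elseif ($body.Trim() -eq $KeyAuthorization) { "matches only after trimming leading whitespace; remove it" }
              else { "served content does not match the expected key authorization" }
    [pscustomobject]@{ Url = $url; Ok = $ok; StatusCode = $resp.StatusCode; Reason = $reason }
}

# Usage with the objects from the script in the issue:
# $keyAuth = Get-AcmeKeyAuthorization -HandlerMessage $http01.HandlerHandleMessage
# Test-AcmeHttp01Response -Domain $domain -KeyAuthorization $keyAuth
```

If `Ok` is `$false` before `Submit-ACMEChallenge` is called, the identifier is still pending and the blob can be corrected and re-checked without burning the identifier.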

@ebekker thanks for the great info. I think I still have everything from the first try...can you give me some detail on how to validate the response?

Phydeauxman, Apr 09 '19 23:04