Comments (8)
glatzert
commented on July 22, 2024
This module is meant to support you in using ACME. It's no out-of-the-box magic thing, which just will do everything necessary. That's why the ReadMe starts with a synopsis.
If you need oobe just create a certificate, I'd recommend using https://github.com/rmbolger/Posh-ACME, which is also PowerShell-based, but way more automated.
from acme-ps.
ThorkilG12
commented on July 22, 2024
Allow me to remind you that you have this in the readMe as well:
Now you have a ready to use certificate containing the public and private keys. If any problems arise, feel free to open an issue.
And the problem is: I'm running apache and need the same certificate that ebekker provided when it was acmeV1
from acme-ps.
glatzert
commented on July 22, 2024
Sorry, if I was being hostile.
As I said before use openSSL to convert the PFX into the appropriate files you need.
If it asks for passwords, you'll need to provide the ones you used or make it work without password.
OpenSSL itself is a big product, but (since I'll always need to look it up myself, if needed) the internet will provide the necessary code snippets to convert PFX to PEM (aka CRT/KEY)
The certificate chain file is (as far as I understand Apache) whats referenced in SSLCACertificateFile. Just store it and point Apache to it.
from acme-ps.
ThorkilG12
commented on July 22, 2024
You said:
If you need oobe just create a certificate, I'd recommend using https://github.com/rmbolger/Posh-ACME, which is also PowerShell-based, but way more automated.
It looks as if it is all DNS-txt-record-based. I have to use HTTP for challange...
So... I'm still hoping for some help from one of you guys.
What is the purpose of your solution if apache-users can not use it ?
If you help me, i'm sure a lot of more apache-users would be happy, as well
from acme-ps.
glatzert
commented on July 22, 2024
There's no way around openSSL currently, so please use that.
You'll need the following commands:
For the private-key: openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
For the certfile: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
And for the SSLCA file download this (I think): https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
Nice writeup here: https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/
from acme-ps.
ThorkilG12
commented on July 22, 2024
Well
The problem is the password inside the PFX file. Where does it come from ?
It is not in the PowerShell code, but where then ?
Is it on the Let'sEncrypt server ? I tried to use another email-address.
That did not help. Still the PFX file is protected by some password.
Is it on my server. Is it the windows operating system that your module
talks to ?
Is the password in a PFX file related to
a) The windows server ?
b) The windows user ?
c) The domain ?
d) The account at Let's Encrypt
In my situation where a have many sites running on one apache windows
machine... How many Private Keys do I need ?
One for every site og one for my server or one for myself ? Or ?
BTW:
After your sample code from
https://github.com/PKISharp/ACMESharpCore-PowerShell
I have added this:
$certdir = "c:\ApacheCerts"
cd $appath\bin
$opensslArgs = "pkcs12 -in c:\acmestate\www.sublim.dk.pfx -nocerts -out
$certdir\private.key"
Start-Process 'cmd' -ArgumentList "/k $appath\bin\openssl.exe $opensslArgs"
$opensslArgs = "pkcs12 -in c:\acmestate\www.sublim.dk.pfx -clcerts -nokeys
-out $certdir\certificate.crt"
Start-Process 'cmd' -ArgumentList "/k $appath\bin\openssl.exe $opensslArgs"
$opensslArgs = "pkcs12 -in c:\acmestate\www.sublim.dk.pfx -nodes -nokeys
-cacerts -out $certdir\ca.crt"
Start-Process 'cmd' -ArgumentList "/k $appath\bin\openssl.exe $opensslArgs"
*Venlig hilsen*
*Thorkil Johansen*
*Tel: +45 4070 6547*
Den tir. 15. okt. 2019 kl. 11.03 skrev Thomas Glatzer <
[email protected]>:
… There's no way around openSSL currently, so please use that.
You'll need the following commands:
For the private-key: openssl pkcs12 -in [yourfile.pfx] -nocerts -out
[keyfile-encrypted.key]
For the certfile: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out
[certificate.crt]
And for the SSLCA file download this (I think):
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
Nice writeup here:
https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#41>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AC4PBVLGHT2WCWIAQ6FQXYDQOWBNLANCNFSM4JAULAXA>
.
from acme-ps.
glatzert
commented on July 22, 2024
If you did not explicitly call Export-ACMECertificate with -Password there should* be none.
Possibly openSSL will accept you pressing [Enter]?
Alternatively just call Export-ACMECertificate and set a password - then you can provide it to openSSL.
Also it might be openSSL wants to know the password it should use to protect the output files?
from acme-ps.
ThorkilG12
commented on July 22, 2024
Success. Now I'm back on track.
I do this:
cd $appath\bin # OpenSSL is part of the Apache installation
$procArg = "/k $appath\bin\openssl.exe " # Last space is nessesary. Change /k to /c to close CMD-window
$opensslArgs = "pkcs12 -in $stateDir\$dnsName.pfx -nocerts -out $certdir\privateKey.pem -passin pass: -passout pass:verySecret"
Start-Process 'cmd' -ArgumentList ($procArg + $opensslArgs)
$opensslArgs = "rsa -in $certdir\privateKey.pem -out $certdir\private.key -passin pass:verySecret"
Start-Process 'cmd' -ArgumentList ($procArg + $opensslArgs)
$opensslArgs = "pkcs12 -in $stateDir\$dnsName.pfx -clcerts -nokeys -out $certdir\certificate.crt -passin pass:"
Start-Process 'cmd' -ArgumentList ($procArg + $opensslArgs)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$crossURL = Invoke-WebRequest -Uri "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt"
$crossURL.content | out-file "$certdir\ca_bundle.crt" -encoding ASCII
When I check the certificat in a browser i don't see anything that should be wrong.
I'm not sure if the error in this command should worry me ?
$opensslArgs = "verify -untrusted $certdir\ca_bundle.crt $certdir\certificate.crt"
Start-Process 'cmd' -ArgumentList ($procArg + $opensslArgs)
Thanks a lot with your patience with me. Even though I often have the same old feeling of being outside the "Members Only Closed Linux Club"
Let's hope others can use my findings :-)
Have a nice evening, and thanks for your incredible work.
/T
from acme-ps.
Related Issues (20)
- [Improvement] Add state reference to order
- [BUG]? Full chain export seems to be exporting in the wrong order HOT 4
- [BUG] Chain not included for specific instance.. HOT 1
- [Improvement] Exporting x509 certs/keys as PEM HOT 4
- Exception calling "GetResult" with "0" argument(s): "An error occurred while sending the request." HOT 6
- Certificate not working on older Android after 29.9.2021 HOT 2
- New-AcmePSKey invalid ValidateSet for RSAKeySize HOT 1
- DNS-01 HOT 10
- New Order / Old Account HOT 5
- Are SHA-1 self signatures being used to issue CSRs? HOT 1
- HTTP-01 Challenge File Not Getting Created HOT 3
- Authorizations does not seem to be parsing correctly HOT 12
- [BUG] The certificate chain seems to be out of order in 1.5.2. Versions 1.5.3-beta, and 1.5.4 Fails to run. HOT 4
- [BUG] Some of the *ToExport keys are missing from the module manifest HOT 2
- [BUG] v1.5.6 Export-Certificate "value cannot be null" HOT 10
- Cannot export non-exportable private key HOT 1
- [BUG] When using New-ACMEAccount with previous AccountKey it errors with Get-Account HOT 1
- [BUG] The exported PFX certificate doesn't have the full Let's Encrypt chain HOT 4
- Issue Export-ACMECertificate HOT 2
- Certificate Generation/Validation is failing From June 2024 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from acme-ps.