Renewing Cert - Token Has Expired


We wrote a quick script to try to automate the server SSL cert, and it started throwing an error:
forum image

The install instructions said that if something like this happened, to restart the session or reboot the server, but neither of those worked. How do you remove the old token?

All Comments (7)


Hi,

Can you provide us with the script you have made to handle the renewal? I see you are using Posh-ACME. How are you authenticating with Azure in this case? We did have a quick & dirty script in the docs that uses an access token from an Azure login, but this technique is not suitable for automation.

Best regards,

Marc-André Moreau


We are connecting to the subscription manually, but this is what we have in the PS script, which is run after connecting to Azure via PowerShell:

# Run after an interactive Connect-AzAccount; the token is taken from that session
$az    = Get-AzContext
$token = Get-AzAccessToken

# Posh-ACME Azure plugin arguments: the subscription plus the session's access token
$AzParams = @{
    AZSubscriptionId = $az.Subscription.Id
    AZAccessToken    = $token.Token
}
$CommonName = "somedomain.com"

# A single call creates the ACME account (-AcceptTOS/-Contact) and the order using the Azure DNS plugin
$Certificate = New-PACertificate $CommonName -AcceptTOS -Contact certs@someone.com -Plugin Azure -PluginArgs $AzParams

# fullchain.pfx sits next to cert.pfx in the order folder; Posh-ACME's default PFX password is 'poshacme'
$CertPath = Split-Path -Path $Certificate.PfxFile -Parent

Import-WaykDenCertificate -CertificateFile "$CertPath\fullchain.pfx" -Password 'poshacme' -Debug
Restart-WaykBastion
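The script above depends on an access token taken from an interactive Azure login, so it cannot run unattended. As an added example (not code from the original post or from Devolutions), the same renewal can be driven by a service principal through Posh-ACME's Azure plugin. The subscription, tenant and app IDs, the environment variable holding the client secret, and the contact address are placeholders; the plugin parameter names (AZSubscriptionId, AZTenantId, AZAppCred) are taken from the Posh-ACME Azure plugin readme and should be checked against the installed module version.

```powershell
# Unattended Posh-ACME renewal against Azure DNS with a service principal.
# Added example; all IDs and paths below are placeholders, not values from the thread.
# Prerequisites: Install-Module Posh-ACME, and an app registration granted
# "DNS Zone Contributor" on the DNS zone only (least privilege: not the whole subscription).

$CommonName     = 'somedomain.com'
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$TenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$AppId          = '00000000-0000-0000-0000-000000000000'   # placeholder: service principal appId

# The client secret comes from the environment of the scheduled task's service account,
# never from a literal in the script. (Variable name is an assumption.)
if (-not $env:ACME_AZ_CLIENT_SECRET) { throw 'ACME_AZ_CLIENT_SECRET is not set.' }
$secret  = ConvertTo-SecureString -String $env:ACME_AZ_CLIENT_SECRET -AsPlainText -Force
$appCred = New-Object System.Management.Automation.PSCredential ($AppId, $secret)

# Plugin arguments for a non-interactive login; no Get-AzAccessToken involved
$AzParams = @{
    AZSubscriptionId = $SubscriptionId
    AZTenantId       = $TenantId
    AZAppCred        = $appCred
}

Set-PAServer LE_PROD

if (-not (Get-PAOrder -MainDomain $CommonName -ErrorAction SilentlyContinue)) {
    # First run: create the order with the Azure DNS plugin. Posh-ACME stores the
    # plugin arguments with the order so later renewals reuse them.
    $cert = New-PACertificate $CommonName -AcceptTOS -Contact 'certs@someone.com' `
                -Plugin Azure -PluginArgs $AzParams
} else {
    # Later runs: Submit-Renewal only renews once the cert is inside its renewal
    # window and returns nothing otherwise, so the task can run daily.
    $cert = Submit-Renewal -MainDomain $CommonName
}

if ($cert) {
    # PfxFullChain is the fullchain.pfx the page imports; default PFX password is 'poshacme'
    Import-WaykDenCertificate -CertificateFile $cert.PfxFullChain -Password 'poshacme'
    Restart-WaykBastion
} else {
    Write-Host "Certificate for $CommonName is not yet due for renewal."
}
```

Schedule this under a dedicated service account; the only secret it needs is the client secret, and that secret can only edit records in the one zone the role assignment covers.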


The access token is valid only for two minutes maximum, so this technique can be a bit tricky. Is this a machine directly exposed on the internet, and is port 80 already taken by IIS? Posh-ACME now supports the HTTP challenge, which is much easier to deal with, except that you need to be able to serve the challenge on HTTP/80. I've documented the procedure in a blog post about using Let's Encrypt for Secure LDAP, but it is the same thing for a web certificate. Just scroll down to the "Requesting Certificate from Let's Encrypt" section.

If IIS is using TCP/80, the HTTP challenge can also be used by creating a site to host a ".well-known/acme-challenge" directory and pointing Posh-ACME at the same directory on the file system to respond to the challenge: IIS hosts the files for Let's Encrypt to fetch, and Posh-ACME places the challenge files in the right location.

Marc-André Moreau
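The shared-directory approach described in the comment above, as an added example that is not from the original thread or from Devolutions: IIS serves a virtual directory on the existing port-80 site, and Posh-ACME's WebRoot plugin (its WRPath argument is the directory that contains .well-known) writes the token files into it. The site name, the C:\inetpub\acme path and the contact address are assumptions; the web.config follows the common pattern for serving extensionless files from IIS.

```powershell
# HTTP-01 challenge with IIS already bound to TCP/80, using Posh-ACME's WebRoot plugin.
# Added example; site name, paths and contact are placeholders. Run elevated on the IIS host.
Import-Module WebAdministration

$CommonName = 'somedomain.com'
$SiteName   = 'Default Web Site'   # assumption: the site answering on :80 for $CommonName
$AcmeRoot   = 'C:\inetpub\acme'    # assumption: directory shared by IIS and Posh-ACME

# 1. Directory that IIS will serve and Posh-ACME will write into
$challengeDir = Join-Path $AcmeRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

# 2. Expose it as http://$CommonName/.well-known/ on the existing site
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name '.well-known' -ErrorAction SilentlyContinue)) {
    New-WebVirtualDirectory -Site $SiteName -Name '.well-known' `
        -PhysicalPath (Join-Path $AcmeRoot '.well-known') | Out-Null
}

# 3. Token files have no extension, so make IIS treat them as static text and keep
#    ASP.NET handlers from intercepting the request.
@'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $challengeDir 'web.config') -Encoding UTF8

# 4. Probe the path the way Let's Encrypt will: plain HTTP, and a redirect to HTTPS counts as failure
$probe = 'probe-' + [guid]::NewGuid().ToString('N')
Set-Content -Path (Join-Path $challengeDir $probe) -Value 'ok' -NoNewline
try {
    $resp = Invoke-WebRequest -Uri "http://$CommonName/.well-known/acme-challenge/$probe" `
                -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    if ($resp.StatusCode -ne 200 -or $resp.Content -ne 'ok') {
        throw "Unexpected response HTTP $($resp.StatusCode)"
    }
} catch {
    throw "Challenge path is not reachable over HTTP/80 ($_); check bindings and HTTPS-redirect rules before ordering."
} finally {
    Remove-Item (Join-Path $challengeDir $probe) -ErrorAction SilentlyContinue
}

# 5. Order the certificate; WebRoot writes each token to $AcmeRoot\.well-known\acme-challenge
Set-PAServer LE_PROD
$cert = New-PACertificate $CommonName -AcceptTOS -Contact 'certs@someone.com' `
            -Plugin WebRoot -PluginArgs @{ WRPath = $AcmeRoot }

# 6. Hand the full chain to Wayk Bastion (Posh-ACME's default PFX password is 'poshacme')
Import-WaykDenCertificate -CertificateFile $cert.PfxFullChain -Password 'poshacme'
Restart-WaykBastion
```

The probe in step 4 is the check worth keeping: most failed HTTP-01 validations on IIS come from a site-wide HTTP-to-HTTPS rewrite rule or from request filtering blocking the extensionless token, and both show up there before an order is spent against the rate limits.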


I gave it a shot, found that my Posh-ACME PowerShell module was a bit out of date, so I updated that. Afterwards I attempted to run the command from the first comment to get the cert and got the following:

forum image


Hello,

If you use the Plugin parameter, you need to specify the PluginArgs, even if it is empty.
The command should look something like: New-PACertificate example.com -Plugin WebSelfHost -PluginArgs @{}

source: https://github.com/rmbolger/Posh-ACME/blob/main/Posh-ACME/Plugins/WebSelfHost-Readme.md

Best regards,

Richard Boisvert


Thanks for continuing to help on this one! I ran a command similar to the one above and got this:
forum image


Hello Tyson,

We had a recent (March 2021) blog post that uses the same method you are trying to use. You can refer to https://blog.devolutions.net/2021/03/how-to-configure-secure-ldap-ldaps-in-active-directory-with-lets-encrypt, under "Requesting Certificate from Let's Encrypt".

Best regards,

Richard Boisvert