bc-on-docker-letsencrypt

AdditionalSetup.ps1

# Invoke default behavior
. (Join-Path $runPath $MyInvocation.MyCommand.Name)

. (Join-Path $PSScriptHost 'Deploy-LetsEncrypt.ps1')

Deploy-LetsEncrypt.ps1

# Use Lets encrypt
# This script is not perfect because it doesn't check if the certificate is being created and valid
# and also it doesn't include its update once the expire date is very close.

$ContactEMailForLetsEncrypt = $env:ContactEMailForLetsEncrypt
$dnsAlias = $env:dnsAlias

$certAlias = "certAlias"
$certPassword = [GUID]::NewGuid().ToString()
$certPfxFilename = "c:\ProgramData\nav-on-docker\certificate.pfx"
$certPemFilename = "c:\ProgramData\nav-on-docker\certificate.pem"

# $publicDnsName

try {
    Log "Installing ACMESharp PowerShell modules"
    Install-Module -Name ACMESharp -AllowClobber -force -ErrorAction SilentlyContinue
    Install-Module -Name ACMESharp.Providers.IIS -force -ErrorAction SilentlyContinue
    Import-Module ACMESharp
    Enable-ACMEExtensionModule -ModuleName ACMESharp.Providers.IIS -ErrorAction SilentlyContinue

    Log "Initializing ACMEVault"
    Initialize-ACMEVault

    Log "Register Contact EMail address and accept Terms Of Service"
    New-ACMERegistration -Contacts "mailto:$ContactEMailForLetsEncrypt" -AcceptTos

    Log "Creating new dns Identifier"
    $dnsAlias = "dnsAlias"
    New-ACMEIdentifier -Dns $publicDnsName -Alias $dnsAlias

    Log "Performing Lets Encrypt challenge to default web site"
    Complete-ACMEChallenge -IdentifierRef $dnsAlias -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'Default Web Site' }
    Submit-ACMEChallenge -IdentifierRef $dnsAlias -ChallengeType http-01
    sleep -s 60
    Update-ACMEIdentifier -IdentifierRef $dnsAlias

    Log "Requesting certificate"
    Remove-Item -Path $certPfxFilename -Force -ErrorAction Ignore
    New-ACMECertificate -Generate -IdentifierRef $dnsAlias -Alias $certAlias
    Submit-ACMECertificate -CertificateRef $certAlias
    Update-ACMECertificate -CertificateRef $certAlias
    Get-ACMECertificate -CertificateRef $certAlias -ExportPkcs12 $certPfxFilename -CertificatePassword $certPassword

    Remove-Item -Path $certPemFilename -Force -ErrorAction Ignore
    Get-ACMECertificate -CertificateRef $certAlias -ExportKeyPEM $certPemFilename

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPfxFilename, $certPassword)
    $certificateThumbprint = $cert.Thumbprint
    Write-Host "Certificate File Thumbprint $certificateThumbprint"
    if (!(Get-Item Cert:\LocalMachine\my\$certificateThumbprint -ErrorAction SilentlyContinue)) {
        Write-Host "Import Certificate to LocalMachine\my"
        Import-PfxCertificate -FilePath $certPfxFilename -CertStoreLocation cert:\localMachine\my -Password (ConvertTo-SecureString -String $certPassword -AsPlainText -Force) | Out-Null
    }
    $dnsidentity = $cert.GetNameInfo("SimpleName",$false)
    if ($dnsidentity.StartsWith("*")) {
        $dnsidentity = $dnsidentity.Substring($dnsidentity.IndexOf(".")+1)
    }
} catch {
    Log -color Red $_.ErrorDetails.Message
    Log -color Red "Reverting to Self Signed Certificate"
}