Automatically provisions new Lets Encrypt SSL certificate (using AWS Route 53 DNS verification) and adds to Windows Local Machine certificate store. Route 53 IAM Role required.

acmecert.ps1

###
# References:
#    - https://github.com/RobBiddle/ACMESharpRoute53Automation
#    - https://github.com/ebekker/ACMESharp/wiki/Quick-Start
#    - https://pkisharp.github.io/ACMESharp-docs/Quick-Start
#    - https://www.frankysweb.de/exchange-2016-lets-encrypt-zertifikat-erneuern/
###

$BaseDomain = "clancampbell.id.au"
$FedServiceName = "sts.$BaseDomain"
$CertSANs = "$FedServiceName","enterpriseregistration.$BaseDomain"
$R53HostedZone = "XXXX"
$ChallengeParams = @{"HostedZoneId" = "$R53HostedZone"; "AwsIamRole" = "*"}
$InstallerParams = @{"StoreLocation" = "LocalMachine"}
$FedServiceAlias = ''
$ACMEAliasArray = $null

Set-PSRepository -InstallationPolicy Trusted -Name "PSGallery"
Install-Module ACMESharp -AllowClobber
Import-Module ACMESharp
Install-Module ACMESharp.Providers.AWS
Install-Module ACMESharp.Providers.Windows
Enable-ACMEExtensionModule ACMESharp.Providers.AWS
Enable-ACMEExtensionModule ACMESharp.Providers.Windows
Get-ACMEChallengeHandlerProfile -ReloadProviders
Get-ACMEInstallerProfile -ReloadProviders
Initialize-ACMEVault -BaseService LetsEncrypt
New-ACMERegistration -Contacts "mailto:[email protected]" -AcceptTos

foreach ($CertSAN in $CertSANs) {
    $AliasDate = Get-Date -Format FileDateTime
    $ACMEAlias = "$CertSAN-$AliasDate"
    if ($CertSAN -match $FedServiceName) {
        $FedServiceAlias = $ACMEAlias
    }
    Write-Output "New ACMEIdentifier: $CertSAN - $ACMEAlias"
    New-ACMEIdentifier -Dns $CertSAN -Alias $ACMEAlias
    Write-Output "Complete ACMEChallenge: $ACMEAlias"
    Complete-ACMEChallenge -ChallengeType dns-01 -Handler aws-route53 -IdentifierRef $ACMEAlias -HandlerParameters $ChallengeParams -Force
    [Array]$ACMEAliasArray += $ACMEAlias
}

foreach ($ACMEAlias in $ACMEAliasArray) {
    Write-Output "Submit ACMEChallenge: $ACMEAlias"
    Submit-ACMEChallenge $ACMEAlias -ChallengeType dns-01
    (Update-ACMEIdentifier $ACMEAlias -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}
    Update-ACMEIdentifier $ACMEAlias

    # use exponential backoff until challenge is valid
    $BackOffSeconds = $null
    foreach ($n in (1 .. 10)) {
        $BackOffSeconds = [Math]::Pow(2, $n)
        if (!(Get-ACMEIdentifier | Where-Object Status -like "pending" | Where-Object Alias -match "$ACMEAlias")) {
            Return
        } else {            
            (Update-ACMEIdentifier $ACMEAlias -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}            
        }
        if ($BackOffSeconds -gt 600) {
            Throw "Timed out waiting for Domain Validation"
        } else {
            Write-Output "Domain Verification for $ACMEAlias is still pending..."
            Write-Output "Waiting for $BackOffSeconds Seconds"
            Start-Sleep -Seconds $BackOffSeconds
        }
    }            
}

$AliasDate = Get-Date -Format FileDateTime
$CertAlias = "Cert-$FedServiceName-$AliasDate"
Write-Output "New ACMECertificate: $CertAlias"
New-ACMECertificate $FedServiceAlias -Generate -AlternativeIdentifierRefs $ACMEAliasArray -Alias $CertAlias
Write-Output "Submit ACMECertificate: $CertAlias"
Submit-ACMECertificate $CertAlias
$ACMECert = Update-ACMECertificate $CertAlias
$ACMEThumbprint = $ACMECert.Thumbprint
Write-Output "ACMECertificate Thumbprint: $ACMEThumbprint"
Write-Output "Install ACMECertificate: $CertAlias"
Install-ACMECertificate -CertificateRef $CertAlias -Installer win-cert -InstallerParameters $InstallerParams