Register-LetsEncryptCertificate.ps1
|
#requires -Modules AcmeSharp, Azure, AzureRM.Websites <#PSScriptInfo .VERSION 1.0 .GUID 446ce754-919d-44b2-84c9-1019893729ec .AUTHOR Lee Holmes .DESCRIPTION Assigns a new SSL certificate (issued by Let's Encrypt) to an Azure-hosted Website. #> param( ## The domain to generate a certificate for [Parameter(Mandatory)] [String] $Domain, ## The email used for Let's Encrypt registration [Parameter(Mandatory)] [String] $RegistrationEmail, ## The resource group that contains the web app [Parameter(Mandatory)] [String] $ResourceGroup, ## The web app name / ID [Parameter(Mandatory)] [String] $WebApp, ## True if hosting application is Unix-based, ## so we won't send the confirmation files to /key/index.html, but to /key directly [Switch] $UseUnixFileVerification ) Set-StrictMode -Version Latest function GetSafeFilename { param( $BasePath = ".", $Text, $Extension = ".txt" ) ## Remove invalid filesystem characters $invalidChars = [IO.Path]::GetInvalidFileNameChars() $invalidCharsRegex = "[" + (-join ($invalidChars | % { [Regex]::Escape($_) })) + "]" $baseFilename = $Text -replace $invalidCharsRegex,'_' ## Avoid reserved device names $reservedDeviceNames = -split "CON PRN AUX NUL COM1 COM2 COM3 COM4 COM5 COM6 COM7 COM8 COM9 LPT1 LPT2 LPT3 LPT4 LPT5 LPT6 LPT7 LPT8 LPT9" if($baseFilename -in $reservedDeviceNames) { $baseFilename = "_" + $baseFilename } ## Avoid path length issues $baseFilename = $baseFilename.Substring(0, [Math]::Min(50, $baseFilename.Length)) ## Avoid existing files $counter = 1 $fileName = $baseFilename + $Extension while(Test-Path (Join-Path $BasePath $fileName)) { $filename = $baseFilename + "_${counter}${Extension}" $counter++ } # Emit the result $fileName.Trim() } ## Helper function to use Azure Kudu to publish a file to a site function PublishWebsiteFile { param( [Parameter(Mandatory)] $ResourceGroup, [Parameter(Mandatory)] $WebApp, [Parameter(Mandatory)] $PublishSettingsFile, [Parameter(Mandatory)] $RemotePath, [Parameter(Mandatory)] $FileContent ) $RemotePath = $RemotePath.Trim("/\") ## Extract the publish settings credential from the publish settings file $publishSettings = [xml] (Get-Content $PublishSettingsFile -Raw) $ftpPublishSettings = $publishSettings.publishData.publishProfile | ? publishMethod -eq MSDeploy $username = $ftpPublishSettings.userName $password = $ftpPublishSettings.userPWD $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password))) ## Invoke the Kudu API $apiBaseUrl = "https://$WebApp.scm.azurewebsites.net/api" Invoke-RestMethod -Uri "$apiBaseUrl/vfs/site/wwwroot/$RemotePath" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo); 'If-Match' = '*'} -Method PUT -Body $FileContent } ## Store temporary files / certificates in ./<domain> $outputDirectory = GetSafeFilename -Text $Domain -Extension "" if(-not (Test-Path $outputDirectory)) { $null = New-Item -Type Directory $outputDirectory } Write-Progress "Creating Let's Encrypt registration" if(-not (Get-AcmeVault)) { $null = Initialize-ACMEVault -BaseURI https://acme-v01.api.letsencrypt.org/ } ## Create a new identifier for this request $identifier = -join (([int][char]'a'..[int][char]'z') | Get-Random -Count 10 | % { [char] $_ }) $null = New-ACMERegistration -Contacts mailto:$RegistrationEmail -AcceptTos $null = New-ACMEIdentifier -Dns $domain -Alias $identifier ## Get the challenge that Let's Encrypt will ask us to use and prove we own the domain Write-Progress "Receiving challenge" $completedChallenge = Complete-ACMEChallenge -Ref $identifier -Challenge http-01 -Handler manual -Regenerate $challengeAnswer = ($completedChallenge.Challenges | Where-Object { $_.HandlerName -eq "manual" }).Challenge $key = $challengeAnswer.FilePath $target = "$key/index.html" if($UseUnixFileVerification) { $target = $key } ## Upload the challenge to the website Write-Progress "Uploading key and challenge to $domain/$target" $null = Login-AzureRmAccount $tempFile = New-TemporaryFile try { $null = Get-AzureRmWebAppPublishingProfile -ResourceGroupName $ResourceGroup -Name $WebApp -OutputFile $tempFile PublishWebsiteFile -ResourceGroup $ResourceGroup -WebApp $WebApp -PublishSettingsFile $tempFile -RemotePath $target -FileContent $challengeAnswer.FileContent } finally { Remove-Item $tempFile } ## Tell Let's Encrypt that we've submitted the challenge, wait for its response $counter = 0 Write-Progress "Waiting for challenge verification" -PercentComplete ($counter++) $challenge = Submit-ACMEChallenge -Ref $identifier -ChallengeType http-01 while ($challenge.Status -eq "pending") { Start-Sleep -m 500 Write-Progress "Waiting for challenge verification" -PercentComplete ($counter++) $challenge = Update-ACMEIdentifier -Ref $identifier } ## Create a SSL certificate out of the completed challenge, and bind it to our website. if($challenge.Status -eq "valid") { $rawPassword = -join (([int][char]'a'..[int][char]'z') | Get-Random -Count 20 | % { [char] $_ }) $certIdentifier = -join (([int][char]'a'..[int][char]'z') | Get-Random -Count 10 | % { [char] $_ }) New-ACMECertificate -Identifier $identifier -Alias $certIdentifier -Generate $certificateInfo = Submit-ACMECertificate -Ref $certIdentifier Write-Progress "Waiting for IssuerSerialNumber to be issued" while(-not ((Test-Path variable:\certificate) -or $certificateInfo.IssuerSerialNumber)) { Start-Sleep -m 500 $certificateInfo = Update-ACMECertificate -Ref $certIdentifier } $outputFile = Join-Path $pwd cert1-all.pfx $null = Get-ACMECertificate -Ref $certIdentifier -ExportPkcs12 $outputFile -CertificatePassword $rawPassword Get-Item $outputFile New-AzureRmWebAppSSLBinding -ResourceGroupName $ResourceGroup -WebAppName $WebApp -CertificateFilePath $outputFile -CertificatePassword $rawPassword -Name $Domain } else { Write-Error (("Certificate generation failed. Status is '{0}', can't continue as it is not 'valid'. " + "Let's Encrypt could not retrieve the expected content from '$domain/$target'") -f $challenge.Status) $challenge } |