private bool PerformCertRequestAndIISBinding(string certDomain, string[] alternativeNames) { // ACME service requires international domain names in ascii mode certDomain = _idnMapping.GetAscii(certDomain); //create cert and binding it //Typical command sequence for a new certificate //Initialize-ACMEVault -BaseURI https://acme-staging.api.letsencrypt.org/ // Get-Module -ListAvailable ACMESharp // New-ACMEIdentifier -Dns test7.examplesite.co.uk -Alias test7_examplesite_co_uk636213616564101276 -Label Identifier:test7.examplesite.co.uk // Complete-ACMEChallenge -Ref test7_examplesite_co_uk636213616564101276 -ChallengeType http-01 -Handler manual -Regenerate // Submit-ACMEChallenge -Ref test7_examplesite_co_uk636213616564101276 -Challenge http-01 // Update-ACMEIdentifier -Ref test7_examplesite_co_uk636213616564101276 // Update-ACMEIdentifier -Ref test7_examplesite_co_uk636213616564101276 // New-ACMECertificate -Identifier test7_examplesite_co_uk636213616564101276 -Alias cert_test7_examplesite_co_uk636213616564101276 -Generate // Update-ACMEIdentifier -Ref test7_examplesite_co_uk636213616564101276 // Update-ACMEIdentifier -Ref test7_examplesite_co_uk636213616564101276 // Get-ACMECertificate -Ref = ac22dbfe - b75f - 4cac-9247-b40c1d9bf9eb -ExportPkcs12 C:\ProgramData\ACMESharp\sysVault\99-ASSET\ac22dbfe-b75f-4cac-9247-b40c1d9bf9eb-all.pfx -Overwrite //get info on existing IIS site we want to create/update SSL binding for IISManager iisManager = new IISManager(); var iisSite = iisManager.GetSiteBindingByDomain(certDomain); var certConfig = new CertRequestConfig() { PrimaryDomain = certDomain, PerformChallengeFileCopy = true, WebsiteRootPath = Environment.ExpandEnvironmentVariables(iisSite.PhysicalPath) }; var certifyManager = new VaultManager(Properties.Settings.Default.VaultPath, LocalDiskVault.VAULT); certifyManager.UsePowershell = false; //init vault if not already created certifyManager.InitVault(staging: true); //domain alias is used as an ID in both the vault and the LE server, it's specific to one authorization attempt and cannot be reused for renewal var domainIdentifierAlias = certifyManager.ComputeIdentifierAlias(certDomain); //NOTE: to support a SAN certificate (multiple alternative domains on one site) the domain validation steps need to be repeat for each name: //register identifier with LE, get http challenge spec back //create challenge response answer file under site .well-known, auto configure web.config for extenstionless content, mark challenge prep completed var authState = certifyManager.BeginRegistrationAndValidation(certConfig, domainIdentifierAlias); //ask LE to check our answer to their authorization challenge (http), LE will then attempt to fetch our answer, if all accessible and correct (authorized) LE will then allow us to request a certificate if (authState.Identifier.Authorization.IsPending()) { //prepare IIS with answer for the LE challenege certifyManager.PerformIISAutomatedChallengeResponse(certConfig, authState); //ask LE to validate our challenge response certifyManager.SubmitChallenge(domainIdentifierAlias, "http-01"); } //now check if LE has validated our challenge answer bool validated = certifyManager.CompleteIdentifierValidationProcess(domainIdentifierAlias); if (validated) { var certRequestResult = certifyManager.PerformCertificateRequestProcess(domainIdentifierAlias, alternativeIdentifierRefs: null); if (certRequestResult.IsSuccess) { string pfxPath = certRequestResult.Result.ToString(); //Install certificate into certificate store and bind to IIS site //TODO, match by site id? if (iisManager.InstallCertForDomain(certDomain, pfxPath, cleanupCertStore: true, skipBindings: false)) { //all done System.Diagnostics.Debug.WriteLine("Certificate installed and SSL bindings updated for " + certDomain); return(true); } else { System.Diagnostics.Debug.WriteLine("Failed to install PFX file for Certificate."); return(false); } } else { System.Diagnostics.Debug.WriteLine("LE did not issue a valid certificate in the time allowed."); return(false); } } else { System.Diagnostics.Debug.WriteLine("Validation of the required challenges did not complete successfully."); return(false); } }
public async Task <CertificateRequestResult> PerformCertificateRequest(VaultManager vaultManager, ManagedSite managedSite, IProgress <RequestProgressState> progress = null) { // FIXME: refactor into different concerns, there's way to much being done here return(await Task.Run(async() => { try { ManagedSiteLog.AppendLog(managedSite.Id, new ManagedSiteLogItem { EventDate = DateTime.UtcNow, LogItemType = LogItemType.GeneralInfo, Message = "Beginning Certificate Request Process: " + managedSite.Name }); bool enableIdentifierReuse = false; if (vaultManager == null) { vaultManager = GetVaultManager(); } //enable or disable EFS flag on private key certs based on preference vaultManager.UseEFSForSensitiveFiles = Properties.Settings.Default.EnableEFS; //primary domain and each subject alternative name must now be registered as an identifier with LE and validated if (progress != null) { progress.Report(new RequestProgressState { IsRunning = true, CurrentState = RequestState.Running, Message = "Registering Domain Identifiers" }); } await Task.Delay(200); //allow UI update var config = managedSite.RequestConfig; List <string> allDomains = new List <string> { config.PrimaryDomain }; if (config.SubjectAlternativeNames != null) { allDomains.AddRange(config.SubjectAlternativeNames); } bool allIdentifiersValidated = true; if (config.ChallengeType == null) { config.ChallengeType = "http-01"; } List <PendingAuthorization> identifierAuthorizations = new List <PendingAuthorization>(); var distinctDomains = allDomains.Distinct(); foreach (var domain in distinctDomains) { var identifierAlias = vaultManager.ComputeIdentifierAlias(domain); //check if this domain already has an associated identifier registerd with LetsEncrypt which hasn't expired yet //await Task.Delay(200); //allow UI update ACMESharp.Vault.Model.IdentifierInfo existingIdentifier = null; if (enableIdentifierReuse) { existingIdentifier = vaultManager.GetIdentifier(domain.Trim().ToLower()); } bool identifierAlreadyValid = false; if (existingIdentifier != null && existingIdentifier.Authorization != null && (existingIdentifier.Authorization.Status == "valid" || existingIdentifier.Authorization.Status == "pending") && existingIdentifier.Authorization.Expires > DateTime.Now.AddDays(1)) { //we have an existing validated identifier, reuse that for this certificate request identifierAlias = existingIdentifier.Alias; if (existingIdentifier.Authorization.Status == "valid") { identifierAlreadyValid = true; } // managedSite.AppendLog(new ManagedSiteLogItem { EventDate = // DateTime.UtcNow, LogItemType = LogItemType.CertificateRequestStarted, // Message = "Attempting Certificate Request: " + managedSite.SiteType }); System.Diagnostics.Debug.WriteLine("Reusing existing valid non-expired identifier for the domain " + domain); } ManagedSiteLog.AppendLog(managedSite.Id, new ManagedSiteLogItem { EventDate = DateTime.UtcNow, LogItemType = LogItemType.CertificateRequestStarted, Message = "Attempting Domain Validation: " + domain }); //begin authorization process (register identifier, request authorization if not already given) if (progress != null) { progress.Report(new RequestProgressState { Message = "Registering and Validating " + domain }); } //TODO: make operations async and yeild IO of vault /*var authorization = await Task.Run(() => * { * return vaultManager.BeginRegistrationAndValidation(config, identifierAlias, challengeType: config.ChallengeType, domain: domain); * });*/ var authorization = vaultManager.BeginRegistrationAndValidation(config, identifierAlias, challengeType: config.ChallengeType, domain: domain); if (authorization != null && authorization.Identifier != null && !identifierAlreadyValid) { if (authorization.Identifier.Authorization.IsPending()) { if (managedSite.ItemType == ManagedItemType.SSL_LetsEncrypt_LocalIIS) { if (progress != null) { progress.Report(new RequestProgressState { Message = "Performing Challenge Response via IIS: " + domain }); } //ask LE to check our answer to their authorization challenge (http), LE will then attempt to fetch our answer, if all accessible and correct (authorized) LE will then allow us to request a certificate //prepare IIS with answer for the LE challenege authorization = vaultManager.PerformIISAutomatedChallengeResponse(config, authorization); //if we attempted extensionless config checks, report any errors if (config.PerformAutoConfig && !authorization.ExtensionlessConfigCheckedOK) { ManagedSiteLog.AppendLog(managedSite.Id, new ManagedSiteLogItem { EventDate = DateTime.UtcNow, LogItemType = LogItemType.CertficateRequestFailed, Message = "Failed prerequisite configuration (" + managedSite.ItemType + ")" }); siteManager.StoreSettings(); var result = new CertificateRequestResult { ManagedItem = managedSite, IsSuccess = false, Message = "Automated configuration checks failed. Authorizations will not be able to complete.\nCheck you have http bindings for your site and ensure you can browse to http://" + domain + "/.well-known/acme-challenge/configcheck before proceeding." }; if (progress != null) { progress.Report(new RequestProgressState { CurrentState = RequestState.Error, Message = result.Message, Result = result }); } return result; } else { if (progress != null) { progress.Report(new RequestProgressState { CurrentState = RequestState.Running, Message = "Requesting Validation from Lets Encrypt: " + domain }); } //ask LE to validate our challenge response vaultManager.SubmitChallenge(identifierAlias, config.ChallengeType); bool identifierValidated = vaultManager.CompleteIdentifierValidationProcess(authorization.Identifier.Alias); if (!identifierValidated) { if (progress != null) { progress.Report(new RequestProgressState { CurrentState = RequestState.Error, Message = "Domain validation failed: " + domain }); } allIdentifiersValidated = false; } else { if (progress != null) { progress.Report(new RequestProgressState { CurrentState = RequestState.Running, Message = "Domain validation completed: " + domain }); } identifierAuthorizations.Add(authorization); } } } } else { if (authorization.Identifier.Authorization.Status == "valid") { identifierAuthorizations.Add(new PendingAuthorization { Identifier = authorization.Identifier }); } } } else { if (identifierAlreadyValid) { //we have previously validated this identifier and it has not yet expired, so we can just reuse it in our cert request identifierAuthorizations.Add(new PendingAuthorization { Identifier = existingIdentifier }); } } } //check if all identifiers validates if (identifierAuthorizations.Count == distinctDomains.Count()) { allIdentifiersValidated = true; } if (allIdentifiersValidated) { string primaryDnsIdentifier = identifierAuthorizations.First().Identifier.Alias; string[] alternativeDnsIdentifiers = identifierAuthorizations.Where(i => i.Identifier.Alias != primaryDnsIdentifier).Select(i => i.Identifier.Alias).ToArray(); if (progress != null) { progress.Report(new RequestProgressState { CurrentState = RequestState.Running, Message = "Requesting Certificate via Lets Encrypt" }); } //await Task.Delay(200); //allow UI update var certRequestResult = vaultManager.PerformCertificateRequestProcess(primaryDnsIdentifier, alternativeDnsIdentifiers); if (certRequestResult.IsSuccess) { if (progress != null) { progress.Report(new RequestProgressState { CurrentState = RequestState.Success, Message = "Completed Certificate Request." }); } string pfxPath = certRequestResult.Result.ToString(); if (managedSite.ItemType == ManagedItemType.SSL_LetsEncrypt_LocalIIS && config.PerformAutomatedCertBinding) { if (progress != null) { progress.Report(new RequestProgressState { CurrentState = RequestState.Running, Message = "Performing Automated Certificate Binding" }); } //await Task.Delay(200); //allow UI update var iisManager = new IISManager(); //Install certificate into certificate store and bind to IIS site if (iisManager.InstallCertForRequest(managedSite.RequestConfig, pfxPath, cleanupCertStore: true)) { //all done ManagedSiteLog.AppendLog(managedSite.Id, new ManagedSiteLogItem { EventDate = DateTime.UtcNow, LogItemType = LogItemType.CertificateRequestSuccessful, Message = "Completed certificate request and automated bindings update (IIS)" }); //udpate managed site summary try { var certInfo = new CertificateManager().GetCertificate(pfxPath); managedSite.DateStart = certInfo.NotBefore; managedSite.DateExpiry = certInfo.NotAfter; managedSite.DateRenewed = DateTime.Now; managedSite.CertificatePath = pfxPath; } catch (Exception) { ManagedSiteLog.AppendLog(managedSite.Id, new ManagedSiteLogItem { EventDate = DateTime.UtcNow, LogItemType = LogItemType.GeneralWarning, Message = "Failed to parse certificate dates" }); } siteManager.UpdatedManagedSite(managedSite); var result = new CertificateRequestResult { ManagedItem = managedSite, IsSuccess = true, Message = "Certificate installed and SSL bindings updated for " + config.PrimaryDomain }; if (progress != null) { progress.Report(new RequestProgressState { IsRunning = false, CurrentState = RequestState.Success, Message = result.Message }); } return result; } else { return new CertificateRequestResult { ManagedItem = managedSite, IsSuccess = false, Message = "An error occurred installing the certificate. Certificate file may not be valid: " + pfxPath }; } } else { //user has opted for manual binding of certificate try { var certInfo = new CertificateManager().GetCertificate(pfxPath); managedSite.DateStart = certInfo.NotBefore; managedSite.DateExpiry = certInfo.NotAfter; managedSite.DateRenewed = DateTime.Now; managedSite.CertificatePath = pfxPath; } catch (Exception) { ManagedSiteLog.AppendLog(managedSite.Id, new ManagedSiteLogItem { EventDate = DateTime.UtcNow, LogItemType = LogItemType.GeneralWarning, Message = "Failed to parse certificate dates" }); } siteManager.UpdatedManagedSite(managedSite); return new CertificateRequestResult { ManagedItem = managedSite, IsSuccess = true, Message = "Certificate created ready for manual binding: " + pfxPath }; } } else { return new CertificateRequestResult { ManagedItem = managedSite, IsSuccess = false, Message = "The Let's Encrypt service did not issue a valid certificate in the time allowed. " + (certRequestResult.ErrorMessage ?? "") }; } } else { return new CertificateRequestResult { ManagedItem = managedSite, IsSuccess = false, Message = "Validation of the required challenges did not complete successfully. Please ensure all domains to be referenced in the Certificate can be used to access this site without redirection. " }; } } catch (Exception exp) { System.Diagnostics.Debug.WriteLine(exp.ToString()); return new CertificateRequestResult { ManagedItem = managedSite, IsSuccess = false, Message = managedSite.Name + ": Request failed - " + exp.Message }; } })); }
public ProcessStepResult PerformCertificateRequestProcess(string primaryDnsIdentifier, string[] alternativeDnsIdentifiers) { return(_vaultManager.PerformCertificateRequestProcess(primaryDnsIdentifier, alternativeDnsIdentifiers)); }