##
## Let's Encrypt for Veeam Cloud Connect
##
## This script automates the creation and retrieval of Let's Encrypt certificates
## using AWS Route53 as a challenge mechanism, and then installs the certificates
## in Veeam Cloud Connect.
##
## Version 3.0 - 2019-01-28
##
## Author Luca Dell'Oca
##
## This script uses Powershell Gallery, so you need at least Powershell 5.0.
## This script has been developed with ACMESharp 0.9.1.326
## Please execute it on the Veeam Cloud Connect server.
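### VARIABLES ###
# One timestamp for the whole run, so the ACME alias, the certificate name and
# the friendly name always agree even when the script runs across midnight
# (the original called Get-Date separately for each of them).
$runDate = Get-Date -Format yyyyMMdd
# alias for the ACME request.
# As long as you don't run more than one request per day, this is correct.
# Otherwise, plan to add also hours and minutes to make your requests unique.
$alias = "vcc-$runDate"
# Let's Encrypt certificates expire after 90 days, so you will have many of them in the local
# certificate store after some time. It's easier to identify them if we give them a unique name.
# We use the date here to do so.
$certname = "vcc-$runDate"
# ACMESharp vault folder; the PFX export is written here as well.
$vaultPath = "C:\ProgramData\ACMESharp\sysVault"
# Give a name to the PFX file on disk, based on the certificate name.
# NOTE(review): a PKCS#12 export normally carries the private key, so treat this
# folder as sensitive and keep its ACLs tight.
$pfxfile = "$vaultPath\$certname.pfx"
# Store the certificates into the Local Store of the Local Machine account
$certPath = "\localMachine\my"
# Configure the FQDN that the certificate needs to be bound to
$domain = "cc.virtualtothecore.com"
# Give a friendly name to the certificate so that it can be identified in the certificate store
$friendlyname = "letsencrypt-$runDate"
# Set the email used to register with Let's Encrypt service
$contactmail = "ldelloca@gmail.com"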
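### INITIALIZATION ###
# Allow this unsigned script and the gallery modules to run. -Force suppresses
# the confirmation prompt; the original "- Force" (with a space) is not the
# -Force switch and makes the cmdlet fail on its positional arguments.
# NOTE(review): without -Scope the relaxed policy is persisted machine-wide;
# '-Scope Process' would confine it to this run — confirm which is intended.
Set-ExecutionPolicy unrestricted -Force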
# Load Powershell modules
# Makes module $m available in the session, trying the cheapest source first:
#   1. already imported        -> report and return
#   2. available on disk       -> Import-Module
#   3. found in the PS Gallery -> Install-Module (current user) then Import-Module
# If none of these applies the whole script exits with code 1.
# NOTE(review): step 3 installs code from the public gallery at run time; pin or
# pre-install the modules on the server if that is not acceptable.
function Load-Module ($m) {
    $alreadyLoaded = Get-Module | Where-Object {$_.Name -eq $m}
    if ($alreadyLoaded) {
        write-host "Module $m is already imported."
        return
    }
    $installedOnDisk = Get-Module -ListAvailable | Where-Object {$_.Name -eq $m}
    if ($installedOnDisk) {
        Import-Module $m -Verbose
        return
    }
    $inGallery = Find-Module -Name $m | Where-Object {$_.Name -eq $m}
    if ($inGallery) {
        Install-Module -Name $m -Force -Verbose -Scope CurrentUser
        Import-Module $m -Verbose
        return
    }
    # Not imported, not on disk, not in the gallery: nothing more we can do.
    write-host "Module $m not imported, not available and not in online gallery, exiting."
    EXIT 1
}
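Load-Module "ACMESharp"
Load-Module "AWSPowerShell"
# Change to the Vault folder. Create it if it doesn't exist.
$path = "C:\ProgramData\ACMESharp\sysVault"
if (-not (Test-Path $path)) {
    # Out-Null keeps the created DirectoryInfo object from echoing to the console
    New-Item -ItemType Directory -Force -Path $path | Out-Null
}
# challenge.txt is later written relative to the current directory, so a failed
# directory change must stop the script instead of letting it continue elsewhere
# (a plain 'cd' only raises a non-terminating error).
Set-Location -Path $path -ErrorAction Stop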
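# Initialize the Vault if it's a fresh new install, otherwise move on
#Check if a vault already exists
write-host "Check if a vault already exists..."
$Vault = Get-ACMEVault
if (-not $Vault) {
    write-host "No vault found, trying to create new vault..."
    # The return value of Initialize-ACMEVault is not needed: the vault is
    # re-read below to confirm it really exists.
    Initialize-ACMEVault | Out-Null
    Start-Sleep -Seconds 1
    $Vault = Get-ACMEVault
    if (-not $Vault) {
        # Exit with a non-zero code so a scheduled run records the failure
        # (a bare 'exit' reports success to the caller).
        write-host "Error: Vault could not be created" -foregroundcolor red
        exit 1
    }
}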
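#Check if Let's Encrypt registry is present
write-host "Check Let's Encrypt Registration..."
$Registration = Get-ACMERegistration
if (-not $Registration) {
    write-host "Warning: No registration was found at Let's Encrypt, new registration is being performed" -foregroundcolor yellow
    # -AcceptTos accepts the subscriber agreement non-interactively
    $Registration = New-ACMERegistration -Contacts mailto:$contactmail -AcceptTos
    if (-not $Registration) {
        # Non-zero exit so a scheduled run is reported as failed
        # (a bare 'exit' reports success to the caller).
        write-host "Error: Could not register with Let's Encrypt" -foregroundcolor red
        exit 1
    }
    write-host "Registration at Let's Encrypt was done" -foregroundcolor green
}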
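### PART 1: UPDATE THE IDENTIFIER ###
# Register the DNS identifier under today's alias and request the dns-01
# challenge. With the manual handler nothing is published automatically: the
# TXT value is extracted below and pushed to Route53 by this script.
# NOTE(review): a second run on the same day reuses the same alias — confirm
# New-ACMEIdentifier tolerates an alias that already exists in the vault.
New-ACMEIdentifier -Dns $domain -Alias $alias
Complete-ACMEChallenge $alias -ChallengeType dns-01 -Handler manual
# Writes the new DNS challenge into a text file
(Update-ACMEIdentifier $alias -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"} > challenge.txt
# Get the new TXT record from Let's Encrypt: the token is the third
# '['-separated field of the "RR Value" line, with the closing ']' stripped.
# NOTE(review): this relies on the exact text layout of the ACMESharp manual
# handler output — TODO confirm against the installed ACMESharp version.
$RRtext = Select-String challenge.txt -Pattern "RR Value" -CaseSensitive | Out-String -Stream
if (-not $RRtext) {
    # Without a challenge value there is nothing to publish; stop before touching DNS
    write-host "Error: no 'RR Value' line found in challenge.txt, cannot continue" -foregroundcolor red
    exit 1
}
$separator = "["
$RRtext = $RRtext.split($separator)
$RRtext = $RRtext[2]
$RRtext = $RRtext.trimend("]")
# Route53 expects TXT record data wrapped in double quotes
$RRtext = """$RRtext"""
# Update the TXT Resource Record in AWS Route53. The record name and the change
# comment are derived from $domain so that changing the FQDN in the VARIABLES
# section also moves the challenge record (they were hard-coded copies before).
$change = New-Object Amazon.Route53.Model.Change
$change.Action = "UPSERT"
$change.ResourceRecordSet = New-Object Amazon.Route53.Model.ResourceRecordSet
$change.ResourceRecordSet.Name = "_acme-challenge.$domain."
$change.ResourceRecordSet.Type = "TXT"
$change.ResourceRecordSet.TTL = 300
$change.ResourceRecordSet.ResourceRecords = (New-Object Amazon.Route53.Model.ResourceRecord($RRtext))
$params = @{
    HostedZoneId="ZQUSU6S6339VA"
    ChangeBatch_Comment="Updated TXT record for $domain. with new Let'sEncrypt challenge"
    ChangeBatch_Change=$change
}
# NOTE(review): this uses the default AWS credentials of the account running the
# script; that principal should only be allowed to change records in this hosted zone.
Edit-R53ResourceRecordSet @params
# NOTE(review): nothing here waits for the Route53 change to propagate or asks
# Let's Encrypt to validate the challenge before the certificate is requested in
# PART 2 — confirm on a real run that the identifier reaches the "valid" state.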
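### PART 2: UPDATE THE CERTIFICATE ###
# Generate a new certificate
New-ACMECertificate ${alias} -Generate -Alias $certname
# Submit the certificate request
Submit-ACMECertificate $certname
# Wait until the certificate is available (has a serial number) before moving on
# as API work in async mode so the cert may not be immediately released.
# Bounded poll: Update-ACMECertificate is re-run every $pollSeconds until the
# serial number appears or $maxPolls attempts have been made; the original
# queried only once, so a still-pending certificate left $serialnumber empty
# and PART 3 then searched the store for a null serial number.
$pollSeconds = 2
$maxPolls = 30
$serialnumber = (Update-ACMECertificate $certname).SerialNumber
$polls = 0
while ((-not $serialnumber) -and ($polls -lt $maxPolls)) {
    Start-Sleep -Seconds $pollSeconds
    $serialnumber = (Update-ACMECertificate $certname).SerialNumber
    $polls++
}
if (-not $serialnumber) {
    write-host "Error: certificate $certname was not issued after $($maxPolls * $pollSeconds) seconds" -foregroundcolor red
    exit 1
}
# Export the new Certificate to a PFX file
# NOTE(review): the PKCS#12 file is written without a password and is not
# removed after import, so the private key stays readable on disk — confirm
# this is intended or delete the file once it has been imported.
Get-ACMECertificate $certname -ExportPkcs12 $pfxfile
# Import Certificate into Certificate Store. -Exportable allows the private key
# to be exported from the store again later; drop it if no consumer needs that.
$imported = Import-PfxCertificate -CertStoreLocation "cert:$certPath" -Exportable -FilePath $pfxfile
# Apply the friendly name declared in the VARIABLES section (previously unused)
# so the certificate is easy to find in the store; Import-PfxCertificate has no
# FriendlyName parameter, so it is set on the imported object instead.
foreach ($cert in $imported) {
    $cert.FriendlyName = $friendlyname
}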
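### PART 3: INSTALL THE CERTIFICATE INTO VEEAM CLOUD CONNECT
# Register the freshly imported certificate (matched by serial number) as the
# Cloud Connect gateway certificate on the local backup server.
Add-PSSnapin VeeamPSSnapin
Connect-VBRServer -Server localhost
$certificate = Get-VBRCloudGatewayCertificate -FromStore | Where-Object {$_.SerialNumber -eq $serialnumber}
if (-not $certificate) {
    # Never hand a null certificate to Veeam: release the session and fail loudly
    write-host "Error: certificate with serial number '$serialnumber' not found in the store" -foregroundcolor red
    Disconnect-VBRServer
    exit 1
}
Add-VBRCloudGatewayCertificate -Certificate $certificate
Disconnect-VBRServer
Return
### SCRIPT END ###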