
Can't extract DNS values from first part

Open He-Man321 opened this issue 1 year ago • 6 comments

I have created a PS script to create the certificates, update the DNS (through the GoDaddy API) and import the PFX file to IIS, and although I still have a few things to tidy I can see how it can all work...

...Except, how do you get the DNS TXT values from the first command into variables?

Essentially, when you run the first part (with the --delayed argument) it outputs several keys (one for each subdomain specified) that need to be put into the DNS TXT records. I can copy and paste these into the following commands that set them using the GoDaddy API, but how can I have them output into variables so I can automate this?

There is nothing in the documentation, but without this I don't see how I can automate the whole thing?

Thanks.

He-Man321 avatar Jun 26 '24 16:06 He-Man321

What is the 'first command' and the 'following commands'?

I tried to do the same thing and had to abandon it. I had trouble with getting GoDaddy's API to work but also had the same issue you are asking with the DNS TXT values. The only way I could see it work was output a log from LE then find the value in the log file. I was chasing Log::Log4perl stuff. Gave me a headache. I was so close, too.

I hope the developer can supply a more straight-forward way.

JustinWebDev avatar Jun 26 '24 23:06 JustinWebDev

If you had trouble with the GoDaddy DNS, the below is what I did to get it working, in case that helps:

So run this to start the process: ./le64.exe -email "[email protected]" -key domain.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "domain.co.uk,www.domain.co.uk" -generate-missing -live --handle-as dns --export-pfx "PASSWORD" --tag-pfx "domain.co.uk" --delayed

then this to create the DNS entries (note the "OUTPUT FROM ABOVE HERE" bit, which is the bit I want to automate): Invoke-RestMethod -Method PUT -Uri "https://api.godaddy.com/v1/domains/domain.co.uk/records/TXT/_acme-challenge" -Headers @{ Authorization="sso-key GODADDYKEY:GODADDYSECRET"} -ContentType "application/json" -Body "[{`"data`": `"OUTPUT FROM ABOVE HERE`",`"ttl`": 600}]"; Invoke-RestMethod -Method PUT -Uri "https://api.godaddy.com/v1/domains/domain.co.uk/records/TXT/_acme-challenge.www" -Headers @{ Authorization="sso-key GODADDYKEY:GODADDYSECRET"} -ContentType "application/json" -Body "[{`"data`": `"OUTPUT FROM ABOVE HERE`",`"ttl`": 600}]";

then this to complete the certificate generation: ./le64.exe -email "[email protected]" -key domain.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "domain.co.uk,www.domain.co.uk" -generate-missing -live --handle-as dns --export-pfx "PASSWORD" --tag-pfx "domain.co.uk"

And finally, to clear up the DNS entries afterwards: Invoke-RestMethod -Method DELETE -Uri "https://api.godaddy.com/v1/domains/domain.co.uk/records/TXT/_acme-challenge" -Headers @{ Authorization="sso-key GODADDYKEY:GODADDYSECRET"}; Invoke-RestMethod -Method DELETE -Uri "https://api.godaddy.com/v1/domains/domain.co.uk/records/TXT/_acme-challenge.www" -Headers @{ Authorization="sso-key GODADDYKEY:GODADDYSECRET"}

I then imported the certificate to IIS with this: $thumb=(Import-PfxCertificate -FilePath "domain.pfx" -CertStoreLocation "Cert:\LocalMachine\WebHosting" -Password (ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force)).Thumbprint

Which gave me the thumbprint to then add it to the bindings, which I didn't quite finish, because I didn't see the point unless I could automate that earlier step...

He-Man321 avatar Jun 27 '24 09:06 He-Man321

Thanks much for that info!

JustinWebDev avatar Jun 27 '24 22:06 JustinWebDev

Just to answer my own question, I ended up with this:

```powershell
# Run the delayed step and capture both stdout and stderr into a file to parse
./le64.exe -key domain.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "domain.com,www.domain.com" -generate-missing -live --handle-as dns --export-pfx "PASSWORD" --delayed 2>&1 > .\domain.txt
$codes = New-Object System.Collections.Generic.List[System.Object]
# Keep the text after "value: " on every "Host: _acme-challenge.*" line
foreach ($line in Get-Content .\domain.txt) {
    if ($line -like "*Host: _acme-challenge.*") { $codes.Add($line.Substring($line.IndexOf("value:") + 7)) }
}
$code0 = $codes[0]
$code1 = $codes[1]
Invoke-RestMethod -Method PUT -Uri "https://api.godaddy.com/v1/domains/domain.com/records/TXT/_acme-challenge.domain.com" -Headers @{ Authorization="sso-key GODADDYKEY:GODADDYSECRET"} -ContentType "application/json" -Body "[{`"data`": `"$code0`",`"ttl`": 600}]";
Invoke-RestMethod -Method PUT -Uri "https://api.godaddy.com/v1/domains/domain.com/records/TXT/_acme-challenge.www.domain.com" -Headers @{ Authorization="sso-key GODADDYKEY:GODADDYSECRET"} -ContentType "application/json" -Body "[{`"data`": `"$code1`",`"ttl`": 600}]";
```

Which works and answers my original question. But, considering Crypt-LE is supposed to be used to reach the dream of automated certificate renewals, why on earth doesn't it output the keys in a better way than forcing you to parse a text file!!!

Then, having finally found a way of getting this part working, I re-run the le64.exe command without the --delayed parameter and it starts off and then says: "When you see a text record returned, press Enter" WHAT!!!!!! "Press Enter"!!!! This is supposed to be an automated tool; who exactly is going to be there to press enter?!?!

Am I missing something? This seems like pushing water up a hill.

He-Man321 avatar Apr 14 '25 21:04 He-Man321
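As an added example (not code from this thread or from Crypt-LE), a more robust version of the parse-and-publish step in the post above: it keys each token by its _acme-challenge host instead of relying on output order ($codes[0], $codes[1]), builds the GoDaddy JSON body with ConvertTo-Json instead of hand-quoting the token, and polls the zone's authoritative nameserver so the script, not a person, confirms the record is visible before the second le64 run. The sample log lines, the exact le64 line shape (inferred from the "Host:" / "value:" matching above), the domain.com zone and the GODADDYKEY/GODADDYSECRET placeholders are assumptions.

```powershell
# Constructed le64 --delayed output (line shape inferred from the post's parsing; tokens are made up)
$sampleLog = @'
2024/06/26 16:06:00 Challenge for domain.com requires the following DNS record to be created:
2024/06/26 16:06:00 Host: _acme-challenge.domain.com, type: TXT, value: AbC123-constructedToken1
2024/06/26 16:06:00 Challenge for www.domain.com requires the following DNS record to be created:
2024/06/26 16:06:00 Host: _acme-challenge.www.domain.com, type: TXT, value: XyZ789-constructedToken2
'@ -split "`r?`n"

# Map each challenge host to its TXT value instead of relying on output order ($codes[0], $codes[1]).
function Get-AcmeTxtChallenges {
    param([string[]]$Lines)
    $challenges = @{}
    foreach ($line in $Lines) {
        if ($line -match 'Host:\s*(_acme-challenge\.[^\s,]+).*value:\s*(\S+)') {
            $challenges[$Matches[1]] = $Matches[2]
        }
    }
    return $challenges
}

# Upsert one TXT record in GoDaddy; ConvertTo-Json quotes/escapes the token correctly instead of
# interpolating it into a hand-written JSON string.
function Set-GoDaddyTxtRecord {
    param([string]$Zone, [string]$RecordName, [string]$Value, [string]$ApiKey, [string]$ApiSecret)
    $relative = $RecordName -replace ('\.' + [regex]::Escape($Zone) + '$'), ''   # e.g. _acme-challenge.www
    $body = ConvertTo-Json -InputObject @(@{ data = $Value; ttl = 600 }) -Compress  # -InputObject keeps the array
    Invoke-RestMethod -Method PUT -Uri "https://api.godaddy.com/v1/domains/$Zone/records/TXT/$relative" `
        -Headers @{ Authorization = "sso-key ${ApiKey}:${ApiSecret}" } `
        -ContentType 'application/json' -Body $body
}

# Poll the zone's authoritative server until the expected TXT value is served (bypasses resolver caches).
function Wait-AcmeTxtRecord {
    param([string]$Zone, [string]$RecordName, [string]$Expected, [int]$TimeoutSec = 300)
    $ns = (Resolve-DnsName -Name $Zone -Type NS | Where-Object NameHost | Select-Object -First 1).NameHost
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $txt = Resolve-DnsName -Name $RecordName -Type TXT -Server $ns -ErrorAction SilentlyContinue
        if ($txt -and ($txt.Strings -contains $Expected)) { return $true }
        Start-Sleep -Seconds 10
    }
    return $false
}

# Usage (placeholders for zone and API credentials; in a real run $sampleLog would be Get-Content .\domain.txt):
$challenges = Get-AcmeTxtChallenges -Lines $sampleLog
foreach ($name in $challenges.Keys) {
    Set-GoDaddyTxtRecord -Zone 'domain.com' -RecordName $name -Value $challenges[$name] -ApiKey 'GODADDYKEY' -ApiSecret 'GODADDYSECRET'
    if (-not (Wait-AcmeTxtRecord -Zone 'domain.com' -RecordName $name -Expected $challenges[$name])) { throw "TXT for $name not visible" }
}
```

Resolve-DnsName comes with the Windows DnsClient module, so this runs on the same IIS host the post describes; keep the API key and secret out of the script body (for example in a protected credential store) rather than in plain text next to the PFX password.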

Sorry that I can't help with le64, but was wondering if you have more than 5 domains? GoDaddy told me I couldn't use the API because I don't have enough domains.

JustinWebDev avatar Apr 14 '25 22:04 JustinWebDev

> Sorry that I can't help with le64, but was wondering if you have more than 5 domains? GoDaddy told me I couldn't use the API because I don't have enough domains.

Yes, welcome to the next of the many, many pointless hurdles preventing the promised dream of automated certificates! As it happens, I do have about 20 domains, and I also pay for their domain club membership thing, which I have also seen mentioned as being needed. So, in short, it works for me, but I don't know if it's because I have more than 10 domains or because I pay their membership subscription. But I am starting to think the dream is unreachable, as after you overcome each hurdle, another will pop up! Like the above "Press Enter" prompt from an automated tool!

He-Man321 avatar Apr 14 '25 22:04 He-Man321