RepairNewACMEOrder - RIT-ITS/CertifiCat-PS GitHub Wiki
Attempts to re-finalize an ACME certificate order that has been validated but timed out.
Repair-NewACMEOrder [-MainDomain <string>]
[-UpdateBindings] [-BindingPorts <string[]>]
[-SkipImport] [-StoreLocation <string>] [-StoreName <string>]
[-SkipCentralize] [-CentralDirectory <string>]
[-debugEnabled] [-debugLogDirectory <string>] [-debugMode <string>]
In certain situations, Sectigo may take an extended period of time (more than 60 seconds) to issue a new certificate. When this happens, the Posh-ACME New-PACertificate command, which is run by our Initialize-NewACMECertificate function, will time out, and any downstream actions will suspend.
This function will analyze the current ACME order and, as long as the status is "valid," will attempt to complete the order, obtain the certificate, and perform any additional downstream steps that may be needed.
🏷️ Note that any downstream steps are based on the parameters specified in this function, rather than those that may have been specified when Initialize-NewACMECertificate was initially run.
If the function detects that it is being used in a PowerShell 7+ console, it will suspend, and output a command that can be run in a legacy PowerShell console instead. See the Parameters list below for affected parameters and parameter values (generically, this applies to anything related to IIS or bindings).
Repair-NewACMEOrder -MainDomain app.example.com
This command will finalize the order, download the certificate, import it into the LocalMachine\WebHosting store in the Windows Certificate store and copy the certificate files to the directory specified by the -CentralDirectory parameter.
Repair-NewACMEOrder -MainDomain app.example.com -UpdateBindings
This command will finalize the order, download the certificate, import it into the LocalMachine\WebHosting store in the Windows Certificate store, copy the certificate files to the directory specified by the -CentralDirectory parameter, and then update all IIS HTTPS bindings with the new certificate.
-MainDomain
The primary domain associated with the certificate in the order.
Type: String
Position: Named
Default Value: False
Required: True
-UpdateBindings
When present, IIS bindings will be updated after the certificate is imported.
Type: SwitchParameter
Position: Named
Default Value: False
Required: False
If the function detects this parameter value being used in a PowerShell 7+ console, it will suspend, and output a command that can be run in a legacy PowerShell console instead.
-BindingPorts
Specifies the server which Posh-ACME will connect to and interact with.
Type: String[]
Position: Named
Default Value: False
Required: False
If the function detects this parameter value being used in a PowerShell 7+ console, it will suspend, and output a command that can be run in a legacy PowerShell console instead.
-SkipImport
When applied, the resulting certificate file will not be imported into the Windows Certificate Store.
Type: Switch
Position: Named
Default Value: False
Required: False
-StoreLocation
Specifies the server which Posh-ACME will connect to and interact with.
Type: String
Position: Named
Default Value: LocalMachine
Required: False
-StoreName
Specifies the server which Posh-ACME will connect to and interact with.
Type: String
Position: Named
Default Value: WebHosting
Required: False
-SkipCentralize
When applied, the resulting certificate files will not be copied from the Posh-ACME working directory to a central location.
Type: Switch
Position: Named
Default Value: False
Required: False
-CentralDirectory
When the -SkipCentralize parameter is omitted, this directory specifies where the new certificate files will be copied.
Type: String
Position: Named
Default Value: %PROGRAMDATA%\certificat-ps\certificates\<main domain>\<date as: MM-dd-yyyy-HH-mm-ss>
Required: False
-debugEnabled
This switch must be present to cause the function in question to output the contents of the object to a file or event log.
Type: Switch
Position: Named
Required: False
-debugLogDirectory
Specifies where the CertifiCat-PS debug logs are written, when the debugMode option is EVT or Both.
Type: String
Position: Named
Required: False
-debugMode
Controls where the CertifiCat-PS debug information is written: EVT (the Windows Event Log), File (a text file on disk), or Both (a text file on disk and the Windows Event Log).
Type: String
Position: Named
Required: False
Default Value: EVT
ValidateSet: EVT, File, Both
Returns a custom PowerShell object with properties about the function and the account that was set up. The object has the following properties:
Property | Details |
---|---|
FunctionName | Name of the function that was run |
RunningPSVersion | The version of the PowerShell console used to run the function |
PS5Command | A full string containing the commands needed to run the same command in PowerShell 5 |
FunctionArguments | A list of the arguments passed to the function |
FunctionSuccess | True/False indicating if the function succeeded. When false, this typically indicates a larger issue (e.g. no admin rights, etc) |
Errors | A string containing details about any errors that were encountered |
Certificate | An array of certificate objects that either were found to be ineligible for renewal, or the certificate that was issued new by Posh-ACME |
Bindings | An array of IIS binding objects that were found (either all HTTPS bindings, or only those as specified by the -BindingPorts parameter) |
CertificateImported | True/False indicating whether or not the certificate was successfully imported into the Windows certificate store |
BindingsUpdated | True/False indicating whether or not the corresponding IIS site bindings were successfully updated |
StoreLocation | The Windows Certificate Store location into which the new certificate was imported |
StoreName | The Windows Certificate Store location into which the new certificate was imported |
PFXPath | The full path to the PFX file that was imported |
CertificateCentralized | True/False indicating whether or not the new certificate was copied to the Central directory, below. |
CentralDirectory | The location of the central directory into which the new certificate files were copied. |
CertificateFriendlyName | The FriendlyName of the new certificate (based on what was specified or calculated when the Initialize-NewACMECertificate function was run) |
debugEnabled | Boolean indicating whether debug logging was enabled |
debugLogDirectory | String indicating the location of the debug log file, if file logging mode is enabled |
debugMode | String indicating the logging mode (i.e. EVT, File, or Both) |
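
The following is an added example, not code from the CertifiCat-PS project: it runs the repair and then checks the documented return object and the certificate store, so a partially completed repair fails loudly instead of leaving IIS on the old certificate. The wrapper name Invoke-RepairAndVerify is hypothetical, and the PowerShell 7 branch assumes PS5Command is populated when the function suspends.

```powershell
# Added example; Invoke-RepairAndVerify is a hypothetical wrapper name.
function Invoke-RepairAndVerify {
    param([Parameter(Mandatory)][string]$MainDomain)

    $result = Repair-NewACMEOrder -MainDomain $MainDomain -UpdateBindings

    # Assumption: when the function suspends in PowerShell 7+, PS5Command
    # carries the equivalent command for a legacy PowerShell console.
    if ($PSVersionTable.PSVersion.Major -ge 7 -and $result.PS5Command) {
        Write-Warning "Run in a legacy console instead: $($result.PS5Command)"
        return $result
    }

    # Collect every failed downstream step reported by the function.
    $problems = @()
    if (-not $result.FunctionSuccess)        { $problems += "Function failed: $($result.Errors)" }
    if (-not $result.CertificateImported)    { $problems += 'Certificate was not imported' }
    if (-not $result.BindingsUpdated)        { $problems += 'IIS bindings were not updated' }
    if (-not $result.CertificateCentralized) { $problems += 'Certificate files were not centralized' }

    # Cross-check the store itself instead of relying only on the flags.
    if ($result.CertificateImported) {
        $storePath = "Cert:\$($result.StoreLocation)\$($result.StoreName)"
        $cert = Get-ChildItem -Path $storePath |
            Where-Object { $_.DnsNameList.Unicode -contains $MainDomain } |
            Sort-Object NotBefore -Descending |
            Select-Object -First 1

        if (-not $cert) {
            $problems += "No certificate for $MainDomain found in $storePath"
        } elseif (-not $cert.HasPrivateKey) {
            $problems += "Certificate $($cert.Thumbprint) has no private key"
        } elseif ($cert.NotAfter -le (Get-Date)) {
            $problems += "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
        }
    }

    if ($problems.Count -gt 0) {
        throw "Repair of $MainDomain incomplete: $($problems -join '; ')"
    }
    return $result
}

Invoke-RepairAndVerify -MainDomain 'app.example.com'
```

Because the wrapper throws on any failed step, a scheduled task or deployment pipeline that calls it will surface the failure through its exit status.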