Automated "manual" DNS verification


emc...@gmail.com

Sep 6, 2017, 5:37:55 AM
to ACMESharp
After our upgrade to Exchange 2016 we realised that it now forces you to use a single server for both Exchange and IIS for the web client.

Our Exchange server is not normally internet facing on HTTP/HTTPS and so we had to use IIS ARR and web server farms to forward the requests, which broke our PowerShell routines using ACMESharp.

So, I have now automated the manual DNS verification to help us and wanted to share :)

The additional sections are below, including the change to the Register-FQDN routine; you need to set $dnsserver to point to your DNS server.

function Register-FQDN
{
    $FQDN = $args[0]

    echo "`n Creating a new identifier for $FQDN ..."
    echo "`n $FQDN"
    New-ACMEIdentifier -Dns $FQDN -Alias $FQDN | select status, Expires
    Get-ACMEIdentifier -IdentifierRef $FQDN

    echo "`n Completing the challenge for the new identifier for $FQDN ..."
    $challenge = Complete-ACMEChallenge $FQDN -Verbose -Regenerate -ChallengeType dns-01 -Handler manual -HandlerParameters @{ WebSiteRef = $FQDN } #| select Identifier, status, Expires *>&1 >> $acmelog

    # The manual dns-01 handler returns the TXT record name and value that must be published
    $dnsChallenge = ($challenge.Challenges | Where-Object { $_.Type -eq "dns-01" }).Challenge
    $rec  = $dnsChallenge.RecordName
    $data = $dnsChallenge.RecordValue

    Store-DNS $rec $data

    echo "`n Submitting the new identifier for $FQDN ..."
    Submit-ACMEChallenge $FQDN -ChallengeType dns-01 | select Identifier, status, Expires *>&1 >> $acmelog

    # Poll until the CA reports the authorization as valid (or give up once it is invalid)
    do
    {
        $auth = ((Update-ACMEIdentifier $FQDN -ChallengeType dns-01).Challenges | Where-Object { $_.Type -eq "dns-01" }).Status
        if ($auth -eq "invalid") { break }
        echo "`n Waiting for a valid authorization ... Current status is $auth"
        Start-Sleep -s 3
    } until ($auth -eq "valid")

    Update-ACMEIdentifier $FQDN | select Identifier, status, Expires *>&1 >> $acmelog
}


function Find-Zone
{
    # Strip labels from the left of $z until exactly one zone on $dnsserver matches;
    # returns the zone name and the record name relative to that zone
    $z  = $args[0]
    $za = $z.Split('.')

    $c  = 0
    $zt = $za[$c..($za.Length - 1)]

    # Exact match on the zone name: a '*'-suffix wildcard would also match unrelated zones
    # whose names merely end in the same string
    while ((Get-DnsServerZone -ComputerName $dnsserver | Where-Object { $_.ZoneName -eq ($zt -join '.') } | Measure-Object).Count -ne 1)
    {
        $c += 1
        # Without this guard the loop never ends when no zone on the server is authoritative for $z
        if ($c -ge $za.Length) { throw "No zone on $dnsserver is authoritative for $z" }
        $zt = $za[$c..($za.Length - 1)]
    }

    return ($zt -join '.'), ((Compare-Object $za $zt -PassThru) -join '.')
}


function Store-DNS
{
    $rec  = $args[0]
    $data = $args[1]

    $zones = Find-Zone $rec
    $zone  = $zones[0]
    $rr    = $zones[1]

    # Ensure that the old record isn't there still
    # (-Force skips the confirmation prompt; a record that does not exist yet is not an error)
    Remove-DnsServerResourceRecord -ComputerName $dnsserver -ZoneName $zone -Name $rr -RRType Txt -Force -ErrorAction SilentlyContinue
    Add-DnsServerResourceRecord -ComputerName $dnsserver -ZoneName $zone -Name $rr -Txt -DescriptiveText $data
}


#NOTE: Uncomment and edit the lines below
#---------------------------------------
$dnsserver = "server02"
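One gap worth closing in the routine above: Submit-ACMEChallenge is called straight after the TXT record is written to the internal DNS server, so if the public-facing view of the zone lags (secondary transfer, caching) the CA can see no record, mark the authorization invalid, and the do/until loop bails out; the identifier then has to be regenerated. The script also never deletes the _acme-challenge TXT record once the certificate is issued. The following is an added example written for this thread, not code from the original post or from ACMESharp: it polls a resolver until the expected TXT value is visible, and removes the record afterwards. It reuses Find-Zone and $dnsserver from the post; $resolver is an assumption (8.8.8.8 is only a placeholder, and for a zone with negative caching you would point it at the zone's public authoritative nameserver instead).

```powershell
# Added example (not from the original post). Assumes Find-Zone and $dnsserver
# from the script above are already defined in the session.
$resolver = "8.8.8.8"   # placeholder: any resolver that sees the public view of the zone

function Wait-DnsTxtRecord
{
    # Returns $true once $Expected is among the TXT strings published at $Name,
    # $false if that has not happened within $TimeoutSeconds
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Expected,
        [int]$TimeoutSeconds = 300
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $seen = Resolve-DnsName -Name $Name -Type TXT -Server $resolver -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Strings -contains $Expected }
        if ($seen) { return $true }
        echo "`n TXT record for $Name not visible yet at $resolver, retrying ..."
        Start-Sleep -Seconds 10
    } until ((Get-Date) -gt $deadline)
    return $false
}

function Remove-AcmeTxtRecord
{
    # Delete the _acme-challenge TXT record once the authorization is valid,
    # so stale challenge values do not accumulate in the zone
    param([Parameter(Mandatory)] [string]$Name)
    $zones = Find-Zone $Name
    Remove-DnsServerResourceRecord -ComputerName $dnsserver -ZoneName $zones[0] -Name $zones[1] -RRType Txt -Force -ErrorAction SilentlyContinue
}

# Usage inside Register-FQDN: between "Store-DNS $rec $data" and Submit-ACMEChallenge add
#   if (-not (Wait-DnsTxtRecord -Name $rec -Expected $data)) {
#       throw "TXT record for $rec never became visible; not submitting the challenge"
#   }
# and after the do/until loop, once $auth is "valid", add
#   Remove-AcmeTxtRecord -Name $rec
```

Resolve-DnsName with -DnsOnly bypasses the local cache and hosts file, which is what you want here; the TXT strings are matched exactly against the value ACMESharp handed back, so a leftover record from a previous run (which the Remove call in Store-DNS is meant to clear) will not be mistaken for the current one.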

Joseph Flynn

Jan 5, 2018, 11:13:10 AM
to ACMESharp
I am trying to better automate the process I am using for a homebrew Windows server application (not IIS). I had previously been manually executing the steps from the QuickStart guide but that is getting old.

Your function looks interesting to me.  Totally a newb though here with PowerShell scripting in general and this library in particular.

I am using

Complete-ACMEChallenge -VaultProfile my-vault -IdentifierRef my-domain-com -ChallengeType http-01 -Handler manual -HandlerParameters @{WriteOutPath = "c:\Users\me\inst.txt"}

after which I follow the instructions in the instruction.txt file to populate a key file in the .well-known/acme-challenge/key path for confirmation. I see that your method is saving DNS records, whereas I am using the .well-known path method.

1) it looks like maybe I can use your code above to pull the $rec and $data and add some steps to automatically save the file for authentication.  Yes??
2) I seem to keep having to use new identifiers each time I run through the script and generate new keys.  Is there a way for me to reuse identifiers so I can rerun the script?

Thanks!
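For the http-01 variant asked about above, the equivalent of pulling $rec and $data is to take the file name and key authorization from the challenge object and write them under the web root, rather than transcribing inst.txt by hand. The block below is an added example for this thread, not code from either poster or from ACMESharp. It assumes the manual http-01 handler's challenge object exposes FilePath and FileContent (the same values it writes to inst.txt; confirm the property names with Format-List before relying on them), and that $webRoot is the folder the homebrew application serves for /.well-known/acme-challenge/; the vault and identifier names are the ones from the post.

```powershell
# Added example (not from the thread). $webRoot is a placeholder; FilePath and FileContent
# are assumed property names of the http-01 challenge object, check them with:
#   ($challenge.Challenges | Where-Object { $_.Type -eq "http-01" }).Challenge | Format-List
$webRoot = "C:\acme-webroot"

function Write-Http01Challenge
{
    # Writes the key authorization to <WebRoot>\.well-known\acme-challenge\<token>
    # and returns the path written
    param(
        [Parameter(Mandatory)] $Challenge,          # object returned by Complete-ACMEChallenge
        [Parameter(Mandatory)] [string]$WebRoot
    )
    $http = ($Challenge.Challenges | Where-Object { $_.Type -eq "http-01" }).Challenge

    # Only the token (last path segment) is taken from the challenge; the directory is fixed
    # by us, so a path supplied by the ACME side can never be used to write elsewhere
    $token = Split-Path -Leaf $http.FilePath
    if ($token -notmatch '^[A-Za-z0-9_-]+$') { throw "Unexpected challenge token: $token" }

    $dir = Join-Path $WebRoot ".well-known\acme-challenge"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $file = Join-Path $dir $token

    # The key authorization must be served byte-for-byte: plain ASCII, no BOM, no trailing newline
    [System.IO.File]::WriteAllText($file, $http.FileContent, [System.Text.Encoding]::ASCII)
    return $file
}

# Usage, with the command from the post above
$challenge = Complete-ACMEChallenge -VaultProfile my-vault -IdentifierRef my-domain-com -ChallengeType http-01 -Handler manual -HandlerParameters @{ WriteOutPath = "c:\Users\me\inst.txt" }
$written = Write-Http01Challenge -Challenge $challenge -WebRoot $webRoot
echo "`n Key authorization written to $written"
Submit-ACMEChallenge -VaultProfile my-vault -IdentifierRef my-domain-com -ChallengeType http-01
```

Before submitting, it is worth fetching http://my-domain-com/.well-known/acme-challenge/<token> yourself (Invoke-WebRequest with -UseBasicParsing) and comparing the body to $challenge's FileContent; a Content-Type other than text/plain is tolerated by the CA, but a BOM or an added newline is not. The file should be deleted once the authorization reports valid, the same way the DNS record in the first post should be.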