Goal: Get some #letsencrypt certificate obtained with #uacme deployed on some #Windows box

Step 1: Ok, this probably works best with #Powershell (which I don't really like ...)

Step 2: There's no #FreeBSD port ... but hey, there's now a FreeBSD port of #dotnet, let's try to "just" build Powershell using that.

Step 3: Hell, why does it fail to build? Oh, System.Security.Cryptography.Native doesn't play well with #LibreSSL

Patch and retry, I guess I'll take some sleep now first. Bah!

(there's some irony in running into OpenSSL/LibreSSL issues when trying to deploy TLS certificates ...)

@zirias I'm confused. Are you trying to get the certs on Windows or FreeBSD? If PowerShell on Windows, why not use a PowerShell native client like Posh-ACME? If uacme on FreeBSD, why build PowerShell there?
https://poshac.me/docs/v4/

@rmbolger Because I have a central certificate distribution where I have set up everything (including DNS challenges) and I don't want to allow the Windows machine to do DNS updates at all.

@zirias I think I understand. So the PowerShell on FreeBSD is merely to aid in the deployment of the uacme-obtained cert?

@rmbolger The idea is to use "#powershell remoting" (which I have to really understand first) with #OpenSSH to remotely add the cert to the store, delete the old one, and do whatever service configurations (e.g. for the #RDP connector) are necessary.

For other hosts (#FreeBSD and #Linux), I just do such things with plain SSH and restricted SSH keys only allowed to execute what is necessary on the target machine. I'll have to find out how to do something similar with Powershell. But then, I'll first need Powershell 😉

@zirias Fair warning, whatever account you end up using to connect to the Windows machine will likely need local admin privs on that box in order to update the cert for system level services such as RDP. PowerShell remoting is the way to go though assuming you can get the bits working from the FreeBSD box.

@rmbolger Yes ... with plain SSH, I can configure restrictions on the key used for authentication, so although privileges are needed on the target boxes, it's only possible to do whatever is needed to replace the cert. Guess it won't be that easy with powershell 😞

But so far, I'm still fighting with its build system anyways. First horror: it refuses to work without git.
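The restricted-key pattern described above for the FreeBSD and Linux hosts, as an added example that is not part of the thread or of uacme: a forced-command wrapper that an authorized_keys entry pins the deployment key to, so that key can replace the certificate and private key files and do nothing else. The install directory, the command names deploy-cert/deploy-key and the RELOAD_CMD hook are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a restricted certificate deployment key
# (added example; paths and command names are assumed, not from the thread).
#
# authorized_keys line on the target host (constructed; key material elided):
#   restrict,command="/usr/local/libexec/deploy-cert" ssh-ed25519 AAAA... certdist
#
# After uacme has issued the cert, the distribution host runs, for example:
#   ssh -i deploy_key deploy@target deploy-cert < fullchain.pem
#   ssh -i deploy_key deploy@target deploy-key  < privkey.pem

# deploy_cert REQUESTED_COMMAND   (PEM material on stdin)
# Installs the PEM into $CERT_DIR under a fixed name. Returns non-zero and
# leaves nothing behind if the command or the input is not what is expected.
deploy_cert() {
    dir="${CERT_DIR:-/usr/local/etc/ssl/deploy}"   # assumed location
    case "$1" in
        deploy-cert) marker='CERTIFICATE'; target=fullchain.pem; mode=0644 ;;
        deploy-key)  marker='PRIVATE KEY'; target=privkey.pem;   mode=0600 ;;
        *) echo "deploy-cert: refusing command '$1'" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$dir/.$target.XXXXXX") || return 1
    cat > "$tmp"
    # Only the expected PEM block type may appear: no key smuggled into the
    # world-readable certificate slot, no cert or anything else in the key slot.
    if ! grep -q "^-----BEGIN .*$marker-----\$" "$tmp" ||
       grep '^-----BEGIN ' "$tmp" | grep -qv "$marker-----\$"; then
        rm -f "$tmp"
        echo "deploy-cert: stdin is not a PEM $marker" >&2
        return 1
    fi
    chmod "$mode" "$tmp" && mv "$tmp" "$dir/$target" || { rm -f "$tmp"; return 1; }
    # Optional service reload, e.g. RELOAD_CMD="service nginx reload" (assumed).
    [ -z "${RELOAD_CMD:-}" ] || $RELOAD_CMD
}

# Under sshd's command= option the client's requested command arrives in
# SSH_ORIGINAL_COMMAND; it is only compared against the allow-list, never run.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    deploy_cert "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```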