Mastodawn

Felix Palmen 📯Mar 27, 2024

Goal: Get some #letsencrypt certificate obtained with #uacme deployed on some #Windows box

Step 1: Ok, this probably works best with #Powershell (which I don't really like ...)

Step 2: There's no #FreeBSD port ... but hey, there's now a FreeBSD port of #dotnet, let's try to "just" build Powershell using that.

Step 3: Hell why does it fail to build. Oh, System.Security.Cryptography.Native doesn't play well with #LibreSSL

Patch and retry, I guess I'll take some sleep now first. Bah!

(there's some irony in running into OpenSSL/LibreSSL issues when trying to deploy TLS certificates ...)

Show thread

Ryan Bolger Mar 28, 2024

@zirias I'm confused. Are you trying to get the certs on Windows or FreeBSD? If PowerShell on Windows, why not use a PowerShell native client like Posh-ACME? If uacme on FreeBSD, why build PowerShell there?
https://poshac.me/docs/v4/

Home

Documentation for the Posh-ACME PowerShell module

Show thread

Felix Palmen 📯Mar 28, 2024

@rmbolger Because I have a central certificate distribution where I have setup everything (including DNS challenges) and I don't want to allow the Windows machine to do DNS updates at all.

Show thread

Ryan Bolger Mar 28, 2024

@zirias I think I understand. So the PowerShell on FreeBSD is merely to aid in the deployment of the uacme obtained cert?

Show thread

Felix Palmen 📯Mar 28, 2024

@rmbolger The idea is to use "#powershell remoting" (which I have to really understand first) with #OpenSSH to remotely add the cert to the store, delete the old one, and do whatever service configurations (e.g. for the #RDP connector) are necessary.

For other hosts (#FreeBSD and #Linux), I just do such things with plain SSH and restricted SSH keys only allowed to execute what is necessary on the target machine. I'll have to find out how to do something similar with Powershell. But then, I'll first need Powershell 😉