Hello all,
I wanted to share my solution for easy certificate management. If you have a DNS service and a Windows machine, this may work for you.
First, check out Certify The Web. This tool runs a service on your machine that manages your certificates and auto-renews them by pushing TXT records out to many of the more common DNS providers. As a home user who has moved all my pet projects out to cloud services, this meant I could finally take down my last on-prem Linux VM that was running Apache for the sole purpose of hosting certbot.
If that works for you, the next step is to get your hands on a PowerShell script that will take the auto-renewed certificates and push them out to XG. Lucky for you, I read through all of the PowerShell scripting advice on this forum and put one together.
I've got a decent readme on the GitHub page, but as an overview the script will:
- push new certs to XG if they don't already exist
- scan for rules that use a cert and if any are found:
  - upload the renewed cert with a temporary name
  - update the rules to use the temp cert
  - update the real cert
  - re-point the rules to the real cert
  - fix any groups the rules were part of (API bug?)
  - remove the temporary cert
There are also a few command line flags you can pass.
- skip the rule check for certs you know aren't used in FW rules
- send e-mail after script completion
- flag to "dry run" which will log the API XML instead of sending it
- probably something else I'm forgetting.
You can run this script stand-alone or as part of any other process, but my GitHub repo also includes a “bridge” script allowing you to trigger it as a post-renewal action right from the Certify The Web client. Basically a “set it and forget it” process.
Hope this helps someone,
Gary
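The temp-cert swap and the "dry run" flag from the post, as an added PowerShell example that is not Gary's script: the endpoint path and the XML element names are assumed placeholders to be checked against the XG API reference for your firmware, and the rule list is assumed to come from the rule scan the post describes.

```powershell
# Added example, not Gary's script: the temp-cert swap sequence from the post,
# with a -DryRun switch that logs the request XML instead of sending it.
# ASSUMED: the endpoint path and every XML element name below are placeholders;
# confirm them against the XG API reference for your firmware before use.
function Invoke-XgApi {
    param(
        [Parameter(Mandatory)][string]$Firewall,          # host:port, e.g. fw.example.local:4444
        [Parameter(Mandatory)][pscredential]$Credential,  # API user, never a plaintext string
        [Parameter(Mandatory)][string]$BodyXml,           # the <Set>/<Remove> payload
        [switch]$DryRun
    )
    # Escape values before embedding them in XML so odd names cannot break the request.
    $user = [System.Security.SecurityElement]::Escape($Credential.UserName)
    $pass = [System.Security.SecurityElement]::Escape($Credential.GetNetworkCredential().Password)
    $request = "<Request><Login><Username>$user</Username><Password>$pass</Password></Login>$BodyXml</Request>"
    if ($DryRun) {
        # Log only the operation payload; the login block never goes to the log.
        Write-Host "[dry-run] $BodyXml"
        return
    }
    # XG accepts the request as a form field named reqxml (assumed endpoint path).
    Invoke-RestMethod -Uri "https://$Firewall/webconsole/APIController" -Method Post -Body @{ reqxml = $request }
}

function Update-XgCertificate {
    param(
        [Parameter(Mandatory)][string]$Firewall,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$CertName,          # name of the cert object on XG
        [Parameter(Mandatory)][string]$PfxBase64,         # renewed cert, base64 of the .pfx
        [string[]]$RulesUsingCert = @(),                  # rule names found by the rule scan
        [switch]$DryRun
    )
    $common = @{ Firewall = $Firewall; Credential = $Credential; DryRun = $DryRun }
    $name = [System.Security.SecurityElement]::Escape($CertName)
    $temp = "$name-renewal-temp"
    $certXml = { param($n) "<Set><Certificate><Name>$n</Name><CertificateData>$PfxBase64</CertificateData></Certificate></Set>" }
    $ruleXml = { param($r, $c) "<Set operation='update'><FirewallRule><Name>$r</Name><Certificate>$c</Certificate></FirewallRule></Set>" }
    if ($RulesUsingCert.Count -eq 0) {
        # Nothing references the cert, so update it in place (the "skip the rule check" path).
        Invoke-XgApi @common -BodyXml (& $certXml $name); return
    }
    $rules = $RulesUsingCert | ForEach-Object { [System.Security.SecurityElement]::Escape($_) }
    Invoke-XgApi @common -BodyXml (& $certXml $temp)                                # upload under temp name
    foreach ($r in $rules) { Invoke-XgApi @common -BodyXml (& $ruleXml $r $temp) }  # rules -> temp cert
    Invoke-XgApi @common -BodyXml (& $certXml $name)                                # update the real cert
    foreach ($r in $rules) { Invoke-XgApi @common -BodyXml (& $ruleXml $r $name) }  # rules -> real cert
    Invoke-XgApi @common -BodyXml "<Remove><Certificate><Name>$temp</Name></Certificate></Remove>"  # drop temp
}
```

Run it once with -DryRun and compare the logged payloads against the API reference before letting a renewal hook call it unattended.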