Description
Please provide some information about your script:
- Where should it run (On-Prem, Azure, Windows, Linux, Full / Desktop)?
- Windows PowerShell (Azure Functions)
- Which Version are you running (make sure to use the latest)
- So far, using 1.5.0 but also tried with latest version.
- What is your level of PowerShell expertise?
- Good.
We have been generating Let's Encrypt certs so far without issues using an Azure Function and importing them into Azure Key Vault. But the function stopped working from June 2024, which I assume is due to this: https://letsencrypt.org/certificates/
This is our code:
We generate the cert:
# As soon as the url shows up we can create the PFX
Export-ACMECertificate -State $acmeStateDir `
-Order $order `
-Path $certExportPath `
-Password $securePassword `
-UseAlternateChain
We split the Cert into Key and CRT due to this Error:
## "Correcting Certificate Order Due to a bug in LetsEncrypt Cert with Incorrect Order"
## There is an issue on the roadmap to be fixed with Azure Key Vault so that it always keeps the order in the certificate correct even if the certificate is uploaded in the wrong order.
## But until then we will manually correct the order
## https://github.com/Azure/azure-rest-api-specs/issues/10637
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -in "$certExportPath" -nocerts -out "${certExportPath}.key" -passin pass:$CERT_PASS -passout pass:$CERT_PASS
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -in "$certExportPath" -clcerts -nokeys -out "${certExportPath}.crt" -passin pass:$CERT_PASS
##We download the Root and Intermediate CERTS manually
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/isrgrootx1.pem", "$acmeStateDir\Certificates\isrgrootx1.pem") ## ROOT CA
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/lets-encrypt-r3.pem", "$acmeStateDir\Certificates\lets-encrypt-r3.pem") ## INTERMEDIATE CA
Get-Content "$acmeStateDir\Certificates\isrgrootx1.pem" >> "$acmeStateDir\Certificates\ca.crt" ## ROOT CA
Get-Content "$acmeStateDir\Certificates\r10.pem" > "$acmeStateDir\Certificates\ca.crt" ## INTERMEDIATE CA
Get-Content "$acmeStateDir\Certificates\ca.crt"
##Rebuild pfx
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -export -out "${certExportPath}.rebuilt.pfx" -inkey "${certExportPath}.key" -in "${certExportPath}.crt" -certfile "$acmeStateDir\Certificates\ca.crt" -passin pass:$CERT_PASS -passout pass:$CERT_PASS
When trying to test this rebuilt PFX:
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -nodes -in "${certExportPath}" -out "${certExportPath}.crt" -passin pass:$CERT_PASS
$Attime = (New-TimeSpan -Start (Get-Date "01/01/1970") -End (Get-Date).AddDays(+60)).TotalSeconds ## Checking with -attime 6 months in advance so that we know 6 months before if any certificate in the chain is expiring within 6 months
$Attime = ($Attime -Split("\."))[0].Trim() #Ignore MilliSeconds
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" verify -attime $Attime -x509_strict -CAfile "$acmeStateDir\Certificates\ca.crt" -verbose "${certExportPath}.crt"
I get this error:
error 20 at 0 depth lookup: unable to get local issuer certificate
I also tried with the new intermediate certs, with no luck:
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/isrgrootx1.pem", "$acmeStateDir\Certificates\isrgrootx1.pem") ## ROOT CA
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/2024/r10.pem", "$acmeStateDir\Certificates\r10.pem") ## INTERMEDIATE CA
Am I missing anything? Please suggest. Thanks.
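The following is an added PowerShell example, not the issue author's code and not part of ACME-PS. It reads the PFX that Export-ACMECertificate wrote, orders the certificates it contains into leaf then intermediate(s) by following Issuer/Subject links, checks that the last link is issued by the ISRG Root X1 file the post already downloads, writes PEM files in that order, and runs the same openssl verify with the root as -CAfile and the intermediate(s) as -untrusted. It assumes the variables from the post ($certExportPath, $CERT_PASS, $acmeStateDir, $ModulePath) and that the PFX carries the issuing intermediate, as ACME chains do; matching on DN strings is an assumption that holds for Let's Encrypt, whose intermediates have distinct subjects.

```powershell
# Added example (not the issue author's code). Assumes $certExportPath, $CERT_PASS,
# $acmeStateDir and $ModulePath from the post.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security   # X509 types, present in Windows PowerShell 5.1

function Get-OrderedChain {
    # Returns the certificates of a PFX as an array: leaf first, then each issuer in turn.
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $Password
    )
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    # EphemeralKeySet: do not persist the private key in a user/machine key store
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $collection.Import($PfxPath, $Password, $flags)

    # The leaf is the one certificate that carries the private key.
    $leaf = @($collection | Where-Object { $_.HasPrivateKey })
    if ($leaf.Count -ne 1) { throw "Expected exactly one certificate with a private key in $PfxPath, found $($leaf.Count)" }

    $ordered = @()
    $current = $leaf[0]
    while ($true) {
        $ordered += $current
        if ($current.Subject -eq $current.Issuer) { break }   # self-signed root reached
        # Assumption: the issuer is found by comparing DN strings (fine for Let's Encrypt).
        $issuer = @($collection | Where-Object { $_.Subject -eq $current.Issuer -and $_.Thumbprint -ne $current.Thumbprint })
        if ($issuer.Count -eq 0) { break }                    # PFX does not carry the next link (ACME chains omit the root)
        $current = $issuer[0]
    }
    return ,$ordered
}

function ConvertTo-Pem {
    # PEM encoding with 64-character base64 lines, as openssl expects.
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
}

function Test-ChainExpiry {
    # Managed equivalent of the post's openssl verify -attime check: warn about any link
    # of the chain that expires within the given number of days. Returns $true if none does.
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2[]] $Chain,
          [int] $WithinDays = 60)
    $cutoff   = (Get-Date).AddDays($WithinDays)
    $expiring = @($Chain | Where-Object { $_.NotAfter -lt $cutoff })
    foreach ($c in $expiring) { Write-Warning ("{0} expires {1:u}" -f $c.Subject, $c.NotAfter) }
    return ($expiring.Count -eq 0)
}

$certDir = "$acmeStateDir\Certificates"
$root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$certDir\isrgrootx1.pem"
$chain   = @(Get-OrderedChain -PfxPath $certExportPath -Password $CERT_PASS)

$chain | ForEach-Object { Write-Host ("{0}`n    issued by {1}`n    valid until {2:u}" -f $_.Subject, $_.Issuer, $_.NotAfter) }

# The last link we could follow must be (issued by) the root we trust; otherwise the
# intermediate on disk is not the one that signed this leaf, which is exactly the case
# in which openssl reports "unable to get local issuer certificate".
$last = $chain[-1]
$ok = if ($last.Subject -eq $last.Issuer) { $last.Thumbprint -eq $root.Thumbprint } else { $last.Issuer -eq $root.Subject }
if (-not $ok) { throw "Chain ends at '$($last.Subject)', issued by '$($last.Issuer)', which is not the trusted root '$($root.Subject)'" }

# Leaf, intermediate(s) and root as separate PEM files, plus ca.crt in the order the
# pkcs12 -certfile rebuild needs: intermediate(s) first, then the root.
$leafPem  = ConvertTo-Pem $chain[0]
$interPem = ($chain | Select-Object -Skip 1 | Where-Object { $_.Subject -ne $_.Issuer } | ForEach-Object { ConvertTo-Pem $_ }) -join ''
$rootPem  = ConvertTo-Pem $root
Set-Content -Path "$certDir\leaf.pem"          -Value $leafPem               -Encoding Ascii -NoNewline
Set-Content -Path "$certDir\intermediates.pem" -Value $interPem              -Encoding Ascii -NoNewline
Set-Content -Path "$certDir\root.pem"          -Value $rootPem               -Encoding Ascii -NoNewline
Set-Content -Path "$certDir\ca.crt"            -Value ($interPem + $rootPem) -Encoding Ascii -NoNewline

# Verify with the root as the only trust anchor and the intermediate(s) as untrusted helpers.
$openssl   = "${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe"
$untrusted = @()
if ($interPem) { $untrusted = @('-untrusted', "$certDir\intermediates.pem") }
& $openssl verify -CAfile "$certDir\root.pem" @untrusted -x509_strict "$certDir\leaf.pem"
if ($LASTEXITCODE -ne 0) { throw "openssl verify failed with exit code $LASTEXITCODE" }
Test-ChainExpiry -Chain $chain -WithinDays 60 | Out-Null
```

The design choice is to take the issuing intermediate out of the exported PFX instead of downloading it by a fixed name: the post itself moved from lets-encrypt-r3.pem to 2024/r10.pem, and a hard-coded file silently stops matching the leaf when the issuer changes, which a depth-0 "unable to get local issuer certificate" then reports. Keeping the root alone in -CAfile and the intermediates in -untrusted also mirrors how a TLS client validates the chain, so a pass here means the rebuilt PFX carries the links in the order Key Vault needs.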