Public/Submit-Renewal.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
function Submit-Renewal {
    [CmdletBinding()]
    param(
        [Parameter(ParameterSetName='Specific',Position=0,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [string]$MainDomain,
        [Parameter(ParameterSetName='Specific',Position=1,ValueFromPipelineByPropertyName)]
        [ValidateScript({Test-ValidFriendlyName $_ -ThrowOnFail})]
        [string]$Name,
        [Parameter(ParameterSetName='AllOrders',Mandatory)]
        [switch]$AllOrders,
        [Parameter(ParameterSetName='AllAccounts',Mandatory)]
        [switch]$AllAccounts,
        [switch]$Force,
        [switch]$NoSkipManualDns,
        [hashtable]$PluginArgs
    )

    Begin {
        # make sure we have an account if renewing all or a specific order
        if ($PSCmdlet.ParameterSetName -in 'Specific','AllOrders') {
            if (-not (Get-PAAccount)) {
                try { throw "No ACME account configured. Run Set-PAAccount or New-PAAccount first." }
                catch { $PSCmdlet.ThrowTerminatingError($_) }
            }
        }
    }

    Process {

        switch ($PSCmdlet.ParameterSetName) {

            'Specific' {

                # grab the order object
                $orderArgs = @{}
                if ($MainDomain) { $orderArgs.MainDomain = $MainDomain }
                if ($Name)       { $orderArgs.Name       = $Name }
                if (-not ($order = Get-PAOrder @orderArgs)) {
                    try { throw "No order found for the specified parameters." }
                    catch { $PSCmdlet.ThrowTerminatingError($_) }
                }

                # skip if the renewal window hasn't been reached and no -Force
                if (-not $Force -and $null -ne $order.RenewAfter -and (Get-DateTimeOffsetNow) -lt ([DateTimeOffset]::Parse($order.RenewAfter))) {
                    Write-Warning "Order '$($order.Name)' is not recommended for renewal yet. Use -Force to override."
                    return
                }

                # skip orders with no plugin (likely because they were created using custom processes)
                if ($null -eq $order.Plugin) {
                    Write-Warning "Skipping renewal for order '$($order.Name)' due to null plugin."
                    return
                }

                # skip orders with a Manual DNS plugin by default because they require interactivity
                if (-not $NoSkipManualDns -and 'Manual' -in @($order.Plugin)) {
                    Write-Warning "Skipping renewal for order '$($order.Name)' due to Manual DNS plugin. Use -NoSkipManualDns to avoid this."
                    return
                }

                Write-Verbose "Renewing certificate for order '$($order.Name)'"

                # If new PluginArgs were specified, store these now.
                if ($PluginArgs) {
                    Export-PluginArgs -Order $order -PluginArgs $PluginArgs
                }

                # Build the parameter list we're going to send to New-PACertificate
                $certParams = @{}

                if ([String]::IsNullOrWhiteSpace($order.CSRBase64Url)) {
                    # FromScratch param set
                    $certParams.Domain         = @($order.MainDomain);
                    if ($order.SANs.Count -gt 0) { $certParams.Domain += @($order.SANs) }
                    $certParams.CertKeyLength  = $order.KeyLength
                    $certParams.AlwaysNewKey   = $order.AlwaysNewKey
                    $certParams.OCSPMustStaple = $order.OCSPMustStaple
                    $certParams.FriendlyName   = $order.FriendlyName
                    $certParams.PfxPass        = $order.PfxPass
                    if (Test-WinOnly) { $certParams.Install = $order.Install }
                } else {
                    # FromCSR param set
                    $reqPath = Join-Path $order.Folder "request.csr"
                    $certParams.CSRPath = $reqPath
                }

                # common params
                $certParams.Plugin              = $order.Plugin
                $certParams.PluginArgs          = $order | Get-PAPluginArgs
                $certParams.DnsAlias            = $order.DnsAlias
                $certParams.UseSerialValidation = $order.UseSerialValidation
                $certParams.Force               = $Force.IsPresent
                $certParams.DnsSleep            = $order.DnsSleep
                $certParams.ValidationTimeout   = $order.ValidationTimeout
                $certParams.PreferredChain      = $order.PreferredChain

                # now we just have to request a new cert using all of the old parameters
                New-PACertificate @certParams

                break
            }

            'AllOrders' {

                # get all existing orders on this account
                $orders = @(Get-PAOrder -List -Refresh)

                if ($orders.Count -gt 0) {

                    $renewParams = @{
                        Force = $Force.IsPresent
                        NoSkipManualDns = $NoSkipManualDns.IsPresent
                    }

                    # If new PluginArgs were specified use them
                    if ($PluginArgs) {
                        $renewParams.PluginArgs = $PluginArgs
                    }

                    # recurse to renew these orders
                    $orders | Submit-Renewal @renewParams

                } else {
                    Write-Verbose "No orders found for account $($script:Acct.id)."
                }

                break
            }

            'AllAccounts' {

                # save the current account so we can switch back when we're done
                $oldAcct = Get-PAAccount

                # get the list of valid accounts
                $accounts = Get-PAAccount -List -Status 'valid' -Refresh

                foreach ($acct in $accounts) {

                    # set it as current
                    $acct | Set-PAAccount

                    $renewParams = @{
                        AllOrders = $true
                        Force = $Force.IsPresent
                        NoSkipManualDns = $NoSkipManualDns.IsPresent
                    }

                    # If new PluginArgs were specified use them
                    if ($PluginArgs) {
                        $renewParams.PluginArgs = $PluginArgs
                    }

                    # recurse to renew all orders on it
                    Submit-Renewal @renewParams
                }

                # restore the old current account
                if ($oldAcct) { $oldAccount | Set-PAAccount }

                break
            }

        }

    }
}