Install-ACMECertificate and centralized Certificate store #352

Open
frapps opened this issue Aug 21, 2018 · 5 comments

frapps commented Aug 21, 2018

When installing a certificate into IIS using Install-ACMECertificate with the force parameter set to true, the Require SNI and Use Centralized Certificate Store values get set to true and the certificate itself is not used.

The actual certificate is installed, so I just need to untick these values and select the SSL certificate in IIS. But how do I create this effect without manual intervention?

Without using force, there is a conflicting binding.

@JohnLBevan

The issue seems to be down to this line:

b.SetAttributeValue("sslFlags", 3);

I'm not sure what the logic is behind that, so haven't submitted a pull request. Perhaps simply changing this:

if (binding.BindingHostRequired.GetValueOrDefault() && GetIisVersion().Major >= 8)
    b.SetAttributeValue("sslFlags", 1);
else
    b.SetAttributeValue("sslFlags", 3);

to this would work though (without knowing why this was implemented I wouldn't want to make a pull request though).

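if (binding.BindingHostRequired.GetValueOrDefault() && GetIisVersion().Major >= 8)
{
    b.SetAttributeValue("sslFlags", 1);
}
else
{
    // int.TryParse writes 0 to its out argument on failure, so fall back to 3 explicitly.
    int sslFlags;
    if (!int.TryParse(binding.GetAttributeValue("sslFlags"), out sslFlags))
        sslFlags = 3;
    // Keep the parsed flags only when certStore matches the binding's CertificateStoreName.
    if (certStore.Equals(binding.CertificateStoreName))
        b.SetAttributeValue("sslFlags", sslFlags);
    else
        b.SetAttributeValue("sslFlags", 3);
}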

Likely something even simpler could be used; the above is just attempting to minimize side effects as I don't know the requirement driving this logic.

JohnLBevan pushed a commit to JohnLBevan/ACMESharp that referenced this issue Jul 12, 2019
@JohnLBevan

(actually - I've made a non-breaking change; adding a parameter so people not hitting this issue can use as they do today, but those of us wishing to bypass this issue can add the KeepExistingSslFlags = $true property to the InstallerParameters hashtable to keep the original binding's values.)

ebekker added a commit that referenced this issue Jul 16, 2019
#352 - Allow sslFlags to remain unchanged.
@RagingAlphaWalrus

I'm still experiencing this issue, even following updating the module to the latest build. I have multiple bindings to a single site, each binding with a different SSL cert. After I execute the following command:

Install-ACMECertificate -CertificateRef atc -Installer iis -InstallerParameters @{ WebSiteRef = 'IIS Site Name'; KeepExistingSslFlags = $true; Force = $true}

My other bindings stop working, & when I look at them, I see the following error (see below image).

[image: bindingerror]

Am I doing something wrong? Is there something different that I should be doing? Thank you so much!!

@JohnLBevan

That looks correct, though you've not specified values for the BindingAddress, BindingPort, or BindingHost installer parameters, which differs from what I've got. Have you tried specifying those options?

Please can you take a look at: C:\Windows\System32\inetsrv\config\applicationHost.config
View the binding information for the site (under path: /configuration/system.applicationHost/sites/site/bindings/binding).
What value does the sslFlags attribute have / does it change after the script's run?

I've not had a chance to look closer, but hopefully answers to the above will help determine where the issue is.
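The check requested in the comment above, as an added example (not part of the thread or of ACMESharp): it lists every https binding with its sslFlags value decoded, so the output can be compared before and after running Install-ACMECertificate. The function name Get-IisBindingSslFlags and the sample XML are constructed for illustration; the decoding assumes bit 1 is Require SNI and bit 2 is Use Centralized Certificate Store, matching the value 3 discussed in this issue.

```powershell
# Added example: decode sslFlags for each https binding in an applicationHost.config.
# Get-IisBindingSslFlags is a hypothetical helper name, not an ACMESharp or IIS cmdlet.
function Get-IisBindingSslFlags {
    param(
        [string]$Path,   # e.g. C:\Windows\System32\inetsrv\config\applicationHost.config
        [xml]$Xml        # alternatively, an already-loaded document
    )
    if ($Path) { $Xml = [xml](Get-Content -LiteralPath $Path -Raw) }

    foreach ($site in $Xml.SelectNodes('/configuration/system.applicationHost/sites/site')) {
        foreach ($b in $site.SelectNodes('bindings/binding[@protocol="https"]')) {
            # A missing or non-numeric attribute is treated as 0 (neither flag set).
            $flags = 0
            [void][int]::TryParse($b.GetAttribute('sslFlags'), [ref]$flags)
            [pscustomobject]@{
                Site       = $site.GetAttribute('name')
                Binding    = $b.GetAttribute('bindingInformation')
                SslFlags   = $flags
                RequireSni = [bool]($flags -band 1)   # "Require Server Name Indication"
                UseCcs     = [bool]($flags -band 2)   # "Use Centralized Certificate Store"
            }
        }
    }
}

# Constructed sample input so the example runs without touching a live IIS configuration.
$sample = [xml]@'
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Constructed Site" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="https" bindingInformation="*:443:a.example.test" sslFlags="1" />
          <binding protocol="https" bindingInformation="*:443:b.example.test" sslFlags="3" />
          <binding protocol="https" bindingInformation="*:8443:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

Get-IisBindingSslFlags -Xml $sample | Format-Table -AutoSize
```

A binding that reports UseCcs as True after the installer has run is one where IIS will look in the central store rather than use the certificate that was just installed, which is the symptom described at the top of this issue.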

JohnLBevan pushed a commit to JohnLBevan/ACMESharp that referenced this issue Aug 4, 2019
@JohnLBevan

Actually this is my fault... just tried the version from the PS Gallery and realised it behaved differently to my local copy / after digging around found I'd not included one of the files when staging for commit. This is now fixed via this commit; though will not be available in the module until the pull request's accepted: JohnLBevan@370024c

JohnLBevan pushed a commit to JohnLBevan/ACMESharp that referenced this issue Aug 7, 2019
ebekker added a commit that referenced this issue Aug 7, 2019
#352 - allow ssl flags to remain unchanged
JohnLBevan pushed a commit to JohnLBevan/ACMESharp that referenced this issue Aug 12, 2019
…KeepExistingSslFlags would have shown as Force
JohnLBevan pushed a commit to JohnLBevan/ACMESharp that referenced this issue Aug 12, 2019
…KeepExistingSslFlags would have shown as Force