Binding an SSL Cert to an FTP site using a Post-request PS Script

swinster · April 28, 2018, 12:05am

Hi All,

I have a simple PS Script that checks the Certificate store for a specific certificate (the Let’s Encrypt Cert) and returns the Thumbprint, then assigns the cert to an FTP site (as Certify cannot do this). The script works fine from PowerShell, but when I click “Test” is see this error:

Powershell Output

Set-ItemProperty: Cannot retrieve the dynamic parameters for the cmdlet. Retrieving the COM class factory for component with CLSID {688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG)).
At C:\Users\Administrator\Desktop\Set-FTPCert.ps1:6 char:1

Set-ItemProperty -Path $FTPsite -Name ftpServer.security.ssl.serverCertHash -Val …

OK

The PS Script is:

Import-Module -Name webadministration

$FTPsite = 'IIS:\Sites\ftp.example.com'
$Thumbprint = (Get-ChildItem -path cert:\LocalMachine\My | Where-Object -Property Subject -eq "CN=ftp.example.com").Thumbprint

Set-ItemProperty -Path $FTPsite -Name ftpServer.security.ssl.serverCertHash -Value $Thumbprint

webprofusion · April 28, 2018, 12:33am

Hi,

I think this is 32-bit vs 64-bit issue. v3 of the app currently launches a 32-bit process, the upcoming v4 will launch a 64-bit process. You can wrap your powershell in a 64-bit call as per this example:

github.com

webprofusion/certify/blob/development/docs/Request Script Hooks.md#using-64-bit-modules

# Request Script Hooks

Certify is extendable via PowerShell scripts which can be configured to run before or after the Certificate Request. The scripts are provided a parameter `$result` which contains the status and details of the site whose certificate is being requested. You may execute any commands that the user running the test script has access to, including creating new processes, or using other command line tools.

A common use for script hooks is to use your new certificate for services other than IIS websites, such as Microsoft Exchange, RDP Gateway, FTP servers and other services.

## Script Basics

Here is a sample script which demonstrates a few commonly accessed pieces of information:

```PowerShell
param($result)   # required to access the $result parameter

# either $true or $false
$result.IsSuccess

# object containing all information Certify has about the saved Site
$result.ManagedItem

# the IIS site ID

This file has been truncated. show original

Note that you don’t have to do this work to get the thumbprint, it’s already in the Post-request object now (see https://github.com/webprofusion/certify/blob/development/docs/Request%20Script%20Hooks.md#script-basics):

# the certificate thumbprint
$result.ManagedItem.CertificateThumbprintHash # ex: "78b1080a1bf5e7fc0bbb0c0614fc4a18932db5f9"

swinster · April 28, 2018, 1:00am

Awesome, thanks. I will look at this in the morning.

I had started looking at v4 and might continue to do so for this particular site/server as wildcards could well be a thing. I was hoping to see DNS Made Easy integration, especially given it is part of ACME Sharp, but nothing as yet.

webprofusion · April 28, 2018, 4:47am

Thanks, yes v4 doesn’t currently use ACMESharp however we are building (and others are contributing) more DNS providers, we just wanted to get things stable with a few providers to start with.

webprofusion · April 30, 2018, 6:24am

Just as an update, integration with DNS Made Easy (and GoDaddy) will be in the next alpha release.

swinster · April 30, 2018, 9:29am

Excellent, I saw the update and will give this a go ASAP.

FWIW, the wrapper you mentioned above appears to do the trick for v3 on 64 bit 2012 R2 server.

webprofusion · April 30, 2018, 10:50am

Awesome, glad you got the 64-bit script working.

New alpha version with added DNS providers is still in the works, so not released yet but shouldn’t be too long.