Initial working version

README.md

+# GSC Autocert
+
+This set of scripts and instructions will automatically retrieve SSL certificates on a scheduled basis from the ACME cert renewal server.
+
+There is one piece of information required to make this work that has been deliberately omitted from this repository, and that is the password for the `autocert` user. It can of course be reset if you have root access to the ACME server, but bear in mind this will then need to be updated on servers which currently run these scripts.
+
+## For Windows Servers Running IIS
+
+Download a .zip file of this repository, and copy to the server. Ensure the `iis.ps1` PowerShell script and the `pscp.exe` binary are in a suitable location - `C:\autocert` is a good choice - and edit the placeholder password in the PS1 script to have the correct value (see LastPass).
+
+Set the script to run on a schedule using Task Scheduler. It will need to run as `administrator`, but shouldn't need to run more frequently than once a week - say at 5am every Thursday.
+
+The script takes one parameter - the port to bind SSL to. If this is omitted it will default to 443, but e.g. the Gamma server serves SSL on port 5729. This would be set by running `iis.ps1 -Port 5729`.
+
+The script will give useful log output which you can redirect to a file by scheduling the task with appropriate arguments - for example, set the command to be `powershell.exe` with arguments `-file iis.ps1 -Port 5729 > log.txt 2>&1`.
+
+## For Windows Servers Running Exchange 2010
+
+This process is the same as for IIS servers, but instead use the `exchange2010.ps1` PowerShell script. There is no need to specify a port number in this case.
+
+## For Linux Servers Running Docker and Nginx-Proxy
+
+Create a new SSH key pair, named cert-retrieval, using e.g. `ssh-keygen`.
+
+Add the public key to `authorized_keys` for the ACME server's `autocert` user with e.g.
+
+```bash
+ssh-copy-id -i cert-retrieval autocert@acme.gsc.org.uk
+```
+
+Retrieve the keys on a schedule with cron, by setting a crontab entry like the following:
+
+```bash
+# m h  dom mon dow    command
+  0 5  *   *   Thu    scp -i /home/administrator/nginx-proxy/cert-retrieval autocert@acme.gsc.org.uk:certs/gsc.org.uk.* /home/administrator/nginx-proxy/certs/ && docker restart nginx
+# The restart ensures that fresh certificates are actually deployed!
+```
+
+This will need tweaked depending on the specific certificates required by the server you are pulling them to.

exchange2010.ps1

+# Exchange Autocert Script
+# --Ben Galloway, 6 November 2019
+
+try {
+    Write-Output "Retrieving current certificate..."
+    .\pscp -pw REPLACEME autocert@acme.gsc.org.uk:certs/win/gsc.org.uk.pfx .
+}
+catch {
+    Write-Output "Could not retrieve certificate from the GSC certificate store."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+try {
+    Write-Output "Importing certificate to local store..."
+    echo "" | certutil -importpfx .\gsc.org.uk.pfx
+}
+catch {
+    Write-Output "Failed to import certificate."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+try {
+    $certInfo = (Get-PfxCertificate -FilePath gsc.org.uk.pfx)
+    Write-Output ""
+    Write-Output "========================="
+    Write-Output " CERTIFICATE INFO"
+    Write-Output "========================="
+    Write-Output $certInfo | Format-List Subject,Issuer,Thumbprint,NotAfter
+}
+catch {
+    Write-Output "Couldn't get the required info about the certificate."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+# FOR EXCHANGE
+try {
+    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
+}
+catch {
+    Write-Output "Couldn't import PowerShell snap-in for Exchange 2010."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+try {
+    Enable-ExchangeCertificate -Thumbprint $certInfo.Thumbprint -Services IIS,SMTP -Force
+}
+catch {
+    Write-Output "Couldn't enable the certificate for use by Exchange."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+Write-Output ""
+Write-Output "========================="
+Write-Output "SUCCESS!"
+Write-Output "The certificate with thumbprint $($certInfo.Thumbprint) was successfully installed"
+Write-Output "and will expire on $(($certInfo.NotAfter).ToString("dd MMMM yyyy"))"
+Write-Output "========================="
+Write-Output ""

iis.ps1

+# IIS Autocert Script
+# --Ben Galloway, 6 November 2019
+param([Int32]$Port=443)
+
+try {
+    Write-Output "Retrieving current certificate..."
+    .\pscp -pw REPLACEME autocert@acme.gsc.org.uk:certs/win/gsc.org.uk.pfx .
+}
+catch {
+    Write-Output "Could not retrieve certificate from the GSC certificate store."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+try {
+    Write-Output "Importing certificate to local store..."
+    echo "" | certutil -importpfx .\gsc.org.uk.pfx
+}
+catch {
+    Write-Output "Failed to import certificate."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+try {
+    $certInfo = (Get-PfxCertificate -FilePath gsc.org.uk.pfx)
+    Write-Output ""
+    Write-Output "========================="
+    Write-Output " CERTIFICATE INFO"
+    Write-Output "========================="
+    Write-Output $certInfo | Format-List Subject,Issuer,Thumbprint,NotAfter
+}
+catch {
+    Write-Output "Couldn't get the required info about the certificate."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+# FOR IIS
+try {
+    Import-Module WebAdministration
+    cd IIS:\SslBindings
+}
+catch {
+    Write-Output "Couldn't import IIS PowerShell module."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+try {
+    # This assumes a binding has previously been in place. To create a new binding, it would be New-Item 0.0.0.0!$Port
+    Get-Item "cert:\LocalMachine\My\$($certInfo.Thumbprint)" | Set-Item 0.0.0.0!$Port
+}
+catch {
+    Write-Output "Couldn't update the required SSL binding."
+    Write-Output "The error was as follows:"
+    throw $_
+}
+
+Write-Output ""
+Write-Output "========================="
+Write-Output "SUCCESS!"
+Write-Output "The certificate with thumbprint $($certInfo.Thumbprint) was successfully installed"
+Write-Output "and will expire on $(($certInfo.NotAfter).ToString("dd MMMM yyyy"))"
+Write-Output "========================="
+Write-Output ""