IONOS DNS API Plugin für Win-ACME Client


PowerShell Script zum bearbeiten der IONOS DNS API
PowerShell Script zum bearbeiten der IONOS DNS API

Vor einiger Zeit wurden Zertifikate von Let’s Encrypt bei einem Kunden benötigt und dabei war die HTTP-01 Challenge leider nicht möglich. Glücklicherweise gibt es mittlerweile eine IONOS DNS API, die sich ganz gut per PowerShell in der Win-ACME Client als DNS Plugin integrieren lässt. Hier passte quasi die Faust aufs Auge, da die DNS Zone der Domain bei IONOS lag. 🙂

Damit die DNS API von IONOS genutzt werden kann, muss man sich im ersten Step für die Nutzung anmelden und die DNS API Funktionen (gratis) „kaufen“. Im Anschluss wird ein API Key zur Authentifizierung erstellt. Der Key besteht dabei aus einem öffentlichen Prefix und dem Secret. Anbei die Links zur Dokumentation der API bei IONOS:

„Langer“ Rede kurzer Sinn, hier das PowerShell Script, welches als DNS Plugin vom Win-ACME für die IONOS API genutzt werden kann:

param(
    [parameter(Mandatory=$true,Position=0)]
    [String]
    [ValidateSet("create", "delete")]
    $Action,

    [parameter(Mandatory=$true,Position=1)]
    [String]
    [ValidatePattern("[a-zA-Z0-9-_.]")]
    $Identifier,

    [parameter(Mandatory=$true,Position=2)]
    [String]
    [ValidateScript({$_ -match $("^_acme-challenge.{0}$" -f $Identifier)})]
    $RecordName,

    [parameter(Mandatory=$true,Position=3)]
    [String]
    $Token
)

$Basedomain = -join(
    $Identifier.Split(".")[$Identifier.Split(".").Count-2],
    ".",
    $Identifier.Split(".")[$Identifier.Split(".").Count-1]
)

$tmpRecordFilePath = -join($env:TEMP, "\ACME-", $Identifier, ".txt")

$publicAPI = ""
$secretAPI = ""
$XAPIKey = -join($publicAPI, ".", $secretAPI)

$APIUri = "https://api.hosting.ionos.com"
$DNSApiUri = -join($APIUri, "/dns/v1")
$DNSZonesApiUri = -join($DNSApiUri, "/zones")

$curwr = Invoke-WebRequest -UseBasicParsing `
    -Method Get `
    -Uri $DNSZonesApiUri `
    -ContentType "application/json" `
    -Headers @{
            "Accept" = "application/json";
            "X-API-Key" = "$XAPIKey"
        }
$DNSZones = ConvertFrom-Json -InputObject $curwr.Content

$curDomain = $DNSZones |
    Where-Object { $_.name -eq $Basedomain }

$DNSRecordApiUri = -join($DNSZonesApiUri, "/", $curDomain.id, "/records")
$RecordData = @"
    [
        {
            "name": "$RecordName",
            "type": "TXT",
            "content": "$Token",
            "ttl": "3600",
            "prio": "0",
            "disabled": "false"
        }
    ]
"@

if($Action -eq "create"){
    # Post new TXT record for ACME challenge 
    $curwr = Invoke-WebRequest -UseBasicParsing `
        -Method Post `
        -Uri $DNSRecordApiUri `
        -ContentType "application/json" `
        -Headers @{
                "Accept" = "application/json";
                "X-API-Key" = "$XAPIKey"
            } `
        -Body $RecordData
    $newRecord = ConvertFrom-Json -InputObject $curwr.Content
    $newRecord.id |
        Out-File -FilePath $tmpRecordFilePath `
            -Confirm:$false `
            -Force
}

# Delete TXT record after ACME challenge
if($Action -eq "delete"){
    $RecordId = Get-Content -Path $tmpRecordFilePath
    $deleteRecordUri = -join($DNSZonesApiUri, "/", $curDomain.id, "/records/", $RecordId)
    Invoke-WebRequest -UseBasicParsing `
        -Method Delete `
        -Uri $deleteRecordUri `
        -Headers @{
                "Accept" = "*/*";
                "X-API-Key" = "$XAPIKey"
            }
    if(Test-Path -Path $tmpRecordFilePath -PathType Leaf){
        Remove-Item -Path $tmpRecordFilePath `
            -Confirm:$false `
            -Force
    }
}

Im Script müssen nur die beiden Variablen „$publicAPI“ und „$secretAPI“ mit den Daten des API Keys bestückt werden, damit folgendermaßen der Win-ACME Client das/die Zertifkat/e per DNS-01 Challenge anfordern kann:

# Staging:
wacs.exe --baseuri https://acme-staging-v02.api.letsencrypt.org/ --accepttos --emailaddress "<einetolle@emailadresse.de" --friendlyname "LE Exchange (Staging)" --source manual --host "outlook.jans.cloud, autodiscover.jans.cloud" --validationmode dns-01 --validation script --dnsscript Scripts\IONOSDNS.ps1 --dnscreatescriptarguments "create {Identifier} {RecordName} {Token}" --dnsdeletescriptarguments "delete {Identifier} {RecordName} {Token}" --certificatestore My --acl-fullcontrol "Netzwerkdienst,Administratoren" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP,POP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

# Production:
wacs.exe --baseuri https://acme-v02.api.letsencrypt.org/ --accepttos --emailaddress "<einetolle@emailadresse.de" --friendlyname "LE Exchange" --source manual --host "outlook.jans.cloud, autodiscover.jans.cloud" --validationmode dns-01 --validation script --dnsscript Scripts\IONOSDNS.ps1 --dnscreatescriptarguments "create {Identifier} {RecordName} {Token}" --dnsdeletescriptarguments "delete {Identifier} {RecordName} {Token}" --certificatestore My --acl-fullcontrol "Netzwerkdienst,Administratoren" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP,POP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

Unter Umständen – bzw. wenn es um Exchange Server geht – sollte im Win-ACME Ordner noch in der „settings.json“ im Bereich „Security“ noch der Wert „PrivateKeyExportable“ von false auf true gesetzt werden. Sollte es – weiterhin – um Exchange Server gehen, dann auf deutschsprachigen System noch die Parameter „–acl-fullcontrol „Netzwerkdienst,Administratoren““ bzw. auf englischsprachigen Systemen die Parameter „–acl-fullcontrol „Network Service,Administrators““ beim Aufruf der „wcas.exe“ anfügen!


3 Antworten zu “IONOS DNS API Plugin für Win-ACME Client”

  1. Hey Jan,

    vielen Dank für das Script! Ich wollte es soeben unter Exchange 2016 auf einem Windows Server 2016 einsetzen.

    Leider kommt immer folgender Fehler:
    A simple Windows ACMEv2 client (WACS)
    Software version 2.1.22.1289 (release, pluggable, standalone, 64-bit)
    Connecting to https://acme-staging-v02.api.letsencrypt.org/...
    Connection OK!
    Scheduled task not configured yet
    Please report issues at https://github.com/win-acme/win-acme
    Running in mode: Unattended
    Source generated using plugin Manual: server.*****de and 1 alternatives

    Cached order has status pending, discarding
    [autodiscover.*****de] Authorizing...
    [autodiscover.*****de] Authorizing using dns-01 validation (Script)
    Script Scripts\IONOSDNS.ps1 starting with parameters create autodiscover.*****de _acme-challenge.autodiscover.*****de "znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE"
    Script error: Invoke-WebRequest : Die Anfrage wurde abgebrochen: Es konnte kein gesch�tzter SSL/TLS-Kanal erstellt werden..
    Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:38 Zeichen:10
    Script error: + $curwr = Invoke-WebRequest -UseBasicParsing `
    Script error: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Script error: + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    Script error: eption
    Script error: + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    Script error: ConvertFrom-Json : Das Argument kann nicht an den Parameter "InputObject" gebunden werden, da es NULL ist.
    Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:46 Zeichen:43
    Script error: + $DNSZones = ConvertFrom-Json -InputObject $curwr.Content
    Script error: + ~~~~~~~~~~~~~~
    Script error: + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
    Script error: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFrom
    Script error: JsonCommand
    Script error: Invoke-WebRequest : Die Anfrage wurde abgebrochen: Es konnte kein gesch�tzter SSL/TLS-Kanal erstellt werden..
    Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:67 Zeichen:14
    Script error: + $curwr = Invoke-WebRequest -UseBasicParsing `
    Script error: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Script error: + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    Script error: eption
    Script error: + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    Script error: ConvertFrom-Json : Das Argument kann nicht an den Parameter "InputObject" gebunden werden, da es NULL ist.
    Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:76 Zeichen:48
    Script error: + $newRecord = ConvertFrom-Json -InputObject $curwr.Content
    Script error: + ~~~~~~~~~~~~~~
    Script error: + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
    Script error: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFrom
    Script error: JsonCommand
    Script finished
    [autodiscover.*****de] Preliminary validation failed: no TXT records found
    Will retry in 30 seconds (retry 1/5)...

    Auch bei Versuch 5/5 kommt es nicht zum Erfolg. Offensichtlich gibt’s Probleme mit der Kommunikation zur Ionos-API, wenn es über wacs gestartet wird.
    Führe ich das Skript ohne Win-ACME aus, z.B. .\LetsEncrypt.ps1 create f-z-x.de _acme-challenge.f-z-x.de test-acmeasdf1234 wird der Eintrag brav angelegt.
    Auf meinem Win10-Client läuft das Skript auch im zusammenspiel mit wacs einwandfrei…

    Auf dem Exchange-Server sind die gleichen .NET-Versionen installiert, wie auf meinem Client (v1.0.3705; v1.1.4322; v2.0.50727; v3.0; v3.5; v4.0.30319)

    PowerShell-Version:
    PS C:\admin\Win-ACME> $PSVersionTable

    Name Value
    ---- -----
    PSVersion 5.1.14393.4583
    PSEdition Desktop
    PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
    BuildVersion 10.0.14393.4583
    CLRVersion 4.0.30319.42000
    WSManStackVersion 3.0
    PSRemotingProtocolVersion 2.3
    SerializationVersion 1.1.0.1

    PowerShell7 habe ich auch ausprobiert, mit gleichem Fehler.
    PS C:\admin\Win-ACME> $PSVersionTable

    Name Value
    ---- -----
    PSVersion 7.1.3
    PSEdition Core
    GitCommitId 7.1.3
    OS Microsoft Windows 10.0.14393
    Platform Win32NT
    PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
    PSRemotingProtocolVersion 2.3
    SerializationVersion 1.1.0.1
    WSManStackVersion 3.0

    Ich war so frei, das Skript um folgende Zeile zu ergänzen (hab es direkt unter dem param{}-Teil eingefügt):
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Tls11,Tls12'

    Hilft leider auch nicht.

    Hier noch das vollständige Log mit –test und –verbose:
    PS C:\admin\Win-ACME> .\wacs.exe --test --verbose --baseuri https://acme-staging-v02.api.letsencrypt.org/ --accepttos --emailaddress "edv@*****.de" --friendlyname "LE Exchange (Staging)" --source manual --host "server.*****.de, autodiscover.*****.de" --validationmode dns-01 --validation script --dnsscript Scripts\IONOSDNS.ps1 --dnscreatescriptarguments "create {Identifier} {RecordName} {Token}" --dnsdeletescriptarguments "delete {Identifier} {RecordName} {Token}" --certificatestore My --acl-fullcontrol "Netzwerkdienst,Administratoren"
    [VERB] Verbose mode logging enabled
    [VERB] ExePath: C:\admin\Win-ACME\wacs.exe
    [VERB] ResourcePath: C:\admin\Win-ACME\
    [VERB] PluginPath: C:\admin\Win-ACME\
    [VERB] Looking for settings.json in C:\admin\Win-ACME\
    [DBUG] Config folder: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org
    [DBUG] Log path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Log
    [DBUG] Cache path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates
    [VERB] W3SVC detected and running
    [VERB] No FTPSVC detected
    [DBUG] secrets.json not found
    [VERB] Arguments: --test --verbose --baseuri https://acme-staging-v02.api.letsencrypt.org/ --accepttos --emailaddress edv@*****.de --friendlyname LE Exchange (Staging) --source manual --host server.*****.de, autodiscover.*****.de --validationmode dns-01 --validation script --dnsscript Scripts\IONOSDNS.ps1 --dnscreatescriptarguments create {Identifier} {RecordName} {Token} --dnsdeletescriptarguments delete {Identifier} {RecordName} {Token} --certificatestore My --acl-fullcontrol Netzwerkdienst,Administratoren
    [DBUG] Renewal period: 55 days
    [VERB] Sending e-mails False

    [INFO] A simple Windows ACMEv2 client (WACS)
    [INFO] Software version 2.1.22.1289 (release, pluggable, standalone, 64-bit)
    [INFO] Connecting to https://acme-staging-v02.api.letsencrypt.org/...
    [DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
    [VERB] Request completed with status OK
    [DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/
    [VERB] Request completed with status OK
    [DBUG] Connection failed: Unable to parse response content
    [INFO] Connection OK!
    [DBUG] Running with administrator credentials
    [DBUG] IIS version 10.0
    [WARN] Scheduled task not configured yet
    [INFO] Please report issues at https://github.com/win-acme/win-acme
    [VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
    [INFO] Running in mode: Unattended, Test
    [VERB] Adding 8.8.8.8 as DNS server
    [VERB] Adding 1.1.1.1 as DNS server
    [VERB] Adding 8.8.4.4 as DNS server
    [VERB] Parsed value for --host: server.*****.de, autodiscover.*****.de
    [VERB] No value provided for --commonname
    [INFO] Source generated using plugin Manual: server.*****.de and 1 alternatives
    [VERB] Parsed value for --dnsscript: Scripts\IONOSDNS.ps1
    [VERB] No value provided for --dnscreatescript
    [VERB] No value provided for --dnsdeletescript
    [VERB] Parsed value for --dnsdeletescriptarguments: delete {Identifier} {RecordName} {Token}
    [VERB] Parsed value for --dnscreatescriptarguments: create {Identifier} {RecordName} {Token}
    [VERB] No value provided for --dnsscriptparallelism
    [VERB] Flag --ocsp-must-staple not present
    [VERB] Flag --reuse-privatekey not present
    [VERB] Parsed value for --certificatestore: My
    [VERB] Flag --keepexisting not present
    [VERB] Parsed value for --acl-fullcontrol: Netzwerkdienst,Administratoren

    [VERB] Source converted into 1 order(s)
    [DBUG] Reading certificate cache
    [DBUG] No cache files found for renewal
    [DBUG] Reading certificate cache
    [DBUG] No cache files found for renewal
    [VERB] Obtain order details for Main
    [DBUG] Refreshing cached order
    [DBUG] Refreshing order...
    [VERB] Constructing ACME protocol client...
    [VERB] Getting service directory...
    [DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
    [VERB] Request completed with status OK
    [DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
    [DBUG] Loading account from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
    [VERB] Using existing ACME account
    [VERB] ACME client initialized
    [DBUG] Send HEAD to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
    [VERB] Request completed with status OK
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/order/68346003/4054374703
    [VERB] Request completed with status OK
    [WARN] Cached order has status pending, discarding
    [VERB] Creating order for hosts: ["DnsName: server.*****.de", "DnsName: autodiscover.*****.de"]
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
    [VERB] Request completed with status Created
    [VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/68346003/4054382123 created
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3620481663
    [VERB] Request completed with status OK
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3620481673
    [VERB] Request completed with status OK
    [VERB] Handle authorization 1/2
    [INFO] [autodiscover.*****.de] Authorizing...
    [VERB] [autodiscover.*****.de] Initial authorization status: pending
    [VERB] [autodiscover.*****.de] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
    [VERB] [autodiscover.*****.de] Initial challenge status: pending
    [INFO] [autodiscover.*****.de] Authorizing using dns-01 validation (Script)
    [VERB] Querying server 8.8.8.8 about *****.de
    [DBUG] Querying name servers for *****.de
    [VERB] Querying IP for name server
    [VERB] Name server IP 217.160.81.40 identified
    [VERB] Querying IP for name server
    [VERB] Name server IP 217.160.80.40 identified
    [VERB] Querying IP for name server
    [VERB] Name server IP 217.160.83.40 identified
    [VERB] Querying IP for name server
    [VERB] Name server IP 217.160.82.40 identified
    [VERB] Querying server 217.160.80.40 about autodiscover.*****.de
    [DBUG] Querying name servers for autodiscover.*****.de
    [VERB] Querying server 217.160.80.40 about _acme-challenge.autodiscover.*****.de
    [DBUG] Querying name servers for _acme-challenge.autodiscover.*****.de
    [DBUG] [autodiscover.*****.de] Attempting to create DNS record under _acme-challenge.autodiscover.*****.de...
    [INFO] Script Scripts\IONOSDNS.ps1 starting with parameters create autodiscover.*****.de _acme-challenge.autodiscover.*****.de "znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE"
    [DBUG] Process launched: powershell.exe (ID: 25920)
    [EROR] Script error: Invoke-WebRequest : Die Anfrage wurde abgebrochen: Es konnte kein gesch�tzter SSL/TLS-Kanal erstellt werden..
    [EROR] Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:38 Zeichen:10
    [EROR] Script error: + $curwr = Invoke-WebRequest -UseBasicParsing `
    [EROR] Script error: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    [EROR] Script error: + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    [EROR] Script error: eption
    [EROR] Script error: + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    [VERB] Process error without data received
    [EROR] Script error: ConvertFrom-Json : Das Argument kann nicht an den Parameter "InputObject" gebunden werden, da es NULL ist.
    [EROR] Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:46 Zeichen:43
    [EROR] Script error: + $DNSZones = ConvertFrom-Json -InputObject $curwr.Content
    [EROR] Script error: + ~~~~~~~~~~~~~~
    [EROR] Script error: + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
    [EROR] Script error: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFrom
    [EROR] Script error: JsonCommand
    [VERB] Process error without data received
    [EROR] Script error: Invoke-WebRequest : Die Anfrage wurde abgebrochen: Es konnte kein gesch�tzter SSL/TLS-Kanal erstellt werden..
    [EROR] Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:67 Zeichen:14
    [EROR] Script error: + $curwr = Invoke-WebRequest -UseBasicParsing `
    [EROR] Script error: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    [EROR] Script error: + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    [EROR] Script error: eption
    [VERB] Process output without data received
    [EROR] Script error: + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    [VERB] Process error without data received
    [EROR] Script error: ConvertFrom-Json : Das Argument kann nicht an den Parameter "InputObject" gebunden werden, da es NULL ist.
    [INFO] Script finished
    [EROR] Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:76 Zeichen:48
    [EROR] Script error: + $newRecord = ConvertFrom-Json -InputObject $curwr.Content
    [EROR] Script error: + ~~~~~~~~~~~~~~
    [EROR] Script error: + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
    [EROR] Script error: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFrom
    [EROR] Script error: JsonCommand
    [VERB] Process error without data received
    [VERB] Process error without data received
    [VERB] Waiting for process to finish...
    [DBUG] [autodiscover.*****.de] Record znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE successfully created
    [VERB] Starting commit stage
    [DBUG] [autodiscover.*****.de] Looking for TXT value znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE...
    [DBUG] [autodiscover.*****.de] Preliminary validation asking 217.160.81.40...
    [WARN] [autodiscover.*****.de] Preliminary validation failed: no TXT records found
    [INFO] Will retry in 30 seconds (retry 1/5)...
    [DBUG] [autodiscover.*****.de] Looking for TXT value znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE...
    [DBUG] [autodiscover.*****.de] Preliminary validation asking 217.160.81.40...
    [WARN] [autodiscover.*****.de] Preliminary validation failed: no TXT records found
    [INFO] Will retry in 30 seconds (retry 2/5)...
    [DBUG] [autodiscover.*****.de] Looking for TXT value znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE...
    [DBUG] [autodiscover.*****.de] Preliminary validation asking 217.160.81.40...
    [WARN] [autodiscover.*****.de] Preliminary validation failed: no TXT records found
    [INFO] Will retry in 30 seconds (retry 3/5)...
    [DBUG] [autodiscover.*****.de] Looking for TXT value znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE...
    [DBUG] [autodiscover.*****.de] Preliminary validation asking 217.160.81.40...
    [WARN] [autodiscover.*****.de] Preliminary validation failed: no TXT records found
    [INFO] Will retry in 30 seconds (retry 4/5)...
    [DBUG] [autodiscover.*****.de] Looking for TXT value znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE...
    [DBUG] [autodiscover.*****.de] Preliminary validation asking 217.160.81.40...
    [WARN] [autodiscover.*****.de] Preliminary validation failed: no TXT records found
    [INFO] Will retry in 30 seconds (retry 5/5)...
    [DBUG] [autodiscover.*****.de] Looking for TXT value znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE...
    [DBUG] [autodiscover.*****.de] Preliminary validation asking 217.160.81.40...
    [WARN] [autodiscover.*****.de] Preliminary validation failed: no TXT records found
    [INFO] It looks like validation is going to fail, but we will try now anyway...
    [VERB] Commit was succesful
    [DBUG] [autodiscover.*****.de] Submitting challenge answer
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3620481663/kvh4hw
    [VERB] Request completed with status OK
    [DBUG] Refreshing authorization (1/15)
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3620481663/kvh4hw
    [VERB] Request completed with status OK
    [EROR] [autodiscover.*****.de] Authorization result: invalid
    [EROR] [autodiscover.*****.de] {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.autodiscover.*****.de - check that a DNS record exists for this domain",
    "status": 400
    }
    [VERB] Starting post-validation cleanup
    [INFO] Script Scripts\IONOSDNS.ps1 starting with parameters delete autodiscover.*****.de _acme-challenge.autodiscover.*****.de "znj2xw_qq_UL5CNzipRf9x5P05ITxYefCeBdXo_CAkE"
    [DBUG] Process launched: powershell.exe (ID: 30020)
    [EROR] Script error: Invoke-WebRequest : Die Anfrage wurde abgebrochen: Es konnte kein gesch�tzter SSL/TLS-Kanal erstellt werden..
    [EROR] Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:38 Zeichen:10
    [EROR] Script error: + $curwr = Invoke-WebRequest -UseBasicParsing `
    [EROR] Script error: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    [EROR] Script error: + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    [EROR] Script error: eption
    [EROR] Script error: + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    [VERB] Process error without data received
    [EROR] Script error: ConvertFrom-Json : Das Argument kann nicht an den Parameter "InputObject" gebunden werden, da es NULL ist.
    [EROR] Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:46 Zeichen:43
    [EROR] Script error: + $DNSZones = ConvertFrom-Json -InputObject $curwr.Content
    [EROR] Script error: + ~~~~~~~~~~~~~~
    [EROR] Script error: + CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
    [EROR] Script error: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFrom
    [EROR] Script error: JsonCommand
    [VERB] Process error without data received
    [EROR] Script error: Invoke-WebRequest : Die Anfrage wurde abgebrochen: Es konnte kein gesch�tzter SSL/TLS-Kanal erstellt werden..
    [EROR] Script error: In C:\admin\Win-ACME\Scripts\IONOSDNS.ps1:87 Zeichen:5
    [EROR] Script error: + Invoke-WebRequest -UseBasicParsing `
    [VERB] Process output without data received
    [EROR] Script error: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    [EROR] Script error: + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
    [EROR] Script error: eption
    [EROR] Script error: + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
    [VERB] Process error without data received
    [INFO] Script finished
    [VERB] Process error without data received
    [VERB] Waiting for process to finish...
    [VERB] Post-validation cleanup was succesful
    [INFO] [autodiscover.*****.de] Deactivating pending authorization
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3620481663
    [INFO] [server.*****.de] Deactivating pending authorization
    [VERB] Request completed with status OK
    [DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3620481673
    [VERB] Request completed with status OK
    [VERB] Order 1/1 (Main): error
    [VERB] Processing order 1/1: Main
    [EROR] Create certificate failed: Validation failed
    - No certificate generated for order Main

    [--test] Quit? (y*/n) - yes

    [VERB] Exiting with status code -1

  2. Bei dem Fehler: Invoke-WebRequest : Die Anfrage wurde abgebrochen: Es konnte kein gesch�tzter SSL/TLS-Kanal erstellt werden..

    Powershell7 installieren und in der settings.json „PowershellExecutablePath“ in „pwsh.exe“ ändern.

  3. Moin Max,

    das Problem ist, dass IONOS (und viele weitere Anbieter) nur noch TLS 1.2 und neuer zulassen. Auf einem Windows Server 2016 muss dazu die PowerShell bzw. das .Net Framework entsprechend umkonfiguriert werden (Windows SSL / TLS Best Practice – Jans Cloud):

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727 /V SchUseStrongCrypto /T REG_DWORD /D 1
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v2.0.50727 /V SystemDefaultTlsVersions /T REG_DWORD /D 1
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319 /V SystemDefaultTlsVersions /T REG_DWORD /D 1

    Bzw.: Transport Layer Security (TLS) best practices with the .NET Framework – .NET Framework | Microsoft Docs

    Eine „schlechte“ Lösung wäre, im PowerShell Script bspw. nach den Parametern folgenden Code zu ergänzen:
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls

    Deine Lösung funktioniert aber ebenfalls. 🙂

    Viele Grüße
    Jan

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.