https://www.dvolve.net/tags/powershell/ Recent content in powershell on Adventures in Tech Hugo -- gohugo.io en Wed, 04 May 2022 00:00:00 +0000 https://www.dvolve.net/blog/2022/05/automating-free-certs-for-infoblox-grid-manager/ Wed, 04 May 2022 00:00:00 +0000 https://www.dvolve.net/blog/2022/05/automating-free-certs-for-infoblox-grid-manager/ HTTPS web UIs and APIs using self-signed certificates have always annoyed me. It’s one of the reasons I started learning about PKI long before Let’s Encrypt and the ACME protocol made free publicly trusted certs available for everyone. But it may still be a while before large products and platforms like Infoblox start natively supporting ACME to make our self-signed cert woes a thing of the past. Until then, here’s how you can use Posh-ACME and Posh-IBWAPI to get a free cert for your Grid Manager and automate the renewals. https://www.dvolve.net/blog/2021/07/posh-acme-4.6.0/ Sun, 25 Jul 2021 00:00:00 +0000 https://www.dvolve.net/blog/2021/07/posh-acme-4.6.0/ Just shipped a new Posh-ACME release, version 4.6.0. There are new plugins for HostingDe and Beget. The new Revoke-PACertificate has been improved so it no longer requires a configured ACME account when using an explicit cert/key. There’s a fix for unauthenticated updates with RFC2136 plugin and the Simply plugin is now IDN agnostic thanks to suggestions from the API owner. Updated versions can be found in the PowerShell Gallery or GitHub. https://www.dvolve.net/blog/2021/05/posh-acme-4.5.0/ Sat, 29 May 2021 00:00:00 +0000 https://www.dvolve.net/blog/2021/05/posh-acme-4.5.0/ Just shipped a new Posh-ACME release, version 4.5.0. There are new plugins for PCExtreme (called Aurora) and UKFast. There’s also a new dedicated function for certificate revocation called Revoke-PACertificate. The current revocation functionality is sort of hidden in Set-PAOrder -RevokeCert and only really able to revoke certs that were obtained by the current Posh-ACME account. But the ACME protocol supports additional methods for revocation where all you need is the certificate and its private key even if you have lost access to the original account that requested it. https://www.dvolve.net/blog/2021/05/posh-acme-4.4.0/ Mon, 03 May 2021 00:00:00 +0000 https://www.dvolve.net/blog/2021/05/posh-acme-4.4.0/ Just shipped a new Posh-ACME release, version 4.4.0. There are three new DNS plugin for Constellix, All-Inkl, Easyname and a couple order related new features. PAOrder objects that get returned by things like Get-PAOrder now have a Folder property which is the filesystem path to that order’s config folder. It’s dynamically generated so if you move the config folder somewhere else, it will be updated the next time the module is loaded. https://www.dvolve.net/blog/2021/02/posh-acme-4.3.0/ Wed, 24 Feb 2021 00:00:00 +0000 https://www.dvolve.net/blog/2021/02/posh-acme-4.3.0/ Just shipped a new Posh-ACME release, version 4.3.0. The main change in this version is how the PreferredChain functionality works. Previously it would check all chains in the order they were recieved and use the first one that contained a cert that matched the PreferredChain value. But the upcoming changes to the chains offered by Let’s Encrypt highlighted a problem with that logic. If a user wanted to use the new shorter ISRG Root X1, that value would match in the default chain before even checking the secondary chain. https://www.dvolve.net/blog/2021/02/posh-acme-4.2.0/ Mon, 01 Feb 2021 00:00:00 +0000 https://www.dvolve.net/blog/2021/02/posh-acme-4.2.0/ Just shipped a new Posh-ACME release, version 4.2.0. There are new DNS plugins for Infomaniak and Zilore and a new option for AcmeDns that allows you to specify the complete URI instead of just the hostname in case you’ve got a custom setup. Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme. Changelog Added new DNS plugins Infomaniak (Thanks @Sundypha) Zilore Added ACMEUri option to AcmeDns plugin which allows specifying the complete URI instead of just the hostname. https://www.dvolve.net/blog/2021/01/posh-acme-4.1.0/ Mon, 18 Jan 2021 00:00:00 +0000 https://www.dvolve.net/blog/2021/01/posh-acme-4.1.0/ Just shipped a new Posh-ACME release, version 4.1.0. The RFC2136 plugin now uses the exit code from nsupdate instead of output parsing to determine success and avoid possible language OS inconsistencies. There’s also a new optional DDNSZone param to avoid the initial SOA lookup that breaks in some environments. The UnoEuro plugin has been removed because the API endpoint is no longer functional. So if you hadn’t switched over to the Simply plugin, now is the time. https://www.dvolve.net/blog/2020/12/posh-acme-4.0.0/ Fri, 18 Dec 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/12/posh-acme-4.0.0/ Just shipped a new Posh-ACME release, version 4.0.0. This is a huge personal win for me that took far longer than I had originally intended. So I’m super excited to finally get it out the door. HTTP Plugins The biggest long overdue change is that the plugin system can now support http-0 based challenges and the architecture has been revamped such that adding support for additional challenge types should be significantly easier. https://www.dvolve.net/blog/2020/11/posh-acme-3.20.0/ Wed, 25 Nov 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/11/posh-acme-3.20.0/ Just shipped a new Posh-ACME release, version 3.20.0. The Azure plugin has been enhanced in this release thanks to @InKahootz and now supports targeting additional Azure cloud environments that support specific countries or governments. There are also some fixes for the Simply plugin. Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme. Changelog Azure plugin now supports other Azure cloud environments via the AZEnvironment parameter. https://www.dvolve.net/blog/2020/11/posh-acme-3.19.0/ Fri, 20 Nov 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/11/posh-acme-3.19.0/ Just shipped a new Posh-ACME release, version 3.19.0. There is a new DNS plugin for Simply which is ultimately just a clone of the existing UnoEuro plugin. The provider changed their name and their API endpoint, but it should function the same. DNSPod also changed their API recently and the plugin has been updated to account for those changes, but users will need to create and set an updated API key in their configs in order for renewals to continue working. https://www.dvolve.net/blog/2020/11/posh-acme-3.18.0/ Sat, 07 Nov 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/11/posh-acme-3.18.0/ Just shipped a new Posh-ACME release, version 3.18.0. The highlight of this release is a plugin for DuckDNS. DuckDNS is a free, but troublesome provider to work with because their API only allows for a single TXT record to exist at a time. That means if you’re trying to get a cert that has more than one name in it, such as example.com and www.example.com, you need to publish and validate each TXT record separately instead of publishing both records and validating them at the same time. https://www.dvolve.net/blog/2020/10/posh-acme-deploy-1.2.0/ Thu, 15 Oct 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/10/posh-acme-deploy-1.2.0/ Just shipped a new Posh-ACME.Deploy release, version 1.2.0. There is now a Set-IISFTPCertificate function. It requires the same WebAdministration module the other IIS function does and has been tested on Windows Server 2019, but will likely work against earlier versions as well. In addition to updating the cert, it can also be used to change other SSL related FTP parameters like Control Channel Policy, Data Channel Policy, and whether to use 128-bit encryption. https://www.dvolve.net/blog/2020/10/posh-acme-3.17.0/ Fri, 09 Oct 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/10/posh-acme-3.17.0/ Just shipped a new Posh-ACME release, version 3.17.0. The highlight of this release is the ability to import or export the private key associated with an ACME account. When creating a new account or performing a key rollover for an existing account, Posh-ACME will normally generate a new random private key automatically. But you now have the option to import an existing key instead of having one generated. It works like this: https://www.dvolve.net/blog/2020/09/posh-ibwapi-3.2.0/ Mon, 21 Sep 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/09/posh-ibwapi-3.2.0/ Just shipped a new Posh-IBWAPI release, version 3.2.0. There is now a ProfileName parameter associated with all of the public functions that have connection specific parameters such as WAPIHost, WAPIVersion, and Credential. This should make it easier to change profiles on a per-call basis instead of needing to run Set-IBConfig to switch away and back again. You might use this to make it easier to compare data between different grids. You could also use this to setup some protection against accidental mistakes if you create both an “admin” profile and a “readonly” profile. https://www.dvolve.net/blog/2020/09/hacking-infoblox-discovery-for-fun-and-profit/ Mon, 14 Sep 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/09/hacking-infoblox-discovery-for-fun-and-profit/ An IPAM solution is not very useful unless it accurately reflects the state of your network. The discovery features in NIOS have always been one of the great benefits of having Infoblox DDI. Network Insight and NetMRI focus on discovery of network gear and what is connected to it. The vDiscovery feature adds the ability to discover virtual infrastructure in both public and private cloud environments. All of these working together can give you a super accurate picture of what exists on your network…if all your gear is supported. https://www.dvolve.net/blog/2020/08/posh-acme-3.16.0/ Mon, 31 Aug 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/08/posh-acme-3.16.0/ Just shipped a new Posh-ACME release, version 3.16.0. The highlight of this release is Preferred Chain support which is an advanced but important feature with Let’s Encrypt’s impending root transition. When you download a certificate from an ACME server, you also get the issuing chain with that certificate. But for certificate authorities with complex issuance hierarchies, the ACME server may have multiple valid hierarchies to choose from. This new feature allows you to specify which chain to use based on the Common Name of an issuing CA in the chain. https://www.dvolve.net/blog/2020/06/posh-acme-deploy-1.1.0/ Wed, 24 Jun 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/06/posh-acme-deploy-1.1.0/ Just shipped a new Posh-ACME.Deploy release, version 1.1.0. There is now a Set-ExchangeCertificate function thanks to Erik Nemchik (@nemchik). It requires the Microsoft.Exchange.Management.PowerShell snap-in and has been tested successfully against Exchange 2019, but may work against earlier versions as well. Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme. Changelog Added Set-ExchangeCertificate https://www.dvolve.net/blog/2020/06/posh-acme-3.15.0/ Mon, 22 Jun 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/06/posh-acme-3.15.0/ Just shipped a new Posh-ACME release, version 3.15.0. The big news in this release is External Account Binding (EAB) support which widens Posh-ACME’s compatibility with certificate authorities other than Let’s Encrypt. Sectigo, for example, offers paid certificates and ACME compatible endpoints. However, creating the ACME account requires linking it against an existing Sectigo account using new parameters in New-PAAccount. These parameters are a standard part of the ACME protocol, but optional to implement by a certificate authority. https://www.dvolve.net/blog/2020/06/dnsclient-ps-1.0.0/ Sun, 14 Jun 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/06/dnsclient-ps-1.0.0/ Just shipped a brand new module called DnsClient-PS. It’s a cross-platform DNS client for PowerShell utilizing the DnsClient.NET library. In the library author’s own words: DnsClient.NET is a simple yet very powerful and high performant open source library for the .NET Framework to do DNS lookups. It can be used in any kind of application to query the network’s DNS server or any other DNS server even on non-default ports. https://www.dvolve.net/blog/2020/05/posh-acme-3.14.0/ Thu, 07 May 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/05/posh-acme-3.14.0/ Just shipped a new Posh-ACME release, version 3.14.0. There’s now a Hetzner plugin thanks to a submission by Franz Mueller (@derguterat). The RFC2136 has an important fix when using it with names other than the root domain. The Google DNS plugin and the Azure usage guide also got a couple fixes. Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme. Changelog Added new DNS plugin Hetzner (Thanks @derguterat) Fix for Google DNS plugin to ignore private zones. https://www.dvolve.net/blog/2020/04/posh-acme-3.13.0/ Sat, 11 Apr 2020 00:00:00 +0000 https://www.dvolve.net/blog/2020/04/posh-acme-3.13.0/ Just shipped a new Posh-ACME release, version 3.13.0. There are a whole bunch of new plugins in this release and a whopping four of them were submitted by Anton Samsonov (@WiZaRd31337). One of the other big additions is the long-awaited RFC2136 plugin which utilizes BIND’s nsupdate utility to perform dynamic DNS updates. If you’re on Windows, definitely check the usage guide if you plan to use this because you likely need to download and install the nsupdate prerequisite. https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/ Tue, 17 Dec 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/ If you’ve ever had to setup an HTTPS website in the past couple years, you’ve most likely heard of Let’s Encrypt which is arguably the largest public certificate authority in the world. Not only are their certificates free, the entire ordering and renewal process can be completely automated using a recently finalized protocol standard known as ACME (RFC 8555). But there are endless apps and services other than HTTP based web sites that can also use TLS certificates. https://www.dvolve.net/blog/2019/12/posh-acme-deploy-1.0.0/ Fri, 13 Dec 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/12/posh-acme-deploy-1.0.0/ Just shipped a new module called Posh-ACME.Deploy. It’s an optional companion module for Posh-ACME that provides a set of functions to make it easier to deploy the certificates you create. Deploying certificates is never as simple as you want it to be particularly on Windows. Some apps want PEM files in a folder referenced in a config file. Others reference them from the registry. Some need the certificates in a Windows certificate store, but they might be configured based on thumbprint via WMI. https://www.dvolve.net/blog/2019/12/posh-acme-3.12.0/ Tue, 10 Dec 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/12/posh-acme-3.12.0/ Just shipped a new Posh-ACME release, version 3.12.0. The Set-PAOrder function now has -DnsPlugin and -PluginArgs parameters which should make it easier to change DNS providers and/or provider parameters without needing to wait for a certificate renewal. The BouncyCastle library has been updated to the latest 1.8.5 version and the DLL file is using a non-standard name to avoid conflicts with other software that uses BouncyCastle and chooses to install the DLL into the . https://www.dvolve.net/blog/2019/11/posh-acme-3.11.0/ Tue, 12 Nov 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/11/posh-acme-3.11.0/ Just shipped a new Posh-ACME release, version 3.11.0. The Install-PACertificate function now has optional parameters that allow you to specify the Windows certificate store location and name in case the defaults (LocalMachine\My) aren’t what you need. You can also use the -NotExportable switch to mark the certificate as non-exportable. There’s also a new function called Revoke-PAAuthorization which is mostly useful for testing a new configuration. It allows you to revoke one or more existing authorizations associated with an account so that when you generate a new certificate, the ACME server will require a full re-validation for those names. https://www.dvolve.net/blog/2019/11/posh-acme-3.10.0/ Wed, 06 Nov 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/11/posh-acme-3.10.0/ Just shipped a new Posh-ACME release, version 3.10.0. There’s a critical fix in this version for a problem introduced by a recent change in Let’s Encrypt’s ACME implementation that breaks renewals. A new DNS plugin for HurricaneElectric was added and the Azure plugin now supports certificate based authentication in addition to the existing methods. There’s also additional guidance in the tutorial on renewals and deployment. Updated versions can be found in the PowerShell Gallery or GitHub. https://www.dvolve.net/blog/2019/10/posh-acme-3.9.0/ Sat, 26 Oct 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/10/posh-acme-3.9.0/ Just shipped a new Posh-ACME release, version 3.9.0. There’s a new DNS plugin for UnoEuro thanks to a user submission. The Cloudflare plugin was also updated to support limited use tokens that don’t have edit permissions to all zones on an account. Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme. Changelog Added new DNS plugin UnoEuro (Thanks @OrKarstoft) Fix for Cloudflare plugin not working properly when limited scope token didn’t have at least read permissions to all zones on an account. https://www.dvolve.net/blog/2019/10/posh-ibcli-1.3.0/ Wed, 23 Oct 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/10/posh-ibcli-1.3.0/ Just shipped a new Posh-IBCLI release, version 1.3.0. It adds new functions called Get-IBCLIApacheCert and Set-IBCLIApacheCert which wrap the set apache_https_cert command added in NIOS 8.4. What’s funny is that the only reason I found out about the command is because of a problem I ran into while testing Posh-IBWAPI’s new file upload functions. The file I was trying to upload was a certificate for the web UI and I figured my test procedure would involve uploading my cert and then re-generating a self-signed cert before repeating the test. https://www.dvolve.net/blog/2019/09/posh-acme-3.8.0/ Fri, 27 Sep 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/09/posh-acme-3.8.0/ Just shipped a new Posh-ACME release, version 3.8.0. Set-PAOrder now supports modifying some order properties that don’t require generating a new order such as FriendlyName, PfxPass, and the Install switch. If the order has already been completed, changes to FriendlyName and PfxPass will generate new versions of the associated PFX files with the updated values. But changes to the Install switch will only affect future renewals. The GoDaddy plugin will no longer fail on large accounts with more than 100 domains. https://www.dvolve.net/blog/2019/09/posh-acme-3.7.0/ Wed, 18 Sep 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/09/posh-acme-3.7.0/ Just shipped a new Posh-ACME release, version 3.7.0. In addition to some miscellaneous bug fixes, Submit-Renewal now has an optional -PluginArgs parameter for cases when you need to specify new values for a plugin but don’t want to create a whole new order from scratch. This is useful if your credentials change or if the type of credential you’re using is purposefully short-lived. Updated versions can be found in the PowerShell Gallery or GitHub. https://www.dvolve.net/blog/2019/08/posh-ibwapi-3.1.0/ Fri, 23 Aug 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/08/posh-ibwapi-3.1.0/ Just shipped a new Posh-IBWAPI release, version 3.1.0. There is now an -OverrideTransferHost switch in Send-IBFile and Receive-IBFile. But to understand what it does requires a bit of explanation on how file transfers work under the hood with the Infoblox WAPI. Any given file transfer (up or down) is a 3-step process that can be generalized as follows. Inform WAPI that you want to do a file transfer and it returns a token and a URL to actually transfer against. https://www.dvolve.net/blog/2019/08/posh-acme-3.6.0/ Wed, 21 Aug 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/08/posh-acme-3.6.0/ Just shipped a new Posh-ACME release, version 3.6.0. This one has a bunch of new stuff including new plugins for Domeneshop, Dreamhost, EasyDNS, and freedns.afraid.org. The other big addition is a new function called Invoke-HttpChallengeListener which can be super handy for people doing HTTP challenges. It’s basically a self-contained webserver that will respond to requests for the HTTP challenges in your order so you don’t have manually deal with making the challenge files available. https://www.dvolve.net/blog/2019/08/auditing-active-directory-passwords-with-pwnedpasscheck/ Thu, 15 Aug 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/08/auditing-active-directory-passwords-with-pwnedpasscheck/ In a previous post, I introduced a new PowerShell module called PwnedPassCheck. It can be used to check passwords and hashes against a list of over half a billion compromised passwords exposed in data breaches thanks to Troy Hunt’s incredibly useful haveibeenpwned.com. In this post, I’ll demonstrate how to use the module in conjunction with Michael Grafnetter’s amazing DSInternals module to quickly audit existing passwords in Active Directory against the compromised list. https://www.dvolve.net/blog/2019/08/new-module-pwnedpasscheck/ Tue, 13 Aug 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/08/new-module-pwnedpasscheck/ Troy Hunt’s incredibly useful haveibeenpwned.com is a great way to check whether your email address and other personal information was exposed in a data breach. But it also allows you to separately check if a specific password was exposed in a breach. As of version 5, the data set contains over half a billion compromised passwords and the number of times they’ve been seen in data breaches. My PwnedPassCheck module lets you query that data easily via PowerShell. https://www.dvolve.net/blog/2019/07/workaround-for-ad-psdrive-bug-in-server-2019/ Tue, 16 Jul 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/07/workaround-for-ad-psdrive-bug-in-server-2019/ TL;DR Until Microsoft fixes the bug with the AD PSDrive provider, use the fully qualified PSPath to the object instead of the “AD:” PSDrive path like this: $DN = (Get-ADUser jdoe).distinguishedName $objectPath = "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$DN" Get-Acl -Path $objectPath The Story I was browsing r/PowerShell recently and came across a thread from someone who had run into a PowerShell bug after upgrading to Windows Server 2019 (1809). The user was attempting to run Get-Acl against an AD object using the object’s distinguished name like this: https://www.dvolve.net/blog/2019/06/infoblox-and-ms-management-permissions/ Thu, 27 Jun 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/06/infoblox-and-ms-management-permissions/ The NIOS documentation lacks great instructions for granting least-privilege access to use the various MS Management components. As a former Active Directory admin, that bugs me because people get frustrated and end up giving service accounts Domain Admin permissions just to get things working. This post will lay out the necessary permissions for each component and provide PowerShell examples on how to apply them easily. Warning: I’ve tested these permissions and examples against NIOS 8. https://www.dvolve.net/blog/2019/06/posh-acme-3.5.0/ Fri, 21 Jun 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/06/posh-acme-3.5.0/ Just shipped a new Posh-ACME release, version 3.5.0. This one has an important fix due to a recent change in Let’s Encrypt’s ACME implementation which now more strictly adheres to the recently finalized RFC 8555 spec. The Let’s Encrypt change is only on the staging server at the moment, but it will likely move to production soon and it breaks account creation on all previous versions of Posh-ACME. Updated versions can be found in the PowerShell Gallery or GitHub. https://www.dvolve.net/blog/2019/04/posh-ibwapi-3.0.0/ Sat, 20 Apr 2019 00:00:00 +0000 https://www.dvolve.net/blog/2019/04/posh-ibwapi-3.0.0/ Just shipped a new Posh-IBWAPI release, version 3.0.0. It has only been two days since 2.0.0, but I goofed and shipped 2.0.0 with some breaking changes that I ended up reverting. The biggest feature of the release is the new file upload/download wrappers, Send-IBFile and Recieve-IBFile. They allow you to more easily do things like upload a certificate or download a grid backup and fill a functionality gap that has been bugging me since 1.