Etienne Jeanneau edited this page Oct 4, 2016 · 13 revisions

Welcome to the NetScaler-ACME-PowerShell wiki!

Introduction

THIS SCRIPT HAS NOT BEEN TESTED ON A PRODUCTION ENVIRONMENT, USE IT AT YOUR OWN RISK!

This script helps automate Let's Encrypt certificate requests and renewal for Citrix NetScaler deployments.

It does not configure the NetScaler for you: the Setup section below describes the responder and load-balancing objects you must create first, and the variables you must adjust in the script.

It relies on the following libraries:

Inspired by Ryan Butler's article: https://techdrabble.com/citrix/18-letsencrypt-san-certificate-with-citrix-netscaler-take-2.

Feel free to contribute!

Setup (How-To)

  1. Sync the script and its dependencies to your Windows box.
  2. Set up your NetScaler appliance's basic settings (NSIP, etc.).
  3. On your NetScaler, in the menu AppExpert > Responder, create a responder HTML page. Name it as you like and select "Import From Text".
  4. Fill in any text; the script overwrites this page with the challenge response later on.
  5. Create a responder action and name it as you like. The type is "Respond with HTML page", the response status code is "200" and the page is the one you just created.
  6. Create a responder policy and name it as you like. Select the action you just created and fill the expression field with the following: HTTP.REQ.URL.CONTAINS("well-known/acme-challenge/") This responder page, action and policy answer the HTTP (http-01) challenge requests that the Let's Encrypt ACME servers send to http://<your domain>/.well-known/acme-challenge/<token>.
  7. Create a new responder action and name it as you like. The type is "Redirect" and the status code is "302". Fill the expression field with the following: "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE
  8. Create a new responder policy and name it as you like. The action is the one you just created and the expression field should be set to: HTTP.REQ.IS_VALID This responder action and policy redirect all other traffic arriving on HTTP over to HTTPS.
  9. In the menu Traffic Management > Load Balancing, create a new service and name it "always up". The IP address should be set to "127.0.0.1", the protocol is "HTTP" and the port "80". This dummy service only exists so that the HTTP virtual server stays UP although there is no real backend; the responder policies answer every request before it would be forwarded to the service.
  10. Create a new Load Balancing Virtual Server and name it as you like. The IP address must be the one your domain name resolves to, because the Let's Encrypt validation servers connect to it. The protocol is "HTTP" and the port is "80".
  11. Bind the "always up" service to your LB vServer.
  12. Bind your two responder policies in the following order: the Let's Encrypt policy must have the higher priority (i.e. the lower priority number) than the HTTP redirection policy, otherwise the challenge requests are redirected to HTTPS instead of being answered.
  13. Now, head over to your Windows box, open a PowerShell prompt and type the following:
  • $password = read-host -prompt "Enter your Password" Press Enter, type your NetScaler password and press Enter.
  • $secure = ConvertTo-SecureString $password -force -asPlainText | ConvertFrom-SecureString Press Enter.
  • $secure | out-file c:\temp\securepassword.txt Press Enter. The file c:\temp\securepassword.txt holds your encrypted password. Without a -Key, ConvertFrom-SecureString encrypts with the Windows Data Protection API (DPAPI), so the file can only be decrypted by the same Windows user account on the same machine: run the script, and any scheduled task that launches it, under that account, and restrict the file's permissions to it. This is better than a clear-text password but still not secure: anyone who can run code as that user can recover the password.
  14. Edit the PowerShell script named "automatic-cert-update.ps1" in a text editor and change the variables to match your environment. Save your changes. The following variables should be adjusted:
  • $nsip : IP address of your NetScaler (NSIP)
  • $nsuser : Admin user of your NetScaler
  • $nspwd : Encrypted admin password of your NetScaler (see step 13)
  • $responderhtmlpagename : name of your Let's Encrypt responder HTML page (see step 3)
  • $certkey : the name you want to give to your certificate on the NetScaler
  • $email : the contact email address registered with your Let's Encrypt account, in case Let's Encrypt needs to contact you
  • $domainname : your domain name
  • $certpath : the location where the certificates and the logfile will be stored on the Windows box
  15. Run the script! Check the output or the log file.
  16. You can check your SSL certificate on your NetScaler in Traffic Management > SSL > SSL Certificate > Server Certificates. Use it as you like!
  17. Automate the script launch with your favorite scheduler (Windows Task Scheduler, for example), running it as the same Windows account that created the encrypted password file in step 13.
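Before running the script for the first time, it is worth checking from the Windows box that the responder objects from steps 3 to 12 behave as intended: a request under /.well-known/acme-challenge/ must get a 200 with the HTML page body, and any other HTTP request must get a 302 to the same host and path on https://. The following check is an added example and is not part of the NetScaler-ACME-PowerShell project; the domain name, the probe token and the probe path are assumptions to replace with your own. It uses HttpWebRequest with automatic redirects disabled so that the 302 is observed rather than followed.

```powershell
# Added example (not project code): verify the NetScaler responder setup for the
# ACME http-01 challenge and the HTTP->HTTPS redirect before running the script.
# Assumptions: the domain below resolves to the LB vServer VIP from step 10,
# and the token/path used for probing are arbitrary test values.
$DomainName = 'www.example.com'   # assumption: your $domainname

function Invoke-RawHttpGet {
    # Perform a single GET without following redirects, so that the 302 returned by
    # the redirect responder action is returned to the caller instead of being followed.
    param([Parameter(Mandatory)][string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers are raised as exceptions; keep the response if there is one.
        if ($null -eq $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body = $reader.ReadToEnd()
    $reader.Close()
    $resp.Close()

    [pscustomobject]@{
        StatusCode = [int]$resp.StatusCode
        Location   = $resp.Headers['Location']
        Body       = $body
    }
}

function Test-AcmeResponderSetup {
    # Returns $true only when both responder policies behave as steps 6, 8 and 12 require.
    param([Parameter(Mandatory)][string]$Domain)

    $ok = $true

    # 1. Challenge path: the Let's Encrypt policy (higher priority) must answer with 200
    #    and the body of the responder HTML page, not redirect to HTTPS.
    $challenge = Invoke-RawHttpGet "http://$Domain/.well-known/acme-challenge/probe-token"
    if ($challenge.StatusCode -eq 200) {
        Write-Host "ACME challenge path OK (200), page body: $($challenge.Body)"
    } else {
        Write-Warning "ACME challenge path returned $($challenge.StatusCode) instead of 200; check the policy order from step 12"
        $ok = $false
    }

    # 2. Any other path: the redirect policy must answer 302 with an https:// Location
    #    on the same host. The probe path has no query string, so HTTP_URL_SAFE leaves it unchanged.
    $other = Invoke-RawHttpGet "http://$Domain/probe/path"
    if ($other.StatusCode -eq 302 -and $other.Location -eq "https://$Domain/probe/path") {
        Write-Host "HTTP -> HTTPS redirect OK (302 to $($other.Location))"
    } else {
        Write-Warning "Redirect check failed: got $($other.StatusCode) with Location '$($other.Location)'"
        $ok = $false
    }

    return $ok
}

if (Test-AcmeResponderSetup -Domain $DomainName) {
    Write-Host 'Responder setup looks correct; you can run automatic-cert-update.ps1.'
} else {
    Write-Host 'Fix the responder configuration before running the script.'
}
```

Run this from the same Windows box that will run the script. If the challenge probe is answered with a 302, the redirect policy is bound with a lower priority number than the Let's Encrypt policy (step 12); if it times out, the virtual server is most likely DOWN, which usually means the "always up" service from step 9 is not bound or not UP.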