Hi @kennethtipton, thanks for reaching out. Have you already seen the Using SecretManagement guide on the doc site?
https://poshac.me/docs/v4/Guides/Using-SecretManagement/
I read through that one and watched several videos. The part I am not understanding is what is stored in the vault: is it the old HE user and password or something else, and how does it know which secret to retrieve? Sorry I am having such a hard time understanding it. I can store other information in the vaults.
No worries. Happy to explain further.
Ignoring SecretManagement for a moment, what normally happens when your plugin variables are saved to disk is that the module encrypts the secure values using a key provided by the OS. However, that OS provided key can't be used by anyone except the current user on the current machine. It's a very secure configuration, but it can also be inconvenient if you need to reference the same config files from another user or machine.
For those who need a more portable configuration, Set-PAAccount has a switch called -UseAltPluginEncryption which tells the module to start using a specific (randomly generated) key instead of the OS provided key. The new key value is stored with the config files so if you move them or access them from a different user/machine, the encrypted plugin data can still be decrypted. So you're sacrificing a bit of security for a more portable config and trusting that the filesystem permissions on your config are sufficient to keep unwanted parties from accessing your sensitive plugin variables.
The SecretManagement support builds on this UseAltPluginEncryption functionality by moving the encryption key into the vault instead of leaving it on disk with the rest of your config. The key is stored by default as a secret called poshacme-{0}-sskey where {0} is a random GUID associated with the account in the local config file. If you have more than one Posh-ACME account defined and you enable UseAltPluginEncryption on all of them, you'll have one secret stored per account. There's also nothing stopping you from storing other non-Posh-ACME related secrets in the same vault as long as they don't conflict with the Posh-ACME secrets' naming conventions.
By using the SecretManagement support you're ultimately trading filesystem security for whatever security is provided by the specific Vault plugin you've configured. For instance, using the Microsoft provided SecretStore plugin would be pointless because it stores secrets on disk in the current user profile using the exact same non-portable key provided by the OS that the default Posh-ACME configuration uses. But using something like Az.KeyVault means your secrets are protected by Azure's native KeyVault service, and access is dependent on however you've configured that.
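As an added example (not code from the thread or from the Posh-ACME project), the following PowerShell switches every account over to the portable key and then checks that a poshacme-*-sskey secret actually landed in the vault, which is the quickest way to confirm the key is no longer sitting on disk. It assumes a SecretManagement vault named PoshAcmeVault is already registered, and that the POSHACME_VAULT_NAME environment variable is how Posh-ACME is told which vault to use, as described in the Using SecretManagement guide linked above (confirm the variable name against that guide for your module version). Get-PAAccount, Set-PAAccount, Get-SecretVault and Get-SecretInfo are real cmdlets; the vault name is a placeholder.

```powershell
# Added example; not the project's own code. Assumes a registered vault and
# that POSHACME_VAULT_NAME selects it (see the linked guide).
$vaultName = 'PoshAcmeVault'   # assumed placeholder vault name

# Fail early if the vault isn't registered, rather than letting the module
# silently keep the key on disk next to the config.
if (-not (Get-SecretVault -Name $vaultName -ErrorAction SilentlyContinue)) {
    throw "Vault '$vaultName' is not registered. Run Register-SecretVault first."
}
$env:POSHACME_VAULT_NAME = $vaultName

# Enable the alternate (random, portable) plugin encryption key on every
# account. Each account gets its own key, so expect one secret per account.
$accounts = @(Get-PAAccount -List)
foreach ($acct in $accounts) {
    Set-PAAccount -ID $acct.id -UseAltPluginEncryption
}

# Verify. The {0} in the secret name is a GUID kept in the account's local
# config, not the ACME account id, so compare counts rather than ids.
$keySecrets = @(Get-SecretInfo -Vault $vaultName -Name 'poshacme-*-sskey')
"Accounts: $($accounts.Count)  key secrets in vault: $($keySecrets.Count)"
$keySecrets | ForEach-Object { "  $($_.Name)" }

if ($keySecrets.Count -lt $accounts.Count) {
    Write-Warning 'Fewer key secrets than accounts; check POSHACME_VAULT_NAME and your vault permissions.'
}
```

Because the vault now holds the only copy of the key, back up the vault (or its backing service) with the same care you would give the config directory; losing the secret means the encrypted plugin arguments cannot be recovered.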
I can see how you are storing the info. Pretty neat. But when I generate a certificate it prompts me for the hurricane electric username and password. When I use Get-PAPlugin I get:
PS C:\POSHACME> Get-paPlugin -plugin HurricaneElectric -params

Set Name: Secure (Default)

Parameter    Type          IsMandatory
---------    ----          -----------
HECredential PSCredential  True

Set Name: DeprecatedInsecure

Parameter    Type          IsMandatory
---------    ----          -----------
HEUsername   String        True
HEPassword   String        True
That Get-PAPlugin command is only telling you what parameter sets are supported for the HurricaneElectric plugin. In this case, you can either supply a PSCredential object called HECredential or two different strings containing the username/password called HEUsername and HEPassword. If you want to query the actual parameters that are saved for a given order, you'd need to use Get-PAPluginArgs.
What command(s) did you use to create the certificate initially?
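As an added example (not from the thread or the Posh-ACME project), this shows the difference between the parameter-set listing from Get-PAPlugin and the stored values from Get-PAPluginArgs: it hands the HurricaneElectric plugin its Secure set up front via -PluginArgs so the order never has to prompt, then reads back what was persisted for that order. It assumes a Posh-ACME server and account are already configured, that the domain is a placeholder, and that Get-PAPluginArgs returns a hashtable keyed by parameter name (its documented output type).

```powershell
# Added example; not the project's own code.
$domain = 'www.example.com'   # assumed placeholder domain

# Build the PSCredential the 'Secure' set expects. Prompting once here keeps the
# password out of shell history; the module encrypts it when it saves the order.
$heCred = Get-Credential -Message 'Hurricane Electric dns.he.net login'

# Name the plugin and pass HECredential explicitly. If -PluginArgs is omitted,
# nothing is stored for the order and the plugin has to prompt at run time.
New-PACertificate -Domain $domain -Plugin HurricaneElectric -PluginArgs @{ HECredential = $heCred }

# Get-PAPlugin -Params only lists which parameter *sets* exist; Get-PAPluginArgs
# returns the values saved for the current order (New-PACertificate selects it).
$saved = Get-PAPluginArgs

if ($saved.ContainsKey('HECredential')) {
    "Secure set in use; stored user: $($saved.HECredential.UserName)"
} elseif ($saved.ContainsKey('HEUsername')) {
    # Plain-string set still works but is marked deprecated in the listing above.
    Write-Warning 'Order is using the DeprecatedInsecure set (HEUsername/HEPassword).'
} else {
    Write-Warning 'No HurricaneElectric args saved for this order; the next run will prompt.'
}
```

The stored HECredential is what Posh-ACME encrypts with either the OS key or, when UseAltPluginEncryption is on, the per-account key; Get-PAPluginArgs decrypts it for you, so treat its output as sensitive and avoid piping it into logs or transcripts.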