AlternativeIdentifierRefs problems with ACME New Certificate

2018, Jun 20    

The AlternativeIdentifierRefs parameter is used by the New-ACMECertificate cmdlet in ACMESharp when you want Let's Encrypt to include a secondary domain in the same certificate as your primary alias (a SAN certificate).
This is handy because Let's Encrypt doesn't support wildcards. EDIT: the Let's Encrypt ACMEv2 endpoint DOES support wildcards, but the PowerShell module as it stands does not use ACMEv2.

I was having an issue when trying to do this:

New-ACMECertificate : The given key was not present in the dictionary

This was because in the previous steps in my script, I was only validating my ownership of the first alias – not of the alternative domains. I need to validate all domains before a certificate will be issued.

Here are some code snippets of what I ended up with:

# Let's Encrypt uses the ACME protocol for verification.
Import-Module ACMESharp

# Inputs the rest of the script relies on (placeholder values, set these for your environment)
$RegistrationEmail = "admin@example.com"     # contact address for the ACME registration
$rootdomain        = "example.com"           # zone the aliases live under
$aliases           = @("www", "api")         # host labels; the first one is the primary name
$alias             = $aliases[0]             # primary alias, the others become AlternativeIdentifierRefs
$acmeCertname      = "example-cert"          # vault alias for the certificate
$pfxFile           = "C:\certs\example.pfx"  # where the PKCS#12 export is written
$randomPw          = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })  # PFX password

if (!(Get-ACMEVault))
{
    Initialize-ACMEVault
}
New-ACMERegistration -Contacts "mailto:$RegistrationEmail" -AcceptTos

# Register one identifier per alias. Build the FQDN inside the string; a bare "+" between
# arguments is passed to the cmdlet as a separate parameter and breaks the call.
$aliases | % {
    New-ACMEIdentifier -Dns "$($_).$rootdomain" -Alias $_
}

# Requesting a validation challenge for EVERY alias before we can get a certificate.
# Validating only the primary alias is what produces "The given key was not present in the dictionary".
$acmeChallenges = @()
$aliases | % {
    $acmeChallenges += Complete-ACMEChallenge $_ -ChallengeType dns-01 -Handler manual
}

# Parsing the challenge output for the right DNS entries to create
$acmeChallenges | % {
    $acmeChallenge = $_

    $manualChallenge = $acmeChallenge.Challenges | ? {$_.HandlerName -eq "manual"}
    $dnsName = $manualChallenge.Challenge.RecordName.replace(".$rootdomain","")
    $dnsValue = $manualChallenge.Challenge.RecordValue

    # Add the DNS records to your provider, preferably via API
    Write-Output "TXT record needed: $dnsName -> $dnsValue"
}

# Give the TXT records time to propagate. 5 seconds is rarely enough for a real DNS provider,
# so poll your resolver (or raise this) before submitting the challenge.
Start-Sleep -s 5

# Notifying that challenge conditions have been met
$aliases | % {
    Submit-ACMEChallenge $_ -ChallengeType dns-01
    (Update-ACMEIdentifier $_ -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}
}

# Requesting a certificate: primary alias first, every other validated alias as an alternative name
New-ACMECertificate $alias -Generate -Alias $acmeCertname -AlternativeIdentifierRefs @($aliases | ? {$_ -ne $alias})
Submit-ACMECertificate $acmeCertname
Update-ACMECertificate $acmeCertname

# Making a PFX certificate. The password is written to the console, so it ends up in any transcript or CI log.
Write-Output "Certificate Password $randomPw"
Get-ACMECertificate $acmeCertname -ExportPkcs12 $pfxFile -CertificatePassword $randomPw
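Since the "key was not present in the dictionary" error only surfaces once New-ACMECertificate is called, a pre-flight check that refreshes every identifier and refuses to continue until all of them are authorized gives a much clearer failure. This is an added example, not code from the original post; it assumes $aliases is the list of ACMESharp identifier aliases (primary first) and that the AuthorizationState returned by Update-ACMEIdentifier carries a Status of "valid", "invalid" or "pending".

```powershell
# Added example: fail fast if any identifier going into the certificate is not yet authorized.
# Assumes Update-ACMEIdentifier returns an AuthorizationState with a Status property.
function Test-ACMEIdentifiersAuthorized {
    param(
        [Parameter(Mandatory)] [string[]] $IdentifierAliases,
        [int] $TimeoutSeconds = 120,   # how long to keep polling pending authorizations
        [int] $PollSeconds = 10
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = @()
        $failed  = @()
        foreach ($id in $IdentifierAliases) {
            # Refresh from the CA instead of trusting the local vault copy
            $state = Update-ACMEIdentifier $id
            switch ($state.Status) {
                'valid'   { }
                'invalid' { $failed += $id }
                default   { $pending += $id }
            }
        }
        if ($failed.Count -gt 0) {
            throw "Authorization failed for: $($failed -join ', ') - check the TXT records and re-run the dns-01 challenge"
        }
        if ($pending.Count -eq 0) { return $true }
        Write-Output "Still pending: $($pending -join ', ')"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for authorization of: $($pending -join ', ')"
}

# Usage: only request the certificate once the primary AND every alternative name is authorized
Test-ACMEIdentifiersAuthorized -IdentifierAliases $aliases | Out-Null
New-ACMECertificate $aliases[0] -Generate -Alias $acmeCertname -AlternativeIdentifierRefs @($aliases | ? {$_ -ne $aliases[0]})
```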