posted on March 20

Hi all, I'm sharing a script I've developed over the years to help automate updating certificate/port bindings, especially the non-443 ones like 5053 (LFFTS), 5049 (LFDS), and 8181 (Forms Notification Service) that can't be handled by the IIS Automatic Rebind of Renewed Certificate(s) feature.

I hope it will prove a useful resource for the community.
It's named UpdateLaserficheCertificateBindings.ps1(.txt) and attached to this post.
As usual, remove the ".txt" extension after downloading.

Updating the bindings for these ports is often missed during certificate renewals, leading to negative outcomes that can include:

  • Full system outages, as when LFDSSTS is configured to use HTTPS/TLS and the cert bound to port 5049 for the LFDS service expires
  • Loss of functionality
    • as with the Forms Notification Service when the cert bound to port 8181 expires, where users will stop receiving real-time task notifications in their Forms session (often a "silent" failure as there are no user-facing error messages, only an absence of task updates - only obvious if you load /Forms with the DevTools Networking tab up)
    • as with Laserfiche Full-Text Search (LFFTS), where indexing and indexed searches will stop working as HTTPS calls to it from Laserfiche Server will fail
      • Note: HTTPS/TLS is not typically configured for LFFTS when it runs on the same machine as Laserfiche Server so traffic between them is all localhost. It's usually seen when LFFTS is on its own separate server to have dedicated, isolated resources and communication to it from Laserfiche Server goes over the network.


The script is (I'd like to think) well documented with the first 100 lines being descriptions and examples, so please give that a thorough read before using. I've added the intro description and a few examples below for Answers searchability.
If you have any questions after reviewing, please feel free to ask them here.

.SYNOPSIS

This script updates certificate bindings for ports used by Laserfiche services.

.DESCRIPTION

This script updates certificate bindings for ports used by Laserfiche services.

Especially those that use TLS ports other than 443, which can often be handled through the IIS Certificate Rebind feature or an Automatic Certificate Management Environment (ACME) client for Let's Encrypt or other supporting CA.

It is intended to run as part of a Windows Scheduled Task or similar scheduled/triggered job.

See the Examples for specifics on how to invoke the script through a Scheduled Task action.

Certificate binding requires the Scheduled Task to run with "Highest" (Administrator) privileges.

Consider adding it as an additional action to a relevant existing Scheduled Task, such as an IIS Certificate Rebind or ACME renewal one.

....

.EXAMPLE

UpdateLaserficheCertificateBindings.ps1 -Ports 5049,8181 -MatchSubject "lf-web.example.com"

.EXAMPLE

UpdateLaserficheCertificateBindings.ps1 -Thumbprint "5882d61ef5296744405532cfe379feb8e754c3d4" -CreateBindings

.EXAMPLE

UpdateLaserficheCertificateBindings.ps1 -LogPath "E:\Scripts\Logs" -LogName "CertLog.txt"

.EXAMPLE

When invoked through a Scheduled Task:

Action: Start a program

Program/script: powershell

Add arguments: -File "C:\Scripts\UpdateLaserficheCertificateBindings.ps1" -Ports 5049,8181 -MatchSubject "lf-web.example.com"

Please note this script is something I put together myself, is not an officially supported Laserfiche product, and includes the following disclaimer:

THIS SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

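As an added example (not the attached script or any Laserfiche code), here is the core step such a script performs for one non-443 port: pick the newest valid certificate matching the hostname, compare it with the thumbprint currently bound via `netsh http sslcert`, and rebind only if it differs while keeping the existing Application ID. The port, hostname, English-locale netsh output, and the placeholder appid used when no binding exists yet are assumptions.

```powershell
# Added example, not the posted UpdateLaserficheCertificateBindings.ps1.
# Rebinds one TLS port (default 5049, the LFDS port from the post) to the newest
# matching machine certificate, preserving the appid of the existing binding.
param(
    [int]$Port = 5049,                            # assumed: LFDS HTTPS port
    [string]$MatchSubject = 'lf-web.example.com'  # assumed: sample hostname from the post
)

# Newest non-expired cert in LocalMachine\My with a private key and a matching CN or SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.Subject -like "*CN=$MatchSubject*" -or $_.DnsNameList.Unicode -contains $MatchSubject) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for '$MatchSubject' in LocalMachine\My" }

$ipport = "0.0.0.0:$Port"
$show = & netsh http show sslcert "ipport=$ipport" 2>&1 | Out-String

# Parse the bound thumbprint and Application ID from netsh output (English locale assumed).
$current = if ($show -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { $Matches[1].ToLower() }
$appId   = if ($show -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') { $Matches[1] }
           else { "{$([guid]::NewGuid())}" }   # placeholder appid only when no binding exists yet

if ($current -eq $cert.Thumbprint.ToLower()) {
    Write-Output "Port $Port already bound to $($cert.Thumbprint); nothing to do."
    return
}

# Replace the binding: remove the stale one (if any), then bind the new thumbprint with the same appid.
if ($current) { & netsh http delete sslcert "ipport=$ipport" | Out-Null }
& netsh http add sslcert "ipport=$ipport" "certhash=$($cert.Thumbprint)" "appid=$appId" certstorename=MY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed for $ipport (exit code $LASTEXITCODE)" }

Write-Output "Port $Port rebound: $current -> $($cert.Thumbprint) (expires $($cert.NotAfter))"
# The service listening on that port (e.g. LFDS) must be restarted to pick up the new binding.
```

Run it elevated, since `netsh http add sslcert` needs administrator rights, and verify afterwards with `netsh http show sslcert` that the bound hash matches the renewed certificate.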