Use the Azure Key Vault store of the wildcard certificate created via certbot to update the local nginx web server and the Azure Application Gateway

A follow-on from the Azure wildcard certbot certificate with Azure DNS TXT updates: this part is to store the wildcard SSL certificate that certbot created and place it into Azure Key Vault.

I am going to break this down into 2 parts. To start with, I create a script to use on your Linux server, and the second part is done via the Application Gateway. The script does the following:

  1. clean out any old processing of the certificates
  2. pull down the certificate from the azure key vault store
  3. convert the PFX certificate into the
    1. full chain
    2. private key
  4. update the nginx hosting certificate files
  5. reload nginx

So here are the steps in full. I am using a sub-directory called "certs" to process the certificate.

echo "clean out the certs"
# -f so the step does not fail when the directory is already empty
rm -f certs/*

Change the following to your Azure Key Vault name and wildcard certificate name. Please note we have to use base64 encoding, because Key Vault exposes the certificate's PFX as a base64-encoded secret.

az keyvault secret download --file certs/wild.pfx --id https://<azure key vault name>.vault.azure.net/secrets/<certificate name> --encoding base64

And now just convert that PFX file into the private key and then the full certificate file (I am chaining the client certificate and the CA certificates into the full.crt file).

# the PFX that Key Vault hands back has no password, hence -passin pass:
openssl pkcs12 -in certs/wild.pfx -passin pass: -nocerts -nodes -out certs/priv.key
openssl pkcs12 -in certs/wild.pfx -passin pass: -clcerts -nokeys -out certs/full.crt
openssl pkcs12 -in certs/wild.pfx -passin pass: -cacerts -nokeys >> certs/full.crt

And then just copy the certs folder into the SSL directory that your nginx SSL configuration points at.

cp certs/* /etc/nginx/ssl/<domain name>/

Final part: reload nginx to use the new certificate!

systemctl reload nginx
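The five steps above wired together as one script, added here as an example and not the post's own code. It goes a little further than the post: it refuses a PFX whose private key does not match the leaf certificate, skips the install and reload when the certificate fingerprint is unchanged, and only reloads after nginx -t passes. VAULT, CERT_NAME and DOMAIN are assumed placeholders read from the environment.

```shell
#!/bin/sh
# Added example (not the post's own script): fetch the wildcard PFX from Key
# Vault, split it, check the key matches the leaf cert, and install + reload
# nginx only when the certificate actually changed. VAULT, CERT_NAME and
# DOMAIN are placeholders taken from the environment.
set -eu
VAULT="${VAULT:-<azure key vault name>}"
CERT_NAME="${CERT_NAME:-<certificate name>}"
NGINX_SSL_DIR="/etc/nginx/ssl/${DOMAIN:-<domain name>}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Secret ID under which Key Vault exposes the certificate's PFX (base64).
kv_secret_id() { printf 'https://%s.vault.azure.net/secrets/%s' "$1" "$2"; }
# Split an unprotected PFX into priv.key and full.crt (leaf + CA chain).
split_pfx() {  # $1 = pfx path, $2 = output dir
  openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes -out "$2/priv.key"
  openssl pkcs12 -in "$1" -passin pass: -clcerts -nokeys -out "$2/full.crt"
  openssl pkcs12 -in "$1" -passin pass: -cacerts -nokeys >> "$2/full.crt"
  chmod 600 "$2/priv.key"
}
# True when the key's public half equals the leaf certificate's public key.
key_matches_cert() {  # $1 = key file, $2 = cert file
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
# SHA-256 fingerprint of the first cert in a file; empty when the file is absent.
cert_fingerprint() {
  [ -f "$1" ] && openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 || true
}
# Install only when a new fingerprint exists and differs from the installed one.
needs_install() { [ -n "$2" ] && [ "$1" != "$2" ]; }  # $1 = installed, $2 = new

main() {
  az keyvault secret download --file "$WORK/wild.pfx" --encoding base64 \
    --id "$(kv_secret_id "$VAULT" "$CERT_NAME")"
  split_pfx "$WORK/wild.pfx" "$WORK"
  key_matches_cert "$WORK/priv.key" "$WORK/full.crt"
  openssl x509 -in "$WORK/full.crt" -noout -checkend 86400  # refuse a cert dying within a day
  if needs_install "$(cert_fingerprint "$NGINX_SSL_DIR/full.crt")" \
                   "$(cert_fingerprint "$WORK/full.crt")"; then
    install -d -m 700 "$NGINX_SSL_DIR"
    install -m 600 "$WORK/priv.key" "$WORK/full.crt" "$NGINX_SSL_DIR/"
    nginx -t && systemctl reload nginx   # never reload onto a broken config
  else
    echo "certificate unchanged, nothing to do"
  fi
}
if [ "${1:-}" = "run" ]; then main; fi   # invoke as: sh deploy-cert.sh run
```

Run it from cron or a systemd timer as root; a run that finds nothing new touches neither the SSL directory nor nginx.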

To use it on the Application Gateway: well, that is very simple. Go to the Application Gateway -> Listeners -> choose the listener you want to update, and then choose the certificate from the Key Vault.

AND THAT IS IT 🙂 — if you need any more advice on certain areas please say!

Use Azure Application Gateway with the certbot wild card certificate stored within the Azure Key Vault

A follow-on from the Azure wildcard certbot certificate with Azure DNS TXT updates: this part is to store the wildcard SSL certificate that certbot created and place it into Azure Key Vault.

So in essence the process is to:

  1. Check for new certificates via the certbot renewal process
  2. If there is a new certificate create a PFX
  3. Upload this PFX file into the key store

So, to start with, let's obtain a new certificate (if there is one!!). Please change the domain name to the domain name that you are using; the preferred challenge should be whatever you have set up as the default process for this certificate. I am using the Azure DNS zone, so I use the certbot-azure-dns certbot plugin.

certbot certonly --manual -d '*.<domain name>' --preferred-challenges=dns

The next part is the most important part! It is creating the PFX file from the newly issued certificate. Please note you have to pass in the whole key chain, e.g. the chain / fullchain files (change the domain name again to what you are using).

# openssl only honours the last -in, so the leaf goes in -in and the issuer chain in -certfile;
# -passout pass: leaves the PFX unprotected, which is what the import below (no --password) expects
openssl pkcs12 -export -out <domain name>.pfx -passout pass: -inkey /etc/letsencrypt/live/<domain name>/privkey.pem -in /etc/letsencrypt/live/<domain name>/cert.pem -certfile /etc/letsencrypt/live/<domain name>/chain.pem

And then the last part is to just upload that certificate into the Azure Key Vault (you have to have enabled the managed identity, with access to Key Vault, for the service you are using).

az keyvault certificate import --vault-name "<key vault name>" -n "<certificate common name in the file store e.g. my domain>" -f <domain name>.pfx
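The three steps above (check for a renewal, build the PFX, upload it) as a certbot deploy hook, added here as an example and not the post's own script. certbot only runs a --deploy-hook when a certificate was really renewed and sets RENEWED_LINEAGE and RENEWED_DOMAINS for it, so the "is there a new certificate?" check comes for free; the script also counts the certificates inside the PFX against fullchain.pem so a PFX that silently lost its chain never reaches the vault. VAULT and CERT_NAME are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the post's own script): a certbot --deploy-hook that runs
# only when a certificate was really renewed, builds an unprotected PFX from the
# renewed lineage and imports it into Key Vault. VAULT and CERT_NAME are
# placeholders; RENEWED_LINEAGE and RENEWED_DOMAINS are set by certbot.
set -eu
VAULT="${VAULT:-<key vault name>}"
CERT_NAME="${CERT_NAME:-<certificate name>}"

# openssl pkcs12 keeps only the last -in, so the leaf goes in -in and the
# issuer chain in -certfile; -passout pass: keeps the PFX unprotected to match
# the "az keyvault certificate import" call, which passes no --password.
build_pfx() {  # $1 = lineage dir (e.g. /etc/letsencrypt/live/<domain>), $2 = out
  openssl pkcs12 -export -out "$2" -passout pass: \
    -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem"
}

# Number of certificates inside a PFX (leaf plus chain).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin pass: -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Number of certificates in a PEM bundle such as fullchain.pem.
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

main() {
  lineage="${RENEWED_LINEAGE:?is set by certbot when used as --deploy-hook}"
  out="$(mktemp)"
  trap 'rm -f "$out"' EXIT
  build_pfx "$lineage" "$out"
  # Guard against a PFX that silently lost the chain before it reaches the vault.
  expected="$(pem_cert_count "$lineage/fullchain.pem")"
  got="$(pfx_cert_count "$out")"
  if [ "$got" -ne "$expected" ]; then
    echo "PFX holds $got certificate(s), fullchain.pem has $expected" >&2
    exit 1
  fi
  az keyvault certificate import --vault-name "$VAULT" -n "$CERT_NAME" -f "$out"
  echo "imported renewed certificate for ${RENEWED_DOMAINS:-?} into $VAULT/$CERT_NAME"
}
if [ "${1:-}" = "run" ]; then main; fi   # certbot renew --deploy-hook "kv-upload.sh run"
```

Wire it in with `certbot renew --deploy-hook "/path/to/kv-upload.sh run"` (or drop it into /etc/letsencrypt/renewal-hooks/deploy/) and the upload happens only on a real renewal.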

AND THAT IS IT 🙂 — if you need any more advice on certain areas please say!

Azure devops git (ssh) config on linux

I am using Fedora Linux as my development environment OS. I love it, but when you are working with Azure, which mainly assumes you are using Windows, you have to make some changes to your configuration files that Windows (may??) do for you.

So, after I created my SSH key for development, I kept on getting an issue pulling/pushing my local git repo, where the CLI would just hang or error out. So after running it in verbose mode (-v):

git pull -v

The issue highlighted itself with the following error message:

Unable to negotiate with 51.104.26.0 port 22: no matching host key type found. Their offer: ssh-rsa

So, all I did was to update ~/.ssh/config (the .ssh config(uration) file in your local user's home directory). Please note the last bits, the HostKeyAlgorithms and PubkeyAcceptedKeyTypes lines.

Host ssh.dev.azure.com
    PreferredAuthentications publickey
    IdentityFile ~/your/key
    UpdateHostKeys no
    IdentitiesOnly yes
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa,rsa-sha2-256,rsa-sha2-512

After that, there were no issues. I suppose it is the classic case of reading the error message!