Use Azure Application Gateway with the certbot wildcard certificate stored in Azure Key Vault

A follow-on from Azure wildcard certbot certificate with Azure DNS TXT updates: this part takes the wildcard TLS certificate that certbot created, converts it to a PFX and stores it in Azure Key Vault, from where Application Gateway can reference it.

In essence the process is:

  1. Check for a renewed certificate via the certbot renewal process (certbot renew only re-issues once the current certificate is within 30 days of expiry, so most runs do nothing)
  2. If there is a new certificate, create a PFX from the private key and the full chain
  3. Upload that PFX into Key Vault as a new version of the certificate

To start with, obtain a new certificate (if one is due!). Change the domain name to the one you are using. The authenticator must match the challenge set-up for this certificate; I am using an Azure DNS zone, so the certbot-dns-azure plugin performs the DNS-01 challenge and reads the dns.ini file described in the Azure DNS TXT post. (With --manual instead, certbot stops and asks you to create the _acme-challenge TXT record by hand, which cannot be automated.) Note that a wildcard does not cover the apex name, so add a second -d '<domain name>' if the bare domain must be on the same certificate.

certbot certonly --authenticator dns-azure --preferred-challenges dns --dns-azure-config ~/.azure/dns.ini -d '*.<domain name>'

The next part is the most important one: creating the PFX from the new certificate. Application Gateway needs the whole chain inside the PFX, not just the leaf. fullchain.pem already contains cert.pem followed by chain.pem, so pass it once as -in; openssl only honours the last -in given, so repeating the option for cert.pem and chain.pem does nothing useful. openssl prompts for an export password; keep it, as the Key Vault import needs it. (Change the domain name again to what you are using.)

openssl pkcs12 -export -out <domain name>.pfx -inkey /etc/letsencrypt/live/<domain name>/privkey.pem -in /etc/letsencrypt/live/<domain name>/fullchain.pem

If a consumer rejects a PFX produced by OpenSSL 3, the usual cause is the newer AES-256 encryption of the file; adding -legacy to the export makes openssl emit the older encoding instead.

The last part is to upload that PFX into Azure Key Vault. The identity running az here needs permission to import certificates on the vault (with RBAC that is the Key Vault Certificates Officer role; with access policies, the Import certificate permission). Key Vault certificate names may only contain letters, digits and dashes, so "*.example.com" is not a legal name: use something like wildcard-example-com and keep the same name on every renewal, so each import becomes a new version of that certificate. For Application Gateway itself, enable a user-assigned managed identity on the gateway, grant it read access to secrets in the vault (Key Vault Secrets User, or the Get secrets permission) and point the listener at the certificate's versionless secret identifier; the gateway then picks up new versions on its own.

az keyvault certificate import --vault-name "<key vault name>" -n "<certificate name, e.g. wildcard-example-com>" -f <domain name>.pfx --password "<pfx export password>"
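The three steps above wired together as a certbot deploy hook. This is an added example, not the original post's code: certbot runs a deploy hook only when a lineage was actually renewed and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (the names on the certificate) to it. The vault name, the hook path and the assumption that the VM's managed identity may import certificates into that vault are mine, not values from the post.

```bash
#!/usr/bin/env bash
# Added example (not the original post's code): a certbot deploy hook that builds
# a PFX from the renewed lineage and imports it into Azure Key Vault.
# Assumptions, not from the post: the vault name in KV_NAME, and that the VM's
# managed identity already has certificate import rights on that vault.
set -eu

KV_NAME="${KV_NAME:-my-key-vault}"   # assumed vault name

# Key Vault certificate names must match ^[0-9a-zA-Z-]+$, so "*.example.com" is
# not a legal name. Map the wildcard to a prefix, dots to dashes, drop the rest.
kv_cert_name() {
  local domain="$1" prefix=""
  case "$domain" in
    \*.*) prefix="wildcard-"; domain="${domain#\*.}" ;;
  esac
  printf '%s%s\n' "$prefix" "$(printf '%s' "$domain" | tr '.' '-' | tr -cd 'a-zA-Z0-9-')"
}

# Build the PFX. fullchain.pem already holds the leaf plus the intermediate(s),
# so it is passed once as -in (openssl only keeps the last -in it is given).
# The export password is supplied up front so nothing prompts under cron.
build_pfx() {
  local lineage="$1" out="$2" pass="$3"
  openssl pkcs12 -export \
    -inkey "$lineage/privkey.pem" \
    -in "$lineage/fullchain.pem" \
    -out "$out" -passout "pass:$pass"
}

# Import as a new version of the same Key Vault certificate, so a consumer that
# references the versionless identifier keeps working across renewals.
import_cert() {
  local name="$1" pfx="$2" pass="$3"
  az keyvault certificate import --vault-name "$KV_NAME" --name "$name" \
    --file "$pfx" --password "$pass" --output none
}

main() {
  local primary name pass tmp
  primary="${RENEWED_DOMAINS%% *}"      # first name on the cert, e.g. *.example.com
  name="$(kv_cert_name "$primary")"
  pass="$(openssl rand -hex 16)"        # throwaway; only the PFX in $tmp uses it
  tmp="$(mktemp -d)"
  trap 'rm -rf "$tmp"' EXIT             # never leave key material in /tmp
  build_pfx "$RENEWED_LINEAGE" "$tmp/cert.pfx" "$pass"
  az login --identity --output none     # the VM's managed identity
  import_cert "$name" "$tmp/cert.pfx" "$pass"
}

# certbot sets RENEWED_LINEAGE when it invokes a deploy hook; run by hand without
# it there is nothing to deploy and only the functions above are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/keyvault.sh (executable) or pass it once with certbot renew --deploy-hook; either way it only runs after a successful renewal, so the Key Vault import happens exactly when there is a new certificate to store.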

AND THAT IS IT 🙂 — if you need any more advice on certain areas please say!

Azure wildcard certbot certificate with Azure DNS TXT updates

The requirement was to set up a wildcard certificate on Azure, so I used a nice tool called certbot that can issue single-hostname certificates or a wildcard certificate.

Let's Encrypt only issues wildcard certificates via the DNS-01 challenge, so certbot must be able to create (and afterwards clean up) TXT records in the zone. On Azure that breaks down into three pieces:

  1. Install certbot and its Azure DNS plugin onto a server (I am using a Linux server)
  2. Create a custom role that only allows DNS TXT record updates
  3. Assign that role, on the DNS zone, to the server's managed identity (in essence the identity that is altering the TXT records)

To start things off, install certbot. I am using the snap package manager, with nginx as the web server.

snap install core
snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

The certbot plugin that talks to Azure DNS is certbot-dns-azure. As it is not one of the official certbot plugins, it is installed from the --edge channel and certbot has to be told to trust it:

snap set certbot trust-plugin-with-root=ok
snap install --edge certbot-dns-azure
snap connect certbot:plugin certbot-dns-azure

For the plugin to work unattended it needs a config file in the .azure folder called dns.ini (e.g. /root/.azure/dns.ini or ~/.azure/dns.ini). The file names the identity that will change your DNS records, so make it readable by root only (chmod 600).

To fill in the options (small hint: the subscription ID and resource group name can be read from the URL when you go to the DNS zone in the portal):

  1. linux server ID = the client ID of the managed identity the server runs as; I got this after creating the role assignment
  2. dns cloud name = the name of your Azure DNS zone resource (the zone's domain, e.g. example.com)
  3. subscriptionID = your subscription ID
  4. resource groupname = the resource group that holds the DNS zone

dns_azure_msi_client_id = <linux server ID>

dns_azure_zone1 = <dns cloud name>:/subscriptions/<subscriptionID>/resourceGroups/<resource groupname>/providers/Microsoft.Network/dnsZones/<dns cloudname>

Once the file is in place, rehearse the renewal path against the Let's Encrypt staging servers before relying on it; a dry run exercises the plugin's TXT record handling for the certificates that already exist without issuing anything:

certbot renew --dry-run

The last part of this solution is to allow the managed identity (e.g. the Linux server) to update the TXT records of the Azure DNS zone, and nothing more.

Go to your subscription -> Access control (IAM) -> Add (top bar) -> Add custom role.

In the new custom role, define the basics (e.g. the name), then under Permissions use "Add permissions" and include the Microsoft.Network/dnszones/TXT actions. Read and write are enough to create the _acme-challenge record, but the plugin also removes the record once validation has finished, so include delete as well; without it the cleanup step errors and stale challenge records are left behind in the zone.

The JSON would be something akin to

{
  "id": "/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/roleDefinitions/<roleID>",
  "properties": {
    "roleName": "DNS TXT Contributor",
    "description": "User role that only allows DNS TXT updates.",
    "assignableScopes": [ "/subscriptions/<subscriptionID>" ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/dnszones/TXT/read",
          "Microsoft.Network/dnszones/TXT/write",
          "Microsoft.Network/dnszones/TXT/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Then, within the DNS zone (your DNS configuration), go to Access control (IAM), click "Add role assignment" and choose the role you created above. Assigning at the zone rather than the subscription limits the identity to the one zone it actually needs.

Under Members, associate the assignment with your managed identity (e.g. your web server!).
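The portal steps above as an az CLI script, added here as an example and not the original post's code. It creates the TXT-only custom role, assigns it to the server's managed identity at DNS-zone scope, writes the plugin's dns.ini with root-only permissions and finishes with a certbot dry run. The subscription, resource group, zone, identity IDs and file path are placeholders I chose; the --authenticator dns-azure and --dns-azure-config flags are the plugin's and are not shown on the original page.

```bash
#!/usr/bin/env bash
# Added example (not the original post's code): least-privilege DNS-01 setup for
# certbot-dns-azure via az CLI. All IDs and names below are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # assumed
RESOURCE_GROUP="${RESOURCE_GROUP:-dns-rg}"                                    # assumed
ZONE_NAME="${ZONE_NAME:-example.com}"                                         # assumed
MSI_CLIENT_ID="${MSI_CLIENT_ID:-11111111-1111-1111-1111-111111111111}"       # assumed client ID
MSI_OBJECT_ID="${MSI_OBJECT_ID:-22222222-2222-2222-2222-222222222222}"       # assumed object ID
ROLE_NAME="DNS TXT Contributor"
DNS_INI="${DNS_INI:-/root/.azure/dns.ini}"

# Role definition in the flat shape `az role definition create` accepts.
# read/write create the _acme-challenge record; delete lets the plugin remove it
# after validation. Assignable only inside this subscription.
role_definition_json() {
  local sub="$1"
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Only read, write and delete TXT record sets in Azure DNS zones.",
  "Actions": [
    "Microsoft.Network/dnszones/TXT/read",
    "Microsoft.Network/dnszones/TXT/write",
    "Microsoft.Network/dnszones/TXT/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$sub" ]
}
EOF
}

# Resource ID of the zone: the assignment is scoped here, not to the subscription.
zone_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/dnsZones/%s\n' "$1" "$2" "$3"
}

# Contents of the certbot-dns-azure config file, in the format the post shows.
dns_ini() {
  local client_id="$1" zone="$2" sub="$3" rg="$4"
  printf 'dns_azure_msi_client_id = %s\n' "$client_id"
  printf 'dns_azure_zone1 = %s:%s\n' "$zone" "$(zone_scope "$sub" "$rg" "$zone")"
}

main() {
  local role_file
  role_file="$(mktemp)"
  role_definition_json "$SUBSCRIPTION_ID" > "$role_file"
  # Create the role only if it does not exist yet, so re-runs are harmless.
  if ! az role definition list --name "$ROLE_NAME" --query '[0].roleName' -o tsv | grep -q .; then
    az role definition create --role-definition "@$role_file" --output none
  fi
  rm -f "$role_file"
  az role assignment create \
    --assignee-object-id "$MSI_OBJECT_ID" --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" --scope "$(zone_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$ZONE_NAME")" \
    --output none
  # The ini names the identity used for DNS changes: root-only directory and file.
  umask 077
  mkdir -p "$(dirname "$DNS_INI")"
  dns_ini "$MSI_CLIENT_ID" "$ZONE_NAME" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" > "$DNS_INI"
  # Staging dry run: proves the identity can create and remove the TXT record.
  certbot certonly --dry-run --authenticator dns-azure --preferred-challenges dns \
    --dns-azure-config "$DNS_INI" -d "*.$ZONE_NAME" -d "$ZONE_NAME"
}

case "${1:-}" in
  apply) main ;;
  "")    : ;;     # no argument: only define the functions above
  *)     echo "usage: $0 apply" >&2; exit 2 ;;
esac
```

Run it as ./dns-txt-role.sh apply from a shell already logged in to Azure with rights to create roles and assignments; the functions can also be sourced on their own to check what the role JSON and dns.ini will look like before anything is changed.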

The next post (once I have created it, there will be a link here!) will cover creating the certificate and converting it into a PFX file for upload into Azure Key Vault.

AND THAT IS IT 🙂 — if you need any more advice on certain areas please say!