Welcome to certbot-dns-azure’s documentation!¶
The dns_azure
plugin automates the process of
completing a dns-01
challenge (DNS01
) by creating, and
subsequently removing, TXT records using the Azure API.
Note
The plugin is not installed by default. It can be installed by heading to certbot.eff.org, choosing your system and selecting the Wildcard tab.
Named Arguments¶
|
Azure config INI file. (Required) |
|
Alias for –dns-azure-config |
Configuration¶
Use of this plugin requires a configuration file containing Azure API credentials or information.
This plugin supported API authentication using either Service Principals or utilising a Managed Identity assigned to the virtual machine.
Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.
As multiple Azure DNS Zones in multiple resource groups can exist, the config
file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings
can be listed by using the key dns_azure_zoneX
where X is a unique number.
At least 1 zone mapping is required.
dns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5
dns_azure_sp_client_secret = E-xqXU83Y-jzTI6xe9fs2YC~mck3ZzUih9
dns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7
dns_azure_environment = "AzurePublicCloud"
dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2
dns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5
dns_azure_sp_certificate_path = /path/to/certificate.pem
dns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7
dns_azure_environment = "AzurePublicCloud"
dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2
dns_azure_msi_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5
dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2
dns_azure_msi_system_assigned = true
dns_azure_environment = "AzurePublicCloud"
dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2
dns_azure_use_cli_credentials = true
dns_azure_environment = "AzurePublicCloud"
dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2
dns_azure_use_workload_identity_credentials = true
dns_azure_environment = "AzurePublicCloud"
dns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1
dns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2
The path to this file can be provided interactively or using the
--dns-azure-config
command-line argument. Certbot records the path
to this file for use during renewal, but does not store the file’s contents.
Caution
You should protect these API credentials as you would the password to your
Azure account. Users who can read this file can use these credentials
to issue arbitrary API calls on your behalf. Users who can cause Certbot to
run using these credentials can complete a dns-01
challenge to acquire
new certificates or revoke existing certificates for domains the identity
has access to.
Certbot will emit a warning if it detects that the credentials file can be
accessed by other users on your system. The warning reads “Unsafe permissions
on configuration file”, followed by the path to the config
file. This warning will be emitted each time Certbot uses the config file,
including for renewal, and cannot be silenced except by addressing the issue
(e.g., by using a command like chmod 600
to restrict access to the file).
Azure Environment¶
The Azure Cloud will default to AzurePublicCloud
, this is used to change
the authentication endpoint used when generating credentials. This option
can be specified in the config file using dns_azure_environment
or
via an environment variable AZURE_ENVIRONMENT
.
The supported values are:
|
|
|
|
|
|
|
DNS delegation¶
DNS delegation, also known as DNS aliasing, is a process of allowing a secondary DNS zone to handle validation in place
of the primary zone. For example, you would like to acquire a certificate for example.com
but have the validation
performed on a secondary domain example.org
. You would create a _acme-challenge.example.com
CNAME on the
example.com
nameserver with the value of _acme-challenge.example.org
. The ACME server will resolve the CNAME and
validate the TXT record _acme-challenge.example.org
instead. Certbot itself does not support CNAME aliasing,
therefore this plugin does what it can to support it.
- The common reasons for DNS delegation are:
The primary DNS zone is hosted on a nameserver with no API access
Security concerns regarding access to the primary DNS zone
We’ll use two domains for the examples below: foo.com
and bar.com
.
Example: Primary Zone, no API Access¶
Let’s assume you wish to get a certificate for test.foo.com
, this will result in a validation record for
_acme-challenge.test.foo.com
. Assuming you don’t have API access to the foo.com
zone, you can manually CNAME said
validation record to point it to bar.com
. E.g.
_acme-challenge.test.foo.com CNAME -> _acme-challenge.test.foo.com.bar.com
This will result in a TXT record called
_acme-challenge.test.foo.com
created in the bar.com
zone.
This can be achieved by using the following config snippet
dns_azure_zone1 = test.foo.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a/resourceGroups/dns1/providers/Microsoft.Network/dnszones/bar.com
So when the Azure Certbot plugin gets requested to make _acme-challenge.test.foo.com
, the zone that record gets
created in is overridden to bar.com
hence the entire _acme-challenge.test.foo.com
is needed as the prefix in the
CNAME value before bar.com
.
Example: Delegation + more security¶
One can go a step further than the step above when hosting records in Azure. Instead of granting Certbot write access to an entire DNS Zone, you can grant access to specific records.
As with before, we shall get a certificate for test.foo.com
. We shall make a CNAME record like:
_acme-challenge.test.foo.com CNAME test_validation.bar.com
(yes it doesn’t need _acme-challenge
in this example).
Using a config like the following:
dns_azure_zone1 = test.foo.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a/resourceGroups/dns1/providers/Microsoft.Network/dnszones/bar.com/TXT/test_validation
This requires you to create a TXT record called test_validation
in the bar.com
zone, the value should be -
and certbot should have IAM privileges to
write to that record explicitly. Now when the request is sent to the plugin to create _acme-challenge.test.foo.com
the zone its created in will be overridden with bar.com
and the validation record will be overridden with test_validation
. This
effectively does the same thing as if certbot had actually resolved the CNAME (which it doesn’t).
Now one caveat here, if you assign specific IAM roles to an individual record, they’ll be lost when the record is cleaned up and deleted.
Which means when it comes to renewal, it’ll fail as it has no IAM privileges to update said record as it no longer exists. For this reason
when the config has record ID’s in it, it will not delete the validation records, it will just set its value to -
(hence you were told to set this initially).
This example can be simplified to allow you to reduce the certbot permissions but not do CNAME delegation, so
for test.foo.com
you would make a TXT record for _acme-challenge.test.foo.com
with the value of -
and then use a config
snippet like:
dns_azure_zone1 = test.foo.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a/resourceGroups/dns1/providers/Microsoft.Network/dnszones/foo.com/TXT/_acme-validation.test
This will override the zone to foo.com (which test
is already in) and the validation record (though it’s overridden to the same thing) but now
it will not delete said validation record.
Generic Certbot Examples¶
certbot certonly \
--dns-azure-config ~/.secrets/certbot/azure.ini \
-d example.com
certbot certonly \
--dns-azure-config ~/.secrets/certbot/azure.ini \
-d example.com \
-d example.org
To run in a non-interactive manner:
certbot certonly \
--authenticator dns-azure \
--preferred-challenges dns \
--noninteractive \
--agree-tos \
--dns-azure-config ~/.secrets/certbot/azure.ini \
-d example.com