Azure Managed Service Identity


#1

Hi,

We’ve been running Let’s Encrypt as a Web Job in many of our Azure App Services to automatically re-issue SSL certs for our websites - all good. We’re now starting to switch our services to using Azure’s Managed Service Identity. In App Settings, if we set the letsencrypt:ClientId to that of the MSI, does this mean that we can do away with letsencrypt:ClientSecret? This would be great because it would mean that we wouldn’t need to remember to renew the secret every 2 years.

Thanks,

Chris


#2

Hypothetically yes. But only if the Let’s Encrypt client knows how to use the Instance Metadata Service(IMDS) to authenticate.


#3

Thanks Ryan. Can anyone from Let’s Encrypt confirm that please?


#4

Are you actually using certbot in your web job? Or are you using a different client?


#5

That doesn’t ring a bell, no. We installed the site extension following Troy Hunt’s write-up:


#6

Unfortunately, that site extension was not written by the Let’s Encrypt team. So you’re not going to be able to get a whole lot of support for it here. The project site on GitHub doesn’t seem to indicate that it will support Azure authentication via IMDS. But it does still appear to be maintained by the author. So you might want to submit an issue there asking for IMDS support.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.