Generate a cert for azure but not so manually

My domain is: www.dev-connect.digitalpipeline.xyz

I want to update/renew the cert but not so manually. The point is that when trying other ways to generate the cert I can't get the TXT to put in the Azure DNS zone and avoid a validation.

And I would like to avoid this part to be able to automate this in the near future, but if I have to keep copying and pasting the TXT that will never happen...

Also, trying other ways I got many errors related to the preferred challenge dns-01.

May you have any idea to solve this?

I ran this command:
certbot certonly --manual \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory \
-d "temptest.digitalpipeline.xyz" \
-m xxxxxxx@xxxxxx.com --agree-tos \
--preferred-chain "ISRG Root X1"

Regards

You can use certbot-dns-azure to automate Certbot DNS validation via Azure DNS.


Oh... let me try it and I'll answer you back, thanks!


It's also worth mentioning that some ACME clients (https://acmeclients.com/) have built-in support for Azure KeyVault (and Azure DNS), so from there you could probably assign the cert from the KeyVault to the Azure App Gateway. That way you'd just need to renew the cert and push it to the KeyVault, I believe the gateway then picks up the refreshed cert after about 30 minutes or so.


Okay, I did it!
I paste the script below for future folks who may have the same problem, enjoy:

#!/bin/bash
#### name of this script -> whatever you want.sh
#### Steps before using the script:
#### Log in to Azure with az login (if you don't have it, install it with apt install azure-cli)
#### Install Certbot (apt install certbot)
#### Make the hook executable: chmod +x validate.sh
#### This is the only variable that you need to replace (the TXT record that gets created in DNS is named _acme-challenge.<this name>, otherwise validation won't work)
URL="testdns.digitalpipeline.xyz"

#### The begin of the script
#### Do not assign to PATH here: that would hide certbot and az from the shell. Use a dedicated variable,
#### resolved from this script's own location so validate.sh is found even when run from elsewhere.
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
printf "\n -> Starting script\n\n"
certbot certonly --manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos --email victor.kraskicieslak@georgfischer.com \
--manual-auth-hook "$SCRIPT_DIR/validate.sh" \
-d "$URL"


### THIS PART BELOW MUST BE IN ANOTHER SCRIPT WHICH NEEDS TO BE IN THE SAME DIRECTORY AS THE FIRST ONE

#!/bin/bash
#### name of this script -> validate.sh
#### Certbot runs this hook once per domain and passes CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment
AZURE_DNSZONE="digitalpipeline.xyz"

#### The full name for the TXT record: add _acme-challenge and remove the zone suffix (.digitalpipeline.xyz)
CERTBOT_CHALLENGE="_acme-challenge.$CERTBOT_DOMAIN"
CERTBOT_CHALLENGE=${CERTBOT_CHALLENGE%.$AZURE_DNSZONE}

printf "\n########################################################################################\n"
#### Pass values as printf arguments, not as the format string (a leading "-" would be parsed as an option)
printf "%s\n" "-VALIDATE-"
printf "certbot domain: %s\n" "$CERTBOT_DOMAIN"
printf "certbot challenge: %s\n" "$CERTBOT_CHALLENGE"
printf "certbot validation: %s\n" "$CERTBOT_VALIDATION"
printf "Azure DNS zone: %s\n" "$AZURE_DNSZONE"

AZURE_RESOURCEGROUP=$(az network dns zone list --output tsv --query "[?name=='$AZURE_DNSZONE'] | [0].resourceGroup" | tr -d '\r')

#### Add the ACME DNS validation challenge TXT record and remove the old one
#### (on the first run the record set does not exist yet, so "show" fails and there is nothing to remove)
OLD_TXT_RECORD=$(az network dns record-set txt show -g "$AZURE_RESOURCEGROUP" -z "$AZURE_DNSZONE" -n "$CERTBOT_CHALLENGE" --query "txtRecords[0].value[0]" --output tsv 2>/dev/null | tr -d '\r')
az network dns record-set txt add-record -g "$AZURE_RESOURCEGROUP" -z "$AZURE_DNSZONE" -n "$CERTBOT_CHALLENGE" -v "$CERTBOT_VALIDATION"
if [ -n "$OLD_TXT_RECORD" ] && [ "$OLD_TXT_RECORD" != "$CERTBOT_VALIDATION" ]; then
    az network dns record-set txt remove-record -g "$AZURE_RESOURCEGROUP" -z "$AZURE_DNSZONE" -n "$CERTBOT_CHALLENGE" -v "$OLD_TXT_RECORD"
fi

printf "END OF -VALIDATE-\n"
printf "\n########################################################################################\n"
#### Give some time for DNS propagation
sleep 10
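The two-script approach above hard-codes the zone suffix, leaves the TXT record in place after issuance, and relies on a fixed sleep for propagation. The hook script below is an added example (not the poster's code) that addresses those three points in one file usable as both `--manual-auth-hook` and `--manual-cleanup-hook`. It assumes `az login` has already been done, that the caller exports `AZURE_DNSZONE` (the zone name), and that a hypothetical `AZ_CMD` variable may be set to substitute a fake `az` for offline testing.

```shell
#!/bin/bash
# Added example, not the poster's script: a single certbot DNS-01 hook file for Azure DNS.
# Assumptions: `az login` done; AZURE_DNSZONE set by the caller; AZ_CMD (hypothetical)
# lets a test swap in a fake az. Suggested invocation (file saved as acme-azure-hooks.sh):
#   AZURE_DNSZONE=example.com certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "$PWD/acme-azure-hooks.sh auth" \
#     --manual-cleanup-hook "$PWD/acme-azure-hooks.sh cleanup" \
#     -d example.com -d '*.example.com'
set -eu

ACME_POLL_ATTEMPTS=${ACME_POLL_ATTEMPTS:-18}   # 18 x 10 s = 3 minutes of polling at most
ACME_POLL_SECONDS=${ACME_POLL_SECONDS:-10}

az_cmd() { "${AZ_CMD:-az}" "$@"; }

# Relative record name inside the zone, derived instead of hard-coded:
#   www.example.com / example.com -> _acme-challenge.www
#   example.com     / example.com -> _acme-challenge   (apex and wildcard; certbot drops "*.")
acme_record_name() {
  fqdn=$1; zone=$2
  case "$fqdn" in
    "$zone")   printf '_acme-challenge\n' ;;
    *".$zone") printf '_acme-challenge.%s\n' "${fqdn%".$zone"}" ;;
    *) printf 'error: %s is not inside zone %s\n' "$fqdn" "$zone" >&2; return 1 ;;
  esac
}

zone_resource_group() {
  az_cmd network dns zone list --output tsv \
    --query "[?name=='$1'] | [0].resourceGroup" | tr -d '\r'
}

# Poll the zone's own nameserver so a stale cached answer cannot fool the check;
# without dig, fall back to a fixed wait of the same total length.
wait_for_txt() {
  fqdn=$1; value=$2; i=0
  if ! command -v dig >/dev/null 2>&1; then
    sleep $((ACME_POLL_ATTEMPTS * ACME_POLL_SECONDS)); return 0
  fi
  ns=$(dig +short NS "$AZURE_DNSZONE" | head -n 1)
  while [ "$i" -lt "$ACME_POLL_ATTEMPTS" ]; do
    if dig +short TXT "$fqdn" "@${ns:-1.1.1.1}" | grep -Fq "\"$value\""; then
      return 0
    fi
    i=$((i + 1)); sleep "$ACME_POLL_SECONDS"
  done
  printf 'warning: %s not visible after polling; letting certbot try anyway\n' "$fqdn" >&2
}

auth_hook() {
  name=$(acme_record_name "$CERTBOT_DOMAIN" "$AZURE_DNSZONE")
  rg=$(zone_resource_group "$AZURE_DNSZONE")
  # add-record creates the set if missing and appends otherwise, so the apex and
  # wildcard validations for the same name coexist instead of overwriting each other.
  az_cmd network dns record-set txt add-record -g "$rg" -z "$AZURE_DNSZONE" \
    -n "$name" -v "$CERTBOT_VALIDATION" --output none
  wait_for_txt "$name.$AZURE_DNSZONE" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
  name=$(acme_record_name "$CERTBOT_DOMAIN" "$AZURE_DNSZONE")
  rg=$(zone_resource_group "$AZURE_DNSZONE")
  # Remove only this run's token; az deletes the record set once it is empty,
  # so no stale challenge values are left behind for the next renewal.
  az_cmd network dns record-set txt remove-record -g "$rg" -z "$AZURE_DNSZONE" \
    -n "$name" -v "$CERTBOT_VALIDATION" --output none
}

case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
  "")      ;;   # no mode given: only define the functions (sourcing / testing)
  *)       printf 'usage: %s auth|cleanup\n' "$0" >&2; exit 2 ;;
esac
```

Because the cleanup hook removes exactly the value the auth hook added, the same invocation works for a multi-name order (apex plus wildcard share `_acme-challenge`), and the `az` identity used only needs DNS Zone Contributor on that one zone.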
