How to approach automated remote certificate renewal on Serverless (Azure App Services)

I was hoping to get some guidance or direction on how to approach remote management (renewal) of Let's Encrypt certificates in serverless installations. I have Azure App Services (which run on abstracted compute that I cannot get to or install Certbot on); the configuration of SSL certificates is achieved through the Azure API and is pretty straightforward. I also have Azure DNS for the app service, which I can access via API to add TXT records for challenges, etc.

I am entirely able to obtain certificates, add TXT challenges, and upload/configure the certificates from a remote system; however, I am stuck on understanding the best approach to automating this. I have configured Certbot to get all the certificates and some PowerShell to configure the DNS challenges/upload the certificates once I have them.

I am stuck on the actual interaction from the client and how I obtain the challenge and then initiate the check. I can run certbot certonly --manual --preferred-challenges dns -d my.domain.com, and then I am given the challenge key and a continue prompt.

Is there any programmatic or better/simpler way to obtain the challenge first and then call again (with some pause or something after DNS is in place) to test for the challenge? I guess I am just looking for advice or tips on how to use the --manual mode of Certbot (or any other client) with automation remotely for serverless applications. I am not sure if I can grep it out and send sleep commands to continue (after x seconds) in a shell script or something, but I was thinking maybe I am just approaching this all wrong and could get some help.

Have you seen Posh-ACME? It has support for Azure DNS, and I guess you might find it more convenient if you're already using PowerShell anyway (I haven't used it myself though; I'm a Linux guy).

If you prefer certbot, it has hooks that allow you to call out to other programs to deploy the DNS updates (--manual-auth-hook and --manual-cleanup-hook) and upload the certificates (--deploy-hook).

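To make the hook approach concrete, here is an added example of a single hook script that certbot can call for all three hooks. It is not code from the original posts, certbot, or Posh-ACME; it assumes the Azure CLI (az) is logged in with rights on the DNS zone and the web app, and it reads the resource group, zone, app and PFX password from environment variables (AZ_DNS_RG, AZ_DNS_ZONE, APP_RG, APP_NAME, PFX_PASSWORD) whose names are my own choice. The CERTBOT_DOMAIN, CERTBOT_VALIDATION and RENEWED_LINEAGE variables are the ones certbot itself exports to the hooks. The point it adds over the thread: the auth hook blocks until Azure's authoritative nameservers actually serve the TXT value, so no guessed sleep is needed before certbot asks Let's Encrypt to validate.

```shell
#!/usr/bin/env bash
# certbot manual DNS-01 hooks for Azure DNS plus an App Service deploy step.
# Added example for this thread (not from certbot or the posters). Invoke as:
#   certbot certonly --manual --preferred-challenges dns -d my.domain.com \
#     --manual-auth-hook    "/opt/acme/hooks.sh auth" \
#     --manual-cleanup-hook "/opt/acme/hooks.sh cleanup" \
#     --deploy-hook         "/opt/acme/hooks.sh deploy"
# Assumed environment (hypothetical names): AZ_DNS_RG, AZ_DNS_ZONE, APP_RG,
# APP_NAME, PFX_PASSWORD. certbot supplies CERTBOT_DOMAIN, CERTBOT_VALIDATION
# and RENEWED_LINEAGE.
set -eu

AZ=${AZ:-az}   # command used for Azure calls; overridable for offline testing

# Record-set name relative to the zone, e.g.
#   txt_record_name my.domain.com domain.com -> _acme-challenge.my
#   txt_record_name domain.com    domain.com -> _acme-challenge
# Refuses names outside the zone instead of creating a record in the wrong place.
txt_record_name() {
  local fqdn="$1" zone="$2"
  if [ "$fqdn" = "$zone" ]; then
    printf '_acme-challenge\n'
  elif [ "${fqdn%."$zone"}" != "$fqdn" ]; then
    printf '_acme-challenge.%s\n' "${fqdn%."$zone"}"
  else
    printf 'refusing: %s is not inside zone %s\n' "$fqdn" "$zone" >&2
    return 1
  fi
}

add_txt() {     # add_txt <record-set-name> <value>; appends to an existing set
  "$AZ" network dns record-set txt add-record \
    --resource-group "${AZ_DNS_RG:?}" --zone-name "${AZ_DNS_ZONE:?}" \
    --record-set-name "$1" --value "$2"
}

remove_txt() {  # remove_txt <record-set-name> <value>
  "$AZ" network dns record-set txt remove-record \
    --resource-group "${AZ_DNS_RG:?}" --zone-name "${AZ_DNS_ZONE:?}" \
    --record-set-name "$1" --value "$2"
}

# Poll each authoritative nameserver of the zone until it serves the value.
# Let's Encrypt validates against the authoritative servers, so this replaces
# a blind sleep. Gives up after about two minutes per server.
wait_for_txt() {  # wait_for_txt <record-fqdn> <value>
  local name="$1" value="$2" ns tries
  for ns in $(dig +short NS "${AZ_DNS_ZONE:?}"); do
    tries=0
    until dig +short TXT "$name" @"$ns" | grep -qF "\"$value\""; do
      tries=$((tries + 1))
      if [ "$tries" -ge 24 ]; then
        printf 'timed out waiting for %s on %s\n' "$name" "$ns" >&2
        return 1
      fi
      sleep 5
    done
  done
}

auth_hook() {
  local rs
  rs=$(txt_record_name "$CERTBOT_DOMAIN" "$AZ_DNS_ZONE")
  add_txt "$rs" "$CERTBOT_VALIDATION"
  wait_for_txt "$rs.$AZ_DNS_ZONE" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
  local rs
  rs=$(txt_record_name "$CERTBOT_DOMAIN" "$AZ_DNS_ZONE")
  remove_txt "$rs" "$CERTBOT_VALIDATION"
}

# App Service takes a PFX: build one from the renewed lineage, upload, bind.
deploy_hook() {
  local pfx thumb
  pfx=$(mktemp)
  openssl pkcs12 -export -out "$pfx" -passout "pass:${PFX_PASSWORD:?}" \
    -inkey "$RENEWED_LINEAGE/privkey.pem" -in "$RENEWED_LINEAGE/fullchain.pem"
  "$AZ" webapp config ssl upload --resource-group "${APP_RG:?}" --name "${APP_NAME:?}" \
    --certificate-file "$pfx" --certificate-password "$PFX_PASSWORD"
  thumb=$(openssl x509 -in "$RENEWED_LINEAGE/cert.pem" -noout -fingerprint -sha1 \
          | cut -d= -f2 | tr -d ':')
  "$AZ" webapp config ssl bind --resource-group "$APP_RG" --name "$APP_NAME" \
    --certificate-thumbprint "$thumb" --ssl-type SNI
  rm -f "$pfx"
}

case "${1:-}" in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
  deploy)  deploy_hook ;;
  "")      ;;   # no mode given: only define the functions
  *)       echo "usage: $0 auth|cleanup|deploy" >&2; exit 2 ;;
esac
```

Because the hooks are ordinary commands, the same invocation works unattended from cron or a renewal job (certbot renew reuses the hooks recorded at issuance), which removes the interactive continue prompt that --manual shows on its own. Azure TXT record sets hold multiple values, so add-record/remove-record also cope with a base domain and its wildcard being validated in the same run.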

Thanks so much for pointing me to Posh-ACME; this integrates perfectly with the manual/remote workflow I need (given that I will likely use PowerShell to deploy issued certificates to the Azure App Service anyway).

