Free Automated SSL Certificates in Azure KeyVault with ACME Bot


Comments • 76

  • @davidpetrovic3656 · a year ago · +4

    One of the best tutorials ive got yet. Thank you very much Matt!

    • @MattAllford · a year ago · +2

      Hey David, thanks so much mate, I really appreciate that feedback and I'm glad you found it helpful!

  • @subzeroleaf · 3 months ago · +1

    That's the best tutorial on SSL certificate automation I've found using the stack I was interested in. Thank you very much

    • @MattAllford · 3 months ago

      Thanks for the feedback, I’m glad it was helpful!

  • @Saqibss · 3 months ago · +1

    Came back to add an update, want to thank you again Matt, this tutorial was really great, I've managed to implement ACMEbot with a custom domain managed in Azure public DNS, along with integrating the key vault with two IIS servers using the Azure Keyvault Extension which runs on the windows servers and will periodically update the certs used on the server from those in the key vault. We now have fully automated certs for our custom web domain / iis servers.

    • @MattAllford · 3 months ago · +1

      Woo! That's a fantastic solution, great work, and I'm glad this helped you achieve a hands off, low cost automated solution :) Thanks for sharing the update, I love hearing when people put this sort of thing in to practice!

  • @Saqibss · 7 months ago · +3

    Great Tutorial, thanks!

  • @jp-tp1bl · 6 months ago · +3

    This works perfectly. Thanks Allford.

    • @MattAllford · 5 months ago

      Awesome! Glad it was helpful!

  • @aaronhudon · a day ago

    This works beautifully for my wildcard requirements. Azure | AWS Route 53. Thanks for this.

    • @MattAllford · a day ago · +1

      Awesome to hear, glad it helped you get up and running with the wildcard!

  • @kolex023 · 5 months ago · +2

    You saved me a bunch of time! Thank you!

    • @MattAllford · 5 months ago · +1

      I love to hear that! Thank you for watching and I’m glad it helped.

  • @po6577 · 3 months ago

    This is amazing!! Shout out to the Aussie and the Github creator!!

    • @MattAllford · 3 months ago

      Thank you, glad you enjoyed it!

  • @AntonioOlander · a year ago · +3

    Nicely put together. This is the same stack that I use but doing it manually. I can't wait to give this a try and implement it. My only difference is that I will be using Front Door. Thanks again.

    • @MattAllford · a year ago · +1

      Hey @AntonioOlander, thanks heaps for the comment, I'm glad you found it helpful. It's a super awesome tool, I just did the easy work of sharing the word about it :)

    • @AntonioOlander · a year ago

      @MattAllford FYI, I created this a couple of months back and now my certs were getting to the due dates and did not auto renew. I tried to manually renew and it was failing. The failed part was reaching out to Cloudflare, and looking at the logs I could not figure out why. I started fresh and when I got to the point of creating the Cloudflare token to put into the function app config, I had a hunch that when I initially created the token, the TTL was not set long enough. I think I did a week like you did in the video. So I created a new one with no expiration, took that key and put it into my existing function app, and now I can renew the certs. My question, and for others: is there an issue with not putting a TTL on the Cloudflare key?

    • @MattAllford · a year ago · +1

      I don't think I saw this reply, sorry.
      At the end of the day, the TTL on the Cloudflare key comes down to any internal processes you might have in place for security of API keys, and rotation requirements. A lot of it will come down to risk vs operational and management overhead. There's no technical issue with not putting an expiry on the cloudflare API key. Hope that helps!

  • @christianibiri · a year ago · +2

    This video is really awesome!!!!

    • @MattAllford · a year ago · +1

      Thanks for the feedback Christian, I’m glad you valued it!

  • @juliensan · a year ago · +1

    Great content, thank you

    • @MattAllford · a year ago

      You’re welcome, thank you for the comment and kind feedback :)

  • @joergmayer3741 · 2 months ago

    Thx. Great video.

    • @MattAllford · 2 months ago

      Thanks for watching! I’m glad it was helpful.

  • @jameseduard2092 · a year ago · +3

    Nice tutorial, you explain it in detail, thanks Matt. I also tried to configure it with MS Teams; the alerts look different from Slack.

    • @MattAllford · a year ago

      Thanks James! I actually didn’t try it with teams in the end. I assume the data was similar, maybe just visually different, right?

  • @user-dr8cy5hs7i · a month ago

    Thanks, Matt, it was so helpful. It would be even more helpful if you can show a demo of API to manage all these certs

    • @MattAllford · 26 days ago

      Thanks for watching, happy to hear it was helpful! Point noted - might make for a good follow up section.
      Not sure if you came across it, but there's a bit of info in the docs about using the API if that's of interest:
      github.com/shibayan/keyvault-acmebot/wiki/

  • @floridahoroschak-bo7tl · a year ago · +2

    Great work thanks for This

  • @zamarinen · a year ago · +1

    great vid!

    • @MattAllford · a year ago

      Thanks for watching! I haven't done it myself with Azure DNS, but looking at the docs it does look like it integrates with Azure DNS for the public DNS provider. You'll need to provide the function app with RBAC to the DNS zone, and then an app config setting - github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns
      Hope that helps!

  • @iam_mz · 7 months ago · +2

    Hi, I've checked your video, and it is so helpful for the automation. I was wondering, is there any way to add multiple DNS zones to one function app?

    • @MattAllford · 7 months ago · +1

      Hi there, sorry I did not see this comment earlier.
      I’m not immediately aware of the ability to add multiple DNS zones to a single function app, but I can see why that’s a valid request. I’d suggest logging an issue on the GitHub page to see if that functionality is available today, and if not then make it a feature request!

  • @rafaeljucio · a year ago · +1

    Great!

  • @1337Ayhr · a year ago

    Great video, you deserve more subs. I have a question: is it possible to do this with client certificates? So that I can realise some kind of PKI for a handful of clients? I'm not sure if I can realise something like this. Everything I find on the net is with DNS certificates. Is it possible to request and deploy certificates for normal Windows clients?

    • @MattAllford · a year ago

      Hey Ayhr, thanks for the comment I appreciate that :)
      I’m not aware of a solution that would meet your requirements, sorry. Are the client machines under some sort of management that would allow you to distribute the client certificate to the endpoint? I don’t think the certbot in this video will help, but I’d imagine there should be something out there to help with automation of client certs

  • @suhas_chandrashekar · 10 months ago

    Hello Matt, Thanks for this video. Just have a quick question - Is there a way that we can add the certificates in the dashboard too in an automated way please?

    • @MattAllford · 10 months ago

      Thanks for watching. I’m not 100% sure what you’re referring to sorry. I suspect your best bet might be to add an issue on the GitHub repo for the project with a feature request?

  • @JohnBevan · 13 hours ago

    Thanks for the great content / introducing me to this tool; really well presented. One question; normally with a key vault I'd set up a private endpoint then remove all public access to help ensure it's secure. With the function service being hosted on a consumption plan we don't have the option to integrate that into our private network, and I don't think we can just whitelist the service's public IPs (i.e. there's a huge range of CIDRs, and IP groups aren't supported in whitelists, so it feels unmanagable at best). Is there a nice solution to keep key vault securely within the network whilst taking advantage of the cheaper consumption plan; or else what are your opinions on the cost of switching plans to use the private network vs the benefits of network security on top of Key Vault's existing identity based security?

    • @MattAllford · 13 hours ago · +1

      Thanks for the feedback!
      And yeah, what you’ve described is just one of the trade off decisions that you need to make as part of the architecture and design on your application(s). One thing to consider would be to use this key vault only for certificate storage, and then the risk of allowing public access from a network perspective is probably a little less risky, compared to if you were storing other secrets and information.
      On top of that, it’s just about the layers of security you’re able to implement, and deciding what level is a suitable configuration between usability, cost, and security.
      With all of that said, and I know it is still in preview, but have you seen the Flex Consumption option? It’s a little more expensive I think than standard consumption, but it supports VNET integration - learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-plan

    • @JohnBevan · 6 hours ago

      @MattAllford Good shout; I'd not come across that, but it looks ideal. Sadly my infra's deployed using IaC (Terraform), and whilst the FC1 SKU (flex consumption) was added last week, it looks like support for the (mandatory for FC1) `FunctionAppConfig` property of the function app isn't yet there. For now I'll try deploying a Basic plan, then will switch over to the cheaper flexible plan once it becomes available. Really appreciate your input; thanks again.

  • @25566 · 3 months ago · +2

    Can we use HTTP-01 validation for subdomains? A redirect rule in Application Gateway for the ACME challenge that checks a static file in a storage account where Let's Encrypt can update the key.
    I need wildcards and also single certificates for subdomains, and there's no solution that covers both and saves the certs to Key Vault.

    • @MattAllford · 3 months ago

      I’m not sure about the specifics of that one, sorry.

  • @user-hj8ps1bc1f · a month ago

    Great, Matt. Can you please refer me to the documentation for creating API keys in AWS Route 53, as you did for Cloudflare? Thanks in advance.

    • @MattAllford · a month ago

      Hi there! Thanks for watching. There is some information in the WIKI page of the tool for Route 53 linked below. Otherwise this might be a good use case to get a LLM to help with the specific steps you’re looking for?
      github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#amazon-route-53
      Hope that helps.

  • @usamabilal8367 · a year ago

    Hi Matt,
    Great, thanks for sharing this valuable information. One thing I noticed: when I did a cert renewal from the dashboard, it does not reflect on the web page. Is this a bug?
    Thanks

    • @MattAllford · a year ago

      Hi Usama, thanks for watching.
      When you say “it does not reflect on the web page”, do you mean you’ve configured a web app to use a certificate from Key Vault, and then you renew the certificate using the key vault ACME bot, but the web app isn’t showing the new certificate?
      If I got that right, check out this link, where it states the sync can take up to 24 hours, or alternatively you can force a sync:
      learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#renew-a-certificate-imported-from-key-vault
      Does that help?

    • @usamabilal8367 · a year ago

      Hi @MattAllford, thanks, I will give it a try. 🙂

  • @DeveloperDevendra · a year ago

    Hi Matt, great tutorial with full clarity, but I am trying to change it to vault access and my Azure environment is denying it.

    • @MattAllford · a year ago

      Hey there. Can you clarify a bit more about what you mean by “vault access”, and then subsequently what is problematic?

    • @DeveloperDevendra · a year ago

      @MattAllford Hey Matt, thanks for replying. I figured out that issue; basically it's related to the IAM identity. Currently I am working on Application Gateway for my app, but the Application Gateway listener is also asking me for the SSL certificate, so how do I deal with that? Could you explain it, please? I also want to add auto renewal for the Application Gateway.
      Thank YOU!

  • @floridahoroschak-bo7tl · a year ago

    My first ever time I took my time watching a 30 minute+ video without skipping or forwarding 😂 but please can you enlighten me more on how webhooks work?

    • @MattAllford · a year ago · +1

      Haha awesome :) Glad you enjoyed it. Can you elaborate a little more on your query around webhooks? Are you wondering generally how a webhook works, or something specific within this video?

    • @floridahoroschak-bo7tl · a year ago

      @MattAllford Thanks for replying. Most videos about webhooks have been complex, but I see you using Slack as a webhook; I really want to know more about how to use webhooks for receiving notifications.

  • @YashJain-kr9zs · 4 months ago · +1

    Will it auto-renew the certificate once expiry is nearby? If yes, what's the minimum day count it considers a valid cert?

    • @MattAllford · 4 months ago

      Hey! Yep, the solution will automatically renew certificates 30 days before their expiry - github.com/shibayan/keyvault-acmebot/wiki/Frequently-Asked-Questions#automatic-renew-an-existing-certificate
      Hope this helps!
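A check that follows from the 30-day renewal lead time mentioned above, added here as an example and not code from the video or from the keyvault-acmebot project: if the bot renews 30 days before expiry, then a certificate still sitting in Key Vault with noticeably fewer than 30 days left means a scheduled renewal did not happen (an expired DNS API token, lost RBAC, a failed challenge) and someone should look before the certificate actually lapses. Only the 30-day figure is taken from the thread; the grace period, the record fields and the sample certificates are constructed assumptions.

```python
"""Flag ACME certificates in Key Vault whose scheduled renewal appears to have stalled.

Added example, not part of the video or of keyvault-acmebot. Assumes the renewal
behaviour stated in the thread (renew 30 days before expiry) and nothing else.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEWAL_LEAD_DAYS = 30   # from the thread: keyvault-acmebot renews this many days before expiry
GRACE_DAYS = 3           # assumption: how long a missed renewal is tolerated before alerting


@dataclass
class CertRecord:
    """Minimal view of a Key Vault certificate (fields modelled on 'az keyvault certificate list')."""
    name: str
    not_after: datetime     # x509 notAfter, timezone-aware
    enabled: bool = True    # disabled certificates are intentionally retired, not stalled


def renewal_due_at(not_after: datetime) -> datetime:
    """The date on which the bot is expected to renew a certificate with this expiry."""
    return not_after - timedelta(days=RENEWAL_LEAD_DAYS)


def classify(cert: CertRecord, now: datetime) -> str:
    """Return one of: 'disabled', 'expired', 'renewal-overdue', 'renewal-window', 'ok'."""
    if not cert.enabled:
        return "disabled"
    if now >= cert.not_after:
        return "expired"
    due = renewal_due_at(cert.not_after)
    if now >= due + timedelta(days=GRACE_DAYS):
        # Inside the renewal window for longer than the grace period: the bot should
        # already have replaced this certificate, so something upstream is broken.
        return "renewal-overdue"
    if now >= due:
        return "renewal-window"   # bot is due to act; no alarm yet
    return "ok"


def stalled_renewals(certs, now):
    """Names of certificates that need a human to look at the bot, sorted for stable output."""
    return sorted(c.name for c in certs if classify(c, now) in ("expired", "renewal-overdue"))


# Constructed sample with a fixed "now" so the result is deterministic (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertRecord("www-example-com", NOW + timedelta(days=80)),            # freshly renewed
    CertRecord("api-example-com", NOW + timedelta(days=29)),            # just inside the 30-day window
    CertRecord("wildcard-example-com", NOW + timedelta(days=20)),       # 10 days past its renewal date
    CertRecord("old-example-com", NOW - timedelta(days=1)),             # already expired
    CertRecord("retired-example-com", NOW + timedelta(days=5), enabled=False),
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(f"{c.name:24} expires {c.not_after:%Y-%m-%d}  {classify(c, NOW)}")
    print("needs attention:", stalled_renewals(SAMPLE_CERTS, NOW))
```

Run on a real vault, the input would come from the certificate list (name, expiry, enabled flag) and the "needs attention" list would feed whatever alerting already receives the bot's webhook; the point of the grace period is that the bot's own renewal window is a normal state, while the same certificate still being there several days later is not.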

  • @simongarman1238 · 4 months ago · +1

    Hi Matt, what is the best way to mitigate the risk of the DNS provider credentials being compromised? Will this solution work together with acme-dns?

    • @MattAllford · 4 months ago

      Hey Simon. Are you referring to the protection of the API key being used to access your DNS provider? The best course is to store the API key as a secret in Key Vault, and then reference that secret from the function app. For example, the app setting "Acmebot:Cloudflare:ApiToken" on the function app could be set to reference the key vault secret containing the API key, rather than pasting it directly into the value (like I did in the video).
      Does that help?
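To make the advice above (reference the secret from Key Vault instead of pasting it into the app setting) something you can actually check, here is an added example that is not code from the video or from the keyvault-acmebot project. It audits a function app's settings, in the shape `az functionapp config appsettings list` returns, and reports any `Acmebot:*` credential setting that still holds a plaintext value. Only the setting name `Acmebot:Cloudflare:ApiToken` comes from the thread; the other `Acmebot:*` names and every value in the sample are constructed for illustration. The two reference formats it parses are the ones App Service documents for Key Vault references (`SecretUri=...` and `VaultName=...;SecretName=...;SecretVersion=...`).

```python
"""Audit ACMEbot function-app settings for secrets stored in plaintext.

Added example, not part of the video or of keyvault-acmebot. Input mirrors
'az functionapp config appsettings list' output: a list of objects with
"name", "value" and "slotSetting". The sample at the bottom is constructed;
only "Acmebot:Cloudflare:ApiToken" is a setting name taken from the thread.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Key Vault reference syntaxes accepted by App Service / Functions app settings:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
_KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")
_SECRET_URI = re.compile(
    r"^https://(?P<vault>[a-z0-9-]+)\.vault\.azure\.net/secrets/"
    r"(?P<name>[A-Za-z0-9-]+)(?:/(?P<version>[0-9a-f]{32}))?/?$",
    re.IGNORECASE,
)
# Name fragments that indicate credential material (heuristic, assumption of this example).
_SENSITIVE = re.compile(r"(token|key|secret|password|credential)", re.IGNORECASE)


@dataclass
class KeyVaultRef:
    vault: str
    secret: str
    version: Optional[str]   # None means "latest": a rotated secret is picked up without redeploying


def parse_keyvault_reference(value: str) -> Optional[KeyVaultRef]:
    """Parse either Key Vault reference form; return None for anything that is not a valid reference."""
    m = _KV_REF.match(value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        u = _SECRET_URI.match(body[len("SecretUri="):])
        if not u:
            return None   # e.g. a host that is not *.vault.azure.net
        return KeyVaultRef(u["vault"].lower(), u["name"], u["version"])
    parts = dict(p.split("=", 1) for p in body.split(";") if "=" in p)
    if "VaultName" in parts and "SecretName" in parts:
        return KeyVaultRef(parts["VaultName"].lower(), parts["SecretName"], parts.get("SecretVersion"))
    return None


def audit_app_settings(settings):
    """Return (setting name, finding) pairs for Acmebot credential settings that need attention."""
    findings = []
    for s in settings:
        name, value = s["name"], s.get("value") or ""
        if not name.startswith("Acmebot:") or not _SENSITIVE.search(name):
            continue
        ref = parse_keyvault_reference(value)
        if ref is None:
            if value.startswith("@Microsoft.KeyVault("):
                # App Service passes an unresolvable reference through as a literal string,
                # so the bot would try to authenticate with this text as its token.
                findings.append((name, "malformed Key Vault reference"))
            else:
                findings.append((name, "plaintext secret in app settings"))
        elif ref.version is not None:
            # Legitimate, but rotating the secret in Key Vault will not reach the app
            # until the setting is updated to the new version.
            findings.append((name, f"Key Vault reference pinned to version {ref.version}"))
    return findings


# Constructed sample (not real settings or secrets); provider names other than Cloudflare are illustrative.
SAMPLE_SETTINGS = json.loads("""[
  {"name": "Acmebot:Contacts", "value": "ops@example.com", "slotSetting": false},
  {"name": "Acmebot:Cloudflare:ApiToken", "value": "cfTokenPastedInPlaintext0123456789", "slotSetting": false},
  {"name": "Acmebot:Route53:SecretKey",
   "value": "@Microsoft.KeyVault(SecretUri=https://kv-acmebot.vault.azure.net/secrets/route53-secret-key)",
   "slotSetting": false},
  {"name": "Acmebot:Gandi:ApiKey",
   "value": "@Microsoft.KeyVault(VaultName=kv-acmebot;SecretName=gandi-api-key;SecretVersion=0123456789abcdef0123456789abcdef)",
   "slotSetting": false},
  {"name": "Acmebot:GoDaddy:ApiSecret",
   "value": "@Microsoft.KeyVault(SecretUri=https://kv-acmebot.example.com/secrets/godaddy)",
   "slotSetting": false},
  {"name": "Acmebot:Webhook", "value": "https://hooks.slack.com/services/placeholder", "slotSetting": false}
]""")

if __name__ == "__main__":
    for name, finding in audit_app_settings(SAMPLE_SETTINGS):
        print(f"{name}: {finding}")
```

Two caveats when applying this for real: the function app's managed identity must be allowed to read the secret (a get permission, or the Key Vault Secrets User role when the vault uses RBAC), otherwise the reference resolves to nothing and the bot sees the literal `@Microsoft.KeyVault(...)` string; and storing the DNS token in Key Vault protects it at rest and in the portal, but the bot still needs a token scoped to editing TXT records in the zones it manages, so keep the token's own permissions as narrow as the provider allows.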

  • @cooldude2204 · a year ago

    Matt, this is a great tutorial. I wish I could implement this, but our DNS provider isn't listed. Do you know of any alternatives?

    • @MattAllford · a year ago

      Hey, thanks for watching! I'm not sure of any alternatives, sorry. Who is your DNS provider? I'm certainly no developer, but the integrations with a DNS provider look relatively straight forward to implement. Do you have any dot net devs that might be able to take a look and create an integration with your DNS provider?

    • @cooldude2204 · a year ago

      @MattAllford Our DNS provider is Dotster. They don't provide much assistance either. We're a non-profit, so I'm trying my darndest to make things easier down the road for us with what limited resources we have at our disposal. We've been willing to pay someone to get our Azure environment set up, but we've been burned by people saying they know how to do it, but leaving us hanging. So I've been figuring out how to do everything as I go. Again, I really appreciate your video and the level of detail you provided.

    • @MattAllford · a year ago

      Gotcha. I had a quick look at Dotster and their docs, and it doesn't look like they provide an API to their platform, so regardless of whether it is this solution or another, it will probably be difficult to try and automate. I'm obviously not sure of your arrangement and partnership with them, but it might be a good enough reason to look at moving your DNS to a more mainstream provider? Especially if it can provide you some operational benefits around SSL certificate management.

  • @thurawin4996 · a year ago

    At 20:22, at Add an identity provider, App registration, the 1st option (Create new app registration) is greyed out, and I can pick only the 3rd option (Provide the details ...). Could you tell me why? How can I pick the 1st option? Thanks for your video.

    • @MattAllford · a year ago · +1

      Hi Thura, thanks for watching!
      I feel like that option might be greyed out if the account you are logged in to Azure with doesn't have permission to create an App Registration in Azure AD.
      A quick look tells me your account might need one of the following Azure AD roles to be able to do this:
      Application administrator
      Application developer
      Cloud application administrator
      Global admin
      Hope that helps!

  • @designcorecreativityamplif5729 · a year ago

    This is a lovely solution, but I am stuck!
    Hey, I'm trying to use this to add a certificate to the apex domain of a static website on blob storage. But when I'm switching the access configuration from role based to vault access policy, it isn't happening. Any clue as to how I can get it to work?

    • @MattAllford · a year ago

      Hey there! I don't think this is a specific configuration I've done, sorry. Is there a reason you are wanting to use access policies rather than RBAC?

  • @davidpetrovic3656 · a year ago

    We are using this now in our production area. Is there a possible way to get those generated certificates imported to a VM automatically? Otherwise I need to log in every 90 days to the VM and import the new certificate :)

    • @MattAllford · a year ago · +1

      Hey David. There is a VM extension for Azure Key Vault, for both Linux and Windows. This allows you to automatically refresh certs from Key Vault in to the VM. Sounds like this might do the trick?

    • @riaanstrydom2183 · 9 months ago

      @MattAllford Hi Matt, on the off chance you read this, could you possibly do a video on the extension? Thanks

  • @jp-tp1bl · 6 months ago · +1

    This solution is not cost effective. For each renewal of Certificate in Key Vault, Microsoft charges $3.00.
    If a LetsEncrypt certificate has to be renewed 4 times a year, you end up paying Key Vault charges of $12 for each certificate.
    Check the documentation for pricing of Azure Key Vault.

    • @MattAllford · 5 months ago · +1

      Hi there. Sorry about the delay in response, I missed this comment.
      The $3 renewal is not relevant with this solution - that’s applicable when Key Vault itself is processing the renewal. This solution performs the renewal outside of key vault, and is just using key vault to store the certificate. Hope that helps!