programad/keyvault-acmebot

Automated Let's Encrypt issuer for Azure Key Vault

Key Vault Acmebot

This function provide easy automation of Let's Encrypt for Azure Key Vault. This project started to solve some problems.

• Store certificates securely with Key Vault
• Centrally manage many certificates with one Key Vault
• Simple deployment and configuration
• Robustness of implementation
• Easy monitoring (Application Insights, Webhook)

Use Key Vault for secure and centralized management of Let's Encrypt certificates.

Table Of Contents

• Feature Support
• Requirements
• Getting Started
• Usage
• Thanks
• License

Feature Support

• All Azure App Service (Web Apps / Functions / Containers, any OS)
• Azure CDN / Front Door
• Azure Application Gateway v2
• Subject Alternative Names (SANs) certificates (multi-domains support)
• Zone Apex and Wildcard certificates

Requirements

• Azure Subscription
• Azure DNS and Key Vault resource
• Email address (for Let's Encrypt account)

Getting Started

1. Deploy to Azure Functions

2. Add application settings key

• LetsEncrypt:SubscriptionId
  • Azure Subscription Id
• LetsEncrypt:Contacts
  • Email address for Let's Encrypt account
• LetsEncrypt:VaultBaseUrl
  • Azure Key Vault DNS name (Only when using an existing Key Vault)
• LetsEncrypt:Webhook
  • Webhook destination URL (optional, Slack recommend)

3. Enable App Service Authentication (EasyAuth) with AAD

Open Authentication / Authorization from Azure Portal and turn on App Service Authentication. Then select Log in with Azure Active Directory as an action when not logging in.

Set up Azure Active Directory provider by selecting Express.

4. Assign role to Azure DNS

Assign DNS Zone Contributor role to Azure DNS zone or Resource Group.

5. Add a access policy (Only when using an existing Key Vault)

Add the created Azure Function to the Key Vault Certificate management access policy.

Usage

Adding new certificate

Go to https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate. Since the Web UI is displayed, if you select the target DNS zone and input domain and execute it, a certificate will be issued.

If nothing is displayed in the dropdown, the IAM setting is incorrect.

App Service (Web Apps / Functions / Containers)

Select "Import Key Vault Certificate" button to import the certificate from Key Vault into App Service.

After that, the certificate will automatically be renewed from Key Vault.

Application Gateway v2

• https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs

Azure CDN / Front Door

• https://docs.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate
• https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https#option-2-use-your-own-certificate

API Management

• https://docs.microsoft.com/en-us/azure/api-management/configure-custom-domain

Thanks

• ACMESharp Core by @ebekker
• Durable Functions by @cgillum and contributors
• DnsClient.NET by @MichaCo

License

This project is licensed under the Apache License 2.0