Free Automated SSL Certificates in Azure KeyVault with ACME Bot

11,330 views

Matt Allford

2 years ago

Azure KeyVault ACME Bot is a solution by Tatsuro Shibamura that manages and automates SSL certificates in Azure Key Vault. The certificates can be issued by a free provider such as Let's Encrypt, and the whole solution costs next to nothing to run!
Join me as I cover an overview of how the KeyVault ACME Bot solution works, and then walk through a deployment and the generation of SSL certificates.
// RESOURCES & REFERENCES 📃
KeyVault ACME Bot on GitHub:
🔗github.com/shibayan/keyvault-acmebot
// FOLLOW ME 👉
Blog - mattallford.com
LinkedIn - www.linkedin.com/in/mattallford/
Twitter - mattallford
GitHub - github.com/mattallford
// CHAPTERS 🕛
0:00 Introduction
2:27 ACME at a 30,000 foot view
5:56 KeyVault ACME Bot Components
10:01 KeyVault ACME Bot GitHub
11:50 Deploying the solution
13:53 Reviewing the deployed resources
16:07 Modifying KeyVault Access
19:25 Function App Authentication and dashboard
21:50 Adding Cloudflare DNS Authentication
25:32 Add a new certificate
29:04 Manually renewing a certificate
30:16 Add a wildcard certificate
30:34 Deleting a certificate
30:53 Managed and unmanaged certificates
31:50 Using an issued certificate in a web app
35:02 Reviewing the webhook notifications

Comments: 83
@jp-tp1bl, 9 months ago
This works perfectly. Thanks Allford.
@MattAllford, 8 months ago
Awesome! Glad it was helpful!
@davidpetrovic3656, 1 year ago
One of the best tutorials I've got yet. Thank you very much Matt!
@MattAllford, 1 year ago
Hey David, thanks so much mate, I really appreciate that feedback and I'm glad you found it helpful!
@subzeroleaf, 6 months ago
That's the best tutorial on SSL certificate automation I've found using the stack I was interested in. Thank you very much
@MattAllford, 6 months ago
Thanks for the feedback, I’m glad it was helpful!
@_btall, 29 days ago
The best tutorial I've ever seen around ACME + Azure KeyVault. It works very well, thank you very much!
@MattAllford, 29 days ago
Thanks for watching, I’m glad you found it helpful!
@Saqibss, 6 months ago
Came back to add an update. I want to thank you again Matt; this tutorial was really great. I've managed to implement ACMEbot with a custom domain managed in Azure public DNS, along with integrating the Key Vault with two IIS servers using the Azure Key Vault extension, which runs on the Windows servers and periodically updates the certs used on the server from those in the Key Vault. We now have fully automated certs for our custom web domain / IIS servers.
@MattAllford, 6 months ago
Woo! That's a fantastic solution, great work, and I'm glad this helped you achieve a hands off, low cost automated solution :) Thanks for sharing the update, I love hearing when people put this sort of thing in to practice!
@flapa2010, 2 months ago
Hello @Saqibss, how did you link Azure DNS to the function app? What did you add in the app settings of the function app? It's not working for me.
@Saqibss, 2 months ago
@@flapa2010 See the documentation for ACMEBOT and Azure DNS. Open the Access Control (IAM) of the target DNS zone, or of the resource group containing the DNS zone, and assign the role of DNS Zone Contributor to the deployed function application.
@Saqibss, 2 months ago
@@flapa2010 Check the documentation: you need to add the Subscription ID that the DNS zone resides in under "Acmebot:AzureDns:SubscriptionId", and then ensure the function app has the DNS contributor permission on the DNS zone (under IAM).
@AntonioOlander, 1 year ago
Nicely put together. This is the same stack that I use but doing it manually. I can't wait to give this a try and implement it. My only difference is that I will be using Front Door. Thanks again.
@MattAllford, 1 year ago
Hey @AntonioOlander, thanks heaps for the comment, I'm glad you found it helpful. It's a super awesome tool, I just did the easy work of sharing the word about it :)
@AntonioOlander, 1 year ago
@@MattAllford FYI, I created this a couple of months back and now my certs were getting to their due dates and did not auto renew. I tried to manually renew and it was failing. The failing part was reaching out to Cloudflare, and looking at the logs I could not figure out why. I started fresh, and when I got to the point of creating the Cloudflare token to put into the function app config, I had a hunch that when I initially created the token, the TTL was not set long enough. I think I did a week like you did in the video. So I created a new one with no expiration, took that key and put it into my existing function app, and now I can renew the certs. My question, and for others: is there an issue with not putting a TTL on the Cloudflare key?
@MattAllford, 1 year ago
I don't think I saw this reply, sorry. At the end of the day, the TTL on the Cloudflare key comes down to any internal processes you might have in place for security of API keys, and rotation requirements. A lot of it will come down to risk vs operational and management overhead. There's no technical issue with not putting an expiry on the Cloudflare API key. Hope that helps!
@jameseduard2092, 1 year ago
Nice tutorial, you explain it in detail, thanks Matt. Also, I tried configuring it with MS Teams; the alerts look different from Slack.
@MattAllford, 1 year ago
Thanks James! I actually didn’t try it with Teams in the end. I assume the data was similar, maybe just visually different, right?
@Saqibss, 11 months ago
Great Tutorial, thanks!
@aaronhudon, 3 months ago
This works beautifully for my wildcard requirements. Azure | AWS Route 53. Thanks for this.
@MattAllford, 3 months ago
Awesome to hear, glad it helped you get up and running with the wildcard!
@po6577, 6 months ago
This is amazing!! Shout out to the Aussie and the GitHub creator!!
@MattAllford, 6 months ago
Thank you, glad you enjoyed it!
@iam_mz, 11 months ago
Hi, I've checked your video, and it is very helpful for the automation. I was wondering, is there any way to add multiple DNS zones to one function app?
@MattAllford, 10 months ago
Hi there, sorry I did not see this comment earlier. I’m not immediately aware of the ability to add multiple DNS zones to a single function app, but I can see why that’s a valid request. I’d suggest logging an issue on the GitHub page to see if that functionality is available today, and if not then make it a feature request!
@JohnBevan, 3 months ago
Thanks for the great content / introducing me to this tool; really well presented. One question: normally with a key vault I'd set up a private endpoint then remove all public access to help ensure it's secure. With the function service being hosted on a consumption plan we don't have the option to integrate that into our private network, and I don't think we can just whitelist the service's public IPs (i.e. there's a huge range of CIDRs, and IP groups aren't supported in whitelists, so it feels unmanageable at best). Is there a nice solution to keep the key vault securely within the network whilst taking advantage of the cheaper consumption plan; or else what are your opinions on the cost of switching plans to use the private network vs the benefits of network security on top of Key Vault's existing identity-based security?
@MattAllford, 3 months ago
Thanks for the feedback! And yeah, what you’ve described is just one of the trade-off decisions that you need to make as part of the architecture and design of your application(s). One thing to consider would be to use this key vault only for certificate storage; then the risk of allowing public access from a network perspective is probably a little lower, compared to if you were storing other secrets and information. On top of that, it’s just about the layers of security you’re able to implement, and deciding what level is a suitable configuration between usability, cost, and security. With all of that said, and I know it is still in preview, but have you seen the Flex Consumption option? It’s a little more expensive I think than standard consumption, but it supports VNET integration - learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-plan
@JohnBevan, 3 months ago
@@MattAllford Good shout; I'd not come across that, but it looks ideal. Sadly my infra's deployed using IaC (Terraform), and whilst the FC1 SKU (flex consumption) was added last week, it looks like support for the (mandatory for FC1) `FunctionAppConfig` property of the function app isn't yet there. For now I'll try deploying a Basic plan, then will switch over to the cheaper flexible plan once it becomes available. Really appreciate your input; thanks again.
@kolex023, 9 months ago
You saved me a bunch of time! Thank you!
@MattAllford, 8 months ago
I love to hear that! Thank you for watching and I’m glad it helped.
@RushikeshKalyani, 4 months ago
Thanks, Matt, it was so helpful. It would be even more helpful if you could show a demo of the API to manage all these certs.
@MattAllford, 4 months ago
Thanks for watching, happy to hear it was helpful! Point noted - might make for a good follow up section. Not sure if you came across it, but there's a bit of info in the docs about using the API if that's of interest: github.com/shibayan/keyvault-acmebot/wiki/
@25566, 7 months ago
Can we use HTTP-01 validation for subdomains? A redirect rule in Application Gateway for the ACME challenge that checks a static file in a storage account where Let's Encrypt can update the key. I need wildcards and also single certificates for subdomains, and there's not a solution that covers both and saves the certs to Key Vault.
@MattAllford, 6 months ago
I’m not sure about the specifics of that one, sorry.
@simongarman1238, 7 months ago
Hi Matt, what is the best way to mitigate the risk of the DNS provider credentials being compromised? Will this solution work together with acme-dns?
@MattAllford, 7 months ago
Hey Simon. Are you referring to the protection of the API key being used to access your DNS provider? The best course is to store the API key as a secret in Key Vault, and then reference that secret from the function app. For example, the app setting "Acmebot:Cloudflare:ApiToken" on the function app could be set to reference the key vault secret containing the API key, rather than pasting it directly into the value (like I did in the video). Does that help?
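The two ways of keeping the DNS provider credential out of plaintext app settings that come up in this thread, as an added example that is not code from the video or the keyvault-acmebot project: the Key Vault reference for `Acmebot:Cloudflare:ApiToken` described in the reply above, and the Azure DNS route from @Saqibss's earlier reply, where the function app's managed identity gets DNS Zone Contributor on the zone so no long-lived provider token exists at all. Resource names, the secret name and the subscription id are assumptions or placeholders, and the vault is assumed to use the RBAC permission model.

```shell
#!/usr/bin/env bash
# Added example; not code from the video or the keyvault-acmebot project.
#  cloudflare : store the API token in Key Vault and reference it from the app setting
#  azuredns   : no token at all; grant the function app's managed identity
#               DNS Zone Contributor on the zone (DNS-01 validation needs only that)
# Resource names below are assumptions; override them via the environment.
set -eu
RG="${RG:-rg-acmebot}"                    # resource group of the function app
FUNC_APP="${FUNC_APP:-func-acmebot}"      # deployed ACME Bot function app
VAULT="${VAULT:-kv-acmebot}"              # Key Vault (RBAC permission model assumed)
DNS_ZONE_RG="${DNS_ZONE_RG:-rg-dns}"      # resource group holding the DNS zone
DNS_ZONE="${DNS_ZONE:-example.com}"       # placeholder zone name
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription-id>}"  # placeholder

# Key Vault reference syntax that App Service / Functions resolve at runtime.
kv_reference() {
  printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"
}
# Weak: the raw token becomes the app setting value (readable by anyone who can
# list app settings, and copied into every ARM/Bicep export of the app).
weak_setting() {
  printf 'Acmebot:Cloudflare:ApiToken=%s' "$1"
}
# Hardened: the app setting only carries a pointer to the secret.
hardened_setting() {
  printf 'Acmebot:Cloudflare:ApiToken=%s' "$(kv_reference "$1" "$2")"
}
# Audit helper: succeeds when a setting value is a Key Vault reference.
is_kv_reference() {
  case "$1" in
    '@Microsoft.KeyVault('*')') return 0 ;;
    *) return 1 ;;
  esac
}
principal_id() {  # object id of the function app's system-assigned identity
  az functionapp identity show -g "$RG" -n "$FUNC_APP" --query principalId -o tsv
}

apply_cloudflare() {
  local token="${CLOUDFLARE_API_TOKEN:?export CLOUDFLARE_API_TOKEN first}"
  az keyvault secret set --vault-name "$VAULT" --name cloudflare-api-token \
    --value "$token" --output none
  # The identity must be able to read the secret or the reference will not resolve.
  az role assignment create --assignee-object-id "$(principal_id)" \
    --assignee-principal-type ServicePrincipal --role "Key Vault Secrets User" \
    --scope "$(az keyvault show -n "$VAULT" --query id -o tsv)" --output none
  az functionapp config appsettings set -g "$RG" -n "$FUNC_APP" --output none \
    --settings "$(hardened_setting "$VAULT" cloudflare-api-token)"
}
apply_azuredns() {
  az functionapp config appsettings set -g "$RG" -n "$FUNC_APP" --output none \
    --settings "Acmebot:AzureDns:SubscriptionId=$SUBSCRIPTION_ID"
  az role assignment create --assignee-object-id "$(principal_id)" \
    --assignee-principal-type ServicePrincipal --role "DNS Zone Contributor" \
    --scope "$(az network dns zone show -g "$DNS_ZONE_RG" -n "$DNS_ZONE" --query id -o tsv)" \
    --output none
}
# Only touch Azure when explicitly asked; sourcing the file just defines the helpers.
case "${1:-}" in
  cloudflare) apply_cloudflare ;;
  azuredns)   apply_azuredns ;;
esac
```

Run it as `./acmebot-dns-creds.sh cloudflare` or `./acmebot-dns-creds.sh azuredns` with an `az login` session; the scope of the role assignment is the single zone, not the resource group, so the identity can write only the `_acme-challenge` records it needs.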
@christianibiri, 2 years ago
This video is really awesome!!!!
@MattAllford, 2 years ago
Thanks for the feedback Christian, I’m glad you valued it!
@benjaminjetajobejr6967, 1 month ago
Good information. Can I use this one as well when I'm using DigiCert to integrate with Azure Key Vault?
@MattAllford, 29 days ago
Thanks for watching! I’m not sure if it can be integrated directly with DigiCert, sorry. From memory the supported CAs are listed on the main readme of the project on GitHub, and it might be worth raising an issue on the project if you have a feature request.
@YashJain-kr9zs, 7 months ago
Will it auto-renew the certificate once expiry is nearby? If yes, what's the minimum day count it considers a valid cert?
@MattAllford, 7 months ago
Hey! Yep, the solution will automatically renew certificates 30 days before their expiry - github.com/shibayan/keyvault-acmebot/wiki/Frequently-Asked-Questions#automatic-renew-an-existing-certificate Hope this helps!
@1337Ayhr, 1 year ago
Great video, you deserve more subs. I have a question: is it possible to do this with client certificates? So that I can realise some kind of PKI for a handful of clients? I'm not sure if I can realise something like this. Everything I find on the net is with DNS certificates. Is it possible to request and deploy certificates for normal Windows clients?
@MattAllford, 1 year ago
Hey Ayhr, thanks for the comment, I appreciate that :) I’m not aware of a solution that would meet your requirements, sorry. Are the client machines under some sort of management that would allow you to distribute the client certificate to the endpoint? I don’t think the certbot in this video will help, but I’d imagine there should be something out there to help with automation of client certs.
@suhas_chandrashekar, 1 year ago
Hello Matt, thanks for this video. Just a quick question: is there a way that we can add the certificates in the dashboard in an automated way too, please?
@MattAllford, 1 year ago
Thanks for watching. I’m not 100% sure what you’re referring to sorry. I suspect your best bet might be to add an issue on the GitHub repo for the project with a feature request?
@VishalSharma-h7g8k, 4 months ago
Great, Matt. Can you please point me to the documentation for creating API keys in AWS Route 53, as you did on Cloudflare? Thanks in advance.
@MattAllford, 4 months ago
Hi there! Thanks for watching. There is some information on the wiki page of the tool for Route 53, linked below. Otherwise this might be a good use case to get an LLM to help with the specific steps you’re looking for? github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#amazon-route-53 Hope that helps.
@DeveloperDevendra, 1 year ago
Hi Matt, great tutorial with full clarity, but I am trying to change it to vault access and my Azure environment is denying it.
@MattAllford, 1 year ago
Hey there. Can you clarify a bit more about what you mean by “vault access”, and then subsequently what is problematic?
@DeveloperDevendra, 1 year ago
@@MattAllford Hey Matt, thanks for replying. I figured out that issue; basically it's related to IAM identity. Currently I am working on Application Gateway for my app, but the Application Gateway listener is also asking me for the SSL certificate. How do I deal with that? Could you explain it, please? I also want to add auto-renewal for the Application Gateway. Thank you!
@cooldude2204, 1 year ago
Matt, this is a great tutorial. I wish I could implement this, but our DNS provider isn't listed. Do you know of any alternatives?
@MattAllford, 1 year ago
Hey, thanks for watching! I'm not sure of any alternatives, sorry. Who is your DNS provider? I'm certainly no developer, but the integrations with a DNS provider look relatively straightforward to implement. Do you have any .NET devs that might be able to take a look and create an integration with your DNS provider?
@cooldude2204, 1 year ago
@@MattAllford Our DNS provider is Dotster. They don't provide much assistance either. We're a non-profit, so I'm trying my darndest to make things easier down the road for us with what limited resources we have at our disposal. We've been willing to pay someone to get our Azure environment set up, but we've been burned by people saying they know how to do it, but leaving us hanging. So I've been figuring out how to do everything as I go. Again, I really appreciate your video and the level of detail you provided.
@MattAllford, 1 year ago
Gotcha. I had a quick look at Dotster and their docs, and it doesn't look like they provide an API to their platform, so regardless of whether it is this solution or another, it will probably be difficult to try and automate. I'm obviously not sure of your arrangement and partnership with them, but it might be a good enough reason to look at moving your DNS to a more mainstream provider? Especially if it can provide you some operational benefits around SSL certificate management.
@thurawin4996, 1 year ago
At 20:22, at Add an identity provider > App registration, the 1st option (Create new app registration) is greyed out, and I can pick only the 3rd option (Provide the details ...). Could you tell me why? How can I pick the 1st option? Thanks for your video.
@MattAllford, 1 year ago
Hi Thura, thanks for watching! I feel like that option might be greyed out if the account you are logged in to Azure with doesn’t have permission to create an App Registration in Azure AD. A quick look tells me your account might need one of the following Azure AD roles to be able to do this: Application administrator, Application developer, Cloud application administrator, or Global admin. Hope that helps!
@floridahoroschak-bo7tl, 1 year ago
Great work, thanks for this.
@MattAllford, 1 year ago
Glad you enjoyed it!
@designcorecreativityamplif5729, 1 year ago
This is a lovely solution but I am stuck! I am trying to use this to add a certificate to the apex domain of a static website on blob storage. But when I switch the access configuration from role-based to vault access policy, it isn't happening. Any clue as to how I can get it to work?
@MattAllford, 1 year ago
Hey there! I don't think this is a specific configuration I've done, sorry. Is there a reason you are wanting to use access policies rather than RBAC?
@usamabilal8367, 1 year ago
Hi Matt, thanks for sharing this valuable information. One thing I noticed: when I did a cert renew from the dashboard, it does not reflect on the web page. Is this a bug? Thanks
@MattAllford, 1 year ago
Hi Usama, thanks for watching. When you say “it does not reflect on the web page”, do you mean you’ve configured a web app to use a certificate from Key Vault, and then you renew the certificate using the key vault ACME bot, but the web app isn’t showing the new certificate? If I got that right, check out this link, where it states the sync can take up to 24 hours, or alternatively you can force a sync: learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#renew-a-certificate-imported-from-key-vault Does that help?
@usamabilal8367, 1 year ago
Hi @@MattAllford, thanks, I will give it a try. 🙂
@floridahoroschak-bo7tl, 1 year ago
My first ever time I took my time watching a 30 minute+ video without skipping or forwarding 😂 but please can you enlighten me more on how webhooks work?
@MattAllford, 1 year ago
Haha awesome :) Glad you enjoyed it. Can you elaborate a little more on your query around webhooks? Are you wondering generally how a webhook works, or something specific within this video?
@floridahoroschak-bo7tl, 1 year ago
@@MattAllford Thanks for replying. Most videos about webhooks have been complex, but I see you using Slack as a webhook. I really want to know more about how to use webhooks for receiving notifications.
@jp-tp1bl, 9 months ago
This solution is not cost effective. For each renewal of Certificate in Key Vault, Microsoft charges $3.00. If a LetsEncrypt certificate has to be renewed 4 times a year, you end up paying Key Vault charges of $12 for each certificate. Check the documentation for pricing of Azure Key Vault.
@MattAllford, 8 months ago
Hi there. Sorry about the delay in response, I missed this comment. The $3 renewal is not relevant with this solution - that’s applicable when Key Vault itself is processing the renewal. This solution performs the renewal outside of key vault, and is just using key vault to store the certificate. Hope that helps!
@davidpetrovic3656, 1 year ago
We are using this now in our productive area. Is there a possible way to get those generated certificates imported to a VM automatically? Otherwise I need to log in to the VM every 90 days and import the new certificate :)
@MattAllford, 1 year ago
Hey David. There is a VM extension for Azure Key Vault, for both Linux and Windows. This allows you to automatically refresh certs from Key Vault into the VM. Sounds like this might do the trick?
@riaanstrydom2183, 1 year ago
@@MattAllford Hi Matt, on the off chance you read this, could you possibly do a video on the extension? Thanks
@juliensan, 1 year ago
Great content, thank you
@MattAllford, 1 year ago
You’re welcome, thank you for the comment and kind feedback :)
@Jmstr-p6h, 5 months ago
Thx. Great video.
@MattAllford, 5 months ago
Thanks for watching! I’m glad it was helpful.
@zamarinen, 1 year ago
great vid!
@MattAllford, 1 year ago
Thanks for watching! I haven't done it myself with Azure DNS, but looking at the docs it does look like it integrates with Azure DNS for the public DNS provider. You'll need to provide the function app with RBAC to the DNS zone, and then an app config setting - github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns Hope that helps!
@rafaeljucio, 2 years ago
Great!
@MattAllford, 2 years ago
Thanks mate!