A few years ago I setup an Azure Function App to retrieve a LetsEncrypt certificate for a few $work services.
Annoyingly that silently stopped renewing stuff.
Given I’ve no idea how to update it etc or really investigate it (it’s too much of a black box) I decided to replace it with certbot etc, hopefully run through a scheduled github action.
To keep things interesting, I need to use the Route53 DNS stuff to verify domain ownership.
Random bits :
docker run --rm -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
-e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
-v $(pwd)/certs:/etc/letsencrypt/ \
-u $(id -u ${USER}):$(id -g ${USER}) \
certbot/dns-route53 certonly \
--agree-tos \
--email=me@example.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--dns-route53 \
--rsa-key-size 2048 \
--key-type rsa \
--keep-until-expiring \
--preferred-challenges dns \
--non-interactive \
--work-dir /etc/letsencrypt/work \
--logs-dir /etc/letsencrypt/logs \
--config-dir /etc/letsencrypt/ \
-d mydomain.example.comAzure needs the rsa-key-size 2048 and type to be specified. I tried 4096 and it told me to f.off.
Once that’s done, the following seems to produce a certificate that keyvault will accept, and the load balancer can use, that includes an intermediate certificate / some sort of chain.
cat certs/live/mydomain.example.com/{fullchain.pem,privkey.pem} > certs/mydomain.pem
openssl pkcs12 -in certs/mydomain.pem -keypbe NONE -cetpbe NONE -nomaciter -passout pass:something -out certs/something.pfx -export
az keyvault certificate import --vault-name my-azure-vault -n certificate-name -f certs/something.pfx --password something
Thankfully that seems to get accepted by Azure, and when it’s applied to an application gateway listener, clients see an appropriate chain.
Leave a Reply