
Free Automated SSL Certificates in Azure KeyVault with ACME Bot 

Matt Allford
723 subscribers
10K views

Azure KeyVault ACME Bot is a solution by Tatsuro Shibamura that issues, stores and automatically renews SSL/TLS certificates in Azure Key Vault. The certificates can come from a free ACME provider such as Let's Encrypt, and the whole solution costs next to nothing to run!
Join me as I cover an overview of how the KeyVault ACME Bot solution works, and then we'll walk through a deployment and generation of SSL certificates.
// SUBSCRIBE ✅
ru-vid.com?su...
// RESOURCES & REFERENCES 📃
KeyVault ACME Bot on GitHub:
🔗github.com/shibayan/keyvault-...
// FOLLOW ME 👉
Blog - mattallford.com
LinkedIn - / mattallford
Twitter - / mattallford
GitHub - github.com/mattallford
// CHAPTERS 🕛
0:00 Introduction
2:27 ACME at a 30,000 foot view
5:56 KeyVault ACME Bot Components
10:01 KeyVault ACME Bot GitHub
11:50 Deploying the solution
13:53 Reviewing the deployed resources
16:07 Modifying KeyVault Access
19:25 Function App Authentication and dashboard
21:50 Adding Cloudflare DNS Authentication
25:32 Add a new certificate
29:04 Manually renewing a certificate
30:16 Add a wildcard certificate
30:34 Deleting a certificate
30:53 Managed and unmanaged certificates
31:50 Using an issued certificate in a web app
35:02 Reviewing the webhook notifications

Hobbies

Published: 22 Jul 2024

Comments: 76
@davidpetrovic3656 · 1 year ago
One of the best tutorials I've got yet. Thank you very much Matt!
@MattAllford · 1 year ago
Hey David, thanks so much mate, I really appreciate that feedback and I'm glad you found it helpful!
@jp-tp1bl · 7 months ago
This works perfectly. Thanks Allford.
@MattAllford · 5 months ago
Awesome! Glad it was helpful!
@subzeroleaf · 4 months ago
That's the best tutorial on SSL certificate automation I've found using the stack I was interested in. Thank you very much
@MattAllford · 4 months ago
Thanks for the feedback, I’m glad it was helpful!
@Saqibss · 8 months ago
Great Tutorial, thanks!
@aaronhudon · 12 days ago
This works beautifully for my wildcard requirements. Azure | AWS Route 53. Thanks for this.
@MattAllford · 12 days ago
Awesome to hear, glad it helped you get up and running with the wildcard!
@Saqibss · 3 months ago
Came back to add an update, want to thank you again Matt, this tutorial was really great, I've managed to implement ACMEbot with a custom domain managed in Azure public DNS, along with integrating the key vault with two IIS servers using the Azure Keyvault Extension which runs on the windows servers and will periodically update the certs used on the server from those in the key vault. We now have fully automated certs for our custom web domain / iis servers.
@MattAllford · 3 months ago
Woo! That's a fantastic solution, great work, and I'm glad this helped you achieve a hands-off, low-cost automated solution :) Thanks for sharing the update, I love hearing when people put this sort of thing into practice!
@po6577 · 3 months ago
This is amazing!! Shout out to the Aussie and the Github creator!!
@MattAllford · 3 months ago
Thank you, glad you enjoyed it!
@kolex023 · 6 months ago
You saved me a bunch of time! Thank you!
@MattAllford · 5 months ago
I love to hear that! Thank you for watching and I’m glad it helped.
@AntonioOlander · 1 year ago
Nicely put together. This is the same stack that I use but doing it manually. I can't wait to give this a try and implement it. My only difference is that I will be using Front Door. Thanks again.
@MattAllford · 1 year ago
Hey @AntonioOlander, thanks heaps for the comment, I'm glad you found it helpful. It's a super awesome tool, I just did the easy work of sharing the word about it :)
@AntonioOlander · 1 year ago
@@MattAllford FYI, I created this a couple of months back and now my certs were getting to the due dates and did not auto renew. I tried to manually renew and it was failing. The failed part was reaching out to Cloudflare, and looking at the logs I could not figure out why. I started fresh and when I got to the point of creating the Cloudflare token to put into the function app config, I had a hunch that when I initially created the token, the TTL was not set long enough. I think I did a week like you did in the video. So I created a new token with no expiration, took that key and put it into my existing function app, and now I can renew the certs. My question, and for others, is there an issue with not putting a TTL on the Cloudflare key?
@MattAllford · 1 year ago
I don't think I saw this reply, sorry. At the end of the day, the TTL on the Cloudflare key comes down to any internal processes you might have in place for security of API keys, and rotation requirements. A lot of it will come down to risk vs operational and management overhead. There's no technical issue with not putting an expiry on the cloudflare API key. Hope that helps!
@christianibiri · 1 year ago
This video is really awesome!!!!
@MattAllford · 1 year ago
Thanks for the feedback Christian, I’m glad you valued it!
@user-dr8cy5hs7i · 1 month ago
Thanks, Matt, it was so helpful. It would be even more helpful if you can show a demo of API to manage all these certs
@MattAllford · 1 month ago
Thanks for watching, happy to hear it was helpful! Point noted - might make for a good follow up section. Not sure if you came across it, but there's a bit of info in the docs about using the API if that's of interest: github.com/shibayan/keyvault-acmebot/wiki/
@joergmayer3741 · 2 months ago
Thx. Great video.
@MattAllford · 2 months ago
Thanks for watching! I’m glad it was helpful.
@juliensan · 1 year ago
Great content, thank you
@MattAllford · 1 year ago
You’re welcome, thank you for the comment and kind feedback :)
@jameseduard2092 · 1 year ago
Nice tutorial, you explain in detail, thanks Matt. Also, I tried to configure it with MS Teams; the alerts look different from Slack.
@MattAllford · 1 year ago
Thanks James! I actually didn’t try it with teams in the end. I assume the data was similar, maybe just visually different, right?
@floridahoroschak-bo7tl · 1 year ago
Great work, thanks for this
@MattAllford · 1 year ago
Glad you enjoyed it!
@zamarinen · 1 year ago
great vid!
@MattAllford · 1 year ago
Thanks for watching! I haven't done it myself with Azure DNS, but looking at the docs it does look like it integrates with Azure DNS for the public DNS provider. You'll need to provide the function app with RBAC to the DNS zone, and then an app config setting - github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns Hope that helps!
@rafaeljucio · 1 year ago
Great!
@MattAllford · 1 year ago
Thanks mate!
@25566 · 4 months ago
Can we use HTTP-1 validation for subdomains? A redirect rule in application gateway for the acme challenge that checks a static file in a storage account where let's encrypt can update the key. I need wildcards and also single certificates for subdomains and there's not a solution that covers both and saves the certs to key vault.
@MattAllford · 4 months ago
I’m not sure about the specifics of that one, sorry.
@iam_mz · 8 months ago
Hi, I've checked your video. And it is so much helpful for the automation. I was wondering is there any way to add multiple DNS Zones to one function app ?
@MattAllford · 7 months ago
Hi there, sorry I did not see this comment earlier. I’m not immediately aware of the ability to add multiple DNS zones to a single function app, but I can see why that’s a valid request. I’d suggest logging an issue on the GitHub page to see if that functionality is available today, and if not then make it a feature request!
@floridahoroschak-bo7tl · 1 year ago
my first ever time I took my time watching 30 minute + video without skipping or forwarding 😂 but please can you enlighten me more on how webhooks work
@MattAllford · 1 year ago
Haha awesome :) Glad you enjoyed it. Can you elaborate a little more on your query around webhooks? Are you wondering generally how a webhook works, or something specific within this video?
@floridahoroschak-bo7tl · 1 year ago
@@MattAllford Thanks for replying. Most videos about webhooks have been complex, but I see you using Slack as a webhook. I really want to know more about how to use webhooks for receiving notifications.
@DeveloperDevendra · 1 year ago
Hi Matt great tutorial with full clarity but I am trying to change it to vault access but my azure environment is denying it
@MattAllford · 1 year ago
Hey there. Can you clarify a bit more about what you mean by “vault access”, and then subsequently what is problematic?
@DeveloperDevendra · 1 year ago
@@MattAllford Hey Matt, thanks for replying. I figured out that issue; basically it's related to IAM identity. Currently I am working on an application gateway for my app, but the application gateway listener is also asking me for the SSL certificate, so how do I deal with that? Could you explain it please? I also want to add auto renewal for the application gateway. Thank you!
@1337Ayhr · 1 year ago
Great video, you deserve more subs. I have a question: is it possible to do this with client certificates? So that I can realise some kind of PKI for a handful of clients? I'm not sure if I can realise something like this. Everything I find on the net is with DNS certificates. Is it possible to request and deploy certificates for normal Windows clients?
@MattAllford · 1 year ago
Hey Ayhr, thanks for the comment I appreciate that :) I’m not aware of a solution that would meet your requirements, sorry. Are the client machines under some sort of management that would allow you to distribute the client certificate to the endpoint? I don’t think the certbot in this video will help, but I’d imagine there should be something out there to help with automation of client certs
@suhas_chandrashekar · 10 months ago
Hello Matt, Thanks for this video. Just have a quick question - Is there a way that we can add the certificates in the dashboard too in an automated way please?
@MattAllford · 10 months ago
Thanks for watching. I’m not 100% sure what you’re referring to sorry. I suspect your best bet might be to add an issue on the GitHub repo for the project with a feature request?
@JohnBevan · 11 days ago
Thanks for the great content / introducing me to this tool; really well presented. One question; normally with a key vault I'd set up a private endpoint then remove all public access to help ensure it's secure. With the function service being hosted on a consumption plan we don't have the option to integrate that into our private network, and I don't think we can just whitelist the service's public IPs (i.e. there's a huge range of CIDRs, and IP groups aren't supported in whitelists, so it feels unmanagable at best). Is there a nice solution to keep key vault securely within the network whilst taking advantage of the cheaper consumption plan; or else what are your opinions on the cost of switching plans to use the private network vs the benefits of network security on top of Key Vault's existing identity based security?
@MattAllford · 11 days ago
Thanks for the feedback! And yeah, what you’ve described is just one of the trade off decisions that you need to make as part of the architecture and design on your application(s). One thing to consider would be to use this key vault only for certificate storage, and then the risk of allowing public access from a network perspective is probably a little less risky, compared to if you were storing other secrets and information. On top of that, it’s just about the layers of security you’re able to implement, and deciding what level is a suitable configuration between usability, cost, and security. With all of that said, and I know it is still in preview, but have you seen the Flex Consumption option? It’s a little more expensive I think than standard consumption, but it supports VNET integration - learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-plan
@JohnBevan · 11 days ago
@@MattAllford Good shout; I'd not come across that, but it looks ideal. Sadly my infra's deployed using IaC (Terraform), and whilst the FC1 SKU (flex consumption) was added last week, it looks like support for the (mandatory for FC1) `FunctionAppConfig` property of the function app isn't yet there. For now I'll try deploying a Basic plan, then will switch over to the cheaper flexible plan once it becomes available. Really appreciate your input; thanks again.
@thurawin4996 · 1 year ago
At 20:22, under Add an identity provider, App registration, the 1st option (Create new app registration) is greyed out, and I can pick only the 3rd option (Provide the details ...). Could you tell me why? What can I do to pick the 1st option? Thanks for your video.
@MattAllford · 1 year ago
Hi Thura, thanks for watching! I feel like that option might be greyed out if the account you are logged in to Azure with doesn't have permission to create an App Registration in Azure AD. A quick look tells me your account might need one of the following Azure AD roles to be able to do this: Application administrator, Application developer, Cloud application administrator, Global admin. Hope that helps!
@user-hj8ps1bc1f · 2 months ago
Great Matt. Can you please refer me to the documentation for creating API keys in AWS Route 53, as you did for Cloudflare? Thanks in advance.
@MattAllford · 2 months ago
Hi there! Thanks for watching. There is some information in the WIKI page of the tool for Route 53 linked below. Otherwise this might be a good use case to get a LLM to help with the specific steps you’re looking for? github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#amazon-route-53 Hope that helps.
@usamabilal8367 · 1 year ago
Hi Matt, great, thanks for sharing this valuable information. One thing I noticed: when I did a cert renew from the Dashboard, it does not reflect on the web page. Is this a bug? Thanks
@MattAllford · 1 year ago
Hi Usama, thanks for watching. When you say “it does not reflect on the web page”, do you mean you’ve configured a web app to use a certificate from Key Vault, and then you renew the certificate using the key vault ACME bot, but the web app isn’t showing the new certificate? If I got that right, check out this link, where it states the sync can take up to 24 hours, or alternatively you can force a sync: learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#renew-a-certificate-imported-from-key-vault Does that help?
@usamabilal8367 · 1 year ago
Hi @@MattAllford , thanks , I will give it a try.🙂
@YashJain-kr9zs · 4 months ago
Will it auto-renew the certificate once expiry is nearby? If yes, what's the minimum day count at which it considers a cert valid?
@MattAllford · 4 months ago
Hey! Yep, the solution will automatically renew certificates 30 days before their expiry - github.com/shibayan/keyvault-acmebot/wiki/Frequently-Asked-Questions#automatic-renew-an-existing-certificate Hope this helps!
@designcorecreativityamplif5729
This is a lovely solution but I am stuck! I'm trying to use this to add a certificate to the apex domain of a static website on blob storage. But when I switch the access configuration from role-based to vault access policy, it isn't happening. Any clue as to how I can get it to work?
@MattAllford · 1 year ago
Hey there! I don't think this is a specific configuration I've done, sorry. Is there a reason you are wanting to use access policies rather than RBAC?
@simongarman1238 · 5 months ago
Hi Matt, what is the best way to mitigate the risk of the DNS provider credentials being compromised? Will this solution work together with acme-dns?
@MattAllford · 4 months ago
Hey Simon. Are you referring to the protection of the API key being used to access your DNS provider? The best course is to store the API key as a secret in Key Vault, and then reference that secret from the function app. For example, the app setting "Acmebot:Cloudflare:ApiToken" on the function app could be set to reference the key vault secret containing the API Key, rather than pasting it directly in to the value (like I did in the video). Does that help?
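The reply above recommends pointing the app setting at a Key Vault secret instead of pasting the API token into it. The script below is an added example, not code from the keyvault-acmebot project, that audits a function app's settings the way a reviewer would: it parses the two Key Vault reference forms Microsoft documents for App Service and Azure Functions, flags credential settings that still hold an inline value, flags references the platform cannot resolve, and flags references pinned to one secret version (rotating the secret then needs a settings change). "Acmebot:Cloudflare:ApiToken" is the setting named in the thread; every other setting name, the vault name "contoso-kv" and all values are constructed for illustration.

```python
"""Audit Azure Functions app settings for credentials stored inline instead of as
Key Vault references. Added example; not code from the keyvault-acmebot project.
Setting names other than Acmebot:Cloudflare:ApiToken, the vault name and all
values below are constructed for illustration."""
import re
from dataclasses import dataclass

# The two documented forms of a Key Vault reference in an app setting:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
# <version> is optional in both; a versionless reference follows secret rotation.
KV_REF_URI = re.compile(
    r"^@Microsoft\.KeyVault\(SecretUri=https://(?P<vault>[^/\s;]+)\.vault\.azure\.net"
    r"/secrets/(?P<name>[^/\s;)]+)/?(?P<version>[^/\s;)]*)/?\)$"
)
KV_REF_NAMED = re.compile(
    r"^@Microsoft\.KeyVault\(VaultName=(?P<vault>[^;)]+);SecretName=(?P<name>[^;)]+)"
    r"(?:;SecretVersion=(?P<version>[^;)]*))?\)$"
)

# Setting-name suffixes treated as credentials (assumed naming convention).
SENSITIVE_SUFFIXES = ("ApiToken", "ApiKey", "SecretAccessKey", "ClientSecret", "Password")


@dataclass(frozen=True)
class Finding:
    setting: str
    issue: str  # "plaintext-secret", "malformed-reference" or "pinned-version"


def parse_keyvault_reference(value):
    """Return (vault, secret_name, version) for a well-formed reference, else None."""
    for pattern in (KV_REF_URI, KV_REF_NAMED):
        match = pattern.match(value.strip())
        if match:
            return match.group("vault"), match.group("name"), match.group("version") or ""
    return None


def make_secret_uri_reference(vault_name, secret_name):
    """Build a versionless SecretUri reference, the form to put in the app setting."""
    return f"@Microsoft.KeyVault(SecretUri=https://{vault_name}.vault.azure.net/secrets/{secret_name}/)"


def audit_settings(settings):
    """Flag inline credentials, unresolvable references and version-pinned references."""
    findings = []
    for key, value in settings.items():
        looks_like_reference = value.strip().startswith("@Microsoft.KeyVault(")
        parsed = parse_keyvault_reference(value) if looks_like_reference else None
        if looks_like_reference and parsed is None:
            # The platform leaves an unparsable reference as a literal string.
            findings.append(Finding(key, "malformed-reference"))
        elif parsed is not None and parsed[2]:
            # Pinned to one version: a rotated secret is never picked up.
            findings.append(Finding(key, "pinned-version"))
        elif parsed is None and key.endswith(SENSITIVE_SUFFIXES):
            findings.append(Finding(key, "plaintext-secret"))
    return findings


# Constructed sample of a function app's settings (no real credentials).
SAMPLE_SETTINGS = {
    "Acmebot:Contacts": "admin@example.com",
    "Acmebot:Cloudflare:ApiToken": "cf-token-pasted-directly-EXAMPLE",
    "Acmebot:Route53:SecretAccessKey": make_secret_uri_reference("contoso-kv", "route53-secret"),
    "Acmebot:AzureDns:ClientSecret": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=dns-client-secret)",
    "Acmebot:Webhook:Password": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/hook/abc123)",
    "Acmebot:Broken:ApiKey": "@Microsoft.KeyVault(SecretUri=not-a-vault)",
}

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(f"{finding.issue:20} {finding.setting}")
```

Run against the constructed sample, the audit reports the Cloudflare token as a plaintext secret, the webhook password as pinned to one version, and the broken entry as a malformed reference; the two versionless references pass. The function app's managed identity still needs permission to read the secrets in the vault for the references to resolve at runtime.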
@cooldude2204 · 1 year ago
Matt, this is a great tutorial. I wish I could implement this, but our DNS provider isn't listed. Do you know of any alternatives?
@MattAllford · 1 year ago
Hey, thanks for watching! I'm not sure of any alternatives, sorry. Who is your DNS provider? I'm certainly no developer, but the integrations with a DNS provider look relatively straight forward to implement. Do you have any dot net devs that might be able to take a look and create an integration with your DNS provider?
@cooldude2204 · 1 year ago
@@MattAllford Our DNS provider is Dotster. They don't provide much assistance either. We're a non-profit, so I'm trying my darndest to make things easier down the road for us with what limited resources we have at our disposal. We've been willing to pay someone to get our Azure environment set up, but we've been burned by people saying they know how to do it, but leaving us hanging. So I've been figuring out how to do everything as I go. Again, I really appreciate your video and the level of detail you provided.
@MattAllford · 1 year ago
Gotcha. I had a quick look at Dotster and their docs, and it doesn't look like they provide an API to their platform, so regardless of whether it is this solution or another, it will probably be difficult to try and automate. I'm obviously not sure of your arrangement and partnership with them, but it might be a good enough reason to look at moving your DNS to a more mainstream provider? Especially if it can provide you some operational benefits around SSL certificate management.
@davidpetrovic3656 · 1 year ago
We are using this now in our production area. Is there a possible way to get those generated certificates imported to a VM automatically? Otherwise I need to log in to the VM every 90 days and import the new certificate :)
@MattAllford · 1 year ago
Hey David. There is a VM extension for Azure Key Vault, for both Linux and Windows. This allows you to automatically refresh certs from Key Vault in to the VM. Sounds like this might do the trick?
@riaanstrydom2183 · 9 months ago
@@MattAllford Hi Matt, on the off chance you read this, could you possibly do a video on the extension? Thanks
@jp-tp1bl · 6 months ago
This solution is not cost effective. For each renewal of Certificate in Key Vault, Microsoft charges $3.00. If a LetsEncrypt certificate has to be renewed 4 times a year, you end up paying Key Vault charges of $12 for each certificate. Check the documentation for pricing of Azure Key Vault.
@MattAllford · 5 months ago
Hi there. Sorry about the delay in response, I missed this comment. The $3 renewal is not relevant with this solution - that’s applicable when Key Vault itself is processing the renewal. This solution performs the renewal outside of key vault, and is just using key vault to store the certificate. Hope that helps!