starred/win-acme-win-acme
1
0
Fork 0
mirror of https://github.com/win-acme/win-acme.git synced 2026-04-27 03:55:56 +03:00
Code Issues Projects Packages Wiki Activity
Page: Azure DNS validation
Pages
A specified logon session does not exist Advanced logging Advanced usage Apache 2.4 basic usage Application Logging Application Settings Azure DNS validation Basic usage CSR Plugins Command Line Arguments Command line Create a SAN certificate Custom plugins DNS validation plugins Development Enhancement voting Example Scripts HTTP Validation Plugins HTTPS Binding With Specific IP Home How To Run How to Compile From Source Code IIS 7.5 and Lower Install script Installation plugins Issues and workarounds Load balancing Microsoft Exchange Microsoft Remote Desktop Server Migration to v1.9.5 Migration to v1.9.9 Migration to v2.0.0 Missing Certificate Chain Plugins Renewal Management Store plugins Target plugins Task Scheduler Uninstall instructions Upgrades Validation issues Validation plugins web_config.xml
3 Azure DNS validation
Wouter Tinus edited this page 2019-01-20 20:29:15 +01:00
Table of Contents

This assumes you already have your DNS managed in Azure; if not, you'll need to set that up first.

If you are using the Azure DNS option for validation, you'll need to get certain info from your Azure Tenant, and create a service principal for Let's Encrypt to use (you'll only need to create on of these for your entire domain - it's basically an account that has authority to create DNS records).

Create Azure AD Service Principal Account

(as per https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal)

Run the following commands in Powershell. You will need to install the AzureRM Powershell module first if you don't have it installed already.

Login-AzureRmAccount

$sp = New-AzureRmADServicePrincipal -DisplayName LetsEncrypt -Password "SuperSecretPasswordGoesHere"

You can change the DisplayName to something else if you like, and you should certainly change the password. Keep a note of the password as you'll need it to set up the client in a minute.

You then need to give this Service Principal access to change DNS entries. In the Azure Portal:

  • go to DNS Zones -> your.dns.zone.net -> Access Control (IAM)
  • Click Add
  • For Role, choose DNS Zone Contributor
  • Assign access to Azure AD user, group, or application
  • Select LetsEncrypt (or whatever you called your Service Principal above)
  • Click Save

Setting up win-acme

  • Run wacs.exe, and choose which site you want to secure.
  • At the section 'How you you like to validate this certificate' choose Azure DNS
  • For Tenant ID: in the Azure Portal: Azure Active Directory -> Properties -> Directory ID.
  • For Client ID: in the Azure Portal: Azure Active Directory -> App registrations -> LetsEncrypt (or whatever you called your Service Principal before), and find the Application ID.
  • For the Secret: enter the password you created before.
  • For the DNS Subscription ID: in the Azure Portal: DNS zones -> your.dns.zone.net -> Subscription ID
  • For the DNS Resource Group Name: the name of the Resource Group your DNS zone is in (you can find this in Azure Portal: DNS zones -> your.dns.zone.net -> Resource Group

(most of this comes from https://docs.microsoft.com/en-us/azure/dns/dns-sdk)

Please refer to https://pkisharp.github.io/win-acme/ for up-to-date documentation.