This application automates the issuance and renewal of ACME SSL/TLS certificates. The certificates are stored inside Azure Key Vault. Many Azure services such as Azure App Service, Application Gateway, CDN, etc. are able to import certificates directly from Key Vault.
We have started to address the following requirements:
- Use the Azure Key Vault to store SSL/TLS certificates securely
- Centralize management of a large number of certificates using a single Key Vault
- Easy to deploy and configure solution
- Highly reliable implementation
- Ease of Monitoring (Application Insights, Webhook)
Key Vault allows for secure and centralized management of ACME certificates.
- Feature Support
- Requirements
- Getting Started
- Usage
- Frequently Asked Questions
- Thanks
- Sponsors
- License
- All Azure App Services (Web Apps / Functions / Containers, regardless of OS)
- Azure CDN and Front Door
- Azure Application Gateway v2
- Issuing certificates for Wildcard and Zone Apex
- Issuing certificates with SANs (subject alternative names) (one certificate for multiple domains)
- Automated certificate renewal
- ACME v2 compliants Certification Authorities
- Let's Encrypt
- Buypass Go SSL
- ZeroSSL (Requires EAB Credentials)
You will need the following:
- Azure Subscription (required to deploy this solution)
- Azure Key Vault (existing one or new Key Vault can be created at deployment time)
- DNS provider (required to host your public DNS zone)
- Email address (required to register with ACME)
| Azure (Public) | Azure China | Azure Government |
|---|---|---|
Update the following configuration settings of the Function App:
Acmebot:VaultBaseUrl- DNS name of the Azure Key Vault (if you are using an existing Key Vault)
Acmebot:Webhook- Webhook destination URL (optional, Slack and Microsoft Teams are recommended)
- Message will be sent when the process succeeds or fails
There are also additional settings that will be automatically created by Key Vault Acmebot:
Acmebot:Endpoint- The ACME endpoint used to issue certificates
Acmebot:Contacts- The email address (required) used in ACME account registration
For instructions on how to configure each DNS provider, please refer to the following page.
https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration
- Amazon Route 53
- Azure DNS
- Cloudflare
- DNS Made Easy
- GoDaddy
- Google Cloud DNS
- GratisDNS
- TransIP DNS
You must enable Authentication on the Function App that is deployed as part of this application.
In the Azure Portal, open the Function blade then select the Authentication menu and enable App Service authentication. Click on the Add identity provider button to display the screen for adding a new identity provider. If you select Microsoft as your Identity provider, the required settings will be automatically filled in for you. The default settings are fine.
Make sure that the App Service Authentication setting is set to Require authentication. The permissions can basically be left at the default settings.
If you are using Sovereign Cloud, you may not be able to select Express. Enable authentication from the advanced settings with reference to the following document.
Finally, you can save your previous settings to enable App Service authentication.
Open the access policy of the Key Vault and add the Certificate management access policy for the deployed application.
Access https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate with a browser and authenticate with Azure Active Directory and the Web UI will be displayed. Select the target domain from that screen, add the required subdomains, and run, and after a few tens of seconds, the certificate will be issued.
If the Access Control (IAM) setting is not correct, nothing will be shown in the drop-down list.
All existing ACME certificates are automatically renewed 30 days before their expiration.
The default check timing is 00:00 UTC. If you need to change the time zone, use WEBSITE_TIME_ZONE to set the time zone.
See also https://github.com/shibayan/keyvault-acmebot/wiki/How-to-use-in-Azure-services
See also https://github.com/shibayan/keyvault-acmebot/wiki/Frequently-Asked-Questions
- ACMESharp Core by @ebekker
- Durable Functions by @cgillum and contributors
- DnsClient.NET by @MichaCo
This project is licensed under the Apache License 2.0