author | Wouter Tinus <win.acme.simple@gmail.com> | 2020-01-16 06:50:05 +0100 |
---|---|---|
committer | Wouter Tinus <win.acme.simple@gmail.com> | 2020-01-16 06:50:05 +0100 |
commit | 880f58c86b66e0f8ae8219a58e03ea0af97357a8 (patch) | |
tree | 6fee87ad15e5d8640ec0dd1cc21d5359d8e795ae /docs/reference/plugins | |
parent | 3ffe56a888fc294a9c66a7343a1ccbb5cdaa0c7d (diff) | |
download | letsencrypt-win-simple-880f58c86b66e0f8ae8219a58e03ea0af97357a8.zip letsencrypt-win-simple-880f58c86b66e0f8ae8219a58e03ea0af97357a8.tar.gz letsencrypt-win-simple-880f58c86b66e0f8ae8219a58e03ea0af97357a8.tar.bz2 |
update azure docs
Diffstat (limited to 'docs/reference/plugins')
-rw-r--r-- | docs/reference/plugins/validation/dns/azure.md | 44 |
1 files changed, 24 insertions, 20 deletions
diff --git a/docs/reference/plugins/validation/dns/azure.md b/docs/reference/plugins/validation/dns/azure.md index 424a02c..6518557 100644 --- a/docs/reference/plugins/validation/dns/azure.md +++ b/docs/reference/plugins/validation/dns/azure.md 
@@ -10,39 +10,43 @@ Create the record in Azure DNS. ## Setup This assumes you already have your DNS managed in Azure; if not, you'll need to set that up first. If you are using the Azure DNS option for validation, you'll need to get certain info from your Azure Tenant, and create -a service principal for Let's Encrypt to use (you'll only need to create on of these for your entire domain - -it's basically an account that has authority to create DNS records). +a service principal for win-acme to use (you'll only need to create on of these - it's basically an account that has authority to create DNS records). +There are two ways to authenticate with Azure: -### Create Azure AD Service Principal Account -Run the following commands in Powershell. You will need to install the AzureRM Powershell module first if -you don't have it installed already. - -`Login-AzureRmAccount` -`$sp = New-AzureRmADServicePrincipal -DisplayName LetsEncrypt -Password "SuperSecretPasswordGoesHere"` - -You can change the DisplayName to something else if you like, and you should certainly change the password. -Keep a note of the password as you'll need it to set up the client in a minute. +#### Create Azure AD Service Principal Account +Use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest) +to create an [Azure service principal](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) You then need to give this Service Principal access to change DNS entries. 
In the Azure Portal: * Go to `DNS Zones` > `sub.example.com` > `Access Control (IAM)` * Click `Add` * For Role, choose `DNS Zone Contributor` * Assign access to `Azure AD user, group, or application` -* Select `LetsEncrypt` (or whatever you called your Service Principal above) +* Select your Service Principal * Click `Save` +#### Use a Managed Service Identity +More information [here](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) + ### Configuring the plugin -* Run `wacs.exe`, and choose which site you want to secure. -* At the section 'How you you like to validate this certificate' choose `Azure DNS` -* For `Tenant ID`: in the Azure Portal: Azure Active Directory > Properties > Directory ID. -* For `Client ID`: in the Azure Portal: Azure Active Directory > App registrations > LetsEncrypt (or whatever you called your Service Principal before), and find the Application ID. -* For the `Secret`: enter the password you created before. -* For the `DNS Subscription ID`: in the Azure Portal: `DNS Zones` > `sub.example.com` > Subscription ID -* For the `DNS Resource Group Name`: the name of the Resource Group your DNS zone is in (you can find this in Azure Portal: DNS zones -> your.dns.zone.net -> Resource Group +During setup of the validation the program will ask several questions. +Here is to answer them with information from the Azure Portal. + +* `DNS Subscription ID`: DNS Zones > `sub.example.com` > `Subscription ID` +* `DNS Resource Group Name`: DNS zones > `sub.example.com` > `Resource Group`) + +Only when authenticating Service Principal Account: + +* `Directory/tenant id`: Azure Active Directory > Properties > `Directory ID`. +* `Application client id`: Azure Active Directory > App registrations > [Service Principal] > `Application ID`. +* `Application client secret`: The password that was generated when you created the Service Principal Account. 
### Resources - [How to: Use Azure PowerShell to create a service principal with a certificate](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell) - [DNS SDK](https://docs.microsoft.com/en-us/azure/dns/dns-sdk) ## Unattended -`--validationmode dns-01 --validation azure --azuretenantid x --azureclientid x --azuresecret *** --azuresubscriptionid x --azureresourcegroupname x`
\ No newline at end of file +#### Service Principal Account +`--validationmode dns-01 --validation azure --azuretenantid x --azureclientid x --azuresecret *** --azuresubscriptionid x --azureresourcegroupname x` +#### Managaged Resource Identity +`--validationmode dns-01 --validation azure --azureusemsi --azuresubscriptionid x --azureresourcegroupname x`
\ No newline at end of file |
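Review bot: the new `#### Use a Managed Service Identity` subsection only links to the overview and never says that the managed identity needs the same `DNS Zone Contributor` role assignment on the zone; the IAM steps (`DNS Zones` > `sub.example.com` > `Access Control (IAM)` > `Select your Service Principal`) sit under the Service Principal heading, so a reader who takes the MSI path reaches the unattended `--azureusemsi` command with an identity that has no permission to create records. Suggest either repeating the role-assignment step in the MSI subsection or moving it above both subsections and stating that it applies to whichever identity is used; keep the assignment at zone scope as the steps already do, since that is the least privilege the plugin needs. Related: the removed line `Keep a note of the password as you'll need it to set up the client in a minute.` has no replacement, yet `Application client secret: The password that was generated when you created the Service Principal Account.` still depends on the reader having captured it; one sentence telling them to record it at creation time and to treat it as a credential with write access to the zone would close that gap. Smaller points in the same hunk: `(you'll only need to create on of these` carries over the old `on` for `one`; `Here is to answer them` needs `how`; `> \`Resource Group\`)` has a stray closing paren; `Only when authenticating Service Principal Account:` reads better as `Only when authenticating with a Service Principal Account:`; and the heading `#### Managaged Resource Identity` is misspelled and does not match `#### Use a Managed Service Identity` above it, so pick one name for both. Both the old and new file end with `\ No newline at end of file`; add the trailing newline while here.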