Azure DNS validation

crompto edited this page Nov 21, 2017 · 2 revisions

This assumes you already have your DNS managed in Azure; if not, you'll need to set that up first.

If you are using the Azure DNS option for validation, you'll need to get certain info from your Azure Tenant, and create a service principal for Let's Encrypt to use (you'll only need to create one of these for your entire domain - it's basically an account that has authority to create DNS records).

Create Azure AD Service Principal Account

(as per https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal)

Run the following commands in PowerShell. You will need to install the AzureRM PowerShell module first if you don't have it installed already.

# Sign in to Azure with an account that can create service principals in the tenant
Login-AzureRmAccount

# Create the service principal that the client will authenticate as; the password is its client secret
$sp = New-AzureRmADServicePrincipal -DisplayName LetsEncrypt -Password "SuperSecretPasswordGoesHere"

You can change the DisplayName to something else if you like, and you should certainly change the password. Keep a note of the password as you'll need it to set up the client in a minute.

You then need to give this Service Principal access to change DNS entries. In the Azure Portal:

  • go to DNS Zones -> your.dns.zone.net -> Access Control (IAM)
  • Click Add
  • For Role, choose DNS Zone Contributor
  • Assign access to Azure AD user, group, or application
  • Select LetsEncrypt (or whatever you called your Service Principal above)
  • Click Save

Setting up letsencrypt-win-simple

  • Run Let's Encrypt, and choose which site you want to secure.
  • At the section 'How would you like to validate this certificate' choose Azure DNS
  • For Tenant ID: in the Azure Portal: Azure Active Directory -> Properties -> Directory ID.
  • For Client ID: in the Azure Portal: Azure Active Directory -> App registrations -> LetsEncrypt (or whatever you called your Service Principal before), and find the Application ID.
  • For the Secret: enter the password you created before.
  • For the DNS Subscription ID: in the Azure Portal: DNS zones -> your.dns.zone.net -> Subscription ID
  • For the DNS Resource Group Name: the name of the Resource Group your DNS zone is in (you can find this in Azure Portal: DNS zones -> your.dns.zone.net -> Resource Group)

(most of this comes from https://docs.microsoft.com/en-us/azure/dns/dns-sdk)
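The same setup done entirely from PowerShell, as an added example that is not part of this wiki page or the letsencrypt-win-simple project: it creates the service principal, grants it DNS Zone Contributor on the one DNS zone only (the same least-privilege scope the portal steps above produce), and prints the five values the client asks for. It assumes AzureRM 5.0 or later, where -Password takes a SecureString; the zone name and resource group are placeholders.

```powershell
# Added example, not from the wiki. Placeholders: replace with your zone and resource group.
$zoneName      = 'your.dns.zone.net'
$resourceGroup = 'my-dns-rg'
$spName        = 'LetsEncrypt'

Login-AzureRmAccount
$ctx = Get-AzureRmContext

# Generate a random client secret instead of typing one; it is shown once at the end.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plainSecret  = [Convert]::ToBase64String($bytes)
$secureSecret = ConvertTo-SecureString $plainSecret -AsPlainText -Force

# Assumes AzureRM 5.0+ (SecureString password); older versions accept a plain string.
$sp = New-AzureRmADServicePrincipal -DisplayName $spName -Password $secureSecret

# Scope the role to the zone's resource ID, not to the subscription or resource group.
$zone = Get-AzureRmDnsZone -Name $zoneName -ResourceGroupName $resourceGroup

# A freshly created principal can take a moment to replicate, so retry the assignment.
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzureRmRoleAssignment -ObjectId $sp.Id `
            -RoleDefinitionName 'DNS Zone Contributor' -Scope $zone.Id | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Role assignment failed for $spName on $($zone.Id)" }

# The values letsencrypt-win-simple prompts for in the Azure DNS validation step.
[pscustomobject]@{
    TenantId       = $ctx.Tenant.Id
    ClientId       = $sp.ApplicationId
    Secret         = $plainSecret
    SubscriptionId = $ctx.Subscription.Id
    ResourceGroup  = $resourceGroup
} | Format-List
```

Copy the Secret value into the client straight away; it is not retrievable from Azure afterwards, and you would have to reset the credential to get a new one.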
