Web-jobs instances (do I need one for each site?) #43

Open
ComputerCowboy opened this Issue Apr 10, 2016 · 17 comments

ComputerCowboy commented Apr 10, 2016

I have a question about WebJobs instances and if one is required for each site. I have quite a few sites in a single resource group which all have the Let's Encrypt job. The thing is actually that now they don't all have said job because I have been messing around with continuous deployment and I've inadvertently deleted some of them. At any rate I was wondering if just having one per resource group would be enough to pick up and renew certs. Maybe it would do this with a little extra configuration? I don't really want to run multiple versions of the same thing if one would suffice.

Thanks in advance

Owner

sjkp commented Apr 10, 2016

Right now it doesn't support running a single instance for multiple sites.

It could be done - but as of right now I'm not building it until I know whether or not we can get the certs to install on Windows Azure, see #42

ComputerCowboy commented Apr 10, 2016

Well, I am certain it is only a matter of time.
Did the Microsoft people ever actually try to delete the X1 intermediate?

Owner

sjkp commented Apr 10, 2016

Within the next 14 days - all their frontends should have it removed. But I'm not 100% certain that it will fix it, because it seems there is some caching that is hitting on-prem users, which could also affect Azure. We will have to wait and see.

Yitzchok commented Jun 8, 2016

It seems like you figured out issue #42.

What's the status with this feature?

Owner

sjkp commented Jun 10, 2016

@Yitzchok - I decided not to implement it as part of the site extension but I'm going to build something else that will support that scenario.
The timeline is a couple of months; as these projects are my spare-time projects, things take some time.

Contributor

ohadschn commented Mar 25, 2017

@sjkp would you reconsider? This would actually resolve #22 along the way - simply have a dedicated web app for LetsEncrypt renewals, configure all your web apps there, and never touch it again... The user just needs to make sure that the service principal has the right permissions.

Then you can make clean deployments to whatever web apps you want, cleaning existing WebJobs and whatnot, without worry.

Owner

sjkp commented Mar 25, 2017

I'm working on restructuring the code, which will allow the extension to be run from a function app, and that single function app can install certificates on several web apps. That should solve the problem. I'm hoping to finish it tomorrow.

sjkp added a commit that referenced this issue Apr 2, 2017

Contributor

ohadschn commented Apr 25, 2017

@sjkp I noticed you added a commit that references this issue but it's still open, could you please share where things stand? IMHO this is the single most important issue of the extension (specifically the deletion of the webjob when one uses "Delete Existing files", which I do all the time to avoid clutter and assembly mismatches). It's just too easy to miss and breaks everything silently...

Owner

sjkp commented Apr 25, 2017

@ohadschn - I wanted to make it work with Azure Functions (applying the SSL certificates could be completely external to the web app), but I think I have to give up on that, because Azure Functions doesn't support assembly binding redirects, so running the code from the site extension in an Azure Function app gives me a whole world of problems.

Contributor

ohadschn commented Apr 25, 2017

@sjkp then how about allowing Web App A to renew certificates for Web App B (and ideally web app C and D and so forth, but for the first phase a one-to-one correspondence would be good enough), still using Webjobs?

That would eliminate the "delete existing files" problem as you'd never deploy the cert renewing app...

Owner

sjkp commented Apr 26, 2017

That is exactly what I refactored the code to allow, but my original intention was to use Functions as the runtime as that would allow easy setup and configuration. But I will post a sample tonight on how you can do it with your own WebJobs or console app for that matter; it is about 10 lines of code.

Contributor

ohadschn commented Apr 26, 2017

@sjkp cool, thanks! I take it that sample would involve pulling some LetsEncrypt,Azure NuGets and operating on classes there?

sjkp added a commit that referenced this issue May 2, 2017

Owner

sjkp commented May 2, 2017

If someone wants to play with the nuget it can be downloaded from here:
https://www.nuget.org/packages/letsencrypt.azure.core/0.6.20-prerelease

It is still in prerelease so I might break it or do other things with it, but it should be workable.

A sample console app could e.g. look like this:

```csharp
using LetsEncrypt.Azure.Core;
using LetsEncrypt.Azure.Core.Models;
using System;

namespace Letsencrypt.Azure.Console
{
    class Program
    {
        static void Main(string[] args)
        {
            // Placeholders: replace with the service principal's tenant, subscription and
            // client ids (the last two must be real GUIDs), its secret, and the target
            // resource group / web app name.
            var mgr = new CertificateManager(new LetsEncrypt.Azure.Core.Models.AzureEnvironment("tenantId", new Guid("subscriptionId"), new Guid("clientId"), "secret", "resourceGroupName", "webAppName"), new AcmeConfig()
            {
                Host = "your-domain.com",
                RegistrationEmail = "your@email.com",
                RSAKeyLength = 2048,
                PFXPassword = "yourCertPass",
                BaseUri = "https://acme-v01.api.letsencrypt.org/" //Comment out to use staging
            }, new CertificateServiceSettings()
            {
                UseIPBasedSSL = false
            }, new AuthProviderConfig());

            // Renew only if the current certificate is within the given number of days of expiry:
            //var res = mgr.RenewCertificate(renewXNumberOfDaysBeforeExpiration: 180).Result;
            // Issue a new certificate and bind it to the web app:
            mgr.AddCertificate();
        }
    }

    internal class AuthProviderConfig : IAuthorizationChallengeProviderConfig
    {
        public bool DisableWebConfigUpdate
        {
            get
            {
                return false;
            }
        }
    }
}
```

Contributor

ohadschn commented May 2, 2017

@sjkp thanks!

  1. I take it PFXPassword could be anything?
  2. So this code actually issues a new cert and links it to the web app, rather than renew only if necessary? In other words, if I run this code every week, it will create a new cert and link it to my app every week correct?
  3. It's funny how ACME is a real thing now (Automatic Certificate Management Environment)

Owner

sjkp commented May 2, 2017

  1. Yes, in fact it can also be empty, just not if you want to import the certificate manually through the portal UI.
  2. Technically there is not much difference. You could also run the renew code if you want to let my code check if the certificate is about to expire, and if so then it will create a new one and assign it.
  3. 👍 I'm surprised that it has been this long and Microsoft hasn't made my work obsolete. But I guess they'd rather send money into GoDaddy's pockets.


Contributor

ohadschn commented May 2, 2017

  1. I wonder if security-wise it's OK to have an empty password for the PFX?
  2. I'm planning to just run this every 60 days and be done with it, but just out of curiosity, how would one run your renewal code? (EDIT - looks like one simply has to call RenewCertificate rather than AddCertificate on the CertificateManager).
  3. Well I work for Microsoft, so no comment :)
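
Putting sjkp's sample together with the RenewCertificate answer above, here is an added example (written for this thread, not sjkp's sample and not part of the letsencrypt.azure.core package) of one console app or WebJob that renews certificates for several web apps, the one-to-many scenario this issue asks for. It uses only the types and members that appear in sjkp's sample (CertificateManager, AzureEnvironment, AcmeConfig, CertificateServiceSettings, IAuthorizationChallengeProviderConfig, RenewCertificate); the SiteEntry class, the LE_* environment variable names, the site-list format and the namespace are assumptions made up for this example. The service principal secret comes from app settings instead of source code, each site is touched only when its certificate is within 30 days of expiry, and a failure on one site is reported and does not stop the others, so a broken renewal no longer fails silently.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using LetsEncrypt.Azure.Core;
using LetsEncrypt.Azure.Core.Models;

// Example-only namespace, not part of the NuGet package.
namespace MultiSiteRenewer
{
    // One web app this job is responsible for (type invented for this example).
    internal sealed class SiteEntry
    {
        public string ResourceGroup { get; set; }
        public string WebAppName { get; set; }
        public string Host { get; set; }
    }

    // Same choice as the thread's sample: keep the library's web.config update
    // that serves the /.well-known/acme-challenge/ path.
    internal sealed class AuthProviderConfig : IAuthorizationChallengeProviderConfig
    {
        public bool DisableWebConfigUpdate { get { return false; } }
    }

    internal static class Program
    {
        static int Main()
        {
            // Service principal credentials come from the WebJob's app settings
            // (environment variables); the LE_* names are assumptions for this example.
            string tenantId = Require("LE_TENANT_ID");
            var subscriptionId = new Guid(Require("LE_SUBSCRIPTION_ID"));
            var clientId = new Guid(Require("LE_CLIENT_ID"));
            string clientSecret = Require("LE_CLIENT_SECRET");
            string email = Require("LE_REGISTRATION_EMAIL");
            // Leave unset to keep the library default (staging, per the thread);
            // set to https://acme-v01.api.letsencrypt.org/ for trusted certificates.
            string acmeBaseUri = Environment.GetEnvironmentVariable("LE_ACME_BASE_URI");

            // Constructed list format: "rg/app/host;rg/app/host;..."
            List<SiteEntry> sites = ParseSites(Require("LE_SITES"));
            int failures = 0;

            foreach (SiteEntry site in sites)
            {
                try
                {
                    var env = new AzureEnvironment(tenantId, subscriptionId, clientId,
                        clientSecret, site.ResourceGroup, site.WebAppName);
                    var acme = new AcmeConfig
                    {
                        Host = site.Host,
                        RegistrationEmail = email,
                        RSAKeyLength = 2048,
                        // Fresh random password per run: nobody needs to open the PFX by hand.
                        PFXPassword = RandomPassword()
                    };
                    if (!string.IsNullOrEmpty(acmeBaseUri)) { acme.BaseUri = acmeBaseUri; }

                    var mgr = new CertificateManager(env, acme,
                        new CertificateServiceSettings { UseIPBasedSSL = false },
                        new AuthProviderConfig());

                    // Issue only when the bound certificate is within 30 days of expiry, so a
                    // weekly schedule neither re-issues needlessly nor hits ACME rate limits.
                    mgr.RenewCertificate(renewXNumberOfDaysBeforeExpiration: 30)
                       .GetAwaiter().GetResult();
                    Console.WriteLine("OK   " + site.WebAppName + " (" + site.Host + ")");
                }
                catch (Exception ex)
                {
                    // One broken site must not block the rest; the non-zero exit code
                    // makes the failure visible in the WebJob run history.
                    failures++;
                    Console.Error.WriteLine("FAIL " + site.WebAppName + " (" + site.Host + "): " + ex.Message);
                }
            }
            return failures == 0 ? 0 : 1;
        }

        static string Require(string name)
        {
            string value = Environment.GetEnvironmentVariable(name);
            if (string.IsNullOrWhiteSpace(value)) { throw new InvalidOperationException("Missing app setting: " + name); }
            return value;
        }

        static List<SiteEntry> ParseSites(string spec)
        {
            var result = new List<SiteEntry>();
            foreach (string item in spec.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
            {
                string[] parts = item.Trim().Split('/');
                if (parts.Length != 3) { throw new FormatException("Expected rg/app/host, got: " + item); }
                result.Add(new SiteEntry { ResourceGroup = parts[0], WebAppName = parts[1], Host = parts[2] });
            }
            return result;
        }

        static string RandomPassword()
        {
            var bytes = new byte[24];
            using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
            return Convert.ToBase64String(bytes);
        }
    }
}
```

Deploy this as a scheduled WebJob on a dedicated web app that is never redeployed with "Delete Existing files", as suggested earlier in the thread, and give the service principal only the role it needs to manage certificates and host-name bindings on each target web app. Run it once against staging (LE_ACME_BASE_URI unset) before pointing it at the production endpoint.
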

Contributor

ohadschn commented Aug 19, 2017

I created a WebJob that supports multiple sites (Web Apps) among other things:
https://github.com/ohadschn/letsencrypt-webapp-renewer

@sjkp would you mind linking to it from the main README? I also added e-mail notifications and removed the dependency on Azure Storage. You can also use it as a standalone command-line tool.
