Use dns zone if available in resource ID #18
Conversation
|
Looks good, three things:
|
Agreed. I've added the check. Alternatively, I've used this function in other projects to parse Azure resource IDs. from azure.core.utils import CaseInsensitiveDict
def parse_azure_resource_id(resource_id: str):
if resource_id.startswith('/'):
resource_id = resource_id[1:]
if resource_id.endswith('/'):
resource_id = resource_id[:-1]
if '/' not in resource_id:
raise ValueError('Invalid resource ID')
parts = resource_id.split('/')
if (len(parts) % 2) != 0 or '' in parts:
raise ValueError('Invalid resource ID')
return CaseInsensitiveDict(zip(parts[0::2], parts[1::2]))
r1 = parse_azure_resource_id("/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1")
r2 = parse_azure_resource_id("/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns2/providers/Microsoft.Network/dnszones/acme.example.com")
print(r1)
{'subscriptions': 'c135abce-d87d-48df-936c-15596c6968a5', 'resourceGroups': 'dns1'}
print(r2)
{'subscriptions': 'c135abce-d87d-48df-936c-15596c6968a5', 'resourceGroups': 'dns2', 'providers': 'Microsoft.Network', 'dnszones': 'acme.example.com'}
"dnszones" in r1 # False
r1.get("subscriptions") # c135abce-d87d-48df-936c-15596c6968a5
r1.get("resourceGroups") # dns1
r1.get("dnsZones") # None
"dnszones" in r2 # True
r2.get("dnsZones") # acme.example.com |
|
Nice that function looks good. Excellent use of case insensitive dict too. PR looks good, happy to wait if you want to use that function instead though, i reckon it'll look nicer 😄 |
|
Nice that looks great, will give it a test over the weekend on my tenant and then do a release |
|
@terrycain Would it be possible to ask for this to be released to a new version at pypi anytime soon so it works in the version installed by pip3? |
|
Hey, is on my todo list, hopefully get it done soon :) |
|
@mdhowle @terrycain I tried to install the version from GitHub master locally Given CNAME from As far as I can understand the version in the master branch creates the TXT lookup under |
|
The documentation is incorrect. Using your example, if you are requesting a certificate for site1.example.com using certs.example.com for DNS delegation of example.com, the CNAME record on example.com needs to be The TXT record certbot creates would be I'll create a new PR to fix the documentation. Thank you for pointing this out. |
We have a subdomain, acme.example.com, in Azure DNS that handles the DNS validation. The DNS zone for example.com is hosted outside of Azure DNS. It has a CNAME that points to acme.example.com:
_acme-challenge.foo.example.com => _acme-challenge.foo.acme.example.comthat will be followed by the ACME server to validate (DNS aliasing).The current implementation of certbot-dns-azure does not take this setup into account. Registering foo.example.com with the following configuration will result in certbot-dns-azure writing to a non-existent Azure DNS zone for example.com
dns_azure_zone1 = example.com:/subscriptions/<subid>/resourceGroups/<rgname>Also, adjusting the domain name prefix to
acme.example.com:/subscriptions/...leads to an error in the plugin:Domain foo.example.com does not have a valid domain to resource group id mapping. This makes sense because foo.example.com does not end with acme.example.com. Removing this check would probably fix it in my case, but it's also not the most common case.With this PR, one can supply the full resource ID with the DNS zone in the configuration file as displayed in Azure DNS.
dns_azure_zone1 = example.com:/subscriptions/<subid>/resourceGroups/<rgname>/providers/Microsoft.Network/dnszones/acme.example.comThe code will then attempt to index the DNS zone from resource ID. In this instance, acme.example.com will be returned. Otherwise, if a resource ID without the dnszone is supplied, it will return example.com as defined in the domain prefix and continue to work as before as currently documented.