Use dns zone if available in resource ID #18
Conversation
Looks good, three things:
Agreed. I've added the check. Alternatively, I've used this function in other projects to parse Azure resource IDs.

```python
from azure.core.utils import CaseInsensitiveDict


def parse_azure_resource_id(resource_id: str):
    # Drop a leading/trailing slash so the split yields clean segments
    if resource_id.startswith('/'):
        resource_id = resource_id[1:]
    if resource_id.endswith('/'):
        resource_id = resource_id[:-1]
    if '/' not in resource_id:
        raise ValueError('Invalid resource ID')
    parts = resource_id.split('/')
    # Segments alternate key/value, so an odd count or an empty segment is malformed
    if (len(parts) % 2) != 0 or '' in parts:
        raise ValueError('Invalid resource ID')
    return CaseInsensitiveDict(zip(parts[0::2], parts[1::2]))


r1 = parse_azure_resource_id("/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1")
r2 = parse_azure_resource_id("/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns2/providers/Microsoft.Network/dnszones/acme.example.com")

print(r1)
# {'subscriptions': 'c135abce-d87d-48df-936c-15596c6968a5', 'resourceGroups': 'dns1'}
print(r2)
# {'subscriptions': 'c135abce-d87d-48df-936c-15596c6968a5', 'resourceGroups': 'dns2', 'providers': 'Microsoft.Network', 'dnszones': 'acme.example.com'}

"dnszones" in r1          # False
r1.get("subscriptions")   # c135abce-d87d-48df-936c-15596c6968a5
r1.get("resourceGroups")  # dns1
r1.get("dnsZones")        # None
"dnszones" in r2          # True
r2.get("dnsZones")        # acme.example.com
```
Nice, that function looks good. Excellent use of case insensitive dict too. PR looks good, happy to wait if you want to use that function instead though, I reckon it'll look nicer 😄

Nice, that looks great, will give it a test over the weekend on my tenant and then do a release

@terrycain Would it be possible to ask for this to be released to a new version at pypi anytime soon so it works in the version installed by pip3?

Hey, it's on my todo list, hopefully get it done soon :)
@mdhowle @terrycain I tried to install the version from GitHub master locally Given CNAME from As far as I can understand the version in the master branch creates the TXT lookup under

The documentation is incorrect. Using your example, if you are requesting a certificate for site1.example.com using certs.example.com for DNS delegation of example.com, the CNAME record on example.com needs to be The TXT record certbot creates would be I'll create a new PR to fix the documentation. Thank you for pointing this out.
We have a subdomain, acme.example.com, in Azure DNS that handles the DNS validation. The DNS zone for example.com is hosted outside of Azure DNS. It has a CNAME that points to acme.example.com:

```
_acme-challenge.foo.example.com => _acme-challenge.foo.acme.example.com
```

that will be followed by the ACME server to validate (DNS aliasing). The current implementation of certbot-dns-azure does not take this setup into account. Registering foo.example.com with the following configuration will result in certbot-dns-azure writing to a non-existent Azure DNS zone for example.com:

```ini
dns_azure_zone1 = example.com:/subscriptions/<subid>/resourceGroups/<rgname>
```

Also, adjusting the domain name prefix to

```ini
acme.example.com:/subscriptions/...
```

leads to an error in the plugin: `Domain foo.example.com does not have a valid domain to resource group id mapping`. This makes sense because foo.example.com does not end with acme.example.com. Removing this check would probably fix it in my case, but it's also not the most common case. With this PR, one can supply the full resource ID with the DNS zone in the configuration file as displayed in Azure DNS:

```ini
dns_azure_zone1 = example.com:/subscriptions/<subid>/resourceGroups/<rgname>/providers/Microsoft.Network/dnszones/acme.example.com
```

The code will then attempt to index the DNS zone from the resource ID. In this instance, acme.example.com will be returned. Otherwise, if a resource ID without the dnszone is supplied, it will return example.com as defined in the domain prefix and continue to work as before, as currently documented.
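As an added example (not certbot-dns-azure's own code) tying the resource-ID parser from the thread to the zone selection this PR describes: it reads a dns_azure_zoneN value, takes the zone from the dnszones segment when present and otherwise from the domain prefix, and then locates the record for a validation name. The function names, the lower-cased-key dict standing in for CaseInsensitiveDict, and the relative-record-name derivation are assumptions of this example.

```python
from typing import Dict, List, Tuple


def parse_azure_resource_id(resource_id: str) -> Dict[str, str]:
    """Split '/subscriptions/<id>/resourceGroups/<rg>/...' into key/value pairs.
    Keys are lower-cased so 'dnsZones' and 'dnszones' compare equal (a stand-in
    for azure.core's CaseInsensitiveDict so this runs without the SDK)."""
    parts = resource_id.strip('/').split('/')
    if len(parts) < 2 or len(parts) % 2 != 0 or '' in parts:
        raise ValueError(f'Invalid resource ID: {resource_id!r}')
    return {k.lower(): v for k, v in zip(parts[0::2], parts[1::2])}


def parse_zone_mapping(config_value: str) -> Tuple[str, str, str]:
    """Return (domain, resource_group_id, zone_name) for one dns_azure_zoneN value."""
    domain, sep, resource_id = config_value.partition(':')
    if not sep or not domain or not resource_id:
        raise ValueError(f'Expected <domain>:<resource id>, got {config_value!r}')
    parsed = parse_azure_resource_id(resource_id)
    if 'subscriptions' not in parsed or 'resourcegroups' not in parsed:
        raise ValueError('Resource ID needs a subscription and a resource group')
    rg_id = f"/subscriptions/{parsed['subscriptions']}/resourceGroups/{parsed['resourcegroups']}"
    # Zone comes from the dnszones segment when present, else from the domain prefix.
    return domain.lower(), rg_id, parsed.get('dnszones', domain).lower()


def resolve_txt_target(validation_name: str, config_values: List[str]) -> Tuple[str, str, str]:
    """Pick the mapping whose domain is a suffix of the validation name and return
    (resource_group_id, zone_name, relative_record_name).

    Assumption of this example: the relative name is the validation name with the
    mapped domain stripped, so relative + '.' + zone is the FQDN the CNAME in the
    PR description points at."""
    name = validation_name.lower()
    for value in config_values:
        domain, rg_id, zone = parse_zone_mapping(value)
        if name == domain or name.endswith('.' + domain):
            relative = '@' if name == domain else name[:-len(domain) - 1]
            return rg_id, zone, relative
    raise ValueError(f'Domain {validation_name} does not have a valid domain '
                     'to resource group id mapping')


if __name__ == '__main__':
    # Constructed sample config matching the PR description's example.
    cfg = ['example.com:/subscriptions/<subid>/resourceGroups/<rgname>'
           '/providers/Microsoft.Network/dnszones/acme.example.com']
    print(resolve_txt_target('_acme-challenge.foo.example.com', cfg))
```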