Front Door, enable-https for custom domain with certificate in AzureKeyVault

PerSderlind-4328 asked:

Enabling HTTPS and adding a certificate from my keyvault works fine using the portal (i.e. I have the access rights needed).

I'm trying to do the same using az but can't find an explanation of how to do it:

 az network front-door frontend-endpoint enable-https --resource-group $RG \
     --front-door-name $AFD \
     --name $name \
     --vault-id $kv_id \
     --certificate-source AzureKeyVault \
     --secret-name $NN \
     --secret-version $XX


Especially, how do I retrieve $NN and $XX using az keyvault ... ?


Tags: azure-key-vault, azure-front-door

AndriyBilous answered:

Hello @PerSderlind-4328
You want to retrieve the secret name and secret version from AzureKeyVault.
Here is the list of az keyvault secret commands:
https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#commands

However, I am not sure how you want to get the secret name and its version from AzureKeyVault without knowing the secret's name or id.

PerSderlind-4328 commented:

I managed to do it using the following code:

 # List every certificate in the vault, then print one line per SAN:
 # "<dns name> <secret name> <secret version>". The secret name equals the
 # certificate name; the version is the last path segment of the certificate's sid.
 snames=$(az keyvault certificate list --vault-name $KV | jq -r '[.[].name]|join(" ")')
 for SECRET_NAME in $snames; do
     # fetch the certificate once and read both fields from the same JSON
     cert=$(az keyvault certificate show --vault-name $KV --name $SECRET_NAME)
     # dnsNames live under policy.x509CertificateProperties.subjectAlternativeNames
     DOMAINS_WITH_CERTS=$(jq -r '.. | objects | select(.subjectAlternativeNames).subjectAlternativeNames.dnsNames | join(" ")' <<<"$cert")
     # sid is https://<vault>.vault.azure.net/secrets/<name>/<version>; keep the version
     SECRET_ID=$(jq -r '.sid | split("/")[-1]' <<<"$cert")
     for DOMAIN_WITH_CERT in $DOMAINS_WITH_CERTS; do
         echo "$DOMAIN_WITH_CERT $SECRET_NAME $SECRET_ID"
     done
 done
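To close the loop on $NN and $XX: a certificate stored in Key Vault is also exposed as a secret with the same name, and `az keyvault certificate show` returns that secret's id in `sid`, shaped like `https://<vault>.vault.azure.net/secrets/<name>/<version>`. So `--secret-name` is the certificate name and `--secret-version` is the last path segment of `sid`, while `--vault-id` is the vault's ARM resource id. The script below is an added example and not code from the thread: it parses `sid`, picks the first certificate whose SANs cover the host (exact match or a one-label wildcard), and hands the result to enable-https. It assumes az is logged in with read access to the vault, jq is installed, and the certificate lists the host as a SAN (it does not look at the subject CN); the function names and the vault/Front Door/endpoint names passed in are illustrative.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# Maps a custom domain to the Key Vault secret name/version that
#   az network front-door frontend-endpoint enable-https
# expects, then calls it. Assumes: az CLI logged in with read access to the
# vault, jq installed, and a certificate in the vault whose SANs cover the host.
# Vault, Front Door and endpoint names are passed in by the caller (illustrative).
set -eu

# A Key Vault certificate is also stored as a secret of the same name; its
# secret id (sid) is https://<vault>.vault.azure.net/secrets/<name>/<version>.
sid_to_secret_name() {
  s=${1%/}               # tolerate a trailing slash
  s=${s%/*}              # drop the version segment
  printf '%s\n' "${s##*/}"
}

sid_to_secret_version() {
  s=${1%/}
  printf '%s\n' "${s##*/}"
}

# Does a SAN entry cover a host? Exact match, or a wildcard covering exactly
# one extra label (*.example.com covers www.example.com, but not example.com
# or a.b.example.com), which is how TLS clients interpret it.
san_matches_host() {
  san=$1
  host=$2
  if [ "$san" = "$host" ]; then
    return 0
  fi
  case $san in
    '*.'*)
      suffix=${san#'*.'}
      label=${host%".$suffix"}
      if [ "$label" != "$host" ] && [ -n "$label" ]; then
        case $label in
          *.*) return 1 ;;
          *)   return 0 ;;
        esac
      fi
      ;;
  esac
  return 1
}

# Print "<secret-name> <secret-version>" for the first certificate in the vault
# whose SANs cover $host. Certificate names and DNS names contain no whitespace,
# so word-splitting the command output is safe here.
find_cert_for_host() {
  vault=$1
  host=$2
  for name in $(az keyvault certificate list --vault-name "$vault" --query '[].name' -o tsv); do
    cert_json=$(az keyvault certificate show --vault-name "$vault" --name "$name")
    sid=$(printf '%s' "$cert_json" | jq -r '.sid')
    sans=$(printf '%s' "$cert_json" \
      | jq -r '.policy.x509CertificateProperties.subjectAlternativeNames.dnsNames // [] | .[]')
    for san in $sans; do
      if san_matches_host "$san" "$host"; then
        printf '%s %s\n' "$(sid_to_secret_name "$sid")" "$(sid_to_secret_version "$sid")"
        return 0
      fi
    done
  done
  echo "no certificate in vault $vault has a SAN covering $host" >&2
  return 1
}

# Enable HTTPS on an existing frontend endpoint using the matching vault certificate.
# --vault-id is the vault's ARM resource id, not its https URL.
enable_https_from_vault() {
  rg=$1; afd=$2; endpoint=$3; host=$4; vault=$5
  vault_id=$(az keyvault show --name "$vault" --query id -o tsv)
  pair=$(find_cert_for_host "$vault" "$host")   # set -e aborts here if nothing matches
  secret_name=${pair% *}
  secret_version=${pair#* }
  az network front-door frontend-endpoint enable-https \
    --resource-group "$rg" --front-door-name "$afd" --name "$endpoint" \
    --certificate-source AzureKeyVault --vault-id "$vault_id" \
    --secret-name "$secret_name" --secret-version "$secret_version"
}

# Example invocation (all names are placeholders):
#   enable_https_from_vault myRG myFrontDoor example-com example.com myVault
```

Two things to check before running this against 50 domains: enable-https succeeds only if Front Door itself has been granted access to read secrets in that vault (your own az session having access is not enough), and the version pinned by `--secret-version` will not follow renewals, so a renewal job has to re-run enable-https with the new version.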
PerSderlind-4328 answered:

I know, it's a catch-22. I'm adding the certificate using code, so how can I get its secret name and id?

The reason why I'm doing this is that I'm onboarding 50+ custom domains, and doing that via the portal will take too much time.

My script so far is below, it's paperware at the moment, i.e. not tested:

In 3b (in the comments) I need to find the secret name ($NN) and secret id ($XX) so I can use them in 3c.


 # zone file = domain name (the loop variable is a path, so take its basename).
 for zone_file in "$zone_dir"/*
 do
     zone=$(basename "$zone_file")
    
 # 1 Update DNS, point apex and www to the front door
     printf "\nUpdating %s\n" "$zone"
    
     front_door_id=$(az network front-door show --resource-group $RG --name $AFD --query id -o tsv)
    
     # apex as an alias A record targeting the Front Door resource, www as a CNAME to its hostname
     az network dns record-set a update --resource-group $RG --name "@" --zone-name $zone --target-resource $front_door_id
     az network dns record-set cname set-record --resource-group $RG --record-set-name "www" --zone-name $zone --cname $afd_host
    
 # 2 Create certificate: 
    
 # https://github.com/shibayan/keyvault-acmebot/issues/232
    
 # 3 Add custom domain to Front Door and connect the certificate to the domain (i.e. enable HTTPS)
    
    
 # 3a is the domain pointing to the front door ?
     # default JSON output prints the bare boolean, so "true" is the value compared below
     has_domain=$(az network front-door check-custom-domain --resource-group $RG --name $AFD --host-name $zone --query customDomainValidated)
     has_cname=$(az network front-door check-custom-domain --resource-group $RG --name $AFD --host-name "www.${zone}" --query customDomainValidated)
    
 # 3b TODO: Find keyvault id, secret-name,secret id etc    
     # ARM resource id of the Key Vault; enable-https wants it as --vault-id (assumes one vault in $RG)
     kv_id=$(az keyvault list --resource-group $RG --query '[0].id' -o tsv)
    
     az keyvault certificate list --vault-name $KV 
    
     # "certificate show" takes a certificate id (or --vault-name/--name), not the vault id,
     # so this still needs the certificate name from the listing above:
     #     az keyvault certificate show --vault-name $KV --name ...
    
     az keyvault certificate get-default-policy 
    
 # 3c Enable HTTPS and attach the certificate to the domain. 
    
     if [[ "true" == $has_domain ]]; then
         az network front-door frontend-endpoint create --resource-group $RG --front-door-name $AFD --name $zone --host-name $zone
         az network front-door frontend-endpoint enable-https --resource-group $RG --front-door-name $AFD --name $zone --vault-id $kv_id --certificate-source AzureKeyVault --secret-name $NN --secret-version $XX
     fi
     if [[ "true" == $has_cname ]]; then
         az network front-door frontend-endpoint create --resource-group $RG --front-door-name $AFD --name "www.${zone}" --host-name "www.${zone}"
         az network front-door frontend-endpoint enable-https --resource-group $RG --front-door-name $AFD --name "www.${zone}" --vault-id $kv_id --certificate-source AzureKeyVault --secret-name $NN --secret-version $XX
     fi
        
 done
        
 # attach every frontend endpoint to each routing rule
 ALL_FRONTENDS=$(az network front-door frontend-endpoint list --resource-group $RG --front-door-name $AFD | jq -r '[.[].name]|join(" ")' )
 for RULE in $ROUTINGRULES; do
     echo "Adding ALL endpoints/domains to $RULE"
     az network front-door routing-rule update --resource-group $RG --front-door-name $AFD --name $RULE --frontend-endpoints $ALL_FRONTENDS
 done


PerSderlind-4328 answered:

BTW, if I could use Front Door managed certificates for apex domains, I would do that instead of using certificates in the keyvault, but Front Door managed certificates don't support apex domains.
