
[Tools] Automating Let's Encrypt Certificate Management with Azure Key Vault and Cloudflare

Published: at 12:00 PM

Introduction

Custom domain names enhance the professionalism and credibility of applications hosted on Azure services. However, associating a custom domain requires a trusted SSL/TLS certificate. For development and sandbox environments used internally by development teams, leveraging Let’s Encrypt certificates offers a convenient and automated solution. Let’s Encrypt provides free SSL certificates, but they have a short lifespan of only 90 days, necessitating frequent renewals.

To streamline this process, I’ve developed a tool that automates the generation and renewal of Let’s Encrypt certificates specifically for development and sandbox environments. The tool detects expiring certificates and renews only those that are nearing expiration, ensuring efficient management. The new certificates are securely imported into Azure Key Vault, allowing seamless integration with Azure resources such as Azure API Management and Azure Front Door. To eliminate manual intervention entirely, the tool runs as a monthly cron job on Azure Kubernetes Service (AKS).

Why Automate Certificate Management?

Manually managing short-lived Let’s Encrypt SSL certificates can be time-consuming and error-prone, especially when dealing with multiple domains and environments. Automating the certificate management process offers several significant advantages:

How It Works

The tool automates SSL certificate management by running as a monthly cron job on AKS. It handles the entire lifecycle of SSL certificates, from detection of impending expiration to deployment of new certificates. The workflow is as follows:

  1. Check Certificate Expiration: The tool scans all certificates stored in Azure Key Vault to determine their expiration dates.

  2. Generate New Certificates: For certificates nearing expiration, the tool requests new SSL certificates from Let’s Encrypt.

  3. DNS Challenge via Cloudflare: The tool integrates with Cloudflare to perform DNS challenges required by Let’s Encrypt to validate domain ownership.

  4. Import Certificates to Azure Key Vault: The newly obtained certificates are securely imported into Azure Key Vault, replacing the old certificates.

  5. Automated Monthly Execution: The tool is scheduled to run monthly on AKS, ensuring that certificates are kept up-to-date with minimal manual effort.
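The renewal decision in steps 1 and 2 depends on a number the page leaves open: how many days before expiry a certificate counts as "nearing expiration". With a 90-day lifetime and a job that runs on the 1st of each month, that threshold has to be longer than the longest gap between two runs (31 days), otherwise a certificate can expire before the run that would have renewed it. The Python below is an added illustration, not code from the tool: it implements the selection step over a constructed Key Vault inventory and replays two years of monthly runs to check a threshold for gaps. `RENEW_THRESHOLD_DAYS`, `CertRecord`, `SAMPLE_CERTS` and `SAMPLE_NOW` are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CERT_LIFETIME_DAYS = 90     # Let's Encrypt certificate lifetime
RENEW_THRESHOLD_DAYS = 45   # assumed renewal window; must exceed the longest gap between runs (31 days)


def utc(year, month, day):
    """Midnight UTC on the given date, the instant a "0 0 1 * *" cron job starts."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a Key Vault certificate: its name and notAfter date (constructed)."""
    name: str
    not_after: datetime


# Constructed sample inventory standing in for the Key Vault listing.
SAMPLE_CERTS = [
    CertRecord("api-example-com", utc(2025, 3, 20)),
    CertRecord("wildcard-example-com", utc(2025, 6, 1)),
]
SAMPLE_NOW = utc(2025, 3, 1)


def days_remaining(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (cert.not_after - now).days


def select_for_renewal(certs, now, threshold_days=RENEW_THRESHOLD_DAYS):
    """Steps 1 and 2: names of certificates with threshold_days or fewer days left."""
    return [c.name for c in certs if days_remaining(c, now) <= threshold_days]


def next_monthly_run(run):
    """First day of the following month at 00:00 UTC."""
    year, month = (run.year + 1, 1) if run.month == 12 else (run.year, run.month + 1)
    return utc(year, month, 1)


def simulate_monthly_runs(threshold_days, start=utc(2025, 1, 1), months=24,
                          lifetime_days=CERT_LIFETIME_DAYS):
    """Issue a certificate at `start`, then replay `months` monthly runs.

    Returns (lapses, min_margin): lapses counts runs that found the certificate
    already expired (zero days left counts, because the real job needs time to
    finish); min_margin is the smallest remaining lifetime at which a renewal was
    triggered, i.e. the safety margin the threshold actually delivers.
    """
    run = start
    not_after = run + timedelta(days=lifetime_days)
    lapses = 0
    min_margin = lifetime_days
    for _ in range(months):
        run = next_monthly_run(run)
        remaining = (not_after - run).days
        if remaining <= 0:
            lapses += 1
        if remaining <= threshold_days:
            min_margin = min(min_margin, remaining)
            not_after = run + timedelta(days=lifetime_days)   # renewed on this run
    return lapses, min_margin


if __name__ == "__main__":
    print("due now:", select_for_renewal(SAMPLE_CERTS, SAMPLE_NOW))
    for threshold in (30, 45):
        lapses, margin = simulate_monthly_runs(threshold)
        print(f"threshold {threshold}d: {lapses} lapses over 24 runs, min margin {margin}d")
```

Running the simulation with a 30-day threshold shows a run that arrives exactly at expiry (January to April is 90 days, so the March run sees 31 days left and does nothing); a 45-day threshold never lapses and renews with roughly four weeks to spare. In a real implementation the `not_after` values would come from the Key Vault listing (with the Azure SDK for Python, `CertificateProperties.expires_on`); the page's own tool is not Python, and the SDK call is only mentioned here as where the input would come from.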

Setting Up Cloudflare DNS API Token

To enable the tool to perform DNS challenges for domain validation, you need to create a Cloudflare API token with permissions to manage DNS records.

  1. Create an API Token:

    • Log in to your Cloudflare account and navigate to your profile.
    • Go to the API Tokens section of your profile.
    • Click on “Create Token”.
  2. Configure Token Permissions:

    • Permissions: Grant Zone > DNS > Edit permissions.
    • Zone Resources: Select Specific Zone and choose the domain(s) you want to manage.
  3. Client IP Address Filtering (Optional but Recommended):

    • For enhanced security, specify the AKS cluster’s public IP address under “Client IP Address Filtering” in the token settings.
    • This restricts API token usage to requests originating from your AKS cluster, preventing unauthorized access.
  4. Save the Token:

    • Generate the token and copy it. You’ll need it for the tool’s configuration.
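The Zone > DNS > Edit permission is needed because step 3 of the workflow has the tool create, and after validation remove, a TXT record that Let's Encrypt looks up. The content of that record is fixed by the ACME protocol (RFC 8555): base64url of the SHA-256 of the key authorization `token "." thumbprint`, published at `_acme-challenge.<domain>`, where a wildcard name is validated at its base domain. The Python below is an added illustration, not code from the tool: it derives the record from a constructed account-key JWK and challenge token and assembles the Cloudflare v4 DNS-record request that the token above authorizes. `SAMPLE_JWK`, `SAMPLE_TOKEN` and the function names are assumptions of this example.

```python
import base64
import hashlib
import json
import urllib.request

CLOUDFLARE_API = "https://api.cloudflare.com/client/v4"

# Constructed ACME account key (public part only, values are made up) and
# a constructed challenge token; real ones come from the ACME server.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_value(token: str, thumbprint: str) -> str:
    """TXT content for dns-01: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record; a wildcard identifier is validated at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def build_txt_record(domain: str, token: str, thumbprint: str, ttl: int = 120) -> dict:
    """Body for POST /zones/{zone_id}/dns_records; a short TTL keeps cleanup quick."""
    return {
        "type": "TXT",
        "name": dns01_record_name(domain),
        "content": dns01_record_value(token, thumbprint),
        "ttl": ttl,
    }


def publish_txt_record(zone_id: str, api_token: str, record: dict) -> dict:
    """Create the record via the Cloudflare API (network call, not exercised below)."""
    req = urllib.request.Request(
        f"{CLOUDFLARE_API}/zones/{zone_id}/dns_records",
        data=json.dumps(record).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    for domain in ("api.example.com", "*.example.com"):
        print(json.dumps(build_txt_record(domain, SAMPLE_TOKEN, thumb), indent=2))
```

`publish_txt_record` is the only network call and is not run by the sample `main`. Removing the record afterwards is a `DELETE` on `/zones/{zone_id}/dns_records/{record_id}`, which is why the token needs Edit rather than Read on the zone. When an order covers both `example.com` and `*.example.com`, two TXT records with the same owner name (one per challenge token) are published side by side.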

Cloudflare API Token Creation

Configuration

The tool is configured using environment variables or a JSON configuration file. Here’s an example appsettings.json file:

{
  "CertManager": {
    "ProductionEnabled": true,
    "CfEmail": "[email protected]",
    "CfToken": "YOUR_CLOUDFLARE_API_TOKEN",
    "ZoneId": "YOUR_CLOUDFLARE_ZONE_ID",
    "LetsEncryptEmail": "[email protected]",
    "Domains": ["api.example.com", "*.example.com"],
    "CertInfo": {
      "CountryName": "SG",
      "State": "Singapore",
      "Locality": "Singapore",
      "Organization": "YourOrganization",
      "OrganizationUnit": "YourUnit"
    },
    "KeyVaultUrl": "https://your-keyvault-name.vault.azure.net/",
    "KeyVaultUID": "OPTIONAL_USER_ASSIGNED_IDENTITY_CLIENT_ID"
  }
}

Configuration Parameters Explained:

Deploying to AKS

Prerequisites

Granting Key Vault Access to AKS UAMI

Before deploying the tool, you need to grant your AKS cluster’s UAMI the necessary permissions to access Azure Key Vault:

  1. Identify the AKS Agent Pool UAMI:

    • In the Azure portal, navigate to your AKS cluster.
    • Under Settings, select Identity.
    • Note the Client ID of the User Assigned identity associated with your node pools.

AKS User Assigned Managed Identity

  2. Grant Key Vault Permissions:

    • Navigate to your Azure Key Vault.
    • Select Access control (IAM).
    • Click on “Add role assignment”.
    • In the Role dropdown, select “Key Vault Certificates Officer”.
    • Click Next and select the AKS UAMI as the Member.
    • Review and assign the role.

By granting the Key Vault Certificates Officer role to your AKS UAMI, you allow the tool running on AKS to manage certificates within the Key Vault.

Deploying the Tool Using Helm

Assuming you are using Helm for deployment, you can update your Helm chart values file with the necessary configurations.

Here’s an example values.yaml file:

services:
  cert-renewal:
    image: baoduy2412/keyvault-letsencrypt:latest
    environment:
      CertManager__ProductionEnabled: "true"
      CertManager__CfEmail: "[email protected]"
      CertManager__CfToken: "YOUR_CLOUDFLARE_API_TOKEN"
      CertManager__ZoneId: "YOUR_CLOUDFLARE_ZONE_ID"
      CertManager__LetsEncryptEmail: "[email protected]"
      CertManager__Domains__0: "api.example.com"
      CertManager__Domains__1: "*.example.com"
      CertManager__CertInfo__CountryName: "SG"
      CertManager__CertInfo__State: "Singapore"
      CertManager__CertInfo__Locality: "Singapore"
      CertManager__CertInfo__Organization: "YourOrganization"
      CertManager__CertInfo__OrganizationUnit: "YourUnit"
      CertManager__KeyVaultUrl: "https://your-keyvault-name.vault.azure.net/"
      CertManager__KeyVaultUID: "OPTIONAL_USER_ASSIGNED_IDENTITY_CLIENT_ID"
    schedule: "0 0 1 * *" # Runs on the 1st of every month at midnight
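The `CertManager__...` names in values.yaml are the environment-variable form of the appsettings.json tree shown under Configuration: the .NET configuration provider splits each name on `__` to rebuild the section path, and array elements become numeric keys (`Domains__0`, `Domains__1`). The Python below is an added illustration, not part of the tool: it performs that flattening on a constructed copy of the sample configuration, flags values that are still placeholders, and separates the Cloudflare token so it can be supplied from a Kubernetes Secret instead of being written into values.yaml. `PLACEHOLDER_MARKERS`, `SECRET_KEYS` and the sample e-mail addresses are assumptions of this example.

```python
import json

# Constructed copy of the sample appsettings.json (e-mail addresses are made up).
SAMPLE_APPSETTINGS = json.loads("""
{
  "CertManager": {
    "ProductionEnabled": true,
    "CfEmail": "ops@example.com",
    "CfToken": "YOUR_CLOUDFLARE_API_TOKEN",
    "ZoneId": "YOUR_CLOUDFLARE_ZONE_ID",
    "LetsEncryptEmail": "ops@example.com",
    "Domains": ["api.example.com", "*.example.com"],
    "CertInfo": {
      "CountryName": "SG",
      "State": "Singapore",
      "Locality": "Singapore",
      "Organization": "YourOrganization",
      "OrganizationUnit": "YourUnit"
    },
    "KeyVaultUrl": "https://your-keyvault-name.vault.azure.net/",
    "KeyVaultUID": "OPTIONAL_USER_ASSIGNED_IDENTITY_CLIENT_ID"
  }
}
""")

# Substrings that mark a value as not yet filled in (assumed convention).
PLACEHOLDER_MARKERS = ("YOUR_", "OPTIONAL_")
# Keys that belong in a Kubernetes Secret, not in values.yaml (assumption).
SECRET_KEYS = frozenset({"CertManager__CfToken"})


def flatten_config(node, prefix=""):
    """Flatten a configuration tree into Section__Key__Index environment-variable names."""
    env = {}
    if isinstance(node, dict):
        for key, value in node.items():
            env.update(flatten_config(value, f"{prefix}__{key}" if prefix else key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            env.update(flatten_config(value, f"{prefix}__{index}"))
    elif isinstance(node, bool):          # before str(): JSON true must become "true"
        env[prefix] = "true" if node else "false"
    else:
        env[prefix] = str(node)
    return env


def unresolved_placeholders(env):
    """Names whose values still carry a placeholder marker, sorted for stable output."""
    return sorted(k for k, v in env.items() if any(m in v for m in PLACEHOLDER_MARKERS))


def split_secrets(env, secret_keys=SECRET_KEYS):
    """Return (plain, secrets): values safe for values.yaml and values for a Secret."""
    plain = {k: v for k, v in env.items() if k not in secret_keys}
    secrets = {k: v for k, v in env.items() if k in secret_keys}
    return plain, secrets


def render_env_lines(env):
    """Render as the `KEY: "value"` lines used under `environment:` in values.yaml."""
    return [f"{key}: {json.dumps(value)}" for key, value in env.items()]


if __name__ == "__main__":
    env = flatten_config(SAMPLE_APPSETTINGS)
    plain, secrets = split_secrets(env)
    print("\n".join(render_env_lines(plain)))
    print("supply via Secret:", sorted(secrets))
    print("still placeholders:", unresolved_placeholders(env))
```

The rendered lines match the `environment:` block above, minus `CertManager__CfToken`, which the sample run reports separately so it can be mounted from a Secret; the placeholder check is a cheap pre-deploy gate against shipping `YOUR_...` values into the cluster.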

Notes:

Deploying the Helm Chart

  1. Update Helm Repositories:

    helm repo update
    
  2. Deploy or Upgrade the Chart:

    helm upgrade --install cert-renewal ./path-to-your-chart -f values.yaml
    

Replace ./path-to-your-chart with the path to your Helm chart.

Conclusion

Managing SSL certificates for Azure resources with custom domains can be challenging due to the frequent renewal requirements of Let’s Encrypt certificates. This tool automates the entire process of certificate generation, validation, and deployment, significantly simplifying SSL certificate management for development and sandbox environments.

By running as a monthly cron job on AKS, it ensures that your certificates are always up-to-date without manual intervention. The integration with Azure Key Vault enhances security by providing centralized and secure storage of your certificates, which can be accessed by other Azure services as needed.

Leveraging Infrastructure as Code for Deployment

Once the certificates are stored in Azure Key Vault, you can further automate the deployment process by using infrastructure as code (IaC) tools like Pulumi or Terraform. These tools can retrieve the certificates from Key Vault and deploy them to your Azure resources automatically. By incorporating this into your IaC pipelines, you ensure that any updates to the certificates are seamlessly propagated to services like Azure API Management, Azure Front Door, or Azure Application Gateway, maintaining consistent and secure configurations across your infrastructure.

Key Benefits:

Give it a try and simplify your SSL certificate management process!


Resources:


Thank You

Thank you for taking the time to read this guide! I hope it has been helpful; feel free to explore further, and happy coding! 🌟✨

Steven GitHub