Create Let's Encrypt TLS with Azure DevOps Pipelines

GitHub

https://github.com/cloudelementsca/certbot-automation

Introduction

This guide shows how to configure an Azure DevOps (ADO) pipeline that issues and renews Let's Encrypt certificates using our GitHub repo. The scripts are designed for scenarios where a PaaS service is used with a custom domain and certbot cannot be installed on the platform itself.

Most cloud-native technologies are PaaS-based and allow only limited access to the underlying platform, which makes it difficult to run small peripheral tasks such as renewing the application's certificate. These scripts create and renew certificates and upload them to Azure Key Vault, from where the PaaS resources can consume them. Common scenarios that benefit from this are App Services or Azure Front Door with a custom domain.

Prerequisites

Guide

1. Import the GitHub repo into your ADO project.

2. Replace the values with your own:

    # Azure DNS Zone
    # /azure/az-renew-cert.ps1

    # Change these variables based on your domain info
    $domain             = "subdomain.cloudelements.ca"
    $certFileName       = "subdomain-cloudelements-ca"
    $email              = "info@cloudelements.ca" # Let's Encrypt account email
    $keyVaultName       = "snbdnstestkv"          # Key Vault to import the cert into
    $authHookPath       = "$($env:SYSTEM_DEFAULTWORKINGDIRECTORY)\azure\az-auth.ps1" # DNS-01 auth hook run by certbot
    $cleanupHookPath    = "$($env:SYSTEM_DEFAULTWORKINGDIRECTORY)\azure\cleanup.ps1" # removes the challenge record afterwards
    $env:AZ_DNS_RG_NAME = "DNSTestRg"       # resource group that holds the Azure DNS zone
    $env:TXT_NAME       = "_acme-challenge" # TXT record name used for the DNS-01 challenge

    # Shell, service provider, GoDaddy
    # /service-provider/renew-cert.sh

    # Change these variables based on your domain info
    domain="subdomain.cloudelements.ca"
    email="info@cloudelements.ca"                               # Let's Encrypt account email
    privkeypath="/etc/letsencrypt/live/$domain/privkey.pem"     # written by certbot
    fullchainpath="/etc/letsencrypt/live/$domain/fullchain.pem" # written by certbot
    certFileName="subdomain-cloudelements-ca.pfx"               # PFX bundle uploaded to Key Vault
    vaultname="snbdnstestkv"                                    # Key Vault to import the cert into
    cert_name="subdomain-cloudelements-ca"                      # certificate name inside Key Vault
    authHookPath="service-provider/godaddy-auth.sh"
    cleanupHookPath="service-provider/cleanup.sh"

    # /pipelines/az-pipeline.yml

    variables:
    - group: certbot-variables    # variable group created in step 4
    - name: serviceConnection
      value: "CloudElementsSpn"   # ADO service connection used to reach Azure


3. In ADO, navigate to Pipelines, create a new pipeline, and select the pipelines/az-pipeline.yml file from the imported repo.

4. Create a variable group named 'certbot-variables' and add the following secret variables:

5. Run the pipeline.
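As an added example (not the repository's az-auth.ps1 or godaddy-auth.sh), the following Python shows the contract a certbot manual auth hook and cleanup hook have to satisfy for the Azure DNS variant: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION, the pipeline supplies AZ_DNS_RG_NAME and TXT_NAME as configured above, and AZ_DNS_ZONE_NAME and HOOK_ACTION are assumed extra variables. The relative record name is checked to lie inside the zone before any az command is built, and the runner argument lets the az call be swapped out.

```python
import os
import subprocess
from typing import Callable, Dict, List, Optional

# Added example, not the repo's az-auth.ps1: what a certbot --manual-auth-hook
# (add-record) and --manual-cleanup-hook (remove-record) must do for Azure DNS.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION; AZ_DNS_RG_NAME and
# TXT_NAME come from the pipeline as in the guide; AZ_DNS_ZONE_NAME is assumed.

def txt_record_for(domain: str, zone: str, txt_name: str = "_acme-challenge") -> str:
    """Relative record-set name inside the zone, e.g. '_acme-challenge.subdomain'.
    Raises if the domain is outside the zone, so a wrong variable cannot create
    a record somewhere unexpected."""
    domain, zone = domain.rstrip(".").lower(), zone.rstrip(".").lower()
    if domain == zone:
        return txt_name
    if not domain.endswith("." + zone):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return f"{txt_name}.{domain[: -len(zone) - 1]}"

def az_txt_command(action: str, rg: str, zone: str, record: str, value: str) -> List[str]:
    """az CLI call that adds or removes one TXT value; a short TTL keeps the
    challenge record from lingering in caches after cleanup."""
    cmd = ["az", "network", "dns", "record-set", "txt", action,
           "--resource-group", rg, "--zone-name", zone,
           "--record-set-name", record, "--value", value]
    return cmd + ["--ttl", "60"] if action == "add-record" else cmd

def run_hook(env: Dict[str, str], action: str = "add-record",
             runner: Optional[Callable[[List[str]], None]] = None) -> List[str]:
    """Hook entry point; returns the command it ran (default: via the az CLI)."""
    required = ("CERTBOT_DOMAIN", "CERTBOT_VALIDATION", "AZ_DNS_RG_NAME", "AZ_DNS_ZONE_NAME")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise KeyError("missing hook variables: " + ", ".join(missing))
    record = txt_record_for(env["CERTBOT_DOMAIN"], env["AZ_DNS_ZONE_NAME"],
                            env.get("TXT_NAME", "_acme-challenge"))
    cmd = az_txt_command(action, env["AZ_DNS_RG_NAME"], env["AZ_DNS_ZONE_NAME"],
                         record, env["CERTBOT_VALIDATION"])
    (runner or (lambda c: subprocess.run(c, check=True)))(cmd)
    return cmd

if __name__ == "__main__":
    # certbot runs the same script for auth and cleanup; pick the action via
    # an env var set in the pipeline (HOOK_ACTION is assumed, not from the guide).
    run_hook(dict(os.environ), os.environ.get("HOOK_ACTION", "add-record"))
```

The service principal behind the pipeline's service connection only needs write access to the TXT record sets of that one zone, which is the permission scope these two commands actually exercise.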

References