dns_scripts for Azure CLIpull/710/head
| @ -0,0 +1,26 @@ | |||
| Using Azure for LetsEncrypt domain verification | |||
| Guide for using Azure for LetsEncrypt domain verification. | |||
| Prerequisites: | |||
| - Azure CLI tools installed - see https://docs.microsoft.com/en-us/cli/azure/install-azure-cli | |||
| - Logged in with azure-cli - i.e. azure login | |||
| Ensure dns_add_azure and dns_del_azure scripts are called when the DNS is validated by modifying the .getssl.cfg: | |||
| VALIDATE_VIA_DNS=true | |||
| DNS_ADD_COMMAND=dns_scripts/dns_add_azure # n.b use valid path | |||
| DNS_DEL_COMMAND=dns_scripts/dns_del_azure | |||
| The dns_add_azure and dns_del_azure scripts assume that the following environment variables are added to the configuration file: | |||
| - AZURE_RESOURCE_GROUP - the name of the resource group that contains the DNS zone | |||
| - AZURE_ZONE_ID - a comma-separated list of valid DNS zones. this allows the same certificate to be used across multiple top-level domains | |||
| - AZURE_SUBSCRIPTION_ID - the name or ID of the subscription that AZURE_RESOURCE_GROUP is part of | |||
| Each of these variables can be included in the .getssl.cfg, e.g: | |||
| export AZURE_RESOURCE_GROUP=my-resource-group | |||
| export AZURE_ZONE_ID=example.com,anotherdomain.com | |||
| export AZURE_SUBSCRIPTION_ID=my-azure-subscriptin | |||
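--- a/dns_scripts/dns_add_azure
+++ b/dns_scripts/dns_add_azure
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Set the TXT DNS record with azure-cli
+fulldomain="${1}"
+token="${2}"
+if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
+echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_ZONE_ID" ]]; then
+echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then
+echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
+exit 2
+fi
+# Determine which zone ID to use from AZURE_ZONE_IDs
+# Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
+IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
+for item in "${zone_ids[@]}"; do
+# If the full domain ends with the current zone ID
+[[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
+done
+if [ -z "$zone_id" ]; then
+echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
+exit 2
+fi
+az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+# Determine the recordset by removing the zone_id from the full domain and prefixing
+# with _acme-challenge.
+recordset="_acme-challenge.${fulldomain/.$zone_id/}"
+# The fulldomain should not be included in the recordset. It is used for subdomains.
+# E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
+# domain = example.com the record set is _acme-challenge
+[[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
+az network dns record-set txt add-record -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset" -v "$token"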
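Review bot: The zone lookup `[[ "$fulldomain" =~ .*"${item}"$ ]]` is a bare suffix match, so `AZURE_ZONE_ID=example.com` also matches `notexample.com`, after which `${fulldomain/.$zone_id/}` strips nothing and the TXT record is written at `_acme-challenge.notexample.com` inside the example.com zone; and because the loop keeps the last match rather than the longest, listing both `example.com` and `sub.example.com` can put `host.sub.example.com`'s record in the parent zone instead of the delegated one. `az account set` is also unchecked, so if it fails the add-record call runs against whatever subscription happens to be active. Match on a label boundary, keep the longest zone, strip the zone only as a suffix, and abort when the subscription switch fails; the `_acme-challenge` apex fallback can stay as written. The checks that stdout diagnostics should go to stderr and that `${AZURE_ZONE_ID[@]}` is a scalar are minor by comparison.
```shell
# Pick the longest configured zone that is fulldomain itself or ends it on a
# label boundary, so example.com never matches notexample.com and the most
# specific (delegated) zone wins over its parent.
IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
zone_id=""
for item in "${zone_ids[@]}"; do
  if [[ "$fulldomain" == "$item" || "$fulldomain" == *".$item" ]]; then
    [[ ${#item} -gt ${#zone_id} ]] && zone_id="$item"
  fi
done
# … unchanged: empty-zone_id check …
az account set --subscription "$AZURE_SUBSCRIPTION_ID" || exit 2
# Strip the zone only as a suffix, not the first occurrence anywhere in the name.
recordset="_acme-challenge.${fulldomain%."$zone_id"}"
# … unchanged: apex fallback and add-record call …
```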
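--- a/dns_scripts/dns_del_azure
+++ b/dns_scripts/dns_del_azure
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Remove the TXT DNS record with azure-cli
+fulldomain="${1}"
+if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
+echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_ZONE_ID" ]]; then
+echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then
+echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
+exit 2
+fi
+# Determine which zone ID to use from AZURE_ZONE_IDs
+# Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
+IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
+for item in "${zone_ids[@]}"; do
+# If the full domain ends with the current zone ID
+[[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
+done
+if [ -z "$zone_id" ]; then
+echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
+exit 2
+fi
+az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+# Determine the recordset by removing the zone_id from the full domain and prefixing
+# with _acme-challenge.
+recordset="_acme-challenge.${fulldomain/.$zone_id/}"
+# The fulldomain should not be included in the recordset. It is used for subdomains.
+# E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
+# domain = example.com the record set is _acme-challenge
+[[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
+az network dns record-set txt delete --yes -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset"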
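Review bot: `az network dns record-set txt delete --yes` on the last line removes the entire record set, not just this validation's token, so whenever two names in one certificate collapse to the same record set (the in-file comment implies `example.com` and `*.example.com` both become `_acme-challenge`) the cleanup after the first validation deletes the other's still-pending value, and any unrelated TXT values already at that name are lost as well. If getssl passes the token as `$2` to the delete command as it does to the add script, read it with `token="${2}"` and remove only that value: `az network dns record-set txt remove-record -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset" -v "$token"`. The unchecked `az account set` and the dot-boundary-free suffix match in the zone loop are the same as in dns_add_azure and are worth fixing in both, since here a wrong match deletes a record set in the wrong zone or subscription. The three "Unable to set TXT records." messages were copied from the add script and should say "remove".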