dns_scripts for Azure CLI (pull/710/head)
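--- /dev/null
+++ b/<README path not shown on page>
@@ -0,0 +1,26 @@
+Using Azure for LetsEncrypt domain verification
+Guide for using Azure for LetsEncrypt domain verification.
+Prerequisites:
+- Azure CLI tools installed - see https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
+- Logged in with azure-cli - i.e. azure login
+Ensure dns_add_azure and dns_del_azure scripts are called when the DNS is validated by modifying the .getssl.cfg:
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND=dns_scripts/dns_add_azure # n.b use valid path
+DNS_DEL_COMMAND=dns_scripts/dns_del_azure
+The dns_add_azure and dns_del_azure scripts assume that the following environment variables are added to the configuration file:
+- AZURE_RESOURCE_GROUP - the name of the resource group that contains the DNS zone
+- AZURE_ZONE_ID - a comma-separated list of valid DNS zones. this allows the same certificate to be used across multiple top-level domains
+- AZURE_SUBSCRIPTION_ID - the name or ID of the subscription that AZURE_RESOURCE_GROUP is part of
+Each of these variables can be included in the .getssl.cfg, e.g:
+export AZURE_RESOURCE_GROUP=my-resource-group
+export AZURE_ZONE_ID=example.com,anotherdomain.com
+export AZURE_SUBSCRIPTION_ID=my-azure-subscriptin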
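--- /dev/null
+++ b/dns_scripts/dns_add_azure
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Set the TXT DNS record with azure-cli
+fulldomain="${1}"
+token="${2}"
+if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
+echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_ZONE_ID" ]]; then
+echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then
+echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
+exit 2
+fi
+# Determine which zone ID to use from AZURE_ZONE_IDs
+# Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
+IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
+for item in "${zone_ids[@]}"; do
+# If the full domain ends with the current zone ID
+[[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
+done
+if [ -z "$zone_id" ]; then
+echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
+exit 2
+fi
+az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+# Determine the recordset by removing the zone_id from the full domain and prefixing
+# with _acme-challenge.
+recordset="_acme-challenge.${fulldomain/.$zone_id/}"
+# The fulldomain should not be included in the recordset. It is used for subdomains.
+# E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
+# domain = example.com the record set is _acme-challenge
+[[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
+az network dns record-set txt add-record -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset" -v "$token"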
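Review bot: The zone lookup at `[[ "$fulldomain" =~ .*"${item}"$ ]]` is a bare suffix match, so a zone such as `example.com` also matches `notexample.com`, and when both `example.com` and `sub.example.com` are listed the last entry in AZURE_ZONE_ID wins rather than the longest match, so the challenge record can land in the wrong zone. Anchoring on a label boundary fixes the first part, `[[ "$fulldomain" == "$item" || "$fulldomain" == *."$item" ]] && zone_id="$item"`, and the recordset derivation should strip only the trailing zone, `recordset="_acme-challenge.${fulldomain%".$zone_id"}"`, instead of the first occurrence of `.$zone_id` anywhere in the name. The result of `az account set` is also never checked and the script has no `set -e`, so if the subscription switch fails the TXT record is added under whatever subscription was previously active; `az account set --subscription "$AZURE_SUBSCRIPTION_ID" || exit 2` prevents that. All three issues are present unchanged in dns_del_azure.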
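--- /dev/null
+++ b/dns_scripts/dns_del_azure
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Remove the TXT DNS record with azure-cli
+fulldomain="${1}"
+if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
+echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_ZONE_ID" ]]; then
+echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
+exit 2
+fi
+if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then
+echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
+exit 2
+fi
+# Determine which zone ID to use from AZURE_ZONE_IDs
+# Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
+IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
+for item in "${zone_ids[@]}"; do
+# If the full domain ends with the current zone ID
+[[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
+done
+if [ -z "$zone_id" ]; then
+echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
+exit 2
+fi
+az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+# Determine the recordset by removing the zone_id from the full domain and prefixing
+# with _acme-challenge.
+recordset="_acme-challenge.${fulldomain/.$zone_id/}"
+# The fulldomain should not be included in the recordset. It is used for subdomains.
+# E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
+# domain = example.com the record set is _acme-challenge
+[[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
+az network dns record-set txt delete --yes -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset"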
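Review bot: The three guard messages starting at `AZURE_RESOURCE_GROUP is not set. Unable to set TXT records.` were copied from the add script and still say "set" in a script that removes records, which makes getssl's output misleading when the cleanup step fails; they should read `Unable to remove TXT records.` and go to stderr, e.g. `echo "AZURE_RESOURCE_GROUP is not set. Unable to remove TXT records." >&2`. The closing `az network dns record-set txt delete --yes` also removes the whole record set named by `$recordset` rather than the single value that dns_add_azure appended with `add-record`, so if two challenges share a record-set name (the apex and its wildcard, for instance) one cleanup can discard a token that is still being validated; if getssl passes the token as `$2` to the delete command as it does for add, `az network dns record-set txt remove-record` with that value would be the narrower counterpart, which is worth confirming against the CLI version in use. The suffix-match and unchecked `az account set` issues raised on dns_add_azure apply here unchanged.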