Front Door, enable-https for custom domain with certificate in AzureKeyVault

Per Søderlind 1 Reputation point
2021-01-28T19:12:59.163+00:00

Enabling HTTPS and adding a certificate from my keyvault works fine using the portal (i.e. I have the access rights needed).

I'm trying to do the same using az but can't find an explanation on how to do:

az network front-door frontend-endpoint enable-https --resource-group $RG \
    --front-door-name $AFD \
    --name $name \
    --vault-id $kv_id \
    --certificate-source AzureKeyVault \
    --secret-name $NN \
    --secret-version $XX

Especially, how do I retrieve $NN and $XX using az keyvault ... ?


3 answers

  1. Andriy Bilous 11,006 Reputation points MVP
    2021-01-28T21:05:59.26+00:00

    Hello @Per Søderlind
    You want to retrieve secret-name and secret-version from AzureKeyVault.
    Here is a list of az keyvault secret commands
    https://learn.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#commands

    However, I am not sure how you want to get the secret name and its version in AzureKeyVault without knowing the secret's name or id.


  2. Per Søderlind 1 Reputation point
    2021-01-28T23:22:41.37+00:00

    I know, it's a catch-22. I'm adding the certificate using code, so how can I get its secret name and id?

    The reason why I'm doing this is that I'm onboarding 50+ custom domains, and doing that via the portal will take too much time.

    My script so far is below; it's paperware at the moment, i.e. not tested:

    In 3b (in the comments) I need to find the secret name ($NN) and secret id ($XX) so I can use them in 3c.

    # zone file = domain name.
    for zone_file in "$zone_dir"/*
    do
        # the loop variable is a path; the file name itself is the domain name
        zone=$(basename "$zone_file")
        # Front Door frontend endpoint names allow only letters, digits and hyphens, so dots are replaced
        ep_name="${zone//./-}"

    # 1 Update DNS, point apex and www to the front door
        printf "\nUpdating %s\n" "$zone"

        front_door_id=$(az network front-door show --resource-group "$RG" --name "$AFD" --query id -o tsv)

        az network dns record-set a update --resource-group "$RG" --name "@" --zone-name "$zone" --target-resource "$front_door_id"
        az network dns record-set cname set-record --resource-group "$RG" --record-set-name "www" --zone-name "$zone" --cname "$afd_host"

    # 2 Create certificate:

    # https://github.com/shibayan/keyvault-acmebot/issues/232

    # 3 Add custom domain to Front Door and connect the certificate to the domain (i.e. enable HTTPS)

    # 3a is the domain pointing to the front door ?
        has_domain=$(az network front-door check-custom-domain --resource-group "$RG" --name "$AFD" --host-name "$zone" --query customDomainValidated -o tsv)
        has_cname=$(az network front-door check-custom-domain --resource-group "$RG" --name "$AFD" --host-name "www.${zone}" --query customDomainValidated -o tsv)

    # 3b TODO: Find keyvault id, secret-name, secret id etc
        # an assignment must not start with '$'; join("") only gives a usable id if the group holds exactly one vault
        kv_id=$(az keyvault list --resource-group "$RG" | jq -r '[.[].id]|join("")')

        az keyvault certificate list --vault-name "$KV"

        # NB: --id expects a certificate id, not the vault id, so this still needs the certificate's own id
        az keyvault certificate show --id "$kv_id"

        az keyvault certificate get-default-policy

    # 3c Enable HTTPS and attach the certificate to the domain.

        if [[ "true" == "$has_domain" ]]; then
            az network front-door frontend-endpoint create --resource-group "$RG" --front-door-name "$AFD" --name "$ep_name" --host-name "$zone"
            az network front-door frontend-endpoint enable-https --resource-group "$RG" --front-door-name "$AFD" --name "$ep_name" --vault-id "$kv_id" --certificate-source AzureKeyVault --secret-name "$NN" --secret-version "$XX"
        fi
        if [[ "true" == "$has_cname" ]]; then
            az network front-door frontend-endpoint create --resource-group "$RG" --front-door-name "$AFD" --name "www-${ep_name}" --host-name "www.${zone}"
            az network front-door frontend-endpoint enable-https --resource-group "$RG" --front-door-name "$AFD" --name "www-${ep_name}" --vault-id "$kv_id" --certificate-source AzureKeyVault --secret-name "$NN" --secret-version "$XX"
        fi

    done

    ALL_FRONTENDS=$(az network front-door frontend-endpoint list --resource-group "$RG" --front-door-name "$AFD" | jq -r '[.[].name]|join(" ")')
    for RULE in $ROUTINGRULES; do
        echo "Adding ALL endpoints/domains to $RULE"
        az network front-door routing-rule update --resource-group "$RG" --front-door-name "$AFD" --name "$RULE" --frontend-endpoints $ALL_FRONTENDS
    done
    
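One way to fill in step 3b, added here as an example and not part of the thread or of the Azure CLI documentation: the secret name and secret version that enable-https asks for are the two trailing path segments of the certificate's secret identifier (the `sid` field that `az keyvault certificate show` returns, of the form `https://<vault>.vault.azure.net/secrets/<name>/<version>`). The parsing below is plain shell so it can be checked without an Azure login; `cert_secret_id` is an assumed wrapper around the real CLI and is not exercised offline, and the vault name, certificate name and sample identifier are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: derive --secret-name / --secret-version for
# 'az network front-door frontend-endpoint enable-https' from a Key Vault
# certificate's secret identifier. Not code from the thread or from Microsoft.
set -eu

# Pure string parsing of a secret identifier:
#   https://<vault>.vault.azure.net/secrets/<name>/<version>
# Prints "<name> <version>" on one line; returns 1 if the id is not a
# versioned secret id (e.g. a certificate id or an unversioned secret id).
parse_secret_id() {
    sid="$1"
    path="${sid#https://}"      # drop the scheme
    path="${path#*/}"           # drop the host -> secrets/<name>/<version>
    case "$path" in
        secrets/*/*) ;;
        *) echo "not a versioned Key Vault secret id: $sid" >&2; return 1 ;;
    esac
    rest="${path#secrets/}"
    name="${rest%%/*}"          # first segment after 'secrets/'
    version="${rest#*/}"
    version="${version%%/*}"    # second segment, ignore anything after it
    [ -n "$name" ] && [ -n "$version" ] || return 1
    printf '%s %s\n' "$name" "$version"
}

# Convenience accessors for use in the onboarding script ($NN and $XX).
secret_name()    { parse_secret_id "$1" | cut -d' ' -f1; }
secret_version() { parse_secret_id "$1" | cut -d' ' -f2; }

# Assumed wrapper around the real CLI (requires 'az login'); not run offline.
# $1 = Key Vault name, $2 = certificate name in that vault.
cert_secret_id() {
    az keyvault certificate show --vault-name "$1" --name "$2" --query sid -o tsv
}

# Constructed sample in the shape the CLI returns; the vault and names are placeholders.
SAMPLE_SID='https://contoso-kv.vault.azure.net/secrets/example-com/0123456789abcdef0123456789abcdef'

# How the pieces plug into step 3b/3c of the script (assumed names, needs a login):
#   KV=contoso-kv; CERT=example-com
#   kv_id=$(az keyvault show --name "$KV" --query id -o tsv)
#   sid=$(cert_secret_id "$KV" "$CERT")
#   NN=$(secret_name "$sid")
#   XX=$(secret_version "$sid")
#   az network front-door frontend-endpoint enable-https ... --vault-id "$kv_id" \
#       --certificate-source AzureKeyVault --secret-name "$NN" --secret-version "$XX"
```

The secret name is simply the name the certificate was created under in the vault, and the version is the 32-character hex id Key Vault assigns to that certificate version, so a renewed certificate (a new version) means rerunning enable-https with the new `$XX`. Taking `--vault-id` from `az keyvault show --name "$KV" --query id -o tsv` is also safer than joining every vault id in the resource group, which silently produces a concatenated, invalid id as soon as the group holds a second vault.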

  3. Per Søderlind 1 Reputation point
    2021-01-29T00:19:19.883+00:00

    BTW, if I could use Front Door managed certificates for apex domains, I would do that instead of using certificates in the keyvault, but Front Door managed certificates don't support apex domains.
