certbot version 2.3.0
certbot-dns-azure version 1.5.0

While trying to update certs I noticed something peculiar.
certbot renew --cert-name test.domain.com
This tried to create the _acme_challenge TXT post in domain.com, not test.domain.com which I expected.

So I took a look at azure.ini

dns_azure_zone4 = domain.io:/subscriptions//resourceGroups/group-dns?
dns_azure_zone5 = prod.domain.io:/subscriptions//resourceGroups/group-dns
dns_azure_zone6 = test.domain.io:/subscriptions//resourceGroups/group-dns

Could it be that the top domain incorrectly got selected? I switched the order to have the top domain last.

dns_azure_zone4 = prod.domain.io:/subscriptions//resourceGroups/group-dns
dns_azure_zone5 = test.domain.io:/subscriptions//resourceGroups/group-dns
dns_azure_zone6 = domain.io:/subscriptions//resourceGroups/group-dns?

Now the renew command works fine, the _acme post ends up in the DNS for test.domain.io instead, so azure.ini seems to be order dependant.

I read through the documentation here:
https://certbot-dns-azure.readthedocs.io/en/latest/
But I could find that the azure.ini file is supposed to be order dependent and there were no examples reflecting my use case with both subdomains and the top domain.

I took a look at certbot-dns-azure code, added comments of how I understand the flow.

def _get_ids_for_domain(self, domain: str):
        # domain_zoneid.items format
        # key: domain.io 
        # value: /subscriptions/<subscription-id>/resourceGroups/group-dns

        # I'm assuming the domain argument is what I'm supplying on commandline
        # ie test.domain.io

        try:
            for azure_dns_domain, resource_group in self.domain_zoneid.items():
                # If the first item in the list is the top domain
                # azure_dns_domain = domain.io
                # resource_group = /subscriptions/<subscription-id>/resourceGroups/group-dns 

                # Look to see if domain ends with key, to cover subdomains
                if domain.endswith(azure_dns_domain):
                    # if "test.domain.io" ends with "domain.io"
                    # Ok, my sub domain ends with the first item in the list which is the top domain.

                    subscription_id = resource_group.split('/')[2]
                    # subscription_id = <subscription-id>
                    rg_name = resource_group.split('/')[4]
                    # rg_name = group_dns
                    return azure_dns_domain, subscription_id, rg_name
                    # return domain.io, <subscription-id>, group_dns

It seems this function will return the top domain, rather than the subdomain, if the top domain comes first in the list.
The _perform function seems to use the return azure_dns_domain, while printing error messages using the domain.

I am trying to renew a certificate, and the DNS TXT record is not getting set for one of my two DNS zones. There have been some other similar resolved issues (#9, #35) but I'm still having a problem.

n.b. some information is redacted below and I changed the domain name to mywebsite.

I have 2 Azure DNS Zones, mywebsite.com and pages.mywebsite.com. When I look on the Azure dashboard, I can see two DNS TXT records getting added to the mywebsite.com zone, but I don't see any records for pages.mywebsite.com. See screenshots below.

mywebsite.com DNS Zone

pages.mywebsite.com DNS Zone

sudo /usr/local/bin/certbot certificates Output

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mywebsite.com
    Serial Number: xxx
    Key Type: RSA
    Domains: *.mywebsite.com *.pages.mywebsite.com
    Expiry Date: 2023-06-13 23:02:30+00:00 (VALID: 1 day)
    Certificate Path: /etc/letsencrypt/live/mywebsite.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mywebsite.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

sudo /usr/local/bin/certbot renew --dry-run Output

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mywebsite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for *.mywebsite.com and *.pages.mywebsite.com
Waiting 10 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-azure). The Certificate Authority reported these problems:
  Domain: pages.mywebsite.com
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.pages.mywebsite.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-azure. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-azure-propagation-seconds (currently 10 seconds).

Failed to renew certificate mywebsite.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mywebsite.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

As you can see, the mywebsite.com zone has 2 entries, one called _acme-challenge and one called _acme-challenge.pages. I'm pretty sure the _acme-challenge.pages one is supposed to be in the other DNS zone.

I'm not sure how to set up the configuration to fix this. I have had these certificates auto-renewing via a cron job for over a year, so I'm not sure why it failed now.

I have been changing around my certbot and certbot-dns-azure versions to try to fix this. I started today on certbot version 1.14.0 and certbot-dns-azure version 1.0.1, but I tried updating to the latest (certbot 2.6.0 and certbot-dns-azure 2.1.0). I also tried updating to certbot-dns-azure 2.2.0b0, which reverted my certbot to 2.6.0... Not sure what version to use now.

Hi, thanks for your work on this, I've been able to certify multiple subdomains successfully in different dns regions. However, I've noticed an odd bug (?) where some domains won't get a DNS record at all in Azure unless they are placed at the start of the list of certbot domains. I.e. -d flakey-subdomain-1 -d flakey-subdomain-2.

So far I've not been able to identify why this might be and I'm concerned that it may fail in the future. Is there anything I can try to figure out what would cause this?

The list of domains are in the following format:
*.[different].subdomain.domain.com

Thank you
Charles

Hi,

Any chance of adding this as a Snap package? I have Certbot installed using Snap and cannot use this plugin because of that.

Hi,

I'm logging in to a service principal using OIDC (using https://github.com/marketplace/actions/azure-login and yes I know how horrible the things are that led me to a solution that include running certbot in a github actions runner, and I am ashamed of doing it, don't ask) and thus don't have a service principal secret - is there a way to use that authentication, basically the authentication of az cli, with this plugin?

I believe the azure SDK:s that provide a DefaultAzureCredential would pick this up (such as the python one), so an option to authenticate using that or AzureCliCredential would be really helpful

Sorry my bad english skills.

When I tried to run certbot using dns-azure as authenticator, I got the following error.

$ certbot certonly \
--authenticator dns-azure \
--preferred-challenges dns \
--noninteractive \
--agree-tos \
--email [email protected] \
--dns-azure-config azure.ini \
--config-dir config-dir/ \
--work-dir work-dir/ \
--logs-dir logs-dir/ \
--cert-name example.com \
--domains example.com
Saving debug log to /path/to/logs-dir/letsencrypt.log
Plugins selected: Authenticator dns-azure, Installer None
Account registered.
Requesting a certificate for example.com
Performing the following challenges:
dns-01 challenge for example.com
Cleaning up challenges
Encountered exception during recovery: AttributeError: 'ServicePrincipalCredentials' object has no attribute 'get_token'
An unexpected error occurred:
AttributeError: 'ServicePrincipalCredentials' object has no attribute 'get_token'
Please see the logfiles in /path/to/logs-dir for more details.

This is due to the recent version release of azure-mgmt-dns.

• Release azure-mgmt-dns_8.0.0 · Azure/azure-sdk-for-python
• azure-mgmt-dns · PyPI

Versions 3.0.0 and 8.0.0 are not compatible.

I think this plugin needs to support version 8.0.0 of azure-mgmt-dns or fix the version of azure-mgmt-dns to 3.0.0, can you give me your opinion?

Created a Pull Request for each.

• Support azure-mgmt-dns 8.0.0 by rnakamine · Pull Request #5 · binkhq/certbot-dns-azure
• Fixed major version by rnakamine · Pull Request #6 · binkhq/certbot-dns-azure

Azure allows a principal to manage individual records of a zone. This allows to have different credentials per record.

It would be nice to clear the TXT record (setting it to blank ot '-') instead of deleting the record, so the role assignment is persisted.

IMHO, security-wise, not sure how much advantage leaving a blank record instead of deleting it, as you can query https://crt.sh/ (certificate transparency logs) for a given domain, so knowing that exists an _acme-challenge entry in a domain isn't any different at all from querying crt.sh.

Still, when combined with #14 is very useful to have a single zone to hold challenges across several domains without having multiple zones registered in Azure DNS (saving on billing, since it charges per zone + per million queries).

Hello,

For anyone wanting to use this plugin in a container I have the following example:

FROM alpine:latest

RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
RUN python3 -m ensurepip
RUN pip3 install --no-cache --upgrade pip setuptools certbot certbot-dns-azure

The docker build command would simply be:

docker build -t certbot-azuredns -f Dockerfile .

As an example the newly created container can be used as follows (a bit brave to mount directly the host's /etc/letsencrypt directory):

docker run -it --rm --name certbot-azure-dns \
           -v /etc/letsencrypt/:/etc/letsencrypt/ \
           certbot-azuredns \
           certbot certonly \
           --authenticator dns-azure \
           --preferred-challenges dns \
           --agree-tos \
           --email '[email protected]' \
           --noninteractive \
           --dns-azure-config /etc/letsencrypt/clouddns/azuredns.ini \
           --domains example.com \
           --domains '*.example.com'

And the contents of the azuredns.ini is as per the service principal example with 400 permission.

dns_azure_sp_client_id = AAA...
dns_azure_sp_client_secret = BBB...
dns_azure_tenant_id = CCC...

dns_azure_environment = "AzurePublicCloud"

dns_azure_zone1 = example.com:/subscriptions/DDD.../resourceGroups/rg-dns001

Please let me know if code snippet above this is adequate to be included in a subsequent PR.

Hello,

thank you for making this solution open source.

I am wondering if i can use this plugin for multilevel subdomain wildcards?

For example

*.example.com
*.staging.example.com
*.development.example.com

If so how would the configuration of the ini file look like?

Hi,

I´m currently facing the issue that certbot renew will fail with error:
Failed to renew certificate bag.software with error: Missing command line flag or config entry for this setting: Input the path to your Azure config INI file

My /etc/letsencrypt/renewal/domain.conf looks like:

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/domain
cert = /etc/letsencrypt/live/domain/cert.pem
privkey = /etc/letsencrypt/live/domain/privkey.pem
chain = /etc/letsencrypt/live/domain/chain.pem
fullchain = /etc/letsencrypt/live/domain/fullchain.pem

[renewalparams]
authenticator = dns-azure
dns-azure-config = /etc/default/certbot/azure.ini
server = https://acme-v02.api.letsencrypt.org/directory
manual_public_ip_logging_ok = None

When running certbot renew --dns-azure-config /etc/default/certbot/azure.ini the renewal is working fine.

Is the config wrong or does this setting not work?

Thanks

Sorry my bad english skills.

Abstract

Cannot specify --dns-azure option

$ certbot certonly --dns-azure --dns-azure-config azure.ini -d <my domain> --config-dir ./config-dir --work-dir ./work-dir --logs-dir ./logs-dir
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: ambiguous option: --dns-azure could match --dns-azure-propagation-seconds, --dns-azure-config

So I can't run the certbot command in non-interactive mode.

Hi,

When I try to use your plugin, i get the following exception:

2022-05-01 11:23:09,325:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-05-01 11:23:09,325:ERROR:certbot._internal.error_handler:Encountered exception during recovery: TypeError: __init__() got an unexpected keyword argument 'credential_scopes'
2022-05-01 11:23:09,326:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.8/dist-packages/certbot/_internal/main.py", line 1723, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.8/dist-packages/certbot/_internal/main.py", line 1582, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.8/dist-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.8/dist-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.8/dist-packages/certbot/_internal/client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.8/dist-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.8/dist-packages/certbot/_internal/auth_handler.py", line 86, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.8/dist-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.8/dist-packages/certbot_dns_azure/_internal/dns_azure.py", line 182, in _perform
    client = self._get_azure_client(subscription_id)
  File "/usr/local/lib/python3.8/dist-packages/certbot_dns_azure/_internal/dns_azure.py", line 268, in _get_azure_client
    return DnsManagementClient(self.credential, subscription_id, None, self._arm_endpoint, credential_scopes=[self._arm_endpoint + "/.default"])
TypeError: __init__() got an unexpected keyword argument 'credential_scopes'
2022-05-01 11:23:09,326:ERROR:certbot._internal.log:An unexpected error occurred:
2022-05-01 11:23:09,326:ERROR:certbot._internal.log:TypeError: __init__() got an unexpected keyword argument 'credential_scopes' 

I try to obtain a certificate using the following command:
certbot certonly --test-cert --authenticator dns-azure --preferred-challenges dns --noninteractive --agree-tos --email [email protected] --dns-azure-config /etc/azure.ini -d "test.certificate.com"

My /etc/azure.ini has the following:

dns_azure_msi_client_id = <client id of user assigned identity>
dns_azure_zone1 = certificate.com:/subscriptions/<subscription>/resourceGroups/<resource group>

Installed versions:
user@host:/home/adm# pip list | grep -E "certbot|azure-mgmt-dns"
azure-mgmt-dns 8.0.0
certbot 1.26.0
certbot-dns-azure 1.5.0

Python 3.8.10
Ubuntu 20.04.4 LTS

This allows the domain used for validation to be completely different than the domain name you are requesting a certificate for.

Here is the best example of how this works I can find:
https://cert-manager.io/docs/configuration/acme/dns01/#delegated-domains-for-dns01

c696da3 added a certbot>=1.18.0,<2.0 constraint to the plugin.

We recently pushed the Certbot snap out to every snap user, so the plugin is broken there due to a constraint conflict.

This was reported at https://community.letsencrypt.org/t/certbot-versionconflict-after-update-on-ubuntu/193141/5.

Would it be possible to remove the constraint and republish the snap? The plugin should otherwise work just fine with Certbot 2.x. Thank you.

Is it possible to add the support of Azure AD workload identity authentication for the azure dns zone? Thanks!

It seems there have been some releases to snap (2.0.0 and 2.0.1), but PyPis history for this project is still at 1.5.0.

I am attempting to register *.subdomain.example.com and subdomain.example.com in the same request. I always get an error that it can't validate the TXT record on one of the two domains that are listed. If I do them one at a time things seem to work just fine.

This seems like it may be the same issue that was talked about here certbot/certbot#5673

certbot certonly --authenticator dns-azure --preferred-challenges dns --noninteractive --agree-tos --email [email protected] --dns-azure-config /etc/azure.ini -d subdomain.example.com -d *.subdomain.example.com

Hi,

I just tried to use certbot-dns-azure with the newly released certbot 2.0.0 and got the following stack trace:

2022-11-27 15:50:30,511:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.10/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.10/site-packages/certbot/_internal/main.py", line 1707, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/local/lib/python3.10/site-packages/certbot/_internal/plugins/disco.py", line 208, in find_all
    cls._load_entry_point(entry_point, plugins)
  File "/usr/local/lib/python3.10/site-packages/certbot/_internal/plugins/disco.py", line 215, in _load_entry_point
    plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/local/lib/python3.10/site-packages/certbot/_internal/plugins/disco.py", line 56, in __init__
    self.plugin_cls: Type[interfaces.Plugin] = entry_point.load()
  File "/usr/local/lib/python3.10/site-packages/pkg_resources/__init__.py", line 2471, in load
    return self.resolve()
  File "/usr/local/lib/python3.10/site-packages/pkg_resources/__init__.py", line 2477, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.10/site-packages/certbot_dns_azure/_internal/dns_azure.py", line 20, in <module>
    @zope.interface.implementer(interfaces.IAuthenticator)
AttributeError: module 'certbot.interfaces' has no attribute 'IAuthenticator'
2022-11-27 15:50:30,511:ERROR:certbot._internal.log:An unexpected error occurred:
2022-11-27 15:50:30,511:ERROR:certbot._internal.log:AttributeError: module 'certbot.interfaces' has no attribute 'IAuthenticator'

Seems like something does not properly work together with certbots zope interface implementations.

I haven't had the time to dig into it, but i got it working by going back to certbot==1.32.0 and acme==1.32.0 using pip.

Hi,

I am getting an issue when i try to renew or create a new ssl cert using this plugin:
An unexpected error occurred:
pkg_resources.VersionConflict: (certbot 2.2.0 (/snap/certbot/2683/lib/python3.8/site-packages), Requirement.parse('certbot<2.0,>=1.18.0'))

Is this an issue with the plugin?

Regards
Mark

Hello, I am here through NginxProxyManager/nginx-proxy-manager#1087.

Unlike most other dns plugins your plugin needs the path to the config ini file passed in with the --dns-azure-config flag, instead of --dns-azure-credentials.
Maybe you could consider also supporting the --dns-azure-credentials flag? One could just take precedence over the other, if both are specified. This way the custom flag would still be supported for current implementations, but it would also support the standard approach.

Thanks!

We are currently implementing a wrapper library for DNS challenge based on certbot for Azure and were facing a small issue.

Use case:
We want to use a "shared" TXT record for CName delegation, so that multiple users/identities can gather a Certficate with only one TXT record, instead of creating a dedicated TXT record for every user/identity.

The DNS Validation sometimes fails, if the challenges take place in parallel.
I believe this section is the problem:

Proposal:
Only remove TXT record entry that was validated and only set TXT record to '-' if that entry was the last one of this record

I generated a config file like this:

dns_azure_sp_client_id = aaaaaa
dns_azure_sp_client_secret = bbbbbb
dns_azure_tenant_id = cccccc
dns_azure_zone1 = xxxxxx.onmicrosoft.com:/subscriptions/dddddd/resourceGroups/eeeeee

and I ran certbot like this:

kkovacs@gitlab:~$ sudo /usr/local/bin/certbot certonly --dns-azure-config ./mycredentials.ini -d *.xxxxxx.onmicrosoft.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using a DNS TXT record (if you are using Azure for DNS).
(dns-azure)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator dns-azure, Installer None
Requesting a certificate for *.xxxxxx.onmicrosoft.com
Performing the following challenges:
dns-01 challenge for xxxxxx.onmicrosoft.com
Cleaning up challenges
Failed to add TXT record to domain xxxxxx.onmicrosoft.com, error: Azure Error: ParentResourceNotFound
Message: Can not perform requested operation on nested resource. Parent resource 'xxxxxx.onmicrosoft.com' not found.

but I got the error "Azure Error: ParentResourceNotFound."

Perhaps I missed a step in setting up things on the Azure side. I have a virtual network with multiple VMs on it and I can connect to them over SSH/RDP while logged in over the P2S VPN connection via Azure AD authentication.

I've been using this plugin for quite some time now, and as of some recent update having it connected causes certbot to crash with the following error message:

An unexpected error occurred:
pkg_resources.ContextualVersionConflict: (cryptography 38.0.1 (/snap/certbot/2414/lib/python3.8/site-packages), Requirement.parse('cryptography<38,>=0.6'), {'msal'})
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-_bnwfto2/log or re-run Certbot with -v for more details.

I confirmed that this is being caused via this plugin, since removing it allows certbot to run again.

Dear,

I am trying to get a certificate from my domain and I am getting the following error:

Encountered exception during recovery: certbot.errors.PluginError: Failed to check TXT record for domain <my domain>, error: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.

I have followed the example for User Assigned Managed Identity, non-interactive mode, from here:
https://certbot-dns-azure.readthedocs.io/en/latest/

Certbot version is: 1.32.1
Ubuntu Server 18.04

It seems that this issue is related to this problem:
https://stackoverflow.com/questions/67845857/can-a-user-assigned-managed-identity-be-used-locally

We are running certbot on a non-azure virtual machine. And on Line 152 of dns_azure.py we find:

return ManagedIdentityCredential(client_id=msi_client_id)

Perhaps it should use DefaultAzureCredential with the Client Id.

Thank you!

In 0b158bb the usage of azure.core.utils.CaseInsensitiveDict was added.

However, this implementation wasn't added until azure-core-1.25.0.

Currently, certbot-dns-azure only depends on azure-identity>=1.11.0 and azure-mgmt-dns>=8.0.0. Currently, azure-mgmnt-dns doesn't depend on azure-core entirely and azure-identity depends on azure-core<2.0.0,>=1.11.0, so that's not enough either.

Perhaps it's wise to add a dependency on azure-core>=1.25.0?