acme-http-01-azure-key-vault-middleware
Advanced tools
Use Let's Encrypt and other RFC 8555 providers natively and securely on Azure
Use Let's Encrypt and other RFC 8555 providers natively and securely on Azure.
Supports Azure Web Apps, Azure Functions, Azure Front Door, Azure CDN, and services outside of Azure.
We use popular and high-quality industry standard libraries: node-fetch, node-forge, @azure/keyvault-*.
In 2.0.0, we further restricted access policy for web server. Please change it from "get secret" to "list secret".
Unlike Greenlock, the whole operation is done over Azure Key Vault. It gives us a few benefits:
Estimated cost for Azure Key Vault on each certificate issued by Let's Encrypt is less than USD 0.10 per month, given 1 certificate renewal per week.
Certificates stored in Azure Key Vault is available to use for all Azure services, such as Azure Web Apps, Azure Functions, Azure Front Door, Azure CDN, etc.
If you prefer to use certificates outside of Azure, you can always export the certificate as PFX.
The solution is cloud native and easy to set up.
Isolated access policies design means better security.
| Role | Key | Secrets | Certificates |
|---|---|---|---|
| Enrollment agent | Get, Sign | Get, Set | Import |
| Web server | List |
"List secrets" policy do not have access to the content of secret.
The middleware is only used to statically serve responses generated by the enrollment agent. It do not have access to the ACME account credentials or certificates.
If you are not on Express, you can consider porting it to platform of your choice. It is about 50 lines only.
We are using Azure Key Vault for storing the certificate and ACME challenges. It is designed to store certificates securely and integrates seamlessly with other Azure services.
You can use the certificates on Azure Functions and ZIP file deployment on Azure Web Apps. ZIP file deployment disable access to local file system, which improves security and reduce deployment time.
Unlike other Certbot implementation, we do not ship with any web UI for ordering certificates. This is to prevent unintended exposure of the website. We recommend running the enrollment agent in a secure environment, such as your CI/CD environment.
In this sample setup, we are assuming you are installing SSL certificates for an Express web server hosted on Azure Web Apps.
It is recommended to set up a new Azure Key Vault resource for each certificate.
Visit https://portal.azure.com/#create/Microsoft.KeyVault to create a new Azure Key Vault.
On your Azure Key Vault, generate or import a key to use with your ACME provider. For Let's Encrypt, it support key algorithm EC P-256.
You can follow this article to add a key.
Create Service Principal Names using Azure CLI. az is preinstalled on Azure Cloud Shell and can be accessed using Azure Portal or Windows Terminal.
az ad sp create-for-rbac -n http://mydomain.com/acme-enrollment-agent --skip-assignment
az ad sp create-for-rbac -n http://mydomain.com/acme-web-server --skip-assignment
Write down both results. We will use it throughout this guide.
These steps are from this article.
On your Azure Key Vault, add access policies for each SPNs. Follow this article to assign new access policies.
| SPN | Key | Secrets | Certificates |
|---|---|---|---|
http://mydomain.com/acme-enrollment-agent | Get, Sign | Get, Set | Import |
http://mydomain.com/acme-web-server | List |
You can use the SSL certificate on any services supported by Azure Key Vault. For simplicity, we are setting it up on Express hosted on Azure Web Apps.
You can also use this package on Azure Functions, please refer to this article.
Add the following environment variables to your Azure Web Apps resource. This is the credential for SPN http://mydomain.com/acme-web-server.
AZURE_CLIENT_ID=12345678-1234-5678-abcd-12345678abcd
AZURE_CLIENT_SECRET=12345678-1234-5678-abcd-12345678abcd
AZURE_TENANT_ID=12345678-1234-5678-abcd-12345678abcd
KEY_VAULT_NAME: my-key-vault
If you prefer to use other forms for authentication, such as certificate-based credential, you can refer to this article for details.
AZURE_CLIENT_ID is the appId from the result of SPN creation. AZURE_CLIENT_SECRET is password, and AZURE_TENANT_ID is tenant.
Install both @azure/identity and acme-http-01-azure-key-vault-middleware package.
npm install @azure/identity acme-http-01-azure-key-vault-middleware
In your Express app, attach the middleware. It will mount to all GET requests to /.well-known/acme-challenge/.
const { DefaultAzureCredential } = require('@azure/identity');
const createACMEMiddleware = require('acme-http-01-azure-key-vault-middleware/express');
app.use(
createACMEMiddleware({
azureCredential: new DefaultAzureCredential(),
azureKeyVaultName: process.env.KEY_VAULT_NAME
})
);
Optionally, you can pass a
rateLimiteroption for throttling requests. By default, the middleware use in-memory rate limiter and throttle at a rate of 10 requests per second and 100 requests per 5 minutes.
Follow this article to add your custom domain to your Azure Web Apps. Or this article for Azure Functions.
To avoid rate-limiting by your SSL provider, you should not order new certificate more than once a week. Let's Encrypt allows 50 certificates per registered domain per week.
You should run the enrollment steps periodically in your scheduler, such as cron or GitHub Actions.
Before running the enrollment agent, set the following environment variables. This is the credential for SPN http://mydomain.com/acme-enrollment-agent.
ACME_ACCOUNT_CONTACTS=mailto:johndoe@mydomain.com
ACME_ACCOUNT_TOS_AGREED=1
ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
AZURE_CLIENT_ID=12345678-1234-5678-abcd-12345678abcd
AZURE_CLIENT_SECRET=12345678-1234-5678-abcd-12345678abcd
AZURE_TENANT_ID=12345678-1234-5678-abcd-12345678abcd
KEY_VAULT_ACME_ACCOUNT_KEY_NAME=my-acme-key
KEY_VAULT_CERTIFICATE_NAME=my-ssl-certificate
KEY_VAULT_NAME=my-key-vault
DOMAINS=mydomain.com,myanotherdomain.com
For testing purpose, you should order it from https://acme-staging-v02.api.letsencrypt.org/directory instead.
Then, run:
npx -p acme-http-01-azure-key-vault-middleware@1 order
If succeeded, you should see:
Creating or signing into ACME provider.
Creating a new certificate order.
Order created at https://acme-v02.api.letsencrypt.org/acme/order/12345678/23456789.
Preparing HTTP-01 challenge responses.
Waiting for order to become ready.
Order is ready for pickup (finalize) at https://acme-v02.api.letsencrypt.org/acme/finalize/12345678/34567890.
Downloading certificate from https://acme-v02.api.letsencrypt.org/acme/cert/1234567890abcdef1234567890abcdef12345678.
Certificate downloaded, serial number is 1234567890abcdef1234567890abcdef12345678 and will expires at 2021-01-01T12:34:56.789Z.
Uploading certificate to Azure Key Vault as "my-ssl-certificate".
Certificate uploaded to Azure Key Vault as "my-ssl-certificate".
After the first SSL certificate is uploaded to Azure Key Vault, you can start using it in your Azure Web Apps. Follow this tutorial to enable SSL on web app.
If you are using the certificates on Azure Functions, please follow this tutorial.
Here is a non-exhaustive list of things your team should consider when adopting this package in your production environment.
As always, when deploying code to production environment, your team should always review code produced by third parties.
HTTP-01 challenge requires public GET request to /.well-known/acme-challenge/. And every GET request to this endpoint will trigger an Azure Key Vault operation.
By default, in our Express middleware, we use rate-limiter-flexible with memory-based bursty throttling, up to 50 requests per second or 100 requests per 5 minutes. If spam attack occurs at extreme rate, it will cost about USD 3 per month per server (based on Azure Key Vault pricing at the time of this writing, at USD 0.03/10,000 operations).
You can configure throttling by passing your own RateLimiter object.
const { BurstyRateLimiter, RateLimiterMemory } = require('rate-limiter-flexible');
app.use(
createACMEMiddleware({
azureCredential: new DefaultAzureCredential(),
azureKeyVaultName: 'my-key-vault',
rateLimiter: new BurstyRateLimiter(
new RateLimiterMemory({
duration: 300,
points: 100
}),
new RateLimiterMemory({
duration: 1,
points: 50
})
)
})
);
To disable throttling, pass a falsy value to rateLimiter option.
If your SSL provider publish IP addresses of their HTTP-01 challengers, you should allow-list them to reduce attack surface.
You may want to log all requests made to /.well-known/acme-challenge/ for monitoring this attack surface.
(TBD)
Greenlock™ is a trademark of AJ ONeal
[2.0.0] - 2021-01-09
@azure/identity@1.2.1FAQs
Use Let's Encrypt and other RFC 8555 providers natively and securely on Azure
The npm package acme-http-01-azure-key-vault-middleware receives a total of 23 weekly downloads. As such, acme-http-01-azure-key-vault-middleware popularity was classified as not popular.
We found that acme-http-01-azure-key-vault-middleware demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.