Automated Certificates

[kingofzeal]

I love what you've put together, and it works awesome with Azure Container Apps.

One thing I don't understand, however, is how to use the API that is noted for issuing certificates in an automated fashion. If the entire thing is configured to use Security, there's no way of hitting the function endpoint without logging in - when you try, it returns an HTML login page (as you would expect from a browser).

Additionally, it looks like the endpoint that's noted does a check to ensure the user is authorized to hit the app, but in an automated environment there is no user context to be authorized.

I would love to see if there is a more comprehensive information around the automated methodology in general, as my understanding of Security and Azure AD (and how it relates to Function keys) is rather limited.

Finally, I do have one final question - it looks like when going through the process it always orders a new certificate. Is there a good way to request a certificate only if one does not already exist so we can use the existing one (if available) when updating the Container App? If there isn't a good solution for that, I can check for the certificate and conditionally call the endpoint to issue, but would be nicer if it was all baked into one call.

[shibayan]

Sorry for the delay. The REST API for issuing certificates can be easily invoked by using the Host Key of Azure Functions. This behavior is the same as the Key Vault version, so please refer to that document.

https://github.com/shibayan/keyvault-acmebot/wiki/REST-API
https://github.com/shibayan/keyvault-acmebot/wiki/App-Role-based-authorization

Since Acmebot only uses DNS to issue certificates and upload them to the Container App Environment, it should be possible to issue certificates even if Container Apps themselves do not exist.

I most likely do not understand the scenario, so please point out if I am wrong.

[kingofzeal]

The issue I'm running into is that when I try to use a rest client to hit the API (as documented - POST /api/certificate, with an X-Functions-Key header set to the value defined in the Host Keys section of the App Keys area of the function app), I get a 401 Unauthorized response.

As documented in the readme (step 3), I have the functions app configured to require authentication with a Microsoft identify provider. When I originally started this thread, the response I received from my request was not just a 401 Unauthorized, but it was an HTML payload that matched the login screen that would be presented to a user. This led me to believe that the request (even with a valid X-Functions-Key header) was being intercepted by the Microsoft identity provider and requiring a valid session cookie before the request even made it to the Function App to be handled.

If I navigate to the /add-certificate endpoint in my browser, I am appropriately prompted to log in with my Microsoft identity, and the ability to issue the certificate like this does not seem to be impaired. I also see that the site presented uses the POST /api/certificate endpoint, but it sends my session cookie as the authentication method, which I believe what allows it to work.

If I no longer require authentication to be required, presumably I will no longer get the 401 Unauthorized response, but looking over the code I see all endpoints have a check validating the authentication state, so would not work anyway.

I'm trying to determine if there is something I have misconfigured or that I'm missing that would allow me to use the API endpoint directly. I have the followed the instructions on the readme, and my settings (particularly the Functions App Authentication) look identical to the images provided. However, this configuration only appears to allow a user to use the webpage to issue a certificate, not another application.

This issue is not as critical as it was when I first posted (as we are now using a wildcard certificate that was generated manually using the webpage and referencing that as necessary), but I would still be curious if there is something I'm doing wrong when trying to use the API.

[shibayan]

App Service Authentication must be turned off when using the API with X-Functions-Key. Acmebot is designed to work exclusively with App Service Authentication and X-Functions-Key.

If you call the API with App Service Authentication enabled, you must obtain an access token according to the Azure AD mechanism.