pczhao1210/Azure_Certification_Tool

Azure Let's Encrypt Certificate Manager

Automatically obtain Let's Encrypt SSL certificates and upload them to Azure Key Vault using Python.

中文文档 / Chinese Documentation

The Azure Functions deployment workflow is documented in Functions/README.md. The project now uses Functions/deploy.sh as the single entry point for Azure resource deployment, code upload, and configuration upload instead of a Deploy to Azure button.

Features

  • Automatically obtain Let's Encrypt certificates using DNS-01 challenge
  • Support for wildcard certificates (*.domain.com)
  • Automatic Azure DNS TXT record management
  • Automatic certificate upload to Azure Key Vault
  • Local certificate backup (organized by year-month)
  • Smart certificate renewal: checks the certificate's expiry time and renews only when needed
  • Automatic PFX generation: generates a password-protected PFX file by default
  • Certificate chain validation: built-in verification that the certificate chain is complete

Requirements

  • Python 3.7+
  • Azure subscription
  • Azure DNS zone
  • Azure Key Vault
  • Azure Service Principal (App Registration)

Installation

pip install -r requirements.txt

Configuration

  1. Copy the example configuration file:
cp config.example.json config.json
  2. Edit config.json with your actual configuration:
    • ACME email and domains
    • Azure Key Vault information
    • Azure DNS configuration
    • Azure authentication information

Azure Permissions

Ensure your Azure Service Principal has the following permissions:

  1. DNS Zone Contributor - For managing DNS records
  2. Key Vault Certificate Officer - For uploading certificates

Usage

Basic Usage

python cert_manager.py

Command Line Arguments

# Force certificate renewal (ignore expiry check)
python cert_manager.py --force

# Set renewal to start 15 days before expiry
python cert_manager.py --days 15

# Verify certificate chain integrity
python cert_manager.py --verify-chain

# Verify PFX file integrity
python cert_manager.py --verify-pfx

# Combined usage
python cert_manager.py --force --days 15
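The renewal decision that --force and --days control, written out as an added example (this is not the project's cert_manager.py, and the argparse layout, the utc_date helper and the sample dates are assumptions). It shows the three outcomes the flags produce: renew because the remaining validity is within the threshold, skip because a smaller --days moves the threshold, and renew unconditionally with --force; an already-expired certificate always renews.

```python
# Added example (not the project's code): the renewal decision behind --force / --days.
import argparse
from datetime import datetime, timedelta, timezone

DEFAULT_RENEW_DAYS = 30  # README default: renewal starts 30 days before expiry


def utc_date(year, month, day):
    """Small helper so callers build timezone-aware UTC dates consistently."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def needs_renewal(not_after, now=None, days_before=DEFAULT_RENEW_DAYS, force=False):
    """Return (renew, reason) for a certificate expiring at not_after (UTC-aware).

    --force skips the expiry check entirely; otherwise renew when the remaining
    validity is at or below the threshold, or the certificate has already expired.
    """
    if force:
        return True, "forced renewal (--force)"
    if now is None:
        now = datetime.now(timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        return True, "certificate already expired"
    if remaining <= timedelta(days=days_before):
        return True, f"{remaining.days} day(s) left, within {days_before}-day threshold"
    return False, f"{remaining.days} day(s) left, no renewal needed"


def parse_args(argv):
    """Hypothetical argparse layout for the flags listed above (assumption)."""
    parser = argparse.ArgumentParser(description="Let's Encrypt / Key Vault certificate manager")
    parser.add_argument("--force", action="store_true", help="renew even if not due")
    parser.add_argument("--days", type=int, default=DEFAULT_RENEW_DAYS,
                        help="start renewal this many days before expiry")
    parser.add_argument("--verify-chain", action="store_true", help="verify chain integrity")
    parser.add_argument("--verify-pfx", action="store_true", help="verify PFX integrity")
    args = parser.parse_args(argv)
    if args.days < 0:
        parser.error("--days must be >= 0")
    return args


def decide(argv, not_after, now):
    """Combine the CLI flags with the certificate's expiry into one decision."""
    args = parse_args(argv)
    return needs_renewal(not_after, now=now, days_before=args.days, force=args.force)


if __name__ == "__main__":
    # Constructed sample: a 90-day certificate with 20 days of validity left.
    now = utc_date(2025, 1, 1)
    expiry = now + timedelta(days=20)
    for argv in ([], ["--days", "15"], ["--force"]):
        renew, why = decide(argv, expiry, now)
        print(f"{argv or ['<defaults>']}: renew={renew} ({why})")
```

The comparison uses `<=`, so a certificate sitting exactly on the threshold day is renewed rather than deferred to the next scheduled run.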

Certificate Verification

# Verify certificate chain integrity
python cert_manager.py --verify-chain

# Verify PFX file integrity
python cert_manager.py --verify-pfx

Configuration Reference

ACME Configuration

  • email: Let's Encrypt account email
  • domains: List of domains to request certificates for
  • directory_url: ACME server address

Azure Configuration

  • key_vault_url: Key Vault URL
  • tenant_id: Azure tenant ID
  • client_id: Application ID
  • client_secret: Application secret
  • certificate_name: Certificate name in Key Vault

DNS Configuration

  • provider: DNS provider (currently supports azure)
  • subscription_id: Azure subscription ID
  • resource_group: Resource group containing DNS zone
  • zone_name: DNS zone name
  • challenge_zone_name: Optional dedicated DNS zone for _acme-challenge records. Recommended value: _acme-challenge.example.com with NS delegation from the parent zone
  • challenge_resource_group: Optional resource group for the dedicated challenge zone if it differs from resource_group

Recommended DNS Strategy

  • Keep _acme-challenge TXT records alive instead of deleting the whole record set. This tool now removes only the current validation values and keeps a placeholder TXT value to avoid NXDOMAIN negative caching.
  • For better reliability, use a dedicated validation zone such as _acme-challenge.example.com, delegate it from the parent zone, and configure challenge_zone_name accordingly.
  • Before responding to Let's Encrypt, the tool now waits until all authoritative NS and multiple public recursive DNS servers can see all challenge TXT values, then keeps a short stability window before submitting the challenge.
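The two behaviours described in this section, keeping a placeholder TXT value while removing only the current validation values, and waiting until every configured resolver sees all challenge values for a stability window, as an added example that is not the project's code. The placeholder string, the FakeDns stand-in (which replaces real DNS queries so the script runs offline) and the sample token values are assumptions; a real query_txt would issue TXT lookups against each authoritative NS and public recursive resolver.

```python
# Added example (not the project's code): TXT record-set hygiene and propagation wait.
import time

PLACEHOLDER = "acme-challenge-keepalive"  # constructed placeholder value (assumption)


def add_challenge_values(current_values, validation_values, placeholder=PLACEHOLDER):
    """TXT values to write before validation: existing + new values + placeholder."""
    merged = list(current_values)
    for value in list(validation_values) + [placeholder]:
        if value not in merged:
            merged.append(value)
    return merged


def cleanup_challenge_values(current_values, validation_values, placeholder=PLACEHOLDER):
    """TXT values to write after validation.

    Only this run's validation values are removed; anything else stays, and the
    placeholder is kept so the record set never becomes empty and resolvers do
    not cache a negative (NXDOMAIN) answer for the name.
    """
    remove = set(validation_values)
    kept = [v for v in current_values if v not in remove]
    if placeholder not in kept:
        kept.append(placeholder)
    return kept


def wait_for_propagation(name, expected, resolvers, query_txt, stability_window=30.0,
                         timeout=600.0, interval=10.0, sleep=time.sleep, clock=time.monotonic):
    """Poll every resolver until each returns all expected TXT values, then require
    that state to hold for stability_window seconds before returning True.

    resolvers: authoritative NS plus public recursive resolver addresses.
    query_txt(resolver, name) -> iterable of TXT strings (may raise on failure).
    Returns False if the deadline passes first.
    """
    expected = set(expected)
    deadline = clock() + timeout
    stable_since = None
    while clock() < deadline:
        all_seen = True
        for resolver in resolvers:
            try:
                seen = set(query_txt(resolver, name))
            except Exception:  # lookup failure counts as "not visible yet"
                seen = set()
            if not expected <= seen:
                all_seen = False
                break
        now = clock()
        if not all_seen:
            stable_since = None  # any regression restarts the stability window
        elif stable_since is None:
            stable_since = now
        elif now - stable_since >= stability_window:
            return True
        sleep(interval)
    return False


class FakeDns:
    """Constructed stand-in for real resolvers (assumption): a resolver returns the
    challenge values only after ready_after[resolver] queries, and time advances
    only through sleep(), so the demo is deterministic and offline."""

    def __init__(self, ready_after, values):
        self.ready_after = ready_after
        self.values = set(values)
        self.polls = {r: 0 for r in ready_after}
        self.now = 0.0

    def query_txt(self, resolver, name):
        self.polls[resolver] += 1
        if self.polls[resolver] > self.ready_after[resolver]:
            return self.values | {PLACEHOLDER}
        return {PLACEHOLDER}  # only the keepalive value is visible so far

    def sleep(self, seconds):
        self.now += seconds

    def clock(self):
        return self.now


def demo(ready_after, timeout=60.0):
    """Run the wait against FakeDns with constructed tokens; returns (ok, seconds_waited)."""
    validation = ["tokenA-constructed", "tokenB-constructed"]
    dns = FakeDns(ready_after, validation)
    ok = wait_for_propagation("_acme-challenge.example.com", validation, list(ready_after),
                              dns.query_txt, stability_window=10.0, timeout=timeout,
                              interval=5.0, sleep=dns.sleep, clock=dns.clock)
    return ok, dns.now


if __name__ == "__main__":
    print(demo({"ns1.example.invalid": 0, "8.8.8.8": 2}))                  # (True, 20.0)
    print(demo({"ns1.example.invalid": 0, "8.8.8.8": 100}, timeout=30.0))  # (False, 30.0)
```

The subset check `expected <= seen` is what makes wildcard issuance work: `example.com` and `*.example.com` both validate at the same `_acme-challenge` name, so the record set must carry both tokens at once and the wait must confirm both, not just one.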

Automation

Windows Scheduled Task

# Check daily, only renew when needed
schtasks /create /tn "SSL Certificate Update" /tr "python E:\path\to\cert_manager.py" /sc daily

Linux Cron

# Check daily at 2 AM
0 2 * * * cd /path/to/cert_update && python cert_manager.py

Notes

  • Ensure the DNS zone is properly configured
  • If you configure challenge_zone_name, delegate _acme-challenge.<domain> from the parent zone to that dedicated zone before running the tool
  • The Service Principal needs the permissions listed above
  • Let's Encrypt certificates are valid for 90 days; by default, renewal starts 30 days before expiry
  • The configuration file contains sensitive information; do not commit it to version control
  • The program checks certificate status automatically and renews only when necessary
  • PFX files are generated with the password "1234" by default
  • Built-in certificate chain validation ensures the trust chain is complete
  • Certificate chains and PFX files can also be verified independently

License

MIT License
