Conversation

Copilot AI commented Oct 29, 2025

Extends letsencrypt_drupal.sh to support DNS-01 challenge validation via Azure DNS, enabling wildcard certificates and validation without web server access. Challenge type is automatically detected based on domain types.

Changes

Script modification:

  • Automatic challenge type detection based on domains in configuration file
  • Hook selection logic routes to appropriate hook based on detected domain types

# Single command - challenge type auto-detected
./letsencrypt_drupal.sh projectname prod

Automatic detection logic:

  • dns-01 challenge: Automatically used for apex domains (example.com) and wildcard domains (*.example.com)
  • http-01 challenge: Automatically used for subdomains (www.example.com, api.example.com)

The script analyzes the domains file at runtime and selects the appropriate challenge type - no manual parameter needed.

Azure DNS hook (hooks/azure_dns_hook.sh):

  • Implements dehydrated hook interface for DNS-01 validation
  • Azure REST API integration using curl (no Azure CLI dependency)
  • OAuth2 token acquisition, TXT record lifecycle management
  • 60-second DNS propagation wait

Required environment variables (for dns-01):

  • AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET
  • AZURE_RESOURCE_GROUP, AZURE_DNS_ZONE

Documentation:

  • Azure Service Principal setup instructions
  • Configuration template with credential placeholders
  • Testing guide covering automatic detection scenarios

Implementation notes

  • Challenge type selection is implicit and automatic based on domain analysis
  • Apex domains detected by counting dots (domain.tld = 1 dot)
  • Wildcard domains detected by *. prefix
  • Service Principal requires DNS Zone Contributor role (for dns-01 only)
  • TXT records created at _acme-challenge.[subdomain] with 60s TTL
  • Subdomain extraction handles root and nested subdomains correctly
  • Certificate deployment logic reused from existing http-01 hook
Original prompt

Enhance letsencrypt_drupal.sh script to allow dns-01 challenge type, keeping http-01 as default. Challenge type should be provided as the script parameter. use appropriate configuration for the "dehydrated" script (https://github.com/dehydrated-io/dehydrated). Instructions: https://github.com/dehydrated-io/dehydrated/blob/master/docs/dns-verification.md . Create separate shell script to create respective TXT record on Azure DNS using REST API and curl (avoid using az cli). Use environment variables/secrets for all required Azure information.


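The hook the description above sketches (dehydrated hook interface, OAuth2 client-credentials token, TXT record lifecycle at _acme-challenge.[subdomain] with a 60 s TTL, 60 s propagation wait) can be laid out so that the request-building parts are plain functions and the only network calls are the three curl invocations. The script below is an added example, not the PR's hooks/azure_dns_hook.sh. It assumes the AZURE_* environment variables listed above, Azure DNS REST API version 2018-05-01, and that every name in the certificate lives inside AZURE_DNS_ZONE; the DNS_PROPAGATION_WAIT override is an invention of this example.

```bash
#!/usr/bin/env bash
# Added example, not the PR's hooks/azure_dns_hook.sh: a dehydrated dns-01 hook for
# Azure DNS with the pure request-building parts split into functions so they can
# be checked without network access.
# Assumptions: the AZURE_* variables from the PR description; Azure DNS REST API
# version 2018-05-01; every name in the certificate lives in $AZURE_DNS_ZONE.
set -eu

AZURE_API_VERSION="2018-05-01"

# Relative record-set name inside the zone. A wildcard is validated at the same
# name as its apex, so a leading "*." is dropped whether or not dehydrated
# already stripped it.
#   example.com             -> _acme-challenge
#   *.example.com           -> _acme-challenge
#   staging.api.example.com -> _acme-challenge.staging.api
acme_record_name() {
  d="${1#\*.}"
  zone="$2"
  case "$d" in
    "$zone")   printf '_acme-challenge\n' ;;
    *".$zone") printf '_acme-challenge.%s\n' "${d%".$zone"}" ;;
    *) printf 'acme_record_name: %s is not inside zone %s\n' "$d" "$zone" >&2; return 1 ;;
  esac
}

# ARM resource URL for a TXT record set: subscription, resource group, zone, relative name.
txt_record_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/dnsZones/%s/TXT/%s?api-version=%s\n' \
    "$1" "$2" "$3" "$4" "$AZURE_API_VERSION"
}

# PUT body: one value, 60 s TTL as in the PR. ACME tokens are base64url, so no JSON escaping is needed.
txt_record_body() {
  printf '{"properties":{"TTL":60,"TXTRecords":[{"value":["%s"]}]}}' "$1"
}

# Client-credentials token for the ARM scope. The secret is fed to curl on stdin
# (the name@- form of --data-urlencode) so it never appears in the process list.
get_token() {
  resp=$(printf '%s' "$AZURE_CLIENT_SECRET" | curl -fsS -X POST \
    "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
    --data-urlencode "client_secret@-" \
    --data-urlencode "scope=https://management.azure.com/.default")
  printf '%s\n' "$resp" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# dehydrated calls: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
  name=$(acme_record_name "$1" "$AZURE_DNS_ZONE")
  url=$(txt_record_url "$AZURE_SUBSCRIPTION_ID" "$AZURE_RESOURCE_GROUP" "$AZURE_DNS_ZONE" "$name")
  token=$(get_token)
  curl -fsS -X PUT "$url" \
    -H "Authorization: Bearer $token" \
    -H 'Content-Type: application/json' \
    --data "$(txt_record_body "$3")" >/dev/null
  # Fixed wait as in the PR; polling the zone's authoritative servers is more robust.
  sleep "${DNS_PROPAGATION_WAIT:-60}"
}

# dehydrated calls: clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
  name=$(acme_record_name "$1" "$AZURE_DNS_ZONE")
  url=$(txt_record_url "$AZURE_SUBSCRIPTION_ID" "$AZURE_RESOURCE_GROUP" "$AZURE_DNS_ZONE" "$name")
  token=$(get_token)
  curl -fsS -X DELETE "$url" -H "Authorization: Bearer $token" >/dev/null
}

# Hook dispatch: only the two challenge hooks are handled here; the other
# dehydrated hook names (deploy_cert, exit_hook, ...) are no-ops.
hook="${1:-}"
case "$hook" in
  deploy_challenge|clean_challenge) shift; "$hook" "$@" ;;
  *) ;;
esac
```

Two points worth checking before relying on a hook shaped like this. First, a PUT replaces the whole record set, so a certificate that lists both example.com and *.example.com (both validated at _acme-challenge.example.com) needs the second deploy_challenge call to read the existing values and append rather than overwrite. Second, the Service Principal only needs DNS Zone Contributor on the one zone, not on the resource group, so scope the role assignment to the zone resource.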

Copilot AI and others added 3 commits October 29, 2025 20:23
Co-authored-by: Jura <417604+Jura@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Enhance letsencrypt_drupal.sh for dns-01 challenge" to "Add dns-01 challenge support for Let's Encrypt via Azure DNS REST API" Oct 29, 2025
Copilot AI requested a review from Jura October 29, 2025 20:35
Copilot finished work on behalf of Jura October 29, 2025 20:35
Jura commented Oct 29, 2025

@copilot Make challenge choice implicit, based on the domain name type which needs to be verified: apex domains (example.com) and wildcard domains (*.example.com) should use dns-01 challenge, other domains (i.e. www.example.com) - http-01 challenge

Copilot AI commented Oct 29, 2025

@copilot Make challenge choice implicit, based on the domain name type which needs to be verified: apex domains (example.com) and wildcard domains (*.example.com) should use dns-01 challenge, other do...

Done! Challenge type is now automatically detected based on domain types in the domains file:

  • dns-01: Apex domains (example.com) and wildcard domains (*.example.com)
  • http-01: Subdomains (www.example.com, api.example.com)

The script analyzes domains at runtime and selects the appropriate challenge type automatically. No manual parameter needed.

Changes in commit: 0e91739

Copilot AI changed the title from "Add dns-01 challenge support for Let's Encrypt via Azure DNS REST API" to "Add automatic dns-01/http-01 challenge detection for Let's Encrypt via Azure DNS REST API" Oct 29, 2025
Copilot finished work on behalf of Jura October 29, 2025 20:43
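The implicit selection rule agreed in this thread (wildcard or apex name means dns-01, anything else means http-01, apex detected by a single dot and wildcard by the "*." prefix) is small enough to show end to end against a dehydrated domains.txt, where each line is one certificate with the primary name first and SANs after it. The script below is an added example and not the PR's letsencrypt_drupal.sh; the hook paths it returns are assumptions (the PR names hooks/azure_dns_hook.sh but does not name the existing http-01 hook), and the rule that a mixed line goes dns-01 as a whole follows from dehydrated validating one certificate with a single CHALLENGETYPE.

```bash
#!/usr/bin/env bash
# Added example, not the PR's letsencrypt_drupal.sh: the implicit challenge-type
# rule from the thread (wildcard or apex -> dns-01, anything else -> http-01)
# applied to a dehydrated domains.txt, where each line is one certificate:
# primary name first, then SANs, with '#' starting a comment.
set -eu

# Classify one name exactly as the PR describes: "*." prefix means wildcard,
# a single dot means apex, two or more dots mean subdomain.
challenge_for_domain() {
  case "$1" in
    \*.*)  printf 'dns-01\n' ;;   # wildcard
    *.*.*) printf 'http-01\n' ;;  # subdomain
    *.*)   printf 'dns-01\n' ;;   # apex
    *) printf 'challenge_for_domain: %s has no dot, refusing\n' "$1" >&2; return 1 ;;
  esac
}

# dehydrated validates one certificate with a single CHALLENGETYPE, so a line
# mixing an apex and its subdomains has to go the dns-01 route as a whole.
challenge_for_cert() {
  result=http-01
  for name in "$@"; do
    ch=$(challenge_for_domain "$name")
    if [ "$ch" = dns-01 ]; then result=dns-01; fi
  done
  printf '%s\n' "$result"
}

# Hook script for a challenge type. Both paths are assumptions of this example;
# the PR names hooks/azure_dns_hook.sh but not the existing http-01 hook.
hook_for_challenge() {
  case "$1" in
    dns-01)  printf 'hooks/azure_dns_hook.sh\n' ;;
    http-01) printf 'hooks/http_hook.sh\n' ;;
    *) return 1 ;;
  esac
}

# One line of output per certificate: "<challenge> <hook> <primary name>".
plan_domains_file() {
  file="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    set -f              # no pathname expansion while splitting "*.example.com"
    # shellcheck disable=SC2086
    set -- $line
    set +f
    if [ $# -eq 0 ]; then continue; fi
    ch=$(challenge_for_cert "$@")
    printf '%s %s %s\n' "$ch" "$(hook_for_challenge "$ch")" "$1"
  done < "$file"
}

# Stand-alone use: ./plan.sh domains.txt
if [ $# -eq 1 ]; then
  plan_domains_file "$1"
fi
```

The dot-count heuristic has one known blind spot a practitioner should keep in mind: an apex under a multi-label public suffix such as example.co.uk has two dots and is therefore routed to http-01, which works only if that host's web root is reachable by the script. Wildcard names are the case that matters most, since http-01 cannot validate them at all.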