Comments (5)
Hello, at the moment this authentication method is not embedded in the DefaultAzureCredential
which is the function used inside azuredns
provider.
For that we need to implement the logic to retrieve OIDC token like the one used inside azrerm
terraform provider.
@ldez I can add it in a new PR
from lego.
Hello,
I think it's better to open an issue inside the repo https://github.com/vancluever/terraform-provider-acme
from lego.
@pchanvallon do you have an idea?
from lego.
Testing on local machine bypassing Terraform ACME provider
Ensure cli is logged out
az logout
Export environment variables (Values taken from Terraform Cloud agent runner)
export AZURE_SUBSCRIPTION_ID=******-****-****-****-********
export AZURE_RESOURCE_GROUP=*********
export AZURE_TENANT_ID=******-****-****-****-********
export AZURE_CLIENT_ID=******-****-****-****-********
export AZURE_USE_OIDC=true
export AZURE_OIDC_TOKEN="**************************"
Also exported last two envs as ARM_OIDC_TOKEN
& ARM_USE_OIDC
since this is the syntax they are actually exported by Terraform Cloud.
lego --domains example.****.com --email [email protected] --dns azuredns run
2023/10/05 13:18:38 [INFO] [example.****.com] acme: Obtaining bundled SAN certificate
2023/10/05 13:18:39 [INFO] [example.****.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/*******
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Could not find solver for: tls-alpn-01
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Could not find solver for: http-01
2023/10/05 13:18:39 [INFO] [example.****.com] acme: use dns-01 solver
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Preparing to solve DNS-01
2023/10/05 13:18:44 [INFO] [example.****.com] acme: Cleaning DNS-01 challenge
2023/10/05 13:18:47 [WARN] [example.****.com] acme: cleaning up failed: azuredns: DefaultAzureCredential: failed to acquire a token.
Attempted credentials:
EnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set
WorkloadIdentityCredential: no token file specified. Check pod configuration or set TokenFilePath in the options
ManagedIdentityCredential: managed identity timed out
AzureCLICredential: ERROR: Please run 'az login' to setup account.
What seems to work is putting the AZURE_OIDC_TOKEN
value in a file and then exporting AZURE_FEDERATED_TOKEN_FILE=token.txt
.
I will see if I can do this in Terraform but would prefer if it works out of the box.
2023/10/05 13:41:10 [INFO] [example.****.com] acme: Obtaining bundled SAN certificate
2023/10/05 13:41:11 [INFO] [example.****.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/********
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Could not find solver for: tls-alpn-01
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Could not find solver for: http-01
2023/10/05 13:41:11 [INFO] [example.****.com] acme: use dns-01 solver
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Preparing to solve DNS-01
2023/10/05 13:41:15 [INFO] [example.****.com] acme: Trying to solve DNS-01
2023/10/05 13:41:15 [INFO] [example.****.com] acme: Checking DNS record propagation using [*****]
2023/10/05 13:41:17 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/10/05 13:41:24 [INFO] [example.****.com] The server validated our request
2023/10/05 13:41:24 [INFO] [example.****.com] acme: Cleaning DNS-01 challenge
2023/10/05 13:41:26 [INFO] [example.****.com] acme: Validations succeeded; requesting certificates
2023/10/05 13:41:27 [INFO] [example.****.com] Server responded with a certificate.
Thanks!
from lego.
Yes this case is working because it is the mechanism used by Workload Identity Authentication as described in this doc.
But we still need to handle the other cases.
from lego.
Related Issues (20)
- update liquidweb HOT 1
- route53: aws-sdk-go-v2 broke IAM instance role HOT 5
- Vercel provider: could not find zone for domain HOT 5
- NIFCLOUD's DNS provider is no longer working since version 4.12.0.
- go version HOT 1
- GANDIv5: API Key and PAT HOT 1
- S3 with custom endpoint HOT 3
- Error when using LEGO v4.14.2 with OVH API in azukaar/Cosmos-Server project HOT 2
- Support passing a cloudflare zone id instead of a zone read key HOT 4
- Don't create CSRs with a Common Name that is longer than 64 bytes HOT 3
- Dnspod api deprecated HOT 1
- Route53 with delegated zone for dns acme detects wrong zone HOT 2
- route53: aws-sdk-go-v2 no longer allows empty region HOT 4
- Can't get single certificate for both `DOMAIN.com` and `*.DOMAIN.com` HOT 19
- Help with Bunny DNS / Lego / Traefik setup HOT 1
- Please release Azure OIDC support
- desec: increase default `DESEC_PROPAGATION_TIMEOUT` by 60s HOT 4
- directadmin plugin HOT 1
- AutoDNS - mandatory credentials listed as additional HOT 2
- ionos: DNS records not removed HOT 12
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lego.