A repository containing my custom Azure Functions.
A function that acts as a receiver for webhooks from the DNSimple API. Only v2 of the API and the `certificate.issue` payload are currently supported.
On receipt of a `certificate.issue` event, the function queries the DNSimple API for the associated certificate issue or re-issue (such as a Let's Encrypt TLS certificate renewal) to obtain the certificate (public key), its chain, and the private key, which are then uploaded as blobs to an Azure storage account container. A PFX file is also generated from the certificate and private key and uploaded to the same blob container. The certificate material is fetched from the authenticated DNSimple API rather than taken from the webhook body, so the webhook only identifies which certificate to retrieve. Note that the container therefore holds private keys: restrict access to it accordingly, since a storage account connection string grants full access to every container in the account.
Files are stored in the `certificates` container of the configured storage account using the naming convention shown below, for each file type that the DNSimple API makes available:

```
{commonName}_{thumbprint}_{timestamp}.cert.pem
{commonName}_{thumbprint}_{timestamp}.chain.pem
{commonName}_{thumbprint}_{timestamp}.chain.{index}.pem
{commonName}_{thumbprint}_{timestamp}.root.pem
{commonName}_{thumbprint}_{timestamp}.privkey.pem
{commonName}_{thumbprint}_{timestamp}.privkey.pfx
```
- `{commonName}` is the Common Name (`CN={commonName}`) value from the certificate with `.` characters replaced by `_`.
- `{thumbprint}` is the lower-case thumbprint of the certificate.
- `{timestamp}` is the Not Before UTC date of the certificate in the format `yyyy-MM-dd`.
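The naming convention above, as an added example that is not part of this repository's code (the README does not show the project's own language, so Python is used here). It builds the blob names from certificate fields that the caller has already extracted from the certificate (common name, SHA-1 thumbprint, Not Before), and parses a blob name back into those fields, which is the check the second function's `{name}.privkey.pfx` trigger relies on. `FILE_KINDS`, `blob_names`, `parse_blob_name` and `is_pfx_trigger` are hypothetical names, and the sample inputs are constructed; the `.chain.{index}.pem` index starting at 0 is an assumption, since the README does not state the index origin.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical helper names; the README does not show the project's own code.
FILE_KINDS = ("cert.pem", "chain.pem", "root.pem", "privkey.pem", "privkey.pfx")

# The thumbprint and timestamp fields have fixed widths, so the greedy common-name
# group is unambiguous even though it may itself contain '_' (from replaced '.').
_BLOB_NAME_RE = re.compile(
    r"^(?P<cn>.+)_(?P<tp>[0-9a-f]{40})_(?P<ts>\d{4}-\d{2}-\d{2})"
    r"\.(?P<kind>cert\.pem|chain\.pem|chain\.\d+\.pem|root\.pem|privkey\.pem|privkey\.pfx)$"
)


def blob_base_name(common_name: str, thumbprint: str, not_before: datetime) -> str:
    """Build '{commonName}_{thumbprint}_{timestamp}' from already-extracted certificate fields."""
    if not_before.tzinfo is None:
        # A naive NotBefore is ambiguous; the README says the UTC date is used.
        raise ValueError("not_before must be timezone-aware")
    cn = common_name.replace(".", "_")
    # Accept the common 'AB:CD:..' and 'AB CD ..' spellings and normalise to lower-case hex.
    tp = re.sub(r"[\s:]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", tp):
        raise ValueError("thumbprint must be a 40-character SHA-1 hex string")
    ts = not_before.astimezone(timezone.utc).strftime("%Y-%m-%d")
    return f"{cn}_{tp}_{ts}"


def blob_names(common_name: str, thumbprint: str, not_before: datetime, chain_count: int = 0) -> List[str]:
    """All blob names written for one certificate; chain_count adds '.chain.{index}.pem' files
    (index origin 0 is an assumption, the README does not state it)."""
    base = blob_base_name(common_name, thumbprint, not_before)
    names = [f"{base}.{kind}" for kind in FILE_KINDS]
    names += [f"{base}.chain.{i}.pem" for i in range(chain_count)]
    return names


def parse_blob_name(name: str) -> Optional[dict]:
    """Inverse of blob_names: split a blob name into cn/tp/ts/kind, or None if it does not match."""
    m = _BLOB_NAME_RE.match(name)
    return m.groupdict() if m else None


def is_pfx_trigger(name: str) -> bool:
    """True for blobs matching '{name}.privkey.pfx', the pattern the binding function triggers on."""
    parsed = parse_blob_name(name)
    return parsed is not None and parsed["kind"] == "privkey.pfx"


# Constructed sample input: a NotBefore of 2019-03-31 23:30 at UTC-2 is 2019-04-01 in UTC,
# which is why the timestamp must be derived from the UTC value.
SAMPLE_NOT_BEFORE = datetime(2019, 3, 31, 23, 30, tzinfo=timezone(timedelta(hours=-2)))
SAMPLE_THUMBPRINT = "AB" * 20  # constructed, not a real certificate thumbprint

if __name__ == "__main__":
    for n in blob_names("www.example.com", SAMPLE_THUMBPRINT, SAMPLE_NOT_BEFORE, chain_count=2):
        print(n, "-> pfx trigger" if is_pfx_trigger(n) else "")
```

Rejecting a naive `not_before` is deliberate: .NET's `X509Certificate2.NotBefore` is a local time, and using it without converting to UTC would produce a different `{timestamp}` depending on the function host's time zone.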
Key | Default Value | Description |
---|---|---|
`CERTIFICATE_PASSWORD` | None | The password to use for generated .pfx files uploaded to blob storage. |
`CERTIFICATE_STORE_CONNECTION` | None | The connection string for the blob storage account to upload certificate files to. |
`DNSIMPLE_URL` | `https://api.dnsimple.com` | The URL of the DNSimple API. |
`DNSIMPLE_TOKEN` | None | The access token to use for the DNSimple API. |
A function that is invoked when blobs are created/updated in the `certificates` container of the configured Azure storage account that match the naming convention `{name}.privkey.pfx`, and binds them to any App Service instances in the configured Azure subscription.
The certificate is bound to the TLS/SSL bindings associated with the Common Name and any Subject Alternative Names of the certificate for an App Service instance, provided that:
- The Not Before timestamp of the certificate is in the past.
- The Not After timestamp of the certificate is in the future.
- The host name has an existing TLS binding.
- The thumbprint of the certificate differs from the currently configured certificate for the binding.
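The four binding conditions above, as an added example that is not part of this repository's code (written in Python, since the README does not show the project's language). For one App Service instance it takes the decoded certificate fields and a map of the site's host names to the thumbprint of their current TLS binding, and returns the host names whose binding should be updated. `CertificateInfo`, `hostnames_to_rebind` and the sample data are hypothetical and constructed; in the real function the same decision would be made for every App Service in the subscription. Host names are compared exactly; a wildcard SAN such as `*.example.com` is not expanded here, which the README does not address.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class CertificateInfo:
    """Fields the binding function would read from the decoded PFX (illustrative names)."""
    thumbprint: str
    common_name: str
    not_before: datetime
    not_after: datetime
    subject_alternative_names: List[str] = field(default_factory=list)


def certificate_hostnames(cert: CertificateInfo) -> Set[str]:
    """CN plus DNS SANs, lower-cased and de-duplicated (CN is usually repeated in the SANs)."""
    return {h.lower() for h in [cert.common_name, *cert.subject_alternative_names]}


def certificate_is_current(cert: CertificateInfo, now: datetime) -> bool:
    """Conditions 1 and 2: Not Before in the past, Not After in the future."""
    return cert.not_before <= now <= cert.not_after


def hostnames_to_rebind(cert: CertificateInfo,
                        site_bindings: Dict[str, Optional[str]],
                        now: Optional[datetime] = None) -> List[str]:
    """Host names on one App Service whose TLS binding should be switched to `cert`.

    site_bindings maps each custom host name of the site to the thumbprint of its current
    TLS binding, or None when the host name exists but has no TLS binding. Host names the
    certificate covers but the site does not have are ignored.
    """
    now = now or datetime.now(timezone.utc)
    if not certificate_is_current(cert, now):
        return []  # a not-yet-valid or expired certificate is never bound
    bindings = {h.lower(): tp for h, tp in site_bindings.items()}
    new_tp = cert.thumbprint.lower()
    to_rebind = []
    for host in sorted(certificate_hostnames(cert)):
        current_tp = bindings.get(host)
        if current_tp is None:
            continue  # condition 3: no existing TLS binding (or host not on this site)
        if current_tp.lower() == new_tp:
            continue  # condition 4: already bound to this exact certificate
        to_rebind.append(host)
    return to_rebind


# Constructed sample data; thumbprints are placeholders, not real certificate hashes.
SAMPLE_CERT = CertificateInfo(
    thumbprint="AA" * 20,
    common_name="www.example.com",
    not_before=datetime(2019, 4, 1, tzinfo=timezone.utc),
    not_after=datetime(2019, 6, 30, tzinfo=timezone.utc),
    subject_alternative_names=["www.example.com", "example.com", "api.example.com"],
)
SAMPLE_BINDINGS = {
    "www.example.com": "bb" * 20,    # bound to an older certificate: rebind
    "example.com": "aa" * 20,        # already bound to this certificate: skip
    "api.example.com": None,         # host on the site but no TLS binding: skip
    "other.example.org": "cc" * 20,  # not covered by the certificate: ignored
}
NOW_VALID = datetime(2019, 5, 1, tzinfo=timezone.utc)
NOW_TOO_EARLY = datetime(2019, 3, 1, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2019, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(hostnames_to_rebind(SAMPLE_CERT, SAMPLE_BINDINGS, NOW_VALID))
```

Keeping the validity check separate from the per-host loop means an expired or not-yet-valid PFX short-circuits before any binding is touched, and treating "no TLS binding" the same as "host not on this site" avoids creating new bindings on sites that never had TLS enabled for that host.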
Key | Default Value | Description |
---|---|---|
`AZURE_CREDENTIALS_FILE` | `%USERPROFILE%\.azure\credentials.json` | The path to the Azure credentials file to use to authenticate with Azure Resource Management APIs if not using Service Principal or Managed Service Identity authentication. |
`AZURE_SUBSCRIPTION_ID` | None | The Id of the Azure subscription to configure App Service instances in. |
`CERTIFICATE_PASSWORD` | None | The password associated with the X.509 certificates stored in the Azure storage account. |
`CERTIFICATE_STORE_CONNECTION` | None | The connection string for the blob storage account which X.509 certificates are stored in. |
`SERVICE_PRINCIPAL_CLIENT_ID` | None | The client Id to use for Service Principal authentication. |
`SERVICE_PRINCIPAL_CLIENT_SECRET` | None | The client secret to use for Service Principal authentication. |
`SERVICE_PRINCIPAL_TENANT_ID` | None | The tenant Id to use for Service Principal authentication. |
`USE_MANAGED_SERVICE_IDENTITY` | `false` | Whether to use Managed Service Identity authentication with Azure Resource Management APIs. |
`USE_SERVICE_PRINCIPAL` | `true` | Whether to use a Service Principal for authentication with Azure Resource Management APIs. |
You must also set `WEBSITE_LOAD_CERTIFICATES` to `*` in the function's Application settings in the Azure portal so that the private keys of the X.509 certificates can be loaded.