
Getting Started

Tatsuro Shibamura edited this page Dec 25, 2022 · 4 revisions

1. Deploy Acmebot

Use Azure Portal (ARM Template)

  • Azure (Public)
  • Azure China
  • Azure Government

Use Terraform Module

Learn more at https://registry.terraform.io/modules/shibayan/containerapps-acmebot/azurerm/latest

Use Bicep Module

  • Private Registry cracmebotprod.azurecr.io/bicep/modules/containerapps-acmebot

2. Add application settings

Update the following configuration settings of the Function App:

  • Acmebot:Webhook
    • Webhook destination URL (optional, Slack and Microsoft Teams are recommended)

There are also additional settings that will be automatically created by Container Apps Acmebot:

  • Acmebot:Endpoint
    • The ACME endpoint used to issue certificates
  • Acmebot:Contacts
    • The email address (required) used in ACME account registration

3. Enable App Service Authentication

You must enable Authentication on the Function App that is deployed as part of this application.

In the Azure Portal, open the Function blade, select the Authentication menu, and enable App Service authentication. Click the Add identity provider button to display the screen for adding a new identity provider. If you select Microsoft as your identity provider, the required settings are filled in automatically. The default settings are fine.

Add an Identity provider

Make sure that the App Service Authentication setting is set to Require authentication. The permissions can basically be left at the default settings.

App Service Authentication settings

If you are using a sovereign cloud, you may not be able to select Express. In that case, enable authentication from the advanced settings by following this document:

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-configure-with-advanced-settings

Finally, save the settings to enable App Service authentication.

4. Add access control (IAM) to the target resource group

Open the Access control (IAM) of the target resource group and assign the Contributor role to the deployed Container Apps and Azure DNS zones.

RBAC setting

Assign the DNS Zone Contributor role to the deployed Acmebot if Azure DNS resides in a separate resource group.

5. Access the Function App

Open https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate in a browser and authenticate with Azure Active Directory; the Web UI will be displayed. Select the target Container Apps Environment and DNS zone on that screen and run it. The certificate will be issued after a few tens of seconds.

Add certificate

If the Access control (IAM) setting is not correct, nothing will be shown in the drop-down list.
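
To confirm that the Require authentication setting from step 3 is actually in effect, the script below requests the Web UI without credentials and classifies the answer. It is an added example, not part of the Acmebot project. The function names are hypothetical, and the sign-in hosts it accepts as redirect targets are assumptions about the Microsoft identity provider in the three clouds listed in step 1.

```shell
#!/bin/sh
# Added example (not project code): check what an anonymous client gets
# from the Acmebot Web UI after App Service Authentication is enabled.

# classify_auth STATUS LOCATION
#   protected = anonymous request was rejected or sent to sign-in
#   exposed   = the page was served without authentication
#   review    = anything else; inspect the app manually
classify_auth() {
    status=$1
    location=$2
    case "$status" in
        401|403)
            echo "protected" ;;
        302)
            # A redirect only counts if it leads to the built-in /.auth
            # endpoint or to a Microsoft sign-in host (assumed list).
            case "$location" in
                */.auth/login/*|https://login.microsoftonline.com/*|https://login.microsoftonline.us/*|https://login.chinacloudapi.cn/*)
                    echo "protected" ;;
                *)
                    echo "review" ;;
            esac ;;
        200)
            echo "exposed" ;;
        *)
            echo "review" ;;
    esac
}

# check_acmebot_auth URL
#   Sends one request with no cookies or token and does not follow redirects.
check_acmebot_auth() {
    out=$(curl -s -o /dev/null --max-time 15 \
        -w '%{http_code} %{redirect_url}' "$1") || { echo "unreachable"; return 2; }
    classify_auth "${out%% *}" "${out#* }"
}

# Usage: sh check.sh https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate
if [ -n "${1:-}" ]; then
    check_acmebot_auth "$1"
fi
```

A result of `exposed` means the certificate UI is reachable without sign-in and the Authentication settings should be rechecked before the app is used.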