<#
.SYNOPSIS
Sets up the configuration for a Let's Encrypt renewal web app (https://github.com/ohadschn/letsencrypt-webapp-renewer)
.DESCRIPTION
The Set-LetsEncryptSettings script sets up your letsencrypt-webapp-renewer web app with the required renewal Settings.
More information is available at https://github.com/ohadschn/letsencrypt-webapp-renewer#configuration.
.PARAMETER LetsEncryptSubscriptionId
Required. The ID of the subscription containing the letsencrypt-webapp-renewer Web App.
.PARAMETER LetsEncryptResourceGroup
Required. The name of the resource group containing the letsencrypt-webapp-renewer Web App.
.PARAMETER LetsEncryptWebApp
Required. The name of the letsencrypt-webapp-renewer Web App.
.PARAMETER SubscriptionId
Required. The ID of the subscription containing the Web App for which the certificate will be generated.
.PARAMETER ResourceGroup
Required. The name of the resource group containing the Web App for which the certificate will be generated.
.PARAMETER TenantId
Required. The ID of the tenant containing the letsencrypt-webapp-renewer Web App and the Web App(s) for which the certificate(s) will be generated.
.PARAMETER WebApp
Required. A semicolon-delimited list of App Service names for which the certificates will be generated.
.PARAMETER Hosts
Required. The hostnames to add to the SAN certificate(s).
Remarks: For multiple web apps, e.g. "foo;bar", use this syntax:
<WebAppName>:<Hostname>;<Hostname>,<WebAppName>:<Hostname>;<Hostname>.
Example: -Hosts "foo:foo.com;www.foo.com,bar:bar.com;www.bar.com"
.PARAMETER ClientId
Required. The ID of the AAD Service Principal for the WebJob.
.PARAMETER ClientSecret
Required. The token of the AAD Service Principal for the WebJob.
.PARAMETER Email
Required. E-mail for Let's Encrypt registration and expiry notifications.
.PARAMETER ServicePlanResourceGroup
Optional. The name of the Service Plan Resource Group.
Default: The value of the ResourceGroup parameter.
.PARAMETER UseIpBasedSsl
Optional. Indicates whether to use IP Based SSL.
Default: false
.PARAMETER RsaKeyLength
Optional. The length of the certificate's RSA key.
Default: 2048
.PARAMETER AcmeBaseUri
Optional. The ACME base URI.
Default: https://acme-v02.api.letsencrypt.org/directory
Staging: https://acme-staging-v02.api.letsencrypt.org/directory
.PARAMETER WebRootPath
Optional. Web Root Path for the HTTP challenge answer.
.PARAMETER RenewXNumberOfDaysBeforeExpiration
Optional. The number of days before certificate expiry to renew.
Default: -1
Remarks: Use a negative value to force renewal regardless of certificate expiry time.
.PARAMETER AzureDnsZoneName
Optional. The name of the Azure DNS Zone (e.g. domain.com)
.PARAMETER AzureDnsRelativeRecordSetName
Optional. The name of the Azure DNS Relative Record Set (e.g. subdomain).
.PARAMETER AzureDnsTenantId
Optional. The ID of the Azure DNS tenant.
Default: The value of the TenantId parameter.
.PARAMETER AzureDnsSubscriptionId
Optional. The ID of the Azure DNS Subscription.
Default: The value of the SubscriptionId parameter.
.PARAMETER AzureDnsResourceGroup
Optional. The name of the Azure DNS Resource Group.
Default: The value of the ResourceGroup parameter.
.PARAMETER AzureDnsClientId
Optional. The ID of the Azure DNS Client for the WebJob.
Default: The value of the ClientId parameter.
.PARAMETER AzureDnsClientSecret
Optional. The client secret of the Azure DNS Service Principal for the WebJob.
Default: The value of the ClientSecret parameter.
.PARAMETER SendGridApiKey
Optional. The SendGrid API key for sending email notifications.
#>
Param(
    # --- Renewer web app (where the settings are written) ---------------------------------------------
    [Parameter(Mandatory=$true)]
    [string]$LetsEncryptSubscriptionId,
    [Parameter(Mandatory=$true)]
    [string]$LetsEncryptResourceGroup,
    [Parameter(Mandatory=$true)]
    [string]$LetsEncryptWebApp,
    # --- Target web app(s) (for which certificates are issued) ----------------------------------------
    # Semicolon-delimited list; every per-app setting below is written once per entry.
    [Parameter(Mandatory=$true)]
    [string]$WebApp,
    # "<WebAppName>:<Host>;<Host>,<WebAppName>:<Host>" - see the help above for the exact syntax.
    [Parameter(Mandatory=$true)]
    [string]$Hosts,
    [Parameter(Mandatory=$true)]
    [string]$SubscriptionId,
    [Parameter(Mandatory=$true)]
    [string]$ResourceGroup,
    [Parameter(Mandatory=$true)]
    [string]$TenantId,
    [Parameter(Mandatory=$true)]
    [string]$ClientId,
    # NOTE(review): secrets are accepted as plain [string]; values passed on the command line may be
    # retained by shell history or transcripts. They are stored as connection strings, not app settings.
    [Parameter(Mandatory=$true)]
    [string]$ClientSecret,
    [Parameter(Mandatory=$true)]
    [string]$Email,
    # --- Optional settings ----------------------------------------------------------------------------
    # The defaults listed in the help are NOT applied by this script: an unset (empty/false/zero)
    # value is simply skipped by Set-LetsEncryptConfig, leaving the renewer's own default in effect.
    [Parameter(Mandatory=$false)]
    [string]$ServicePlanResourceGroup,
    [Parameter(Mandatory=$false)]
    [bool]$UseIpBasedSsl,
    [Parameter(Mandatory=$false)]
    [int]$RsaKeyLength,
    [Parameter(Mandatory=$false)]
    [string]$AcmeBaseUri,
    [Parameter(Mandatory=$false)]
    [string]$WebRootPath,
    # Negative values are truthy and therefore written; 0 is skipped.
    [Parameter(Mandatory=$false)]
    [int]$RenewXNumberOfDaysBeforeExpiration,
    [Parameter(Mandatory=$false)]
    [string]$AzureDnsZoneName,
    [Parameter(Mandatory=$false)]
    [string]$AzureDnsRelativeRecordSetName,
    [Parameter(Mandatory=$false)]
    [string]$AzureDnsTenantId,
    [Parameter(Mandatory=$false)]
    [string]$AzureDnsSubscriptionId,
    [Parameter(Mandatory=$false)]
    [string]$AzureDnsResourceGroup,
    [Parameter(Mandatory=$false)]
    [string]$AzureDnsClientId,
    # Stored as a connection string (see the main script), like $ClientSecret.
    [Parameter(Mandatory=$false)]
    [string]$AzureDnsClientSecret,
    # Stored as a single (not per-web-app) connection string.
    [Parameter(Mandatory=$false)]
    [string]$SendGridApiKey
)
#- Load functions -----------------------------------------------------------------------------------------------------------------------------------
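Function Set-LetsEncryptConfig {
    <#
    .SYNOPSIS
    Records one renewal setting for every web app in a semicolon-delimited list.
    .DESCRIPTION
    A value that evaluates to $false (empty string, $false, 0, $null) is treated as "not provided" and
    skipped, so the renewer's own default - or a value already present in the app settings - stays in
    effect. The "hosts" setting is special: its value has the form
    "<WebApp>:<Host>;<Host>,<WebApp>:<Host>" and only the entry whose web-app prefix matches the
    current web app is stored for that app. Entries without a "<WebApp>:" prefix are rejected with a
    clear error instead of failing on an out-of-range index under strict mode, and a web app with no
    matching entry produces a warning.
    .PARAMETER AppSettings
    Hashtable of app settings, updated in place via Register-Setting.
    .PARAMETER WebApp
    Semicolon-delimited list of web app names.
    .PARAMETER Name
    Setting name without the letsencrypt prefix or the web-app qualifier.
    .PARAMETER Value
    Setting value; skipped when it evaluates to $false.
    #>
    Param(
        [Parameter(Mandatory=$true)]
        [hashtable]$AppSettings,
        [Parameter(Mandatory=$true)]
        [string]$WebApp,
        [Parameter(Mandatory=$true)]
        [string]$Name,
        [Parameter(Mandatory=$false)]
        [object]$Value
    )
    If (-not $Value) {
        Write-Information "Value not provided for optional app setting '$Name' - skipping..."
        Return
    }
    ForEach ($CurrentWebApp in $WebApp.Split(";")) {
        If ($Name.ToLower() -ne "hosts") {
            Register-Setting -AppSettings $AppSettings -WebApp $CurrentWebApp -Name $Name -Value $Value
            Continue
        }
        $Matched = $false
        ForEach ($Item in $Value.Split(",")) {
            # Split on the first ':' only, so a hostname containing ':' is not truncated.
            $Parts = $Item -split ":", 2
            If ($Parts.Count -lt 2) {
                Throw "Invalid -Hosts entry '$Item': expected '<WebAppName>:<Hostname>;<Hostname>'."
            }
            # -eq on strings is case-insensitive, matching how the web app list is compared elsewhere.
            If ($Parts[0] -eq $CurrentWebApp) {
                Register-Setting -AppSettings $AppSettings -WebApp $CurrentWebApp -Name $Name -Value $Parts[1]
                $Matched = $true
            }
        }
        If (-not $Matched) {
            Write-Warning "No -Hosts entry found for web app '$CurrentWebApp' - its 'hosts' setting was not updated."
        }
    }
}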
Function Register-Setting {
    <#
    .SYNOPSIS
    Stores a single per-web-app setting in the app settings hashtable.
    .DESCRIPTION
    The key is "<prefix><WebApp>-<Name>", where the prefix is read from the script-scope
    $LetsEncryptPrefix variable (defined by the calling script, not by this function).
    The value is echoed with Write-Information, so this function is only suitable for non-secret settings.
    .PARAMETER AppSettings
    Hashtable updated in place.
    .PARAMETER WebApp
    A single web app name (already split from the semicolon-delimited list).
    .PARAMETER Name
    Setting name without prefix or web-app qualifier.
    .PARAMETER Value
    Setting value, stored as a string.
    #>
    Param (
        [Parameter(Mandatory=$true)]
        [hashtable]$AppSettings,
        [Parameter(Mandatory=$true)]
        [string]$WebApp,
        [Parameter(Mandatory=$true)]
        [string]$Name,
        [Parameter(Mandatory=$true)]
        [string]$Value
    )
    $Key = '{0}{1}-{2}' -f $LetsEncryptPrefix, $WebApp, $Name
    Write-Information "Setting '$Name' to '$Value'..."
    $AppSettings[$Key] = [string]$Value
}
#- Start script -------------------------------------------------------------------------------------------------------------------------------------
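Set-StrictMode -Version Latest
Clear
$InformationPreference = "Continue"
$ErrorActionPreference = "Stop"
# Key prefix shared with Register-Setting, which reads it through script scope.
$LetsEncryptPrefix = "letsencrypt:"
# Target web apps as a list; blank entries from a stray ';' are dropped so they never become keys.
$NewWebApps = @($WebApp.Split(";") | Where-Object { $_ })
Write-Information "Signing in to Azure Resource Manager account (use the account that contains your Let's Encrypt renewal web app)..."
Login-AzureRmAccount
Write-Information "Setting context to the Let's Encrypt subscription ID..."
Set-AzureRmContext -SubscriptionId $LetsEncryptSubscriptionId
Write-Information "Reading existing Let's Encrypt app settings..."
$LetsEncryptWebAppInfo = Get-AzureRmWebApp -ResourceGroupName $LetsEncryptResourceGroup -Name $LetsEncryptWebApp
Write-Information "Updating existing app settings..."
# The complete collection is handed to Set-AzureRmWebApp at the end, so copy the existing settings first
# to avoid losing any that this script does not manage.
$UpdatedAppSettings = @{}
ForEach ($AppSetting in $LetsEncryptWebAppInfo.SiteConfig.AppSettings) {
    $UpdatedAppSettings[$AppSetting.Name] = $AppSetting.Value
}
Write-Information "Adding new app settings..."
$WebAppsKey = $LetsEncryptPrefix + "webApps"
# Merge the new web apps into the list already registered (case-insensitive), ignoring blank entries.
$MergedWebApps = @()
If ($UpdatedAppSettings.ContainsKey($WebAppsKey)) {
    $MergedWebApps = @($UpdatedAppSettings[$WebAppsKey].Split(";") | Where-Object { $_ })
}
ForEach ($NewWebApp in $NewWebApps) {
    If ($MergedWebApps -notcontains $NewWebApp) {
        $MergedWebApps += $NewWebApp
    }
}
$UpdatedAppSettings[$WebAppsKey] = $MergedWebApps -join ";"
# Per-web-app settings, written in this order. Values that evaluate to $false are skipped by
# Set-LetsEncryptConfig. Secrets are deliberately absent here (see connection strings below).
$RenewalSettings = [ordered]@{
    acmeBaseUri                        = $AcmeBaseUri
    azureDnsClientId                   = $AzureDnsClientId
    azureDnsRelativeRecordSetName      = $AzureDnsRelativeRecordSetName
    azureDnsResourceGroup              = $AzureDnsResourceGroup
    azureDnsSubscriptionId             = $AzureDnsSubscriptionId
    azureDnsTenantId                   = $AzureDnsTenantId
    azureDnsZoneName                   = $AzureDnsZoneName
    clientId                           = $ClientId
    email                              = $Email
    hosts                              = $Hosts
    renewXNumberOfDaysBeforeExpiration = $RenewXNumberOfDaysBeforeExpiration
    resourceGroup                      = $ResourceGroup
    rsaKeyLength                       = $RsaKeyLength
    servicePlanResourceGroup           = $ServicePlanResourceGroup
    subscriptionId                     = $SubscriptionId
    tenantId                           = $TenantId
    useIpBasedSsl                      = $UseIpBasedSsl
    webRootPath                        = $WebRootPath
}
ForEach ($Setting in $RenewalSettings.GetEnumerator()) {
    Set-LetsEncryptConfig -AppSettings $UpdatedAppSettings -WebApp $WebApp -Name $Setting.Key -Value $Setting.Value
}
Write-Information "Updating existing connection strings..."
$UpdatedConnectionStrings = @{}
ForEach ($ConnectionString in $LetsEncryptWebAppInfo.SiteConfig.ConnectionStrings) {
    $UpdatedConnectionStrings[$ConnectionString.Name] = @{ Type = $ConnectionString.Type.ToString(); Value = $ConnectionString.ConnectionString }
}
Write-Information "Adding new connection string..."
# Secrets go into connection strings (one per web app) rather than app settings, and their values are
# never written to the information stream by this script.
$PerWebAppSecrets = [ordered]@{
    clientSecret         = $ClientSecret
    azureDnsClientSecret = $AzureDnsClientSecret
}
ForEach ($Secret in $PerWebAppSecrets.GetEnumerator()) {
    If (-not $Secret.Value) {
        Continue
    }
    ForEach ($NewWebApp in $NewWebApps) {
        $UpdatedConnectionStrings["$LetsEncryptPrefix$NewWebApp-$($Secret.Key)"] = @{ Type = "Custom"; Value = $Secret.Value }
    }
}
If ($SendGridApiKey) {
    $UpdatedConnectionStrings[$LetsEncryptPrefix + "SendGridApiKey"] = @{ Type = "Custom"; Value = $SendGridApiKey }
}
Write-Information "Updating settings..."
Set-AzureRmWebApp -ResourceGroupName $LetsEncryptResourceGroup -Name $LetsEncryptWebApp -AppSettings $UpdatedAppSettings -ConnectionStrings $UpdatedConnectionStrings
Write-Information "Let's Encrypt settings updated successfully"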