CTW with Azure DNS validation and push to Azure App Proxy?

I’m interested in moving from Win-ACME to CTW because my Let’s Encrypt setup is becoming more complex. I’m going to be securing web apps behind an Azure Application Proxy and I need a solution that can achieve two main goals:

  • Validate domain ownership using Azure DNS (since the web apps will no longer be reachable over port 80)
  • Export the certificate to Azure Application Proxy (PFX?) as an automated renewal step.

I do have one non-public web app I can freely tinker with while attempting to get this working, but the end goal would be to license CTW for a handful of web apps I’m placing behind the Azure Application Proxy and get the whole renewal process under one solution. Thank you!

Hi, we do have some built-in tasks for Azure deployment (Key Vault and App Services), but currently not a specific solution for Azure App Proxy. I’ve looked at other Azure targets (App Gateway etc.) but for us it’s a balance of how many libraries and dependencies we want to add to the app vs the benefit for users, and also every scenario we add is one we have to maintain.

We do support Azure DNS for DNS validation.

Can Azure App Proxy use a certificate from a keyvault? If so, I’d suggest adding a Deploy To Azure KeyVault deployment task, then let the proxy pick up the certificate from there.

You can also perform scripted deployments to some extent, using the PowerShell script task.

Ah, darn. I appreciate your quick reply! From what I’ve found, it doesn’t look like Azure App Proxy can utilize Azure keyvault. I’m trying to determine if Azure Application Gateway might have the functionality I’m looking for; it looks like App Gateway and App Proxy share some overlap, with App Gateway having more cert features. I’m communicating with MS support but it’s slow going.

It sounds like I should stick with Win-ACME with the Azure challenge option and either automate the cert export myself through PowerShell (if App Proxy supported it) or reconsider whether I need custom domains in the App Proxy.

Thank you!

I believe app gateway can use keyvault, so theoretically you could just publish to keyvault (you need to set a certificate password in your PFX, under Certificate > Advanced > Signing & Security, then re-request the cert).

Another approach is to publish to keyvault (or anywhere, even the filesystem, using the certificate export task), then have your own scheduled task pick up the file and publish it (anywhere) using PowerShell. This splits your steps into certificate renewal vs certificate deployment and they can be independent of each other.

In general if it can be done in win-acme it can also be done in Certify The Web, and vice-versa, the main difference is in manageability at scale. Certify The Web is designed to handle thousands of certificates on one server and has a few advanced features (like our deployment tasks).
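The split-renewal/deployment approach described above, as an added example that is not code from this thread or from Certify The Web: a scheduled-task script that picks up a PFX written by a certificate export task, checks it before deploying, and publishes it to Key Vault with the Az.KeyVault module. The export path, vault and certificate names, the expected hostname and the `PFX_PASSWORD` environment variable are assumptions.

```powershell
# Added example (hypothetical paths and names): pick up an exported PFX, validate it,
# and publish it to Azure Key Vault only when it has not been deployed yet.
param(
    [string]$PfxPath     = 'C:\certs\export\webapp.pfx',      # written by the export task
    [string]$ExpectedDns = 'app.example.com',                 # name fronted by the proxy
    [string]$VaultName   = 'kv-placeholder',
    [string]$KvCertName  = 'webapp-tls',
    [string]$StateFile   = 'C:\certs\export\last-deployed.txt'
)
$ErrorActionPreference = 'Stop'

# The PFX password is never hard-coded; the scheduled task supplies it via the
# environment from a protected source (assumption for this example).
if (-not $env:PFX_PASSWORD) { throw 'PFX_PASSWORD is not set' }
$pfxPwd = ConvertTo-SecureString -String $env:PFX_PASSWORD -AsPlainText -Force

# Load the certificate in memory without installing it into any store.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPwd)

# Idempotency: deploy only if this thumbprint differs from the last one we pushed.
$last = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw).Trim() } else { '' }
if ($cert.Thumbprint -eq $last) { Write-Output "Already deployed $($cert.Thumbprint)"; return }

# Does one of the SANs cover the hostname? Wildcards match exactly one label.
function Test-NameCovered([string[]]$Sans, [string]$HostName) {
    foreach ($san in $Sans) {
        if ($san -eq $HostName) { return $true }
        if ($san.StartsWith('*.') -and $HostName.EndsWith($san.Substring(1))) {
            $label = $HostName.Substring(0, $HostName.Length - $san.Length + 1)
            if ($label -and -not $label.Contains('.')) { return $true }
        }
    }
    return $false
}

# Sanity checks before touching anything: private key present, currently valid, right name.
if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key' }
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { throw "Certificate not valid at $now" }
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not (Test-NameCovered $names $ExpectedDns)) {
    throw "Certificate SANs ($($names -join ', ')) do not cover $ExpectedDns"
}

# Publish with the server's managed identity (needs Key Vault certificate write rights).
Connect-AzAccount -Identity | Out-Null
Import-AzKeyVaultCertificate -VaultName $VaultName -Name $KvCertName -FilePath $PfxPath -Password $pfxPwd | Out-Null

# Record what was deployed so subsequent runs are no-ops until the next renewal.
Set-Content -Path $StateFile -Value $cert.Thumbprint
Write-Output "Deployed $($cert.Thumbprint) (expires $($cert.NotAfter)) to $VaultName/$KvCertName"
```

The Key Vault import is the only step that is specific to this target; the same pickup and validation logic can precede any other deployment command in the script.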

That makes sense. Thank you very much for the comprehensive reply! You are correct that App Gateway can tap into keyvault, but I don’t believe App Proxy can. There’s not a lot of info about App Proxy online for some reason.

For now, I’m going to stick with Win-ACME since my servers are already using it and I have successfully implemented the Azure DNS validation feature. But I will keep CTW in mind in case I have scaling issues or Azure ever updates app proxy to allow access from keyvault. I’m going to rely on a wildcard cert for app proxy and continue to automate my internal web app certs individually with Let’s Encrypt.

Here’s wishing you a happy new year!


How did you get on with this? I was considering the exact same thing, and looking to retrieve a cert from AKV for App Proxy.

Did you find a good alternative?

(Love CTW by the way!!!)

@sossie is Azure App Proxy the same as Entra Application Proxy? I see MS have an example PowerShell script: PowerShell sample - Replace certificate in Microsoft Entra application proxy apps - Microsoft Entra ID | Microsoft Learn