How to use Azure Automation to issue Let's Encrypt certificates

Use Azure Automation with the Let's Encrypt free certificate authority to create, validate and install certificates on a firewall.


The Let's Encrypt open certificate authority exists so that web traffic no longer has to travel in plaintext. It issues digital certificates for free, and in the right circumstances the whole process, from request to renewal, is automated.

Let’s Encrypt is fully automated in most instances. In Windows, for example, you can automatically issue certificates from Let’s Encrypt using PowerShell and AWS.

[Figure 1: Issued certificate (Robert Pearman)]

If you've followed the steps in the article on using Let's Encrypt with PowerShell and AWS, you can then configure Azure Automation to handle the creation, validation and installation of a certificate on a firewall. Here's what you need to do.

Log into your Azure portal. Click on “Create a Resource” and search for Azure Automation.

[Figure 2: Add Azure Automation (Robert Pearman)]

You will need to enter information about the Automation account including the location it will run (Azure Datacenter geographic location) and the resource group. In a separate browser window, go to PowerShell Gallery. Search for “Posh-ACME”. In the results, select “Posh-ACME” and click on “Azure Automation” under “Installation Options”. Click on “Deploy to Azure Automation”.

[Figure 3: Deploy to Azure Automation (Robert Pearman)]

It will ask you which Automation account to import into. Choose the one created in the previous step, then click “OK”. It may take a few minutes to import. Repeat this process for AWSPowerShell and Posh-SSH, making sure each deployment completes before moving to the next.

Create credential objects

Now you will create some credential objects, which are a way to securely store credentials in Azure Automation for use in runbooks. Under “Shared Resources”, click on “Credentials”. Click on “Add a Credential”.

[Figure 4: Modules gallery (Robert Pearman)]

The name you enter is a descriptive name you will call in the run book, so make sure it is descriptive enough that you know what it does. I am creating a credential object to store my AWS Route53 IAM credentials.

[Figure 5: Add a credential (Robert Pearman)]

I am also repeating the process to create credentials for the Fortinet router I want to connect to later.

Create a runbook

Next, you will create a runbook. Under “Process Automation” select “Runbook” and click on “Create a runbook”. You need to enter a runbook name, choose the type, which should be PowerShell, and then click on “Create”. A runbook is essentially an instance of a PowerShell task.

[Figure 6: Create a runbook (Robert Pearman)]

Once the runbook is created, you are taken to the runbook editor, a page where you can edit your PowerShell code. First, you define the parameters you will need to request the certificate. Those are:

  • LE_SERVER
  • Domain
  • Challenge Domain
  • Contact
  • AWSCredential

The LE_Server can either be “Stage” or “Production” (in Posh-ACME terms, the LE_STAGE and LE_PROD servers). The staging server is used for testing: it lets you request many certificates, but they are issued by a certificate authority that browsers do not trust. The production server issues browser-trusted certificates but is rate-limited to a set number of requests per week.

The domain is the common name (CN) you want your certificate to be issued for. The challenge domain is the fully qualified domain name (FQDN) of the CNAME record created in the article on using Let’s Encrypt with PowerShell and AWS. Contact is the email address you are using for notifications about the certificate. AWSCredential is the name of the credential object you stored your IAM credentials in.
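The following is an added example of what the request stage of such a runbook can look like; it is not the article's own code. It assumes the Posh-ACME and AWSPowerShell modules have been imported into the Automation account, that the credential object named by AWSCredential holds the IAM access key ID as the username and the secret key as the password, and it uses Posh-ACME's own LE_STAGE and LE_PROD names for the LE_SERVER value. The ChallengeDomain parameter is passed as Posh-ACME's -DnsAlias so the TXT record is written at the CNAME target rather than at _acme-challenge under the domain.

```powershell
# Added example (not the article's runbook): request a Let's Encrypt certificate
# from an Azure Automation PowerShell runbook with Posh-ACME and the Route53 plugin.
param(
    [Parameter(Mandatory)][ValidateSet('LE_STAGE', 'LE_PROD')]
    [string]$LE_SERVER,                               # staging for testing, production for trusted certs
    [Parameter(Mandatory)][string]$Domain,            # common name, e.g. fw.example.com
    [Parameter(Mandatory)][string]$ChallengeDomain,   # FQDN that _acme-challenge.<Domain> CNAMEs to
    [Parameter(Mandatory)][string]$Contact,           # email for expiry notifications
    [Parameter(Mandatory)][string]$AWSCredential      # name of the Automation credential object
)

Import-Module Posh-ACME

# Pull the Route53 IAM keys from the Automation credential store at run time,
# so nothing secret is written into the runbook text itself.
$awsCred = Get-AutomationPSCredential -Name $AWSCredential

# Select the ACME directory. Staging has generous rate limits but untrusted certs.
Set-PAServer $LE_SERVER

# The Route53 plugin takes the access key as a string and the secret as a SecureString,
# which is exactly how a PSCredential stores its two halves.
$pluginArgs = @{
    R53AccessKey = $awsCred.UserName
    R53SecretKey = $awsCred.Password
}

# -DnsPlugin is the Posh-ACME 3.x parameter name; 4.x keeps it as an alias of -Plugin.
# The Automation sandbox starts clean on every run, so each run places a fresh order.
$pa = New-PACertificate $Domain -AcceptTOS -Contact $Contact `
        -DnsPlugin Route53 -PluginArgs $pluginArgs -DnsAlias $ChallengeDomain

if (-not $pa) { throw "Certificate for $Domain was not issued" }

# The on-disk location differs between sandbox runs, so take the file paths from the
# returned PACertificate object instead of hard-coding them.
Write-Output ("Issued {0}, valid until {1}" -f $pa.Subject, $pa.NotAfter)
Write-Output ("Full chain: {0}" -f $pa.FullChainFile)
Write-Output ("Key:        {0}" -f $pa.KeyFile)
```

Run it first with LE_SERVER set to LE_STAGE; the production server's weekly rate limits are easy to exhaust while you are still debugging the DNS delegation.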

[Figure 7: Runbook request certificate (Robert Pearman)]

You can click on “Test Pane” to do a test run of the code. The Azure portal reads your code and prompts you to enter the parameters you specified in the runbook.

[Figure 8: Click on "Test Pane" to run a check on the code (Robert Pearman)]

When you have filled out the parameters, you can click on “Start”, and Azure Automation will queue and run your runbook.

As the LE challenge step takes 120 seconds, you will need to wait for the outcome. Why not have a coffee and come back? Once the test completes the display refreshes automatically and you should see that the certificate has been issued.

[Figure 9: Test runbook result (Robert Pearman)]

You will also notice the path information relating to the certificate files. In my testing this path changes each time a certificate is requested, which differs slightly from how Posh-ACME behaves on a standard desktop. You can work around that potential issue by doing the following:

  1. Once you are happy that it is issuing your certificates, add a schedule to make this runbook recur.
  2. Publish your runbook and exit the editor. You need to go back to the main Automation account dashboard to define a schedule.
  3. Under “Shared Resources”, go to “Schedules”. Click “Add a schedule”.
  4. Enter a name, a start time and the recurrence pattern. It should be easy enough to follow this through. I have created a recurring schedule for every 60 days.

[Figure 10: Creating a 60-day recurring schedule (Robert Pearman)]

  5. Go back into the runbook and choose to add the schedule. You can also define the parameters the runbook will use on this schedule.

[Figure 11: Schedule runbook (Robert Pearman)]

You now have Azure Automation getting your Let’s Encrypt certificates for you, but not much else.

Connecting your router

I'm moving on now and editing my runbook to connect to a router and add a new certificate for the web management portal. For this I will use the Posh-SSH module. These steps are specific to a Fortinet router (at FortiOS 5.6.2 or higher), so if you have another brand the next step won't be something you can follow along with. However, it may be enough guidance to adapt it to your own hardware as long as you have SSH access.

Connecting to your Fortinet via SSH is probably something you are familiar with; adding certificates via SSH possibly not. The FortiOS CLI commands to add a certificate are straightforward:

  config vpn certificate local
  edit "my new certificate"
  set comments "my certificate valid until June"
  set password password
  set private-key "private key text"
  set certificate "certificate text"
  end

You can copy and paste the values for the private key and certificate straight out of their corresponding files, but you must retain the line formatting. The content must also be enclosed in double quotes.

[Figure 12: Copy and paste private key and certificate values (Robert Pearman)]

To this end I created two functions, which may not be required if you know how to wrap quotes around a portion of text, but for me it was needed. The functions simply add a quote to the beginning and end of the content of the key or cert file if it is the first or last line.

[Figure 13: Function to add quotation marks (Robert Pearman)]

To retain the formatting, you need to do some other magic: converting the Windows carriage-return/line-feed line endings to plain new lines. You are also going to add a few more tweaks to make things easier on the Fortinet hardware, such as a descriptive certificate name. This allows you to quickly identify a certificate on the Fortinet router if you need to manage them.

[Figures 14 to 16: Retaining formatting and tweaks for the Fortinet hardware (Robert Pearman)]

Then add the commands you will run over SSH and store them in a variable, $command. Finally, add code to connect to the Fortinet router and send $command. You will notice I am using more parameters here, so you will need to add those at the top of the script.

[Figure 17: Adding parameters at the top of the script (Robert Pearman)]

[Figure 18: Add SSH $commands (Robert Pearman)]

You can then move all that code inside a try/catch block and test it out. All being well, you will see something similar to the following. If you also log into your Fortinet router, you will see the certificate is installed. If you are using the SSL VPN feature and want to include updating its certificate as well, simply add the corresponding commands to your $command.
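As an added example covering the quoting functions, the line-ending conversion, the $command build and the SSH step described above (this is not the article's code, which lives in the screenshots), here is one way to put those pieces together. It assumes the Posh-SSH module is imported, that the key and certificate files come from the Posh-ACME PACertificate object, that FortiCredential and FortiHost are extra runbook parameters, and that admin-server-cert under system global is the setting that binds a certificate to the web management GUI.

```powershell
# Added example (not the article's code): build the FortiOS CLI text that installs a
# certificate and push it over SSH with Posh-SSH.

function Convert-PemForFortiCli {
    # FortiOS expects the PEM body inside double quotes with LF line endings.
    # Posh-ACME writes CRLF on Windows, so normalise the line endings and wrap in quotes.
    param([Parameter(Mandatory)][string]$Path)
    $pem = (Get-Content -Path $Path -Raw).Trim() -replace "`r`n", "`n"
    if ($pem -match '"') { throw "Unexpected quote character in $Path" }
    return '"' + $pem + '"'
}

function New-FortiCertCommand {
    param(
        [Parameter(Mandatory)][string]$CertName,   # e.g. fw.example.com-20190601
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$CertFile,
        [Parameter(Mandatory)][string]$Comment,
        [switch]$UpdateSslVpn                      # also bind the cert to the SSL VPN portal
    )
    $key  = Convert-PemForFortiCli -Path $KeyFile
    $cert = Convert-PemForFortiCli -Path $CertFile

    # Posh-ACME's private key is not passphrase-protected, so no "set password" line is needed.
    $lines = @(
        'config vpn certificate local',
        "edit `"$CertName`"",
        "set comments `"$Comment`"",
        "set private-key $key",
        "set certificate $cert",
        'end',
        # Assumption: admin-server-cert is the GUI certificate setting.
        'config system global',
        "set admin-server-cert `"$CertName`"",
        'end'
    )
    if ($UpdateSslVpn) {
        $lines += @('config vpn ssl settings', "set servercert `"$CertName`"", 'end')
    }
    # One CLI statement per line, joined with LF.
    return ($lines -join "`n")
}

function Install-FortiCertificate {
    param(
        [Parameter(Mandatory)][string]$FortiHost,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Command
    )
    $session = $null
    try {
        # -AcceptKey trusts whatever host key the firewall presents. For a production
        # runbook, record the firewall's key fingerprint beforehand and verify it instead.
        $session = New-SSHSession -ComputerName $FortiHost -Credential $Credential -AcceptKey
        $result  = Invoke-SSHCommand -SessionId $session.SessionId -Command $Command
        # FortiOS does not always report an exit status, so only treat a non-zero one as failure.
        if ($null -ne $result.ExitStatus -and $result.ExitStatus -ne 0) {
            throw "FortiOS returned exit status $($result.ExitStatus): $($result.Error)"
        }
        return $result.Output
    }
    catch {
        Write-Error "Certificate install on $FortiHost failed: $_"
        throw
    }
    finally {
        # Always close the session, even when the install failed.
        if ($session) { Remove-SSHSession -SessionId $session.SessionId | Out-Null }
    }
}

# Usage inside the runbook, after New-PACertificate has run:
# $pa        = Get-PACertificate
# $name      = "$Domain-$(Get-Date -Format yyyyMMdd)"     # the date makes the cert easy to spot
# $cmd       = New-FortiCertCommand -CertName $name -KeyFile $pa.KeyFile -CertFile $pa.FullChainFile `
#                  -Comment "LE cert valid until $($pa.NotAfter.ToString('yyyy-MM-dd'))" -UpdateSslVpn
# $fortiCred = Get-AutomationPSCredential -Name $FortiCredential
# Install-FortiCertificate -FortiHost $FortiHost -Credential $fortiCred -Command $cmd
```

Using the full-chain file rather than the bare leaf certificate means the firewall also serves the Let's Encrypt intermediate, which is what keeps browsers from showing a warning for an otherwise valid certificate.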

[Figure 19: Code moved inside a try/catch block (Robert Pearman)]

Once you are happy you have the runbook working as desired, you can switch from LE_Stage to LE_Prod and issue your first fully automated certificate.

[Figure 20: SSH certificate installed (Robert Pearman)]

I know what you’re thinking: Why did I do this? My reasons are threefold.

  1. No browser warnings when managing devices
  2. Less admin overhead on certificate management
  3. It’s cool

I could probably add a fourth, which is the Let’s Encrypt certificates are free, but that’s obvious.

The example I have written about may be an edge case. However, as someone said to me when I mentioned what I was doing, “Some people need inspiration to figure out how they are going to use this stuff.” So, while you may not be configuring a Fortinet router, I hope this inspires you to use Azure Automation to do… something!

Copyright © 2019 IDG Communications, Inc.
