Azure DNS
Create verification records in Azure DNS
| Plugin type | DNS validation | |
|---|---|---|
| Download | Version 2.3.0. Look for older releases on GitHub for files named like plugin.validation.dns.azure.v2.x.x.zip | |
| Compatibility | All platforms |
Description
Create the record in Microsoft Azure DNS.
Authentication
There are two ways to authenticate with Azure:
Create an Entra ID Service Principal Account
Use the Azure CLI to create a Service Principal
You then need to give this Service Principal access to change DNS entries. In the Azure Portal:
- Go to
DNS Zones>sub.example.com>Access Control (IAM) - Click
Add - For Role, choose
DNS Zone Contributor - Assign access to
Entra ID user, group, or application - Select your Service Principal
- Click
Save
Use a Managed Service Identity
More information here. Note that configuration can be different depending on your operating system version, e.g. #1413.
Configuring the plugin
During setup of the validation the program will ask several questions. Here is to answer them with information from the Azure Portal.
DNS Subscription ID: DNS Zones >sub.example.com>Subscription IDDNS Resource Group Name: DNS zones >sub.example.com>Resource Group
Only when authenticating as a Service Principal:
Directory/tenant id: Entra ID > Properties >Directory ID.Application client id: Entra ID > App registrations > [Service Principal] >Application ID.Application client secret: The password that was generated when you created the Service Principal.
Resources
The plugin need to be unpacked into the folder where you also unpacked
wacs.exe to able to use it. Depending on how you downloaded the file,
you may have to unblock all new .dll files before your computer will trust
them. You can do that from the Windows File Explorer by using the right mouse button
and then checking the `Unblock` box on the General tab.
If you are using simple-acme as a dotnet tool, the folder will be %userprofile%\.dotnet\tools\.store\simple-acme\2.3.0.33\simple-acme\2.3.0.33\tools\net8.0\any
To verify that the plugin is properly installed you can start the main executable
with ‑‑verbose and it will print information about found and loaded plugins at
start up. When the plugin is loaded, it manifests itself as extra menu choices and
command line parameters being made availalbe.
This plugin requires to you use the pluggable release of the main executable. It will not work on the smaller trimmed releases.
Command line
--validation azure |
Activates the plugin | |
|---|---|---|
‑‑azuresubscriptionid |
Subscription ID to login into Microsoft Azure DNS (blank to use default). | |
‑‑azurehostedzone |
Hosted zone (blank to find best match) | |
‑‑azureenvironment |
This can be used to specify a specific Azure endpoint. Valid inputs are AzureCloud (default), AzureChinaCloud, AzureGermanCloud, AzureUSGovernment or a specific URI for an Azure Stack implementation. | |
‑‑azureusemsi |
Use Managed Service Identity for authentication. | |
‑‑azuretenantid |
Directory/tenant identifier. Found in Entra ID > Properties. | |
‑‑azureclientid |
Application/client identifier. Found/created in Entra ID > App registrations. | |
‑‑azuresecret |
Client secret. Found/created under Entra ID > App registrations.
You may pass the secret in plain text, but can also use a reference to the secret vault like |
Examples
| Service Principal | --validation azure ‑‑azuretenantid 9741a4c9-0e0b-4f35-abbe-9af735194804 ‑‑azureclientid 2a32943f-e46b-469c-a42d-eb5c54bf798d ‑‑azuresecret ***** ‑‑azuresubscriptionid 6c1e8002-c547-4e93-a9b3-7163f51c380e ‑‑azureresourcegroupname myresourcegroup [‑‑azurehostedzone zone.example.com] |
|
|---|---|---|
| Managaged Identity | --validation azure ‑‑azureusemsi ‑‑azuresubscriptionid 6c1e8002-c547-4e93-a9b3-7163f51c380e ‑‑azureresourcegroupname myresourcegroup [‑‑azurehostedzone zone.example.com] |
JSON
| ID | aa57b028-45fb-4aca-9cac-a63d94c76b4a |
|---|
Looking for win-acme?
simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.