2018-01-23 17:24:08 +00:00
#!/usr/bin/env sh
2023-11-18 16:57:12 +00:00
# shellcheck disable=SC2034
dns_azure_info = ' Azure
Site: Azure.microsoft.com
Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_azure
Options:
AZUREDNS_SUBSCRIPTIONID Subscription ID
AZUREDNS_TENANTID Tenant ID
AZUREDNS_APPID App ID. App ID of the service principal
AZUREDNS_CLIENTSECRET Client Secret. Secret from creating the service principal
AZUREDNS_MANAGEDIDENTITY Use Managed Identity. Use Managed Identity assigned to a resource instead of a service principal. "true" /"false"
'
2018-02-18 15:32:39 +00:00
2018-01-23 17:24:08 +00:00
######## Public functions #####################
2018-01-24 08:59:05 +00:00
# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
2018-01-23 17:24:08 +00:00
# Used to add txt record
#
# Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/createorupdate
#
2021-12-14 19:27:40 +00:00
2018-01-25 14:58:11 +00:00
dns_azure_add( ) {
fulldomain = $1
txtvalue = $2
AZUREDNS_SUBSCRIPTIONID = " ${ AZUREDNS_SUBSCRIPTIONID :- $( _readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID) } "
if [ -z " $AZUREDNS_SUBSCRIPTIONID " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
2021-12-14 19:27:40 +00:00
_err "You didn't specify the Azure Subscription ID"
2018-01-25 14:58:11 +00:00
return 1
fi
2021-12-14 19:27:40 +00:00
#save subscription id to account conf file.
_saveaccountconf_mutable AZUREDNS_SUBSCRIPTIONID " $AZUREDNS_SUBSCRIPTIONID "
2018-01-23 17:24:08 +00:00
2021-12-14 19:27:40 +00:00
AZUREDNS_MANAGEDIDENTITY = " ${ AZUREDNS_MANAGEDIDENTITY :- $( _readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY) } "
if [ " $AZUREDNS_MANAGEDIDENTITY " = true ] ; then
_info "Using Azure managed identity"
#save managed identity as preferred authentication method, clear service principal credentials from conf file.
_saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY " $AZUREDNS_MANAGEDIDENTITY "
_saveaccountconf_mutable AZUREDNS_TENANTID ""
_saveaccountconf_mutable AZUREDNS_APPID ""
_saveaccountconf_mutable AZUREDNS_CLIENTSECRET ""
else
_info "You didn't ask to use Azure managed identity, checking service principal credentials"
AZUREDNS_TENANTID = " ${ AZUREDNS_TENANTID :- $( _readaccountconf_mutable AZUREDNS_TENANTID) } "
AZUREDNS_APPID = " ${ AZUREDNS_APPID :- $( _readaccountconf_mutable AZUREDNS_APPID) } "
AZUREDNS_CLIENTSECRET = " ${ AZUREDNS_CLIENTSECRET :- $( _readaccountconf_mutable AZUREDNS_CLIENTSECRET) } "
2018-01-25 14:58:11 +00:00
2021-12-14 19:27:40 +00:00
if [ -z " $AZUREDNS_TENANTID " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
_err "You didn't specify the Azure Tenant ID "
return 1
fi
2018-01-25 14:58:11 +00:00
2021-12-14 19:27:40 +00:00
if [ -z " $AZUREDNS_APPID " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
_err "You didn't specify the Azure App ID"
return 1
fi
if [ -z " $AZUREDNS_CLIENTSECRET " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
_err "You didn't specify the Azure Client Secret"
return 1
fi
#save account details to account conf file, don't opt in for azure manages identity check.
_saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "false"
_saveaccountconf_mutable AZUREDNS_TENANTID " $AZUREDNS_TENANTID "
_saveaccountconf_mutable AZUREDNS_APPID " $AZUREDNS_APPID "
_saveaccountconf_mutable AZUREDNS_CLIENTSECRET " $AZUREDNS_CLIENTSECRET "
2018-01-25 14:58:11 +00:00
fi
2018-01-23 17:24:08 +00:00
2021-12-14 19:27:40 +00:00
accesstoken = $( _azure_getaccess_token " $AZUREDNS_MANAGEDIDENTITY " " $AZUREDNS_TENANTID " " $AZUREDNS_APPID " " $AZUREDNS_CLIENTSECRET " )
2018-01-24 08:59:05 +00:00
2018-01-26 12:14:51 +00:00
if ! _get_root " $fulldomain " " $AZUREDNS_SUBSCRIPTIONID " " $accesstoken " ; then
_err "invalid domain"
return 1
2018-01-25 14:58:11 +00:00
fi
_debug _domain_id " $_domain_id "
_debug _sub_domain " $_sub_domain "
_debug _domain " $_domain "
2018-01-26 12:14:51 +00:00
acmeRecordURI = " https://management.azure.com $( printf '%s' " $_domain_id " | sed 's/\\//g' ) /TXT/ $_sub_domain ?api-version=2017-09-01 "
2018-01-25 14:58:11 +00:00
_debug " $acmeRecordURI "
2018-02-18 15:32:39 +00:00
# Get existing TXT record
_azure_rest GET " $acmeRecordURI " "" " $accesstoken "
values = " {\"value\":[\" $txtvalue \"]} "
timestamp = " $( _time) "
if [ " $_code " = "200" ] ; then
2018-03-25 15:47:56 +00:00
vlist = " $( echo " $response " | _egrep_o "\"value\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut -d : -f 2 | tr -d "[]\"" ) "
2018-02-18 15:32:39 +00:00
_debug "existing TXT found"
_debug " $vlist "
2018-03-25 15:47:56 +00:00
existingts = " $( echo " $response " | _egrep_o "\"acmetscheck\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"" ) "
2018-02-18 15:32:39 +00:00
if [ -z " $existingts " ] ; then
# the record was not created by acme.sh. Copy the exisiting entires
existingts = $timestamp
fi
_diff = " $( _math " $timestamp - $existingts " ) "
_debug " existing txt age: $_diff "
# only use recently added records and discard if older than 2 hours because they are probably orphaned
if [ " $_diff " -lt 7200 ] ; then
_debug " existing txt value: $vlist "
for v in $vlist ; do
values = " $values ,{\"value\":[\" $v \"]} "
done
fi
fi
# Add the txtvalue TXT Record
body = " {\"properties\":{\"metadata\":{\"acmetscheck\":\" $timestamp \"},\"TTL\":10, \"TXTRecords\":[ $values ]}} "
2018-01-25 14:58:11 +00:00
_azure_rest PUT " $acmeRecordURI " " $body " " $accesstoken "
if [ " $_code " = "200" ] || [ " $_code " = '201' ] ; then
2018-02-18 15:32:39 +00:00
_info "validation value added"
2018-03-12 09:27:56 +00:00
return 0
2018-01-25 14:58:11 +00:00
else
2018-02-18 15:32:39 +00:00
_err " error adding validation value ( $_code ) "
2018-01-23 17:24:08 +00:00
return 1
2018-01-26 12:14:51 +00:00
fi
2018-01-23 17:24:08 +00:00
}
# Usage: fulldomain txtvalue
# Used to remove the txt record after validation
#
# Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/delete
#
2018-01-25 14:58:11 +00:00
dns_azure_rm( ) {
fulldomain = $1
txtvalue = $2
AZUREDNS_SUBSCRIPTIONID = " ${ AZUREDNS_SUBSCRIPTIONID :- $( _readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID) } "
if [ -z " $AZUREDNS_SUBSCRIPTIONID " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
_err "You didn't specify the Azure Subscription ID "
return 1
fi
2021-12-14 19:27:40 +00:00
AZUREDNS_MANAGEDIDENTITY = " ${ AZUREDNS_MANAGEDIDENTITY :- $( _readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY) } "
if [ " $AZUREDNS_MANAGEDIDENTITY " = true ] ; then
_info "Using Azure managed identity"
else
_info "You didn't ask to use Azure managed identity, checking service principal credentials"
AZUREDNS_TENANTID = " ${ AZUREDNS_TENANTID :- $( _readaccountconf_mutable AZUREDNS_TENANTID) } "
AZUREDNS_APPID = " ${ AZUREDNS_APPID :- $( _readaccountconf_mutable AZUREDNS_APPID) } "
AZUREDNS_CLIENTSECRET = " ${ AZUREDNS_CLIENTSECRET :- $( _readaccountconf_mutable AZUREDNS_CLIENTSECRET) } "
2018-01-25 14:58:11 +00:00
2021-12-14 19:27:40 +00:00
if [ -z " $AZUREDNS_TENANTID " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
_err "You didn't specify the Azure Tenant ID "
return 1
fi
2018-01-25 14:58:11 +00:00
2021-12-14 19:27:40 +00:00
if [ -z " $AZUREDNS_APPID " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
_err "You didn't specify the Azure App ID"
return 1
fi
if [ -z " $AZUREDNS_CLIENTSECRET " ] ; then
AZUREDNS_SUBSCRIPTIONID = ""
AZUREDNS_TENANTID = ""
AZUREDNS_APPID = ""
AZUREDNS_CLIENTSECRET = ""
_err "You didn't specify the Azure Client Secret"
return 1
fi
2018-01-25 14:58:11 +00:00
fi
2018-01-23 17:24:08 +00:00
2021-12-14 19:27:40 +00:00
accesstoken = $( _azure_getaccess_token " $AZUREDNS_MANAGEDIDENTITY " " $AZUREDNS_TENANTID " " $AZUREDNS_APPID " " $AZUREDNS_CLIENTSECRET " )
2018-01-24 08:59:05 +00:00
2018-01-26 12:14:51 +00:00
if ! _get_root " $fulldomain " " $AZUREDNS_SUBSCRIPTIONID " " $accesstoken " ; then
_err "invalid domain"
return 1
2018-01-25 14:58:11 +00:00
fi
_debug _domain_id " $_domain_id "
_debug _sub_domain " $_sub_domain "
_debug _domain " $_domain "
2018-01-26 12:14:51 +00:00
acmeRecordURI = " https://management.azure.com $( printf '%s' " $_domain_id " | sed 's/\\//g' ) /TXT/ $_sub_domain ?api-version=2017-09-01 "
2018-01-25 14:58:11 +00:00
_debug " $acmeRecordURI "
2018-02-18 15:32:39 +00:00
# Get existing TXT record
_azure_rest GET " $acmeRecordURI " "" " $accesstoken "
timestamp = " $( _time) "
if [ " $_code " = "200" ] ; then
2020-08-03 13:22:32 +00:00
vlist = " $( echo " $response " | _egrep_o "\"value\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut -d : -f 2 | tr -d "[]\"" | grep -v -- " $txtvalue " ) "
2018-02-18 15:32:39 +00:00
values = ""
comma = ""
for v in $vlist ; do
values = " $values $comma {\"value\":[\" $v \"]} "
comma = ","
done
if [ -z " $values " ] ; then
# No values left remove record
_debug " removing validation record completely $acmeRecordURI "
_azure_rest DELETE " $acmeRecordURI " "" " $accesstoken "
if [ " $_code " = "200" ] || [ " $_code " = '204' ] ; then
_info "validation record removed"
else
_err " error removing validation record ( $_code ) "
return 1
fi
else
# Remove only txtvalue from the TXT Record
body = " {\"properties\":{\"metadata\":{\"acmetscheck\":\" $timestamp \"},\"TTL\":10, \"TXTRecords\":[ $values ]}} "
_azure_rest PUT " $acmeRecordURI " " $body " " $accesstoken "
if [ " $_code " = "200" ] || [ " $_code " = '201' ] ; then
_info "validation value removed"
2018-03-12 09:27:56 +00:00
return 0
2018-02-18 15:32:39 +00:00
else
_err " error removing validation value ( $_code ) "
return 1
fi
fi
2018-01-25 14:58:11 +00:00
fi
2018-01-23 17:24:08 +00:00
}
################### Private functions below ##################################
_azure_rest( ) {
2018-01-25 14:58:11 +00:00
m = $1
ep = " $2 "
data = " $3 "
accesstoken = " $4 "
2018-02-18 15:32:39 +00:00
MAX_REQUEST_RETRY_TIMES = 5
_request_retry_times = 0
while [ " ${ _request_retry_times } " -lt " $MAX_REQUEST_RETRY_TIMES " ] ; do
_debug3 _request_retry_times " $_request_retry_times "
export _H1 = " authorization: Bearer $accesstoken "
export _H2 = "accept: application/json"
export _H3 = "Content-Type: application/json"
# clear headers from previous request to avoid getting wrong http code on timeouts
2020-08-17 14:18:20 +00:00
: >" $HTTP_HEADER "
2018-02-18 15:32:39 +00:00
_debug " $ep "
if [ " $m " != "GET" ] ; then
_secure_debug2 " data $data "
response = " $( _post " $data " " $ep " "" " $m " ) "
else
response = " $( _get " $ep " ) "
fi
2018-03-12 09:27:56 +00:00
_ret = " $? "
2018-02-18 15:32:39 +00:00
_secure_debug2 " response $response "
2018-03-25 15:47:56 +00:00
_code = " $( grep "^HTTP" " $HTTP_HEADER " | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n" ) "
2018-02-18 15:32:39 +00:00
_debug " http response code $_code "
if [ " $_code " = "401" ] ; then
# we have an invalid access token set to expired
_saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "0"
_err " access denied make sure your Azure settings are correct. See $WIKI "
return 1
fi
# See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes
2018-03-12 09:27:56 +00:00
if [ " $_ret " != "0" ] || [ -z " $_code " ] || [ " $_code " = "408" ] || [ " $_code " = "500" ] || [ " $_code " = "503" ] || [ " $_code " = "504" ] ; then
2018-02-18 15:32:39 +00:00
_request_retry_times = " $( _math " $_request_retry_times " + 1) "
_info " REST call error $_code retrying $ep in $_request_retry_times s "
_sleep " $_request_retry_times "
continue
fi
break
done
if [ " $_request_retry_times " = " $MAX_REQUEST_RETRY_TIMES " ] ; then
_err " Error Azure REST called was retried $MAX_REQUEST_RETRY_TIMES times. "
_err " Calling $ep failed. "
2018-01-26 12:14:51 +00:00
return 1
2018-01-25 14:58:11 +00:00
fi
2018-02-18 15:32:39 +00:00
response = " $( echo " $response " | _normalizeJson) "
2018-01-25 14:58:11 +00:00
return 0
2018-01-23 17:24:08 +00:00
}
## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token
_azure_getaccess_token( ) {
2021-12-14 19:27:40 +00:00
managedIdentity = $1
tenantID = $2
clientID = $3
clientSecret = $4
2018-01-25 14:58:11 +00:00
2018-02-18 15:32:39 +00:00
accesstoken = " ${ AZUREDNS_BEARERTOKEN :- $( _readaccountconf_mutable AZUREDNS_BEARERTOKEN) } "
expires_on = " ${ AZUREDNS_TOKENVALIDTO :- $( _readaccountconf_mutable AZUREDNS_TOKENVALIDTO) } "
# can we reuse the bearer token?
if [ -n " $accesstoken " ] && [ -n " $expires_on " ] ; then
if [ " $( _time) " -lt " $expires_on " ] ; then
# brearer token is still valid - reuse it
_debug "reusing bearer token"
printf "%s" " $accesstoken "
return 0
else
_debug "bearer token expired"
fi
fi
_debug "getting new bearer token"
2021-12-14 19:27:40 +00:00
if [ " $managedIdentity " = true ] ; then
# https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
export _H1 = "Metadata: true"
response = " $( _get http://169.254.169.254/metadata/identity/oauth2/token\? api-version= 2018-02-01\& resource = https://management.azure.com/) "
response = " $( echo " $response " | _normalizeJson) "
accesstoken = $( echo " $response " | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" )
expires_on = $( echo " $response " | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" )
else
export _H1 = "accept: application/json"
export _H2 = "Content-Type: application/x-www-form-urlencoded"
body = " resource= $( printf "%s" 'https://management.core.windows.net/' | _url_encode) &client_id= $( printf "%s" " $clientID " | _url_encode) &client_secret= $( printf "%s" " $clientSecret " | _url_encode) &grant_type=client_credentials "
_secure_debug2 " data $body "
response = " $( _post " $body " " https://login.microsoftonline.com/ $tenantID /oauth2/token " "" "POST" ) "
_ret = " $? "
_secure_debug2 " response $response "
response = " $( echo " $response " | _normalizeJson) "
accesstoken = $( echo " $response " | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" )
expires_on = $( echo " $response " | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" )
fi
2018-01-25 14:58:11 +00:00
2018-01-26 12:39:41 +00:00
if [ -z " $accesstoken " ] ; then
2018-02-18 15:32:39 +00:00
_err " no acccess token received. Check your Azure settings see $WIKI "
2018-01-26 12:14:51 +00:00
return 1
2018-01-25 14:58:11 +00:00
fi
2018-03-12 09:27:56 +00:00
if [ " $_ret " != "0" ] ; then
2018-01-25 14:58:11 +00:00
_err " error $response "
return 1
fi
2018-02-18 15:32:39 +00:00
_saveaccountconf_mutable AZUREDNS_BEARERTOKEN " $accesstoken "
_saveaccountconf_mutable AZUREDNS_TOKENVALIDTO " $expires_on "
2018-01-25 14:58:11 +00:00
printf "%s" " $accesstoken "
return 0
2018-01-23 17:24:08 +00:00
}
_get_root( ) {
2018-01-25 14:58:11 +00:00
domain = $1
subscriptionId = $2
accesstoken = $3
2018-03-25 15:47:56 +00:00
i = 1
2018-01-25 14:58:11 +00:00
p = 1
## Ref: https://docs.microsoft.com/en-us/rest/api/dns/zones/list
## returns up to 100 zones in one response therefore handling more results is not not implemented
## (ZoneListResult with continuation token for the next page of results)
## Per https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#dns-limits you are limited to 100 Zone/subscriptions anyways
##
2018-11-05 13:52:26 +00:00
_azure_rest GET " https://management.azure.com/subscriptions/ $subscriptionId /providers/Microsoft.Network/dnszones?\$top=500&api-version=2017-09-01 " "" " $accesstoken "
2019-06-29 16:14:34 +00:00
# Find matching domain name in Json response
2018-01-25 14:58:11 +00:00
while true; do
h = $( printf "%s" " $domain " | cut -d . -f $i -100)
_debug2 " Checking domain: $h "
if [ -z " $h " ] ; then
#not valid
_err "Invalid domain"
return 1
fi
2018-01-23 17:24:08 +00:00
if _contains " $response " " \"name\":\" $h \" " >/dev/null; then
2019-06-29 16:14:34 +00:00
_domain_id = $( echo " $response " | _egrep_o " \\{\"id\":\"[^\"]*\\/ $h \" " | head -n 1 | cut -d : -f 2 | tr -d \" )
2018-01-23 17:24:08 +00:00
if [ " $_domain_id " ] ; then
2018-03-25 15:47:56 +00:00
if [ " $i " = 1 ] ; then
#create the record at the domain apex (@) if only the domain name was provided as --domain-alias
_sub_domain = "@"
else
_sub_domain = $( echo " $domain " | cut -d . -f 1-$p )
fi
2018-01-23 17:24:08 +00:00
_domain = $h
return 0
fi
return 1
2018-01-25 14:58:11 +00:00
fi
p = $i
i = $( _math " $i " + 1)
done
return 1
2018-01-23 17:24:08 +00:00
}