shibayan / keyvault-acmebot

Automated ACME SSL/TLS certificates issuer for Azure Key Vault (App Service / Container Apps / App Gateway / Front Door / CDN / others)
Apache License 2.0
893 stars 233 forks

Add Dashboard page #341

Closed shibayan closed 1 year ago

shibayan commented 3 years ago

Implement a new web UI in /dashboard to add certificate issuance status and clear links to each UI.

Features

Future

GeorgDangl commented 3 years ago

That would be really useful, thank you for considering that! It would help a lot in keeping track which certificates are issued by the tool.

adagioajanes commented 2 years ago

This would be unbelievably useful. KeyVault doesn't give the best view for managing these certificates. At least being able to see the status of certificates issued with this app would be stellar.

shibayan commented 2 years ago

Thanks, I'm going to create a great dashboard, but I haven't made much progress lately because I haven't had much time to work on it.

shibayan commented 2 years ago

I'm pasting a screenshot of the work in progress in the comments of #342. Please comment if you have any feedback.

shibayan commented 2 years ago

The dashboard feature is now available as a preview in the recently released v3.7.0.

siarheikuzmich commented 2 years ago

Very cool feature! We are trying to implement it in our project, but ran into the following problem: the dashboard does not show/add certificates, just an empty field. We use GoDaddy; the API credentials were provided to the function as key-value parameters. The GoDaddy API key was generated under an admin account. Certificate permissions for Key Vault: 16 items selected.

shibayan commented 2 years ago

@siarheikuzmich Try the legacy Web UI. https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate

If you still can't see your domain list, there may be a problem with your GoDaddy credentials or the status of your domain. If the status of the domain is anything other than ACTIVE, it will not be displayed, so you will need to type the following command to verify.

curl -X GET "https://api.godaddy.com/v1/domains?statuses=ACTIVE&includes=nameServers" -H "Accept: application/json" -H "Authorization: sso-key <API Key>:<API Secret>"

siarheikuzmich commented 2 years ago

@shibayan you are right! I generated the API keys via a GoDaddy delegated account, which does not have permission to the domain records. When the owner generates keys from his account, all is OK. Thank you very much!

booyaa commented 2 years ago

Solved: we have an aggressive protection policy on this key vault (90 days). You cannot create a certificate with the same name even if it has been deleted. Spotted the 409 (conflict) during the "FinalizeOrder" exception. This has nothing to do with Key Vault Acmebot.

Let me know if you want a separate issue:

I'm getting the following exception when trying to provision a wildcard cert

IssueCertificate

Exception while executing function: IssueCertificate Orchestrator function 'IssueCertificate' failed: The activity function 'FinalizeOrder' failed: "Failed to deserialize exception from TaskActivity: {"$type":"ACMESharp.Protocol.AcmeProtocolException, ACMESharp","ProblemType":19,"ProblemTypeRaw":"urn:ietf:params:acme:error:unauthorized","ProblemDetail":"Error finalizing order :: CSR is missing Order domain \".sandbox7.REDACTED.app\"","ProblemStatus":403,"StackTrace":" at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(Uri uri, HttpMethod method, Object message, HttpStatusCode[] expectedStatuses, Boolean skipNonce, Boolean skipSigning, Boolean includePublicKey, CancellationToken cancel, String opName)\r\n at ACMESharp.Protocol.AcmeProtocolClient.FinalizeOrderAsync(String orderFinalizeUrl, Byte[] derEncodedCsr, CancellationToken cancel)\r\n at KeyVault.Acmebot.Functions.SharedActivity.FinalizeOrder(ValueTuple2 input) in /home/runner/work/keyvault-acmebot/keyvault-acmebot/KeyVault.Acmebot/Functions/SharedActivity.cs:line 379\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker2.InvokeAsync(Object instance, Object[] arguments) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionInvoker.cs:line 52\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeWithTimeoutAsync(IFunctionInvoker invoker, ParameterHelper parameterHelper, CancellationTokenSource timeoutTokenSource, CancellationTokenSource functionCancellationTokenSource, Boolean throwOnTimeout, TimeSpan timerInterval, IFunctionInstance instance) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 572\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstanceEx instance, ParameterHelper parameterHelper, ILogger logger, CancellationTokenSource functionCancellationTokenSource) in 
C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 518\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance, FunctionStartedMessage message, FunctionInstanceLogEntry instanceLogEntry, ParameterHelper parameterHelper, ILogger logger, CancellationToken cancellationToken) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 296","Message":"Error finalizing order :: CSR is missing Order domain \".sandbox7.REDACTED.app\"","Data":{"$type":"System.Collections.ListDictionaryInternal, System.Private.CoreLib"},"InnerException":null,"HelpLink":null,"Source":"ACMESharp","HResult":-2146233088}". See the function execution logs for additional details.

Here's what I'm doing (which is how I used to do it using the /add-certificate route)

We're using Azure DNS

TheMorganator commented 2 years ago

Hello. Does the introduction of the dashboard disable the legacy /add-certificate and /bulk-certificate paths? They no longer work on our deployments, and I was wondering if this was by design. It would be great to have all URLs working.

shibayan commented 2 years ago

@TheMorganator Yes, the old UI (add-certificate / bulk-certificate) has been removed. It will now be invested in dashboard functionality. Feedback on how to improve the dashboard is always welcome.

Apps-Limited commented 2 years ago

Once I have Key Vault Acmebot generating certificates by the function I created, what's up next? I made a certificate, but now what? How do I set it up in Azure? What steps should I take?

shibayan commented 2 years ago

@Apps-Limited Read the document. Also, I don't want comments that have nothing to do with this issue. https://github.com/shibayan/keyvault-acmebot/wiki#usage

JelteF commented 1 year ago

Having a delete and/or rename option would be very useful. I created a cert with a bit of a bad name, but there's no clear way to remove it or change that from the dashboard.

shibayan commented 1 year ago

It is not intended to be a management dashboard for Key Vault itself. It is intended to be a dashboard as a certificate issuing tool using ACME.

tpetersvw commented 1 year ago

A feature where you can make a selection of certificates (one, multiple, all) and perform actions (Renew, Revoke and additionally Delete), and also having the option to do a manual certificate (where you don't have DNS API integration and need to add an ACME DNS record to issue the certificate manually), would be nice.

shibayan commented 1 year ago

Thanks for the feedback. Acmebot does not take manual DNS record setting into account, as it is intended to be automated.

tpetersvw commented 1 year ago

Thanks for your reaction. I can appreciate that this application has automation in mind and won't use manual DNS record validation. How about the features in the first sentence of my question?

pufferandrew commented 1 year ago

@siarheikuzmich Try the legacy Web UI. https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate

If you still can't see your domain list, there may be a problem with your GoDaddy credentials or the status of your domain. If the status of the domain is anything other than ACTIVE, it will not be displayed, so you will need to type the following command to verify.

curl -X GET "https://api.godaddy.com/v1/domains?statuses=ACTIVE&includes=nameServers" -H "Accept: application/json" -H "Authorization: sso-key <API Key>:<API Secret>"

Would it be possible to query for all domains in a GoDaddy account? Most of our domains are DNS Hosted so they have a status of PENDING_DNS_ACTIVE and don't show up in the dashboard. I have successfully tested adding records to those domains via the API without issues.

shibayan commented 1 year ago

@pufferandrew GoDaddy's documentation is unclear about what PENDING_DNS_ACTIVE stands for, so we only show domains that are definitely ACTIVE. If PENDING_DNS_ACTIVE can also be used without problems, we would consider relaxing the condition.
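An added example (not Acmebot's or GoDaddy's own code) that turns the maintainer's curl check and the PENDING_DNS_ACTIVE discussion above into a script: it calls the same GoDaddy domains endpoint, separates the ACTIVE domains the dashboard lists from every other status, and reports a 401/403 as the delegated-account key problem seen earlier in this thread. The environment variable names are assumptions, and it assumes that omitting the statuses parameter returns domains of every status.

```python
"""Report which GoDaddy domains Key Vault Acmebot's dashboard will list.

Added example, not code from the keyvault-acmebot project. Only domains
with status ACTIVE are shown by Acmebot; everything else (for example
PENDING_DNS_ACTIVE) is hidden, which this script makes visible.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Same endpoint as the maintainer's curl, without the statuses=ACTIVE filter
# (assumption: no filter returns domains of every status).
GODADDY_DOMAINS_URL = "https://api.godaddy.com/v1/domains?includes=nameServers"
SHOWN_STATUSES = {"ACTIVE"}  # the only status Acmebot currently displays


def classify_domains(domains):
    """Split a /v1/domains response into (shown names, {status: hidden names})."""
    shown, hidden = [], {}
    for d in domains:
        name, status = d.get("domain", "?"), d.get("status", "UNKNOWN")
        if status in SHOWN_STATUSES:
            shown.append(name)
        else:
            hidden.setdefault(status, []).append(name)
    return shown, hidden


def fetch_domains(api_key, api_secret, url=GODADDY_DOMAINS_URL):
    """Fetch the account's domains using the sso-key header the thread shows."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"sso-key {api_key}:{api_secret}",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            # Matches the delegated-account case in this thread: the key is
            # valid but cannot read the owner's domain records.
            sys.exit(f"GoDaddy rejected the key ({e.code}); generate it from the owner's account")
        raise


if __name__ == "__main__":
    # Hypothetical variable names; set them before running.
    key, secret = os.environ.get("GODADDY_API_KEY"), os.environ.get("GODADDY_API_SECRET")
    if not key or not secret:
        sys.exit("set GODADDY_API_KEY and GODADDY_API_SECRET")
    shown, hidden = classify_domains(fetch_domains(key, secret))
    print("shown in dashboard:", shown)
    for status, names in hidden.items():
        print(f"hidden ({status}):", names)
```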

pir8g33k commented 1 year ago

@shibayan can we add more options for when the certificate will renew, for example 10 days before the actual expiration, and display on the dashboard when it will renew based on the date we set?

shibayan commented 1 year ago

I have created a new milestone and will manage the dashboard issues separately.

rushikesh-outbound commented 3 months ago

First, that's a great tool, and thank you for the solution!

One thing I want to bring to your attention is that revoking certificates does not delete the certificate from Keyvault. Is this by design, for any special reason?