renewing of SRE SSL cert

[mattwestby]

✅ Checklist

• I have searched open and closed issues for duplicates.
• This is a problem observed when deploying a Data Safe Haven.
• I can reproduce this with the latest version.
• I have read through the documentation.
• This isn't an open-ended question (open a discussion if it is).

💻 System information

• Operating System:
• Data Safe Haven version:

📦 Packages

List of packages

Paste list of packages here

🚫 Describe the problem

When the SRE SSL cert is near for renewal re-running the SRE deployment doesnt detect this so it doesnt create a new SRE SSL cert.

🌳 Log messages

Relevant log messages

Your log details here

♻️ To reproduce

[JimMadge]

I tried just deleting the "SSLCertificate" resource from the stack. That led to a Snapshot Integrity Error in the Pulumi CLI. Possibly because other resources in the stack make reference to the cert.

[mattwestby]

Yes I had that aswell. For now I’ve used certbot to renew it with letsencrypt. Maybe that’s an option? Thanks Matt

[JimMadge]

The restrictions are,

• We filter IP lists so HTTP(file) challenges are not possible.
• DNS challenges are possible but require permissions (managed identity).

Options for a permanent solution,

• Modern reverse proxies like Traefik and Caddy can automate SSL certs with Let's Encrypt using DNS challenges. Could replace the application gateway with one of these reverse proxies.
• It looks like these build upon Lego to do this, we could run Lego ourselves.
• (Less clean) modify the SSLCertificateProvider so that the resource will be recreated when the cert is ~60 days old. This would still require manual intervention, running Pulumi Update.

[jemrobinson]

We prefer to use the Application Gateway as:

• it's another resource that we can rely on Azure to manage (rather than configuring our own SSL termination)
• it's integrated with Azure Keyvault for certificate management
• it's easy to help users debug if something goes wrong
• it's cheaper than running a container (~£7 per month rather than £20-£50)

Using Lego (or similar) to automatically update the certificate is still a good idea though. This could run as a container instance or (preferably) an Azure Function. Note that you'd also need a managed identity with appropriate privileges to change DNS records in order to meet the DNS-01 challenge requirements.

[JimMadge]

Lego looks like a good route.

On an existing SRE I can use az CLI credentials and the DNS challenge to create/renew certs. To automate this without the CLI we can create and use a managed identity.

Would be possible to put this process in a container, or maybe serverless compute.

[jemrobinson]

+1 for serverless (e.g. function app) as this should be cheaper for something that needs to run rarely and for a short time on each invocation.

[JimMadge]

Agreed. Should only need to run once a day or week and each run will only be a few minutes.