_FILE suffix not working for AzureDNS?

[arp-mbender]

I'm looking at the https://github.com/go-acme/lego/blob/master/providers/dns/azuredns/azuredns.go code and I can't see it taking _FILE suffixed values into account. These should supposedly work (see documentation: https://go-acme.github.io/lego/dns/azuredns/). The only thing in the code is a reference to OIDC_TOKEN_FILE_PATH, but that doesn't really satisfy the documentation:

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Does each provider implement the _FILE suffix handling itself? If so, then I can't find any relevant code in the link above. Or is it handled globally by another .go file?

I've noticed these values don't appear to work when I was trying to configure the ACME DNS challenge using the AzureDns in Traefik. Unfortunately I'm not sure which version is used by Traefik, which is why I'm making a discussion...

By comparison https://github.com/go-acme/lego/blob/master/providers/dns/oraclecloud/oraclecloud.go has a section for handling a _FILE suffix, but it appears to be used for only one value (where the documentation suggests this is possible for all configuration elements).

EDIT: OK, Found it. It should be globally handled... https://github.com/go-acme/lego/blob/master/platform/config/env/env.go#L144

---

Extracted from Traefik issue.

docker-compose.yml

services:
  traefik:
    image: "traefik:v3.1"
    container_name: "traefik"
    env_file:
      - ./azuredns/.env
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt/:/letsencrypt/"
      - "./traefik.yml:/etc/traefik/traefik.yml"
      - "./services/:/services/"
      - "./azuredns/:/azuredns/"
      - "./certs/:/certs/"
      - "/var/log/traefik/:/var/log/traefik/"

traefik.yml

entryPoints:
  web:
    address: :80

  websecure:
    asDefault: true
    address: :443
    http:
      tls:
        certResolver: le
        domains:
          - main: "*.domain.com"
            sans: 
              - "domain.com"
certificatesResolvers:
  le:
    acme:
      email: [email protected]
      storage: /letsencrypt/acme.json
      caserver: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: azuredns

Finally, I have the following in the /azuredns/ folder:

• /azuredns/.env

AZURE_SUBSCRIPTION_ID=<redacted>
AZURE_TENANT_ID=<redacted>
AZURE_CLIENT_ID=<redacted>
AZURE_CLIENT_SECRET_FILE=/azuredns/azuresecret
AZURE_RESOURCE_GROUP=<redacted>

• /azuredns/azuresecret:

MyAzureClientSecret

Logs:

ERR Unable to obtain ACME certificate for domains error="cannot get ACME client azuredns: discover DNS zones: DefaultAzureCredential: failed to acquire a token.
Attempted credentials:
    EnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set
    WorkloadIdentityCredential: no token file specified. Check pod configuration or set TokenFilePath in the options
    ManagedIdentityCredential: managed identity timed out. See https://aka.ms/azsdk/go/identity/troubleshoot#dac for more information
    AzureCLICredential: Azure CLI not found on path
    AzureDeveloperCLICredential: Azure Developer CLI not found on path"
ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["*.domain.com","domain.com"] providerName=le-staging.acme routerName=to-sup@file rule=Host(`sup.domain.com`)

[ldez]

Hello,

based on your issue on Traefik you are using Traefik v3.1.2 and so lego v4.17.4

https://github.com/traefik/traefik/blob/v3.1.2/go.mod#L20

Does each provider implement the _FILE suffix handling itself?

No and yes, there is a specific code inside lego, that a provider can use to handle that.

azuredns uses this specific code, so _FILE should work, but the Azure client (the lib used to communicate with the API) is also using the same env var internally.
So it can have some unexpected behavior.

The specific code is the function env.GetOrFile()

lego/providers/dns/azuredns/azuredns.go

Lines 102 to 146 in 29e98f8

	func NewDNSProvider() (*DNSProvider, error) {
	config := NewDefaultConfig()
	environmentName := env.GetOrFile(EnvEnvironment)
	if environmentName != "" {
	switch environmentName {
	case "china":
	config.Environment = cloud.AzureChina
	case "public":
	config.Environment = cloud.AzurePublic
	case "usgovernment":
	config.Environment = cloud.AzureGovernment
	default:
	return nil, fmt.Errorf("azuredns: unknown environment %s", environmentName)
	}
	} else {
	config.Environment = cloud.AzurePublic
	}
	config.SubscriptionID = env.GetOrFile(EnvSubscriptionID)
	config.ResourceGroup = env.GetOrFile(EnvResourceGroup)
	config.PrivateZone = env.GetOrDefaultBool(EnvPrivateZone, false)
	config.ClientID = env.GetOrFile(EnvClientID)
	config.ClientSecret = env.GetOrFile(EnvClientSecret)
	config.TenantID = env.GetOrFile(EnvTenantID)
	config.OIDCToken = env.GetOrFile(EnvOIDCToken)
	config.OIDCTokenFilePath = env.GetOrFile(EnvOIDCTokenFilePath)
	config.ServiceDiscoveryFilter = env.GetOrFile(EnvServiceDiscoveryFilter)
	oidcValues, _ := env.GetWithFallback(
	[]string{EnvOIDCRequestURL, EnvGitHubOIDCRequestURL},
	[]string{EnvOIDCRequestToken, EnvGitHubOIDCRequestToken},
	)
	config.OIDCRequestURL = oidcValues[EnvOIDCRequestURL]
	config.OIDCRequestToken = oidcValues[EnvOIDCRequestToken]
	config.AuthMethod = env.GetOrFile(EnvAuthMethod)
	config.AuthMSITimeout = env.GetOrDefaultSecond(EnvAuthMSITimeout, 2*time.Second)
	return NewDNSProviderConfig(config)
	}

By comparison https://github.com/go-acme/lego/blob/master/providers/dns/oraclecloud/oraclecloud.go has a section for handling a _FILE suffix,

No really, oracle has just one value handle "manually".

Ping @pchanvallon

[arp-mbender]

I know this is somewhat annoying, because you're providing a library whilst I'm trying to figure out how it works inside of a tool that's using said library (i.e. Traefik vs LEGO), but are you perhaps aware of how I could try and debug this issue?

From my end it seems the configuration is sound, yet at the end an Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set error is thrown (with the secret being provided via a AZURE_CLIENT_SECRET_FILE variable). Just looking at the code it looks like it should work, so I'm leaning towards "it might be an issue with the underlying library" (especially since it appears the error is thrown by said library). But this is just guess work on my part and I'd really like it if someone could just confirm or deny if the _FILE suffixes should work with the azuredns provider...

[ldez]

As I said in my previous answer it should work because inside lego (Traefik just uses lego, there is no specific code to handle providers in Traefik) the code has been made to handle those env vars.

If you have some doubt about my Traefik knowledge: https://github.com/traefik/traefik/graphs/contributors

OIDC_TOKEN_FILE_PATH doesn't follow the pattern because it's handled by the Azure client itself.

Based on the log inside the Traefik issue:

incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set

The error comes from the Azure client, because AZURE_AUTH_METHOD(_FILE) is set to env and at least one of these env vars AZURE_CLIENT_ID(_FILE), AZURE_CLIENT_CERTIFICATE_PATH(_FILE), AZURE_TENANT_ID(_FILE) is empty/undefined.

But the full error stack says something different:

ERR Unable to obtain ACME certificate for domains error="cannot get ACME client azuredns: discover DNS zones: DefaultAzureCredential: failed to acquire a token.
Attempted credentials:
    EnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set
    WorkloadIdentityCredential: no token file specified. Check pod configuration or set TokenFilePath in the options
    ManagedIdentityCredential: managed identity timed out. See https://aka.ms/azsdk/go/identity/troubleshoot#dac for more information
    AzureCLICredential: Azure CLI not found on path
    AzureDeveloperCLICredential: Azure Developer CLI not found on path"
ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["*.domain.com","domain.com"] providerName=le-staging.acme routerName=to-sup@file rule=Host(`sup.domain.com`)

This happens when AZURE_AUTH_METHOD(_FILE) is empty/undefined (this is the default), in this case, the "default" Azure client authentication is used.

So I recommend reading the doc to find the auth method that fits your context: https://go-acme.github.io/lego/dns/azuredns/index.html

[pchanvallon]

Hello @ldez, @arp-mbender,

I have tested this usecase successfully in my own Azure environment.
Here are the commands I ran :

# Create files containing Azure credentials
echo "<CLIENT-ID>" > "./client-id"
echo "<CLIENT-SECRET>" > "./client-secret"
echo "<TENANT-ID>" > "./tenant-id"

# Create environment variables to reference those files
export AZURE_CLIENT_ID_FILE="./client-id"
export AZURE_CLIENT_SECRET_FILE="./client-secret"
export AZURE_TENANT_ID_FILE="./tenant-id"

# Set authentication method to environment variables usage
export AZURE_AUTH_METHOD="env"

# Launch `lego` binary
./dist/lego --domains "<DOMAIN-NAME>" --email "<CONTACT-EMAIL>" --dns azuredns run

Hope it will help you to solve your issue.

[ldez]

@arp-mbender doesn't have AZURE_AUTH_METHOD="env" as I explained here

Can you try without it?

[ldez]

I updated the initial message to add the information from the Traefik issue.

[pchanvallon]

Without setting AZURE_AUTH_METHOD="env" variable it wont work as the DefaultAzureCredentials function doesn't support the _FILE variables (cf. doc). Therefore it is required to set this value in order to use file machanism.

[ldez]

Yes, it's what I explained, @arp-mbender should use the right auth method.

And from what I understand of your message it's env.

[arp-mbender]

I was under the impression that the AZURE_AUTH_METHOD was optional and used if more parameters were provided (if the system couldn't determine which auth method would be used in the end). From the LEGO documentation on Azure DNS there's no real mention on how this setting is required for _FILE suffixed values. In addition my initial setup (where I just provided the values "as is", i.e. no _FILE usage) worked without the AZURE_AUTH_METHOD, which then prompted me to go on this slightly wild goose chase...

Anyway, thank you very much for the clarification. With this additional setting provided everything works as expected. 🙂