15. Juli 2018

NAV/BC Azure Container Instances with Let’s Encrypt certificates

If you just want to have a Dynamics NAV / BC environment up and running without caring for anything around it, Azure Container Instances might be a very good way to go. I’ve explained about that here and here. One of the main problems there was that you could only use unsecured http or a self-signed certificate which also leads to bad looking warning messages. In the latest iteration of my Azure quickstart template this is solved by using a Let’s Encrypt certificate

The TL;DR

Let’s Encrypt is a free service that provides you with SSL certificates. Freddy Kristiansen has shared a script to use those in connection with NAV / BC here and with some minor adjustments by myself, this works fine on Azure Container Instances as well. To use it, just go here, add all mandatory params including dns prefix and Let’s Encrypt email and you’ll get ready-to-use NAV/BC container on Azure with an https secured WebClient. Please note that the Let’s Encrypt certs are valid only for 3 months and while there are ways to script an automatic renewal, I didn’t bother because ACIs shouldn’t run for nearly as long as that in my opinion

Things I learned on the way

Setting up Let’s Encrypt certificates is amazingly simple. Basically you just let them know that you want a cert, they make sure that you own that domain by letting you know a secret that they expect to find in a specific path on that domain and then you get your cert. Even implementing that in PowerShell is quite easy as I did that before becoming aware of the fact that Freddy had shared his script. But reusing something from Microsoft almost always makes more sense, so I then decided to use Freddy’s script.

The Azure quickstart template got a bit more complicated, mainly because of two reasons:

1. I needed to reference and download the Setup-script from somewhere because of the way the NAV images work. That is fine, but one of the understandable restrictions of the quickstart templates is that you have to have everything you need in their repo. Therefore I uploaded the .ps1 into the repo. However because the NAV image expects a .zip I needed to upload a .zip with that file as well. The alternative would have been to download the whole repository and just reference the right path but as that repo is quite big, that would have slowed down startup a lot. Also you can’t just use a URL but need to reference the path like this

   [concat('c:\\run\\my=', uri(parameters('_artifactsLocation'), concat('scripts/SetupCertificate.zip', parameters('_artifactsLocationSasToken'))))]
   

   Slightly more complicated… But also not impossible to create, so that works fine in the end as well

2. Let’s Encrypt of course needs to know the FQDN of the domain, because it creates a certificate for it. However before startup of an ACI you can’t tell it to use a specific FQDN, only the dnslabel (the subdomain) which then also gets the region and something like „azurecontainer.io“ which will be different in one of the Gov clouds. So in the end you’ll get something like mynavaci.westeurope.azurecontainer.io and while „mynavaci“ is a parameter the user sets and „westeurope“ is the location which is also easy to get, „azurecontainer.io“ is something you can’t find out dynamically. In the beginning I had this hard coded, but that also isn’t allowed, so I ended up doing a combo box which currently only contains azurecontainer.io as none of the Gov clouds has support for ACIs yet, but that should probably expand over time

Running if from the command line

One of the use cases for this to me is to spin up a couple of test / demo environments for a workshop and then tear them down again. You probably don’t want to go through the Azure portal for that, so the answer is scripting (as so often 🙂 ) and would look something like this in e.g. the Azure Cloud Shell:

az group deployment create -g navworkshop --template-uri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/101-aci-dynamicsnav/azuredeploy.json --parameters name=navws1 dnsPrefix=navws1 letsEncryptMail=tobias.fenster@axians-infoma.de username=admin password=abc123.A acceptEula=Y

I hope someone has a need like mine or something similar and can use the template. Have fun!

Der Autor

Tobias Fenster

Kategorien

Container, Docker

Schlagwörter

3 Kommentare zu “NAV/BC Azure Container Instances with Let’s Encrypt certificates”

1. Dear Tobias,

   I tried to run the script but I got the error message

   {„code“:“DeploymentFailed“,“message“:“At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.“,“details“:[{„code“:“BadRequest“,“message“:“{\r\n \“error\“: {\r\n \“code\“: \“InaccessibleImage\“,\r\n \“message\“: \“The image ‚2018-cu7-be‘ in container group ‚acinavcontainergroup‘ is not accessible. Please check the image and registry credential.\“\r\n }\r\n}“}]}

   As you can see I tried to deploy a Beglium NAV Version.

   Is there anything I can do to make it work?

   Zum Antworten anmelden

2. Hello Bastian,

   you need to enter the image name as microsoft/dynamics-nav:2018-cu7-be in your case. I’ll have to improve the documentation there… 🙁 But if you look at the default value, you probably get the idea and if you use the value mentioned above, it should work

   Zum Antworten anmelden

3. Hello, what is the exact LetsEncrypt (certbot) command you ran to generate a cert using the FQDN? Since I’m using ACI, the subdomain in this case for me is going to be ACI’s case westus.azurecontainer.io

   Zum Antworten anmelden