15. July 2018
NAV/BC Azure Container Instances with Let’s Encrypt certificates
If you just want to have a Dynamics NAV / BC environment up and running without caring for anything around it, Azure Container Instances might be a very good way to go. I’ve explained about that here and here. One of the main problems there was that you could only use unsecured http or a self-signed certificate which also leads to bad looking warning messages. In the latest iteration of my Azure quickstart template this is solved by using a Let’s Encrypt certificate
Let’s Encrypt is a free service that provides you with SSL certificates. Freddy Kristiansen has shared a script to use those in connection with NAV / BC here and with some minor adjustments by myself, this works fine on Azure Container Instances as well. To use it, just go here, add all mandatory params including dns prefix and Let’s Encrypt email and you’ll get ready-to-use NAV/BC container on Azure with an https secured WebClient. Please note that the Let’s Encrypt certs are valid only for 3 months and while there are ways to script an automatic renewal, I didn’t bother because ACIs shouldn’t run for nearly as long as that in my opinion
Things I learned on the way
Setting up Let’s Encrypt certificates is amazingly simple. Basically you just let them know that you want a cert, they make sure that you own that domain by letting you know a secret that they expect to find in a specific path on that domain and then you get your cert. Even implementing that in PowerShell is quite easy as I did that before becoming aware of the fact that Freddy had shared his script. But reusing something from Microsoft almost always makes more sense, so I then decided to use Freddy’s script.
The Azure quickstart template got a bit more complicated, mainly because of two reasons:
- I needed to reference and download the Setup-script from somewhere because of the way the NAV images work. That is fine, but one of the understandable restrictions of the quickstart templates is that you have to have everything you need in their repo. Therefore I uploaded the .ps1 into the repo. However because the NAV image expects a .zip I needed to upload a .zip with that file as well. The alternative would have been to download the whole repository and just reference the right path but as that repo is quite big, that would have slowed down startup a lot. Also you can’t just use a URL but need to reference the path like this
[concat('c:\\run\\my=', uri(parameters('_artifactsLocation'), concat('scripts/SetupCertificate.zip', parameters('_artifactsLocationSasToken'))))]
Slightly more complicated… But also not impossible to create, so that works fine in the end as well
- Let’s Encrypt of course needs to know the FQDN of the domain, because it creates a certificate for it. However before startup of an ACI you can’t tell it to use a specific FQDN, only the dnslabel (the subdomain) which then also gets the region and something like “azurecontainer.io” which will be different in one of the Gov clouds. So in the end you’ll get something like mynavaci.westeurope.azurecontainer.io and while “mynavaci” is a parameter the user sets and “westeurope” is the location which is also easy to get, “azurecontainer.io” is something you can’t find out dynamically. In the beginning I had this hard coded, but that also isn’t allowed, so I ended up doing a combo box which currently only contains azurecontainer.io as none of the Gov clouds has support for ACIs yet, but that should probably expand over time
Running if from the command line
One of the use cases for this to me is to spin up a couple of test / demo environments for a workshop and then tear them down again. You probably don’t want to go through the Azure portal for that, so the answer is scripting (as so often 🙂 ) and would look something like this in e.g. the Azure Cloud Shell:
az group deployment create -g navworkshop --template-uri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/101-aci-dynamicsnav/azuredeploy.json --parameters name=navws1 dnsPrefix=navws1 letsEncryptMailfirstname.lastname@example.org username=admin password=abc123.A acceptEula=Y
I hope someone has a need like mine or something similar and can use the template. Have fun!