Getting Started
This walkthrough deploys a new Acmebot v5 environment and issues a certificate into Azure Key Vault.
Prerequisites
- An Azure public cloud subscription where you can create Function App, Storage, monitoring, and Key Vault resources.
- Permission to create role assignments, which the template needs when it configures Key Vault access.
- A DNS zone hosted by a supported provider.
- Credentials or managed identity access that can create and delete TXT records in that zone.
- A contact email address for the ACME account.
- A plan for App Service Authentication, typically with Microsoft Entra ID, for dashboard access.
1. Choose an ACME Endpoint
For a first test, use a staging endpoint if your certificate authority offers one. For production, the deployment form includes these verified endpoints:
| CA | Endpoint |
|---|---|
| Let's Encrypt | https://acme-v02.api.letsencrypt.org/directory |
| GlobalSign | https://emea.acme.atlas.globalsign.com/directory |
| Google Trust Services | https://dv.acme-v02.api.pki.goog/directory |
| SSL.com ECC | https://acme.ssl.com/sslcom-dv-ecc |
| SSL.com RSA | https://acme.ssl.com/sslcom-dv-rsa |
| ZeroSSL | https://acme.zerossl.com/v2/DV90 |
If a verified CA requires external account binding, the deployment form fixes the credential type to EAB. For custom endpoints, select EAB when your CA requires it. See Certificate Authorities for details.
2. Deploy Acmebot
Open Deployment and start the Azure Public deployment template. During deployment:
- Select the subscription, resource group, and region.
- Choose a resource naming mode.
- Enter the ACME endpoint and contact email.
- Configure one DNS provider.
- Choose a system-assigned or user-assigned managed identity.
- Create a new Key Vault or select an existing one.
- Create a new Log Analytics workspace or select an existing one.
The template creates the Function App, Flex Consumption plan, Storage account, Application Insights resource, and required app settings.
3. Grant DNS Access
The template configures Key Vault access for the Function App identity, but DNS access depends on the provider.
- Azure DNS: assign the Function App identity a role that can read zones and manage TXT records, such as
DNS Zone Contributor, on the zone or a resource group that contains only the relevant zones. - Azure Private DNS: assign
Private DNS Zone Contributoron the private zone or resource group. - External providers: use credentials scoped to the hosted zones Acmebot should manage, and prefer least-privilege API tokens when the provider supports them.
When possible, store provider secrets in Key Vault and reference them from Function App settings with App Service Key Vault references. The app setting remains readable while the secret value moves under Key Vault access control.
4. Enable Dashboard Authentication
The dashboard and HTTP API require authenticated requests. Configure App Service Authentication on the Function App and require sign-in before requests reach the app. A typical setup uses Microsoft Entra ID as the identity provider.
After authentication is enabled, browse to the Function App URL and sign in. To require app roles for issue, manual renewal, and revoke operations, see Security.
5. Issue Your First Certificate
In the dashboard:
- Open the certificate creation dialog.
- Select the DNS provider and zone.
- Enter the record name. Leave it empty for the zone apex, or use
*for a wildcard certificate. - Review the full DNS name that will be requested.
- Keep the default RSA 2048 key unless you need a different key type.
- Submit the request.
Acmebot creates the _acme-challenge TXT record, waits for propagation, finalizes the ACME order, and stores the certificate in Key Vault.
6. Verify the Result
After the operation completes:
- Confirm the certificate appears in the dashboard.
- Open the Key Vault and confirm the certificate has a current version.
- Check Application Insights if the operation failed or stayed pending.
- Confirm that downstream Azure services can read the certificate from Key Vault or import the PFX.
7. Let Renewals Run
The RenewCertificates timer runs daily. When ACME renewal information is available for a certificate, Acmebot evaluates the certificate authority's suggested renewal window and Retry-After timing before renewing. Otherwise, it renews when the remaining certificate lifetime is no more than Acmebot__RenewBeforeExpiry percent (default 30).
See Operations for monitoring and troubleshooting guidance.
Next Steps
- Configure more providers in DNS Providers.
- Review CA-specific notes in Certificate Authorities.
- Learn dashboard operations in Dashboard.
- Connect certificates to Azure services in Azure Service Integration.
- Use Troubleshooting during first-issuance validation.
- Review every app setting in Configuration.