{"id":23415,"library":"certbot-dns-azure","title":"Certbot DNS Azure Authenticator","description":"Azure DNS Authenticator plugin for Certbot. Allows automated Let's Encrypt certificate issuance and renewal via Azure DNS. Current version 2.6.1, requires Python >=3.6. Maintained irregularly with occasional breaking changes.","status":"active","version":"2.6.1","language":"python","source_language":"en","source_url":"https://github.com/terricain/certbot-dns-azure","tags":["certbot","letsencrypt","dns","azure","ssl","tls"],"install":[{"cmd":"pip install certbot-dns-azure","lang":"bash","label":"Install from PyPI"}],"dependencies":[{"reason":"Core Certbot runtime dependency","package":"certbot","optional":false},{"reason":"Azure DNS management SDK","package":"azure-mgmt-dns","optional":false},{"reason":"Azure authentication (Managed Identity, CLI, etc.)","package":"azure-identity","optional":false},{"reason":"Azure resource management (if using Managed Identity)","package":"azure-mgmt-resource","optional":false}],"imports":[{"note":"Internal import path; plugin is auto-detected by Certbot","wrong":"","symbol":"CertbotDnsAzure","correct":"from certbot_dns_azure._internal.dns_azure import CertbotDnsAzure"},{"note":"Use for custom scripting, but normally you don't import directly","wrong":"","symbol":"AzureClient","correct":"from certbot_dns_azure._internal.client import AzureClient"}],"quickstart":{"code":"certbot certonly --authenticator dns-azure --dns-azure-credentials /path/to/azure.ini -d example.com","lang":"bash","description":"Run Certbot with Azure DNS authenticator. The credentials file should contain environment variable references or inline secrets. See warning about managed identity vs service principal."},"warnings":[{"fix":"Update your credentials file to the new INI format (see README). Example: dns_azure_environment = 'AzureCloud' (optional) and use AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID env vars.","message":"v2.0.0+ changed credential file format from YAML to INI. Old YAML files will cause parse errors.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Ensure the service principal or managed identity has 'DNS Zone Contributor' role on the target zone's subscription.","message":"The plugin requires Azure DNS zones to be in the same subscription as the authenticated principal. If using cross-subscription, you must grant access manually.","severity":"gotcha","affected_versions":"all"},{"fix":"Upgrade to v2.4.0+ or use service principal authentication.","message":"Managed Identity authentication (DefaultAzureCredential) is only available in v2.4.0+ and requires the plugin to run on an Azure resource (VM, App Service, etc.) with a system-assigned or user-assigned identity.","severity":"gotcha","affected_versions":"<2.4.0"},{"fix":"Use --dns-azure-credentials path instead of env var.","message":"Usage of AZURE_AUTH_LOCATION environment variable is deprecated in favor of the credentials file.","severity":"deprecated","affected_versions":">=2.0.0"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Ensure certbot-dns-azure is installed in the same Python environment as certbot. Run: pip install certbot-dns-azure","cause":"Plugin not installed or not recognized by Certbot.","error":"certbot: error: --authenticator dns-azure: Plugin 'dns-azure' is not supported"},{"fix":"Switch to service principal authentication by setting AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID environment variables or use a credentials file with proper values.","cause":"Managed Identity not properly configured or not running on an Azure resource.","error":"azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials"},{"fix":"Verify the resource group name in the credentials file or environment, and ensure the principal has reader access to the resource group.","cause":"Specified Azure resource group for the DNS zone does not exist or the authenticated principal has no access.","error":"azure.core.exceptions.ResourceNotFoundError: (ResourceNotFound) Resource group '...' could not be found."},{"fix":"Convert credentials file to INI format. See https://github.com/terricain/certbot-dns-azure#credentials-file-format","cause":"Credentials file is not in the required INI format (commonly leftover YAML from older versions).","error":"ValueError: Invalid credentials file format. Expected .ini file with sections."}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}