Let’s Encrypt issues TLS/SSL certificates for free; the only constraints are that:

  • You need to control the domain and point it at a server running the Let’s Encrypt (ACME) client, so that the certificate authority can validate the challenge it issues
  • You need to install that client software on your server
  • Certificates are valid for 90 days only

Fortunately Simon J.K. Pedersen developed an Azure Web App site extension for Let’s Encrypt. The process is a bit hairier than just requesting a certificate and installing it, but you’ll survive it.

Note that Web Apps on the Free tier don’t allow SSL bindings for custom hostnames; you need at least a Basic App Service plan.

Set up an app registration principal

Start from the Azure portal’s Azure Active Directory, open the App registrations blade and add a new app.

Domain

You’ll need to give it a name. Be wild and call it “letsencrypt” (the name doesn’t matter). You’re then asked for a sign-on URL, which doesn’t matter for our case either: your website’s URL will do. Click Create.

App 2

Go to the Keys section of your application and add a new one. Set the validity to what you want. Save, then copy the key value immediately: it is shown only once, and anyone holding it can act with whatever rights you grant this application (Contributor on your web app, below), so treat it like a password. While you’re at it, also copy the Application ID of your new app registration.

Keys

Gather info

Copy your AD tenant name somewhere. You can find it in the menu.

Tenant

Copy your subscription ID somewhere; you’ll find it in the “Subscriptions” blade.


Configure your app

Go to your web app. Start by granting your app registration access through IAM: go to Access control (IAM) and add the application as a Contributor. Scope the assignment as narrowly as you can (the web app or its resource group, not the whole subscription), because the key you just created will carry this role.

IAM

Select “Contributor”, then search for the app registration you just created (it shows up like a user in the search results).

Add user

Click OK, and the application should appear in the list.

If you haven’t done it yet, add your domain to your application. Your DNS must point to your Azure Web App before you can proceed, and that is done on your DNS provider’s website. For a subdomain (e.g. www.something.com or blog.somethingelse.net), add a CNAME record pointing at [your webapp].azurewebsites.net. For an apex domain (e.g. something.com, the bare domain itself), add an A record pointing at your web app’s IP address. Azure will also ask you for a verification record proving you own the name; the “Custom Domains” blade tells you exactly what to create. Then, in that blade, click “Add hostname” and add your hostname.


Let’s Encrypt extension

In the “Extensions” blade of your web app, click Add and select “Azure Let’s Encrypt (x86 or x64)”. Pick the architecture matching your application’s platform setting (32-bit or 64-bit, under Application settings).

Extensions

Click the extension, then click “Browse”. It should lead you to https://[your webapp].scm.azurewebsites.net/letsencrypt/ (this is the Kudu site of your web app, so you’ll be asked to sign in with your Azure credentials).

Fill in the form with the information you copied earlier (tenant name, subscription ID, application ID and key). Service Plan Resource group name is optional and can be left empty if your web app and service plan are in the same resource group. The extension saves these values as application settings of your web app so that the renewal webjob can use them; keep in mind that the key is readable there by anyone who can see the web app’s settings. Then click Next.


The next page displays your currently installed certificates and their hostname bindings. If you haven’t installed a certificate yet, it’s empty. Click Next.

You’ll arrive on a page where you can select the custom hostnames you added to your web app. Select the ones you want a certificate for. The “use staging” option lets you test your setup against Let’s Encrypt’s staging environment, which issues certificates browsers don’t trust but isn’t subject to the production rate limits. Production does enforce rate limits (among others on the number of certificates per registered domain per week, and on duplicate certificates), so test your setup on staging first and repeat against production once it works. The email address is used by Let’s Encrypt for expiry reminders and urgent security notices, so use one you actually check.

Request and install

Then you’ll be brought back to the certificate list, where your new certificate is now listed. The extension also creates the binding between hostname and certificate, but it takes a minute to show up.

Certificate list

You can check that the binding was created from the SSL settings of the web app. If it isn’t there after a minute, add the binding manually:

Bindings

Now you can go to your website and verify that the certificate works: the browser should show a certificate issued by Let’s Encrypt for your custom hostname, not the default *.azurewebsites.net one.

SSL works

Renewing the certificate

Your certificate is valid for only 90 days, which means it needs to be renewed often. Luckily, a webjob gets set up to do that automatically. You can check that it’s working by going to your webjobs list:

Webjobs

As far as I’ve seen, the extension is missing a few settings when installing the webjob. You’ll need to do the following:

  1. Create a storage account
  2. Configure the web app to use it

Go to the Storage accounts blade, create a new storage account, then go to its Access keys blade.

Storage account

Copy the storage account name and one of the keys, then go back to your web app and open Application settings. Add two connection strings:

  • AzureWebJobsDashboard
  • AzureWebJobsStorage

Set both to the following connection string (the account key grants full access to the storage account, so don’t paste it anywhere else, and regenerate it from the Access keys blade if it ever leaks):

DefaultEndpointsProtocol=https;AccountName=[YOUR STORAGE ACCOUNT NAME];AccountKey=[THE KEY YOU JUST COPIED]

Application settings

Save the settings and go back to the webjob; it should work now. Check it periodically to make sure it does its job. Don’t rely on email for that: Let’s Encrypt only sends a notice when a certificate is about to expire without having been renewed with the same set of names, so an expiry warning from them means the webjob has failed, and silence means it is working.
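Two things on this page are worth checking from outside instead of trusting the portal: that the hostname now serves a certificate that actually covers it (the binding step above) and that the renewal webjob keeps doing its job. The script below, an added example that is not code from the post or from the Let’s Encrypt extension, performs both checks against a live hostname using only Python’s standard library; the hostname www.example.com, the 30-day threshold and the exit-code convention are assumptions.

```python
"""Verify the Let's Encrypt certificate on an Azure Web App custom hostname
and report how long it has left before renewal is overdue.

Added example for this post, not code from the Let's Encrypt site extension.
Standard library only; the hostname in __main__ is an assumption, replace it
with one of your custom hostnames.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Let's Encrypt recommends renewing when 30 of the 90 days remain, so fewer
# days than this (assumed threshold) means the renewal webjob did not run.
WARN_DAYS = 30


def parse_not_after(not_after):
    """Turn getpeercert()'s 'notAfter' string ('Jun  1 12:00:00 2030 GMT')
    into seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after, now_epoch=None):
    """Whole days left before 'not_after'; negative once expired."""
    if now_epoch is None:
        now_epoch = datetime.now(timezone.utc).timestamp()
    return int((parse_not_after(not_after) - now_epoch) // 86400)


def renewal_state(days_left, warn_days=WARN_DAYS):
    """'expired', 'renew' (inside the renewal window) or 'ok'."""
    if days_left < 0:
        return "expired"
    if days_left < warn_days:
        return "renew"
    return "ok"


def dns_names(cert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(hostname, names):
    """True if one of the certificate's DNS names matches hostname.
    A wildcard covers exactly one label: *.example.com matches
    www.example.com but neither example.com nor a.b.example.com."""
    hostname = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def fetch_certificate(hostname, port=443, timeout=10):
    """TLS handshake with SNI and return the peer certificate as a dict.
    Chain validation stays on (an untrusted staging certificate fails here);
    hostname matching is turned off so that a wrongly bound certificate is
    returned and reported by hostname_covered() instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_binding(hostname, warn_days=WARN_DAYS):
    """Combine the checks into one report for a custom hostname."""
    cert = fetch_certificate(hostname)
    names = dns_names(cert)
    days = days_until_expiry(cert["notAfter"])
    issuer = dict(pair[0] for pair in cert.get("issuer", ()))
    return {
        "hostname": hostname,
        "issuer": issuer.get("organizationName"),
        "names": names,
        "covered": hostname_covered(hostname, names),
        "days_left": days,
        "state": renewal_state(days, warn_days),
    }


if __name__ == "__main__":
    # Assumed hostname; pass your own as the first argument.
    report = check_binding(sys.argv[1] if len(sys.argv) > 1 else "www.example.com")
    for key, value in report.items():
        print(f"{key}: {value}")
    # Non-zero exit if the binding is wrong or renewal is overdue, so the
    # script can run from a scheduler as a simple alarm.
    sys.exit(0 if report["covered"] and report["state"] == "ok" else 1)
```

Run it with your custom hostname as the argument, for instance from a scheduled task a few days after each expected renewal. If covered is false while the hostname resolves to Azure, the certificate being served is most likely the default *.azurewebsites.net one and the binding is missing; if the handshake fails with a verification error, you probably left “use staging” ticked when requesting the certificate.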


There you go, all set!

One last detail about the webjob: it’s stored in the application folder, so if you clean up your application folder on each deployment, the webjob gets deleted as well. Either include it in your deployment, or don’t use cleanup.