Add Ssl To Azure Webapps With Letsencrypt
Let’s encrypt lets you get SSL certificates for free, the only constraints being that:
- You need to possess the domain, and to direct it to a server that hosts the letsencrypt software piece
- You need to install letsencrypt software on your server
- Certificates are valid for 3 months only
Fortunately Simon J.K. Pedersen developed an Azure webapp extension for letsencrypt. The process is a bit hairier than just getting a certificate and installing it, but you’ll survive it.
Note that free webapps don’t allow you to have SSL bindings.
Setup an app registration principal
You need to start through the Azure portal’s Azure Active Directory, then open the App registrations blade and add a new app.
You’ll need to give it a name. Be wild and call it “letsencrypt” (the name doesn’t matter). Then you’re asked for a sign-on URL which doesn’t matter for our case. Just give your website’s URL and you should be ok. Click create.
Go to the keys section of your application, then add a new one. Set the validity to what you want. Save, then copy the key value. While you’re at it, also copy the application id of your new app registration.
Gather info
Copy your AD tenant name somewhere. You can find it in the menu.
Copy your subscription id somewhere, you’ll find it in the “Subscriptions” blade
Configure your app
Go to your web app. Let’s start by adding your app user in the AIM. Go to Access Control and add the user as a contributor.
Select “Contributor”, then you’ll have to search for the user you just created.
Click OK, then your user should appear in the list.
If you didn’t do it yet, add your domain to your application. You’ll need to set your DNS to point to your Azure Webapp before you can proceed. You’ll need to do that on your DNS provider’s website. For a subdomain (e.g. www.something.com or blog.somethingelse.net), add a CNAME. For a top level domain (e.g. something.com), add a A Record. Go to the “Custom Domains” blade, then click “Add hostname”, and add your record.
Letsencrypt extension
In the “Extension” blade of your web app, click Add, and select “Azure Let’s Encrypt (x86 or x64)”. You’ll have to pick the architecture corresponding to that of you application.
Click the extension, then go “Browse”. It should lead you to https://[your webapp].scm.azurewebsites.net/letsencrypt/.
Fill in the form with the information you copied earlier. Service Plan Resource group name is optional and can be left empty if your webapp and service plan are on the same resource group. Then click next.
The next page is gonna display your currently installed certificates and mapping. If you didn’t install a certificate yet, it’s gonna be empty. Click next
You’ll arrive on a page where you can select the custom hostnames you added to your webapp. Select the ones you want a certificate for. The “use staging” option lets you test your setup using the staging area of letsencrypt. You’re allowed a limited number of certificates issued per domain per week, so I recommend you test your setup on the staging environment, and repeat on the prod environment if it worked. Email address is used to send you renew reminders or revoke certificates. Use one you’re checking.
Then you’ll be brought back to the certificate list, where your new certificate is now listed. The extension also triggers a binding between hostname and certificate, but it takes a minute to show up.
You can check that the binding was done successfully from the settings of the webapp. If it’s not there after a minute, you can add the binding manually:
Now you can go to your website and verify that the SSL certificate works
Renewing the certificate
Your certificate is valid for only 3 months, which means it needs to be renewed often. Luckily enough, a webjob gets setup to do that automatically. You can check it’s working by going to your webjobs list:
As far as I’ve seen, the extension is missing a few settings when installing the webjob. You’ll need to do the following:
- Create a storage account
- Setup the webapp config to use it.
Go to the storage accounts blade, create a new storage account, then go to the keys blade.
Copy the storage account name and one of the keys, then go back to your webapp, and open the Application Settings. Add two connection strings:
- AzureWebJobsDashboard
- AzureWebJobsStorage
Set these two to the following connection string:
DefaultEndpointsProtocol=https;AccountName=[YOUR STORAGE ACCOUNT NAME];AccountKey=[THE KEY YOU JUST COPIED]
Save the settings and go back to the webjob, it should work. You can check it periodically to make sure it does its job, but you should receive an email from letsencrypt every 2.5 months telling you the renewal was successful.
There you go, all set!
Last detail about the webjob. It’s stored in the application folder, so if you cleanup your application folder on each deployment, the webjob is gonna get deleted as well. Either include it in your deployment, or don’t use cleanup.