I have an Azure App Service which hosts a few web apps (all on Linux as you cannot have both Windows and Linux apps on the same App Service Plan, and to be honest the Linux ones just seemed more responsive than the Windows ones).
Azure has yet to embrace the LetsEncrypt movement, so the only options for setting up SSL certificates for your Web App are Azure App Service Certificates (starting at ~£50/year) or manually uploading a certificate you have acquired elsewhere.
There is a helpful guide for setting up LetsEncrypt for Web Apps on Windows (https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/); however, it does not work for Web Apps on Linux.
These are the steps I took to configure my sites (massive thanks to https://www.lastcoolnameleft.com/2017/08/letsencrypt-on-azure-app-service-for-linux/ for doing most of the ground work!).
Generating the certificate
To generate the certificates I used the Certbot tool. I chose to run this via docker.
docker run -it --rm --name certbot -v "[[Certificates folder e.g. C:/certs]]:/etc/letsencrypt" -v "[[Certificates folder e.g. C:/certs]]:/var/lib/letsencrypt" certbot/certbot certonly --manual --preferred-challenges http
Note: You’ll need to make sure you’ve enabled Shared Drives in Docker for Windows. To do this open Docker Settings and click Shared Drives. Tick the drive you want to share and click Apply.
Another note: I tried the DNS challenge; however, with 123-reg at least, the TTL for the TXT record was 4 hours, and if you rerun certbot it will give you new validation values every time, meaning if you screw up you won’t get another chance for around 4 hours!
Follow the interactive steps:
- If this is the first time you’ve run it then you will need to enter your email address.
- Then follow the link to read the terms and conditions, then enter A to agree
- Decide whether you would like to share your email with the EFF
- Enter the domain name(s) you would like to generate a certificate for; note this does not support wildcard certificates
- Then agree to having your IP address logged (if you don’t, you cannot generate the certificate, so make sure you are using an IP address you are happy sharing)
- Follow the instructions to validate you own the domain
- We picked the http option earlier which means we need to generate a file on the server
- To do this go to the Kudu page and find the SSH page (it will typically look like https://[[Web App Name]].scm.azurewebsites.net/webssh/host)
- You’ll want to run the following in that SSH session to create the file certbot asked for:
mkdir .well-known && cd .well-known
mkdir acme-challenge && cd acme-challenge
echo "[[Certbot file contents]]" > [[Certbot file name]]
Certbot will then spit out a bunch of files in your mounted folder.
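The challenge step above is where a manual run most often goes wrong (a typo in the token, a stray trailing character, a second run failing because the folders already exist). The following is an added example, not code from the post or from certbot: the first function creates the challenge file in a rerunnable way, the second checks a served body against what certbot printed, and the third fetches the file over plain HTTP the way Let’s Encrypt will, so you can confirm it before pressing Enter in certbot. The web root path, the token name and the key authorization used below are assumptions; RFC 8555 (section 8.3) says the ACME server ignores whitespace after the body, which is why the comparison trims it.

```shell
#!/usr/bin/env sh
# Added example (not from the post, certbot or Azure): place and verify the
# HTTP-01 challenge file. The web root path and the token values are assumed.
set -eu

# Write <webroot>/.well-known/acme-challenge/<token> containing exactly
# <key_authorization>. mkdir -p is safe to rerun (plain mkdir fails the
# second time); printf '%s' writes no trailing newline and treats the
# contents as data rather than shell syntax.
write_challenge() {
    webroot="$1"; token="$2"; key_auth="$3"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$key_auth" > "$dir/$token"
    chmod 644 "$dir/$token"   # the web server must be able to read it
    echo "$dir/$token"
}

# Compare what was served with what certbot displayed. Trailing whitespace
# is ignored because the ACME server does the same (RFC 8555 section 8.3).
challenge_matches() {
    expected="$1"; actual="$2"
    actual="$(printf '%s' "$actual" | sed 's/[[:space:]]*$//')"
    [ "$actual" = "$expected" ]
}

# Fetch the token over plain HTTP, exactly as Let's Encrypt will, and check it.
# Needs network access to the real site; only continue in certbot once this
# returns success.
check_challenge_url() {
    domain="$1"; token="$2"; key_auth="$3"
    body="$(curl -fsS "http://$domain/.well-known/acme-challenge/$token")" || return 1
    challenge_matches "$key_auth" "$body"
}
```

In the Kudu SSH session you would call write_challenge with the app’s web root, then run check_challenge_url from your own machine before telling certbot to continue.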
Unfortunately these files aren’t quite usable. We’ll need to extract a certificate from them. For that we’ll need to install openssl locally. Navigate to https://slproweb.com/products/Win32OpenSSL.html and download the latest version (Win64 OpenSSL v1.1.0h was the one I used). I chose to install the binaries to the OpenSSL bin directory, and then added that directory to my path environment variable (for Windows 10, type environment variables into Start and add a new row to the Path variable).
Once installed, we’ll need to run the following (I used the archive version as the live folder didn’t work for me, and it simply linked to the archive folder anyway):
openssl pkcs12 -export -out [[Domain Name]].pfx -inkey [[Certificates folder e.g. C:/certs]]/archive/[[Domain Name]]/privkey1.pem -in [[Certificates folder e.g. C:/certs]]/archive/[[Domain Name]]/fullchain1.pem
You will be prompted for an export password, which is important to remember as we’ll need it when we upload the certificate to Azure (use something memorable e.g. iHATEcertificates69!)
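Two things are worth building into this step: certbot writes a new numbered privkeyN.pem/fullchainN.pem pair into the archive folder on every renewal, so a command that always names privkey1.pem will package the old key once you have renewed, and a .pfx built from a mismatched key and certificate will not be accepted by Azure. The script below is an added example, not from the post or from certbot/Azure. It wraps the openssl pkcs12 command above so that it picks the newest pair, checks that the private key belongs to the certificate, reads the export password from the PFX_PASSWORD environment variable instead of a prompt, and prints the expiry date so the 3-month renewal is not missed. The folder layout and file names are assumptions based on the paths used above.

```shell
#!/usr/bin/env sh
# Added example (not from the post, certbot or Azure): package the newest
# certbot key/chain pair into <domain>.pfx for the Azure upload. Paths and
# names are assumptions.
set -eu

# Print the highest N for which <archive_dir>/privkeyN.pem exists.
latest_archive_index() {
    archive_dir="$1"            # e.g. C:/certs/archive/example.com
    best=0
    for f in "$archive_dir"/privkey*.pem; do
        [ -e "$f" ] || continue  # unmatched glob: no files at all
        n="${f##*/privkey}"; n="${n%.pem}"
        case "$n" in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$best" ]; then best="$n"; fi
    done
    [ "$best" -gt 0 ] || return 1
    echo "$best"
}

# Build <domain>.pfx in the current directory for the "Upload Certificate" step.
build_pfx() {
    certs_root="$1"             # the folder mounted into the certbot container
    domain="$2"
    : "${PFX_PASSWORD:?set PFX_PASSWORD to the export password first}"
    archive="$certs_root/archive/$domain"
    n="$(latest_archive_index "$archive")"
    key="$archive/privkey$n.pem"
    chain="$archive/fullchain$n.pem"
    # Refuse to package a private key that does not belong to this certificate:
    # both commands print the same SubjectPublicKeyInfo PEM when they match.
    key_pub="$(openssl pkey -in "$key" -pubout)"
    cert_pub="$(openssl x509 -in "$chain" -noout -pubkey)"
    [ "$key_pub" = "$cert_pub" ] || { echo "key/certificate mismatch in $archive" >&2; return 1; }
    openssl pkcs12 -export -out "$domain.pfx" -inkey "$key" -in "$chain" -passout env:PFX_PASSWORD
    # Show when this certificate expires so the renewal is not forgotten.
    openssl x509 -in "$chain" -noout -enddate
}

# Usage: PFX_PASSWORD='...' sh build_pfx.sh /c/certs example.com
if [ "$#" -eq 2 ]; then
    build_pfx "$1" "$2"
fi
```

The export password is the one Azure asks for when you upload the .pfx; passing it through the environment keeps it out of your shell history, which the interactive prompt also achieves but a script cannot.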
Using the certificate
Once we have our certificate we can navigate to the SSL certificates page on our Web App in Azure. Choose Upload Certificate, choose the [[Domain Name]].pfx file and enter the export password you chose earlier.
Then we simply click Add binding under the SSL bindings area on the same page and associate the certificate with the custom domain name we have already added.
One final thing that is probably worth doing is going to the Custom domains tab and enabling HTTPS Only; this redirects all plain HTTP requests to HTTPS.
LetsEncrypt only gives you certificates that are valid for 3 months. That means we’ll need to repeat the same steps every 3 months, which is a bit tedious.
I plan on building a tool to help with this (similar to the LetsEncrypt Windows App Service tool), so watch this space!