Set up Let's Encrypt certificate solution on Azure

5 February 2019

Introduction

It’s 2019 and your site needs an SSL/TLS certificate. These can be quite expensive, but fear not, there are solutions that are free! Enter Let’s Encrypt.

Scenario and prerequisite

The scenario for this blog post is that you have a Web App in Azure with your own domain that you would like to secure with HTTPS. For simplicity’s sake, we will say that we have the domain name “yourwebsite.com” and the web app “yourwebsite”, a.k.a. “yourwebsite.azurewebsites.net”.

Make sure that your web app is in a Web service plan that supports custom domains and SSL/TLS.

Add your custom hostname/-s under “Custom domains”. Preferably you could add both yourwebsite.com and www.yourwebsite.com.

Make sure your DNS has the right configuration

Add A and CNAME records in your DNS. In this example we have added:

Sub domain   Type    TTL    Data
@            TXT     3600   “yourwebsite.azurewebsites.net”
@            A       3600   40.123.21.67
www          CNAME   3600   yourwebsite.azurewebsites.net

Where 40.123.21.67 is the IP address of your web app in Azure.

As we will use a site extension called “Azure Let’s Encrypt” to set up and renew the certificate, we need two web jobs, and these web jobs need some storage, so make sure that you have a Storage Account available as well. Let’s Encrypt certificates are valid for only 90 days and have to be renewed before they expire. The site extension does that automatically for you, so you do not need to worry.

Go to the application settings for your web app (yourwebsite) and add two settings: one named “AzureWebJobsStorage” and the other “AzureWebJobsDashboard”. Both get the Storage Account’s connection string as their value (go to the Storage Account > “Access keys” > copy the key1 connection string).

Registration of Service Principal

As the site extension states: “The certificate is installed and renewed using the Azure Resource Manager API, because the renewal process should run unattended you need to register an Azure AD service principal that have access to at least the Azure Web App.”

Azure PowerShell module

Open PowerShell and make sure that you have the Azure PowerShell module installed.

Run:

$PSVersionTable.PSVersion

If you do not have the Azure PowerShell module installed, read more on how to install it here: https://docs.microsoft.com/sv-se/powershell/azure/install-az-ps?view=azps-1.2.0

Get the information you need

You need the following information: the SubscriptionId of the subscription that contains your web app (yourwebsite).

Log in to your account and subscription:

Login-AzureRmAccount -SubscriptionId SUBSCRIPTION_ID

Define some variables that will be used later:

$uri = 'http://yourwebsite.com'
$SecurePassword = ConvertTo-SecureString 'SECRETPASSWORD' -AsPlainText -Force
$app = New-AzureRmADApplication -DisplayName PreserveTime `
           -HomePage $uri -IdentifierUris $uri -Password $SecurePassword

Since New-AzureRmADApplication needs a secure string, we convert our password to one. Later on we will need the password again, and at that point we will use it in clear text as written above, not as a secure string.

Create a service principal in Azure Active Directory:

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

Assign the Contributor role to the service principal:

New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
        -ServicePrincipalName $app.ApplicationId

You will need the ApplicationId (referred to later on as ClientId):

$app.ApplicationId
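As an added example (not code from the original post), the steps above as one script that grants Contributor only on the resource groups of the web app and its service plan instead of on the whole subscription, which matches the extension’s statement that the principal needs access to at least the web app. The variable values, the assumption that access to those two resource groups suffices, the random secret generation and the retry loop are all this example’s own choices.

```powershell
# Added example, not from the original post. Requires the AzureRM module and a
# session already opened with Login-AzureRmAccount. All names below are placeholders.
$subscriptionId = 'SUBSCRIPTION_ID'
$webAppName     = 'yourwebsite'
$webAppRg       = 'yourwebsite-rg'      # resource group of the web app
$servicePlanRg  = 'yourwebsite-rg'      # resource group of the service plan
$uri            = 'http://yourwebsite.com'

Set-AzureRmContext -SubscriptionId $subscriptionId | Out-Null

# Generate a random client secret instead of typing one in clear text.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$clientSecret   = [Convert]::ToBase64String($bytes)
$securePassword = ConvertTo-SecureString $clientSecret -AsPlainText -Force

$app = New-AzureRmADApplication -DisplayName "$webAppName-letsencrypt" `
           -HomePage $uri -IdentifierUris $uri -Password $securePassword
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# Scope the role to the resource group(s) only (assumption: this is enough for the
# extension). The new principal can take a moment to replicate, so retry a few times.
foreach ($rg in ($webAppRg, $servicePlanRg | Select-Object -Unique)) {
    $scope = "/subscriptions/$subscriptionId/resourceGroups/$rg"
    for ($attempt = 1; $attempt -le 6; $attempt++) {
        try {
            New-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId `
                -RoleDefinitionName Contributor -Scope $scope -ErrorAction Stop | Out-Null
            break
        } catch {
            if ($attempt -eq 6) { throw }
            Start-Sleep -Seconds 10
        }
    }
}

# Print the values that go into the letsencrypt:* application settings of the web app.
$ctx = Get-AzureRmContext
[pscustomobject]@{
    'letsencrypt:Tenant'                       = $ctx.Tenant.Id
    'letsencrypt:SubscriptionId'               = $subscriptionId
    'letsencrypt:ClientId'                     = $app.ApplicationId
    'letsencrypt:ClientSecret'                 = $clientSecret
    'letsencrypt:ResourceGroupName'            = $webAppRg
    'letsencrypt:ServicePlanResourceGroupName' = $servicePlanRg
} | Format-List
```

The printed secret is only needed once, for the letsencrypt:ClientSecret setting; it is not stored anywhere else by the script.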

Install the site extension

Now it’s time to install the Azure Let’s Encrypt site extension.

  • Go to: https://YOUR_SITE_NAME.scm.azurewebsites.net, i.e. https://yourwebsite.scm.azurewebsites.net
  • Select “Site extensions” in the main menu.
  • Go to the Gallery-tab and search for “Encrypt”.
  • Click the “+” icon for the “Azure Let’s Encrypt” extension (the variant with web jobs).

After the installation of the extension has finished, restart your web app by stopping and starting it. After the restart has finished, click the “Launch” button on the extension (it looks like a play button).

Configure Azure Let’s Encrypt site extension

At first glance, the Authentication Settings page can look a bit daunting, but fear not. If you have successfully finished the previous steps, this part will not be that hard. Begin by adding these six application settings to your web app:

App settings name                          Value
letsencrypt:Tenant                         The GUID of your Azure AD directory
letsencrypt:SubscriptionId                 The web app’s subscription Id; found on the web app’s “Overview” tab
letsencrypt:ClientId                       The ApplicationId of the Azure AD application you created earlier
letsencrypt:ClientSecret                   The password you set when creating the Azure AD application
letsencrypt:ResourceGroupName              The name of the resource group where the web app is located
letsencrypt:ServicePlanResourceGroupName   The name of the resource group of the service plan that the web app uses

When all the application settings above have been saved, go back to the “Authentication Settings” page of the site extension and refresh it. You will see the form fields updated. Click the “Next” button.

Check that the hostnames, SSL bindings and certificates look fine. Click the “Next” button.

Request and install certificate

Select the hostnames for which you want to request Let’s Encrypt SSL certificates, in our case yourwebsite.com and www.yourwebsite.com. Enter an email address for contact purposes. Leave the UseStaging checkbox unchecked. Click the “Request and Install certificate” button.

Finished

Yes, our work is done here. Congratulations! 😊