It’s 2019 and your site needs an SSL/TLS certificate. These can be quite expensive, but fear not, there are solutions that are free! Enter Let’s Encrypt.
Scenario and prerequisites
The scenario for this blog post is that you have a Web App in Azure with your own domain that you would like to secure with HTTPS. For simplicity’s sake, we will say that we have the domain name “yourwebsite.com” and the web app “yourwebsite”, i.e. “yourwebsite.azurewebsites.net”.
Make sure that your web app is in an App Service plan that supports custom domains and SSL/TLS.
Add your custom hostname(s) under “Custom domains”. Preferably add both yourwebsite.com and www.yourwebsite.com.
Make sure your DNS has the right configuration
Add A and CNAME records in your DNS. In this example we have added:
where 188.8.131.52 is the IP address of your web app in Azure.
As we will use a site extension called “Azure Let’s Encrypt” to set up and renew the certificate, we need two web jobs, and these web jobs need some storage, so make sure that you have a Storage Account available as well. Let’s Encrypt certificates are valid for only 90 days and must be renewed before they expire. This site extension does that automatically for you, so you do not need to worry.
Go to the application settings for your web app (yourwebsite) and add two settings, one named “AzureWebJobsStorage” and the other “AzureWebJobsDashboard”. Both shall have the Storage Account’s connection string as their value (go to the Storage Account > “Access keys” > copy the key1 connection string).
Registration of Service Principal
As the site extension states: “The certificate is installed and renewed using the Azure Resource Manager API, because the renewal process should run unattended you need to register an Azure AD service principal that has access to at least the Azure Web App.”
Azure PowerShell module
Open PowerShell and make sure that you have the Azure PowerShell module installed.
If you do not have the Azure PowerShell module installed, read more on how to install it here: https://docs.microsoft.com/sv-se/powershell/azure/install-az-ps?view=azps-1.2.0
Get the information you need
You need the following information: the SubscriptionId of the subscription that contains your web app (yourwebsite).
Log in to your account and subscription:
Login-AzureRmAccount -SubscriptionId SUBSCRIPTION_ID
Set the variables that will be used:
$uri = 'http://yourwebsite.com'
$SecurePassword = ConvertTo-SecureString 'SECRETPASSWORD' -AsPlainText -Force
$app = New-AzureRmADApplication -DisplayName PreserveTime -HomePage $uri -IdentifierUris $uri -Password $SecurePassword
Since New-AzureRmADApplication requires a SecureString, we convert our password to one. Later on the site extension will need this same password, and at that point we will enter it in clear text as written above, not as a secure string.
Create a service principal in Azure Active Directory:
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Assign the Contributor role to the service principal (without -Scope this grants Contributor on the whole subscription; the extension only needs access to the web app, so narrow it with -Scope where you can):
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
Note the ApplicationId of $app (the appId); the site extension later refers to it as the ClientId.
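The service principal steps above collected into one script, as an added example that is not part of the original post. It uses the same AzureRm cmdlets as the post, but generates the client secret randomly, scopes the Contributor assignment to the web app’s resource group instead of the whole subscription, retries the assignment while Azure AD replicates the new principal, and verifies the result with Get-AzureRmRoleAssignment. SUBSCRIPTION_ID and YOUR_RESOURCE_GROUP are placeholders you must fill in.

```powershell
# Added example, not the post's own commands. Placeholders: fill in before running.
$subscriptionId = 'SUBSCRIPTION_ID'
$resourceGroup  = 'YOUR_RESOURCE_GROUP'   # assumption: the resource group holding the web app
$uri            = 'http://yourwebsite.com'

Login-AzureRmAccount -SubscriptionId $subscriptionId | Out-Null

# Generate a 256-bit random client secret instead of typing one into the script.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plainSecret    = [Convert]::ToBase64String($bytes)
$securePassword = ConvertTo-SecureString $plainSecret -AsPlainText -Force

# Application + service principal, as in the post.
$app = New-AzureRmADApplication -DisplayName 'PreserveTime' -HomePage $uri `
        -IdentifierUris $uri -Password $securePassword
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Least privilege: Contributor on the resource group that holds the web app,
# not on the whole subscription (the extension needs "at least the Azure Web App").
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# A freshly created principal may not be visible to ARM for a few seconds; retry.
$assignment = $null
for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
    try {
        $assignment = New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
                        -ObjectId $sp.Id -Scope $scope -ErrorAction Stop
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assignment) { throw 'Role assignment failed after retries' }

# Verify: the principal should hold exactly one assignment, at the intended scope.
$found = Get-AzureRmRoleAssignment -ObjectId $sp.Id
if (@($found).Count -ne 1 -or $found.Scope -ne $scope) {
    throw "Unexpected assignments: $($found | Out-String)"
}

# Values the site extension asks for later (ClientId = ApplicationId). Shown once;
# the secret is not retrievable afterwards, so store it in the app settings right away.
[pscustomobject]@{
    SubscriptionId = $subscriptionId
    ClientId       = $app.ApplicationId
    ClientSecret   = $plainSecret
    Scope          = $assignment.Scope
}
```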
Now it’s time to install the Azure Let’s Encrypt site extension.
After the installation of the extension has finished, restart your web app by stopping and starting it. After the restart has finished, click the “Launch” button on the extension (it looks like a play button).
At first glance, the Authentication Settings page may look a bit daunting, but fear not. If you have successfully finished the previous steps, this part will not be that hard. Begin by adding these six application settings to your web app:
When all the application settings above have been saved, go back to the “Authentication Settings” page of the site extension and refresh it. You will see the form fields updated. Click the “Next” button.
Check that the hostnames, SSL bindings and certificates look fine. Click the “Next” button.
Select the hostnames for which you want to request Let’s Encrypt SSL certificates, in our case yourwebsite.com and www.yourwebsite.com. Enter an email address for contact purposes. Don’t check the UseStaging checkbox (the Let’s Encrypt staging environment issues test certificates that browsers do not trust). Click the “Request and Install certificate” button.
Yes, our work is done here. Congratulations! 😊