We are currently using an expensive wildcard SSL certificate from a commercial CA for all of our websites, and it is expiring soon. Yes, there IS a very simple and straightforward way within Azure to add this wildcard certificate to multiple domain and sub-domain DEV, TEST and PROD Azure-hosted websites, but at an annual cost in excess of $750 Canadian dollars!

With Azure supporting Let’s Encrypt, the free, automated and open CA, for Azure-hosted websites, we decided to secure all our websites with free Let’s Encrypt SSL certificates and to have each website working on the new certificate before the expensive wildcard SSL certificate expired.

NOTE: Let’s Encrypt certificates DO expire after 90 days, so a background process (an Azure Web Job) is necessary to automatically renew and install new certificates. Simon J. K. Pedersen has developed the Azure Let’s Encrypt Web App Site Extension to do the heavy lifting of requesting, installing and renewing the Let’s Encrypt certificates. What a help this all is! Once the preparations are complete (as outlined below), the new Let’s Encrypt SSL certificate is working in less than 5 minutes.

After reading Simon’s documentation on How to Install, Known Issues and How to Troubleshoot, this is the process we used to change the SSL certificates on our websites. Simon J. K. Pedersen said he is actively working on an Azure extension to create a Let’s Encrypt wildcard certificate. That will save even MORE time.

Preparations:

1. Update the App Service Plan, if necessary, to a tier that supports custom SSL certificates (Basic or higher; the Free and Shared tiers do not).

2. Update web.config for Certificate Renewal
All of our WordPress websites are coded to enforce HTTPS by using a rewrite rule in web.config. Read how to do that here. Let’s Encrypt proves that you control the domain with the HTTP-01 challenge: its servers fetch a file from http://YOURDOMAIN/.well-known/acme-challenge/ over plain HTTP, at the first issuance and at every renewal the Web Job performs. If that request is redirected to HTTPS by the rewrite rule the validation can fail, so that path must be exempted from the redirect. Add the following lines to the web app’s web.config under ‘conditions’ and Save:
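The complete rewrite rule with that exemption in place, as an added example that is not copied from the original post or from the extension’s documentation. It assumes the IIS URL Rewrite syntax that App Service on Windows uses and a rule named “Redirect to HTTPS”; if your web.config already has the HTTPS rule, the single line marked “Added condition” is the one to insert under its `<conditions>` element:

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Keep this rule ABOVE the WordPress front-controller rule so it is evaluated first -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- Only act on plain-HTTP requests -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            <!-- Added condition: never redirect the ACME HTTP-01 challenge path,
                 otherwise Let's Encrypt cannot validate the domain over HTTP -->
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Both conditions must hold for the redirect to fire (the default `logicalGrouping` is MatchAll), so a challenge request over HTTP is served as-is while every other HTTP request is still sent to HTTPS.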

3. Delete the binding of the currently installed SSL certificate, if one is present: Portal > Web App > Settings > SSL Settings > right-click the binding and select Delete. Until the new certificate is bound, the custom hostname is served with the default *.azurewebsites.net certificate and browsers will warn, so do this right before installing the extension rather than days ahead:

4. Assign or create a Storage Account to hold the Let’s Encrypt and Azure Web Jobs data. Save the Connection String of this storage account to a working text file; it is needed for the Web Jobs connection strings added in step 5. Portal > Storage Account > Access Keys > copy Connection String. The connection string contains the account key, so treat that file as a secret and delete it once the configuration is done:

5. Add 2 new connection strings to the website named AzureWebJobsStorage and AzureWebJobsDashboard: Portal > Web App > Settings > Application Settings > Connection strings > + Add new connection string. Paste the storage account’s Connection String as the value of each > Save

6. Register an Azure Service Principal (service account), which is a security identity used by apps and services to access specific Azure resources. We used the same Service Principal for all of our websites that were getting the new Let’s Encrypt SSL certificate. Read here for how to register an Azure Service Principal in the Azure Portal. Read here for how to register a Service Principal using PowerShell.

7. Add permission/access for the Azure Service Principal to the Resource Groups of both the Azure App Service Plan and the Azure App/website: Portal > Resource Group > Access Control (IAM) > + Add > role Contributor, select the specific Service Principal > Save. Note: We had to give the Azure Service Principal access at the Subscription level for a group of websites in an App Service Plan on a different subscription. This actually turned out to be faster, because the App Service Plan, Storage Account and Web Apps within that Subscription all ‘inherited’ the permission/access for the Service Principal that the Azure Let’s Encrypt Extension requires. In this case, those are the only objects in this Azure subscription. Keep in mind that Contributor at subscription scope lets the principal (and anyone holding its client secret) modify every resource in that subscription; scope the assignment to the resource groups wherever the subscription holds anything else.

8. Gather configuration information. Copy/paste the following into the same text file the storage account Connection String was pasted into; all of it is used to configure the Let’s Encrypt Extension:

  • Resource Group name of both the App Service Plan and the Web App, if they are different
  • Subscription ID (and name) of the App Service Plan hosting the websites
  • Service Principal Application ID/Client ID
  • Service Principal Client Secret (shown only once, when the Service Principal was created)
  • Tenant ID, which is the Azure Active Directory Directory ID (a GUID, not a URL)
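Preparation steps 4 to 8 can be scripted instead of clicked through, which also lets you scope the role assignment to the resource group rather than the subscription. The following is an added example, not code from the original post or from the extension; it assumes the Az PowerShell module (version 7 or later, where the new principal’s secret is returned in `PasswordCredentials.SecretText`), an interactive login, and the placeholder names at the top. Run it once per resource group if the App Service Plan and the Web App live in different ones.

```powershell
# Added example: provision the storage settings, service principal and role assignment
# that the Azure Let's Encrypt site extension needs. Names below are placeholders.
$ResourceGroup  = 'rg-websites'          # resource group holding the App Service Plan and the web app
$WebApp         = 'mycompany-prod'       # web app (site) name
$StorageAccount = 'letsencryptwebjobs'   # existing storage account (assumed to be in $ResourceGroup)
$SpName         = 'sp-letsencrypt-renewal'

Connect-AzAccount | Out-Null
$ctx = Get-AzContext

# Step 4: build the storage connection string from the account key instead of copying it from the portal.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$storageConn = "DefaultEndpointsProtocol=https;AccountName=$StorageAccount;AccountKey=$key;EndpointSuffix=core.windows.net"

# Step 5: add AzureWebJobsStorage and AzureWebJobsDashboard as connection strings.
# Set-AzWebApp -ConnectionStrings REPLACES the whole set, so carry the existing ones over first.
$site = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebApp
$conn = @{}
foreach ($c in $site.SiteConfig.ConnectionStrings) {
    $conn[$c.Name] = @{ Type = $c.Type.ToString(); Value = $c.ConnectionString }
}
$conn['AzureWebJobsStorage']   = @{ Type = 'Custom'; Value = $storageConn }
$conn['AzureWebJobsDashboard'] = @{ Type = 'Custom'; Value = $storageConn }
# -AlwaysOn keeps the site loaded so the renewal web job actually fires (needs Basic tier or higher).
Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebApp -ConnectionStrings $conn -AlwaysOn $true | Out-Null

# Step 6: one service principal for the renewal job. Its secret is returned exactly once.
$sp = New-AzADServicePrincipal -DisplayName $SpName
$clientSecret = $sp.PasswordCredentials.SecretText

# Step 7: Contributor scoped to the resource group, not the subscription.
# Directory replication can lag for a few seconds, so retry if the principal is not yet visible.
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName 'Contributor' `
            -ResourceGroupName $ResourceGroup -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $assigned) { throw "Role assignment for $($sp.AppId) failed; assign Contributor on $ResourceGroup manually." }

# Step 8: the values the extension's Automated Installation page asks for.
[pscustomobject]@{
    ResourceGroup    = $ResourceGroup
    SubscriptionId   = $ctx.Subscription.Id
    SubscriptionName = $ctx.Subscription.Name
    TenantId         = $ctx.Tenant.Id       # a GUID, not a URL
    ClientId         = $sp.AppId
    ClientSecret     = $clientSecret        # paste into the extension, then discard; do not keep it in a file
}
```

The client secret is printed only so it can be pasted into the extension; the password credential that `New-AzADServicePrincipal` creates is valid for one year, so the renewal job will stop working silently when it lapses unless you rotate it and update the extension’s settings before then.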

Install and Configure Azure Let’s Encrypt Extension

1. Portal > Web App > Development Tools > Extensions > +Add > Choose Extension > Azure Let’s Encrypt > OK

2. Stop and start the website to avoid (or recover from) the error “No route registered for ‘/Letsencrypt’” when browsing https://YOURSITENAME.scm.azurewebsites.net/SiteExtensions.

3. Configure the Let’s Encrypt Site Extension. It runs as a ‘sidecar website’ inside the scm (Kudu) site of the web app:

Portal > Web App >Development Tools > Extensions > Select the Azure Lets Encrypt Extension > Browse to be able to configure

Scroll down to the Automated Installation section of the page and paste in the values saved in the text file in Preparations step 8 above:

A list of the Custom Domains and SSL Bindings for the web app will show:

Once you see the notice ‘Certificate Successfully Installed’, the hostname SSL bindings should be enabled with the new certificate(s) assigned. On this page, note the 90-day (3 month) expiry date of the new Let’s Encrypt certificate(s). NOTE: On our site, the soon-to-expire expensive wildcard certificate is still showing for the subscription, even though it is no longer used by any binding.

Check back in the Azure Portal and add a new hostname binding if Azure has not already done it:

To ensure the new Web Job is able to renew and install new certificates when the 90 days are up, besides the web.config change in Preparations step 2 above, set Application Settings > General Settings > ‘Always On’ to ‘On’ for the website, so the web job does not fail because the site has been unloaded (Always On is available from the Basic tier up):

Restart the website. Browse to the website and verify the HTTPS connection and the certificate:

In Azure Portal > Overview, the URL should now read https://xxxxxxxxxx.com
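Browsing to the site shows the padlock but not whether the renewal path will work in 90 days. The script below is an added example (not from the original post or the extension) that checks both from the outside: it pulls the certificate the site presents for the hostname you pass, reports issuer and days to expiry, and confirms that the ACME challenge path is answered over plain HTTP while everything else is still redirected to HTTPS. It assumes Windows PowerShell 5.1 or PowerShell 7, outbound access to ports 80 and 443, and that the web.config exemption from Preparations step 2 covers /.well-known/acme-challenge/.

```powershell
# Added example: post-installation checks for one custom hostname.
param([Parameter(Mandatory = $true)][string]$HostName)

function Get-LeafCertificate([string]$Name) {
    $tcp = [System.Net.Sockets.TcpClient]::new($Name, 443)
    try {
        # Accept whatever the server presents: we want to inspect it, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($sender, $cert, $chain, $errors) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)   # sends SNI = $Name, which is what the App Service SNI binding keys on
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Get-StatusWithoutRedirect([string]$Url) {
    # Plain HttpWebRequest with redirects disabled, so a 301/302 is reported instead of followed.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = 'GET'
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 4xx/5xx throw; the response is attached
    if ($null -eq $resp) { throw "No HTTP response from $Url" }
    try {
        [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    }
    finally { $resp.Close() }
}

$cert = Get-LeafCertificate $HostName
$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter.ToString('u'))  ($daysLeft days left)"
if ($cert.Issuer -notlike "*Let's Encrypt*") {
    Write-Warning "Certificate was not issued by Let's Encrypt; an old binding may still be in place."
}
if ($daysLeft -lt 30) {
    Write-Warning "Fewer than 30 days left; the renewal web job should already have replaced this certificate."
}

# The HTTP-01 challenge must reach the site over plain HTTP. Probe a token that does not exist:
# the correct answer is a 404 from the site itself, not a redirect to https.
$probe = Get-StatusWithoutRedirect "http://$HostName/.well-known/acme-challenge/probe-$(Get-Random)"
if ($probe.Status -ge 300 -and $probe.Status -lt 400) {
    Write-Warning "ACME challenge path is redirected to $($probe.Location); renewal validation may fail."
} else {
    "ACME challenge path answered $($probe.Status) over HTTP (not redirected): OK"
}

# Everything else over HTTP should still be sent to HTTPS by the rewrite rule.
$root = Get-StatusWithoutRedirect "http://$HostName/"
if ($root.Status -ge 300 -and $root.Status -lt 400 -and $root.Location -like 'https://*') {
    "HTTP root redirects to $($root.Location): OK"
} else {
    Write-Warning "HTTP root returned $($root.Status) without redirecting to HTTPS."
}
```

Run it as `.\Check-LetsEncryptSite.ps1 -HostName www.example.com` (hypothetical file name) right after the first installation and again a day or two after the first expected renewal; a certificate that still shows fewer than 30 days left at that point means the Web Job, the Always On setting or the service principal’s permissions need attention.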