We were using an expensive wildcard SSL certificate from a commercial CA for all of our websites, and it was expiring soon. Yes – there IS a very simple and straightforward way within Azure to add this wildcard certificate to multiple domain and sub-domain DEV, TEST and PROD Azure-hosted websites – but at an annual cost to us in excess of $750 Canadian dollars!

With Azure supporting Let’s Encrypt, the free, automated and open CA, for Azure-hosted websites, we decided to secure all our websites with free Let’s Encrypt SSL certificates and have each website working before the expensive wildcard SSL certificate expired.

NOTE: Let’s Encrypt certificates DO expire after 90 days, so a background process using Azure Web Jobs is necessary to automatically renew and install new certificates. Simon J. K. Pedersen has developed the Azure Let’s Encrypt Web App Site Extension to do all of the work of requesting, installing and renewing the Let’s Encrypt certificates. What a help this all is! Once the preparations are complete (as outlined below), the new Let’s Encrypt SSL certificate is working in less than 5 minutes.

After reading Simon’s documentation on How to Install, Known Issues, and How to Troubleshoot, this is the process we used to change the SSL certificates on our websites. Simon J. K. Pedersen said he is actively working on an Azure extension to create a Let’s Encrypt wildcard certificate. That will save even MORE time.

Preparations:

1. Update the App Service Plan to the minimum tier that allows custom SSL certificates, if necessary.

2. Update web.config for certificate renewal
All of our WordPress websites are coded to enforce HTTPS by using a rewrite rule in web.config. Read how to do that here. Because the Web Jobs and the Let’s Encrypt validation servers complete the renewal challenge over plain HTTP (not HTTPS), add the following lines to the web app’s web.config under ‘conditions’ and Save:
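The exact lines are missing from this page, so here is an added example (written for this post, not the page’s own web.config or the extension’s documentation) of an HTTPS-enforcing rewrite rule with the exclusion step 2 describes. It assumes the IIS URL Rewrite module; `/.well-known/acme-challenge/` is the standard ACME HTTP-01 challenge path and `{HTTPS}` is the IIS server variable that is `OFF` for plain-HTTP requests:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect every plain-HTTP request to HTTPS... -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <!-- ...only when the request did not arrive over HTTPS -->
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
            <!-- ...except the ACME HTTP-01 challenge path, which the
                 Let's Encrypt validation servers must be able to fetch
                 over plain HTTP. negate="true" makes this condition
                 fail (no redirect) only for that one path prefix, so
                 everything else on the site is still forced to HTTPS. -->
            <add input="{REQUEST_URI}"
                 pattern="^/\.well-known/acme-challenge/"
                 negate="true" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If the exclusion is left out, the challenge request is answered with a 301 to HTTPS and the renewal WebJob fails, which is the usual cause of a certificate quietly lapsing at the 90-day mark.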

3. Delete the binding of the currently installed SSL certificate, if one is present. Portal > Settings > SSL Settings > right-click the binding and select Delete:

4. Assign or create a Storage Account to hold the Let’s Encrypt and Azure Web Jobs data. Save the connection string of this storage account to a text file; it will be needed when the Azure Web Jobs settings are added to Application Settings. Portal > Storage Account > Access Keys > copy Connection String:

5. Add 2 new Application Settings to the website, named AzureWebJobsStorage and AzureWebJobsDashboard. Portal > Settings > Application Settings > Connection strings > +Add new connection string. Paste the storage account’s connection string into the Value field > Save.

6. Register an Azure Service Principal (service account), which is a security identity used by apps and services to access specific Azure resources. We used the same Service Principal for all of our websites that had the new Let’s Encrypt SSL certificate added.

7. Add permission/access for the Azure Service Principal to the resource groups of both the Azure App Service Plan and the Azure Web App/website. Portal > Resource Group > Access Control (IAM) > +Add > add the Contributor role, select the specific Service Principal > Save. Note: we had to give the Azure Service Principal access at the Subscription level for a group of websites in an App Service Plan on a different subscription. This actually turned out to be faster, because the App Service Plan, Storage Account and Web Apps within that subscription all ‘inherited’ the permission/access for the Service Principal that the Azure Let’s Encrypt Extension requires. In this case, those are the only objects in that Azure subscription.

8. Gather configuration information. Copy/paste the following into the same text file the storage account connection string was pasted into; all of it is used to configure the Let’s Encrypt Extension:

  • Resource Group names of both the App Service Plan and the Web App, if they are different.
  • Subscription name of the App Service Plan hosting the websites.
  • Service Principal Application ID/Client ID.
  • Service Principal Client Secret (saved when the Service Principal was created).
  • Tenant ID, which is the Azure Active Directory URL.

Install and Configure Azure Let’s Encrypt Extension