When it was discovered that a ‘staging’ SSL certificate had been initially added to a website with the issuer set as ‘Fake LE Intermediate X1’ (read about that here), we replaced the SSL certificate with one that would be acceptable to all browsers.
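A quick way to confirm which issuer a site is actually serving, both before and after the replacement (an added example, not part of the original post): the script reads the issuer with the `openssl` CLI and flags the staging name quoted above. Matching the `(STAGING)` prefix goes beyond this page and assumes the naming used by Let’s Encrypt’s later staging hierarchy; the function names and sample lines are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag a Let's Encrypt *staging* issuer on a served certificate.

# Pull the CN out of an `openssl x509 -noout -issuer` line. Handles the older
# "issuer= /CN=..." layout and the newer "issuer=C = US, O = ..., CN = ..." one.
issuer_cn() {
  printf '%s\n' "$1" | sed -n -E 's|.*CN ?= ?([^/,]+).*|\1|p'
}

# Print STAGING, OK or UNKNOWN for an issuer line.
# "Fake LE " is the staging name quoted in the post; "(STAGING) " is an
# assumption covering Let's Encrypt's later staging hierarchy.
classify_issuer() {
  local cn
  cn=$(issuer_cn "$1")
  case "$cn" in
    "")                        echo "UNKNOWN" ;;
    "Fake LE "*|"(STAGING) "*) echo "STAGING" ;;
    *)                         echo "OK" ;;
  esac
}

# Fetch the certificate a host serves on 443 and classify its issuer.
# OK only means "not a staging issuer"; it is not a full chain validation.
check_host() {
  local host=$1 line verdict
  line=$(openssl s_client -connect "$host:443" -servername "$host" \
           </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null)
  verdict=$(classify_issuer "$line")
  printf '%s: %s (%s)\n' "$host" "$verdict" "${line:-no certificate read}"
  [ "$verdict" = "OK" ]
}

if [ "$#" -gt 0 ]; then
  check_host "$1"            # e.g. ./check_issuer.sh www.example.com
else
  # Constructed issuer lines, used when no hostname is given.
  for sample in \
    'issuer= /CN=Fake LE Intermediate X1' \
    "issuer=C = US, O = Let's Encrypt, CN = R3" \
    ''
  do
    printf '%-45s -> %s\n' "$sample" "$(classify_issuer "$sample")"
  done
fi
```

`check_host` returns non-zero for STAGING or UNKNOWN, so it can gate a deployment check or a scheduled monitor.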

Steps to Replace the Let’s Encrypt SSL certificate on Azure Web App (working in Azure Portal)

1. Delete the current SSL Binding to the SSL Certificate:

2. Then the attached incorrect SSL certificate could be deleted:

2. Registered a new Azure Active Directory Security Principal

  • This wasn’t necessary, but we wanted to delete the previous Security Principal we’d used for installing Let’s Encrypt certificates on a number of DEV and DR sites that have all been deleted. Make a fresh start!
  • Added the new Security Principal to the Resource Group of the App Service Plan of the web app, and the Resource Group of the Storage Account used for the Let’s Encrypt SSL and the Web Jobs required for automatic renewal
  • These preparations are outlined in detail here. Not all steps needed to be redone, because we were only changing the Security Principal for the process. If you’re installing a Let’s Encrypt SSL certificate for the first time, be sure to do ALL the Preparation steps required. We didn’t have to do steps 2, 4, & 5 of the Preparations Outline.

3. Gather the information needed to install and configure a new Let’s Encrypt SSL certificate for the Hostname of the web app. The App Service Plan and the Resource Group of the Storage Account holding the new certificate details are different, so both are needed.

4. To install & configure the new SSL cert (Read the details on how to do this here.)

Portal > Web App > Development Tools > Extensions > select Azure Let’s Encrypt (first install any updates) > Browse:

 

5. A webpage will open in a browser – scroll down and paste in the saved info from Step 3 above > Next

When a message appears saying the SSL certificate has been successfully installed, just restart the website and the SSL will be active on the domain in a few moments.

6. Contents of the Blob storage after the process – Azure Web Jobs has been set up to automatically renew the certificate every 3 months:


7. If you get a server error while going through the install and configure pages, it is important to go into the Storage Account appointed to receive the Let’s Encrypt registration and DELETE the ‘firstrun.job’ file in Blob storage, or you will not be able to successfully proceed to requesting and installing a certificate! When we first tried to install the Let’s Encrypt SSL certificates 10 months ago, we got stuck in a ‘fault loop’ until we read about having to delete this file – and had to wait a week before we could apply for a certificate for the domain again due to the daily 5 request limits!

Initial Error that was about incorrect info inputted for the Resource Group of the App Service Plan: