SSL certificate for Azure web app

(28 Nov 2018)

For secure HTTPS access to the Azure web site, a free certificate from Let’s Encrypt was installed in the Azure app service using the Let’s Encrypt extension. The extension also created a web job for automatic renewal of the certificate (the default validity period of the certificate was 90 days).

The certificate installation steps were as follows (with Azure Let’s Encrypt extension v0.8.7):

  • First create an Azure AD app registration for Let’s Encrypt in Azure Active Directory > App registrations. Select Settings > Keys and create a key for the app (e.g. with the name “login”).
  • In Azure portal, select the app service to be protected and go to its Access control (IAM) page.
  • Add the Contributor role for the Let’s Encrypt app that was registered above.
  • Go to App Service > Extensions page and add the extension “Azure Let’s Encrypt”.
  • Go to App Service > Application Settings and define endpoint strings for the app settings “AzureWebJobsDashboard” and “AzureWebJobsStorage”. The endpoint strings should point to your Azure storage account (e.g. DefaultEndpointsProtocol=https;AccountName=[youraccount];AccountKey=[yourkey];)
  • In App Service > Extensions page click the “Azure Let’s Encrypt” extension and select “Browse”.
  • In the web page that opens up, under Automated Installation, give your AD Tenant name (see your AD settings), Azure subscription id, ClientId (from the AD app registration above), ClientSecret (from the AD app registration above) and the Resource group name.
  • Select “Next” and “Update” to save the settings.
  • After a while a new web page with a wizard opens, where you can select the hostnames to be included in the certificate. Select all the hostnames with which your app service will be accessed. The primary hostname will be added in the certificate Subject field and the additional hostnames in the Subject Alternative Names field. Click “Request and Install the certificate” and wait for the certificate request to be signed by the Let’s Encrypt CA and installed in Azure.

If all goes well, you can access your app service with https://<server address> and the data traffic will be SSL encrypted. Also, in the App Service > WebJobs page there should be a “Let’s encrypt” web job that will renew the certificate before it expires.
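To confirm the result, the following Python script (an added example, not part of the original post or of the extension) checks that the certificate the app service serves covers every hostname that was selected in the wizard, and how many days remain before the renewal web job must act. The 30-day renewal threshold and the example.com hostnames in the sample are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: renew when fewer than this many days remain (page states only the 90-day validity).
RENEW_BEFORE_DAYS = 30

def cert_hostnames(cert):
    """Subject CN (the primary hostname) plus every DNS entry in Subject Alternative Names."""
    cns = {v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return cns | sans

def covers(cert, hostname):
    """True if hostname equals a covered name or matches a single-label wildcard entry."""
    host = hostname.lower()
    for name in cert_hostnames(cert):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; now may be an ISO date string, taken as UTC."""
    now = (datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
           if now else datetime.now(timezone.utc))
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return (not_after.replace(tzinfo=timezone.utc) - now).days

def check_cert(cert, expected_hosts, now=None):
    """Hostnames the certificate does not cover, days left, and whether renewal is due."""
    days = days_until_expiry(cert, now)
    return {"missing": sorted(h for h in expected_hosts if not covers(cert, h)),
            "days_left": days, "renew": days < RENEW_BEFORE_DAYS}

def fetch_cert(hostname, port=443):
    """Fetch the certificate the app service currently serves, in getpeercert() form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() shape: a 90-day certificate issued 28 Nov 2018.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Feb 26 12:00:00 2019 GMT",
}
```

Against a live app service, run `check_cert(fetch_cert("<server address>"), [hostnames selected in the wizard])`; a non-empty `missing` list means a hostname was left out of the request, and `renew` turning true while the web job has not replaced the certificate means the renewal job needs attention.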