Today we are going to configure Let’s Encrypt SSL Certificates on Azure using the Webapp renewer extension. This extension makes it a lot easier to configure multiple Azure websites at the same time.
Here is a link to the original site extension. You can read through all the benifits here: https://github.com/ohadschn/letsencrypt-webapp-renewer. To get this to work I had to modify the steps slightly. The major key is to make sure your web config allows your Website app to serve extensionless pages. (More on that later).
1) Create a new Web App that you can run this extension from.
Click Create a Resource and give your web app a name (Make sure to put all your resources in the same Resource Group):
All of the configuration settings for this site extension are going to be stored in the Web App Application Settings section. This is where the extension will pull the info it needs to generate the certificates for each site. This works great if you have multiple sites to certify. We will set this up later right before the Web Job is set up.
2) Create a Service Principal
A service principal is a Azure AD entry that can be used for unattended access to Azure resources. You can consider it service account. You need a service principal with Access to your Resource Group(s) in order for the Let's Encrypt site extension to renew your certificate without manual involvement once they expire. The service principal is also used to install the certificate the first time, in order to validate that it is setup correctly. This is probably the most difficult part of the setup.
a) Select Active Directory
b) Select New Application Registration
c) Give the App Registration a Name : Letsencrypt / Application Type: Web app / API : Sign on URL https://letsencrypapp.azurewebsites.net (same name as the web app you just created)
d) Create a client secret. Click on the All settings and click Keys to setup a new key for your application (the service principal password).
e) Give the new key a description, select a duration and hit Save, after saving the client secret will show up in the value column. Save that for later, You will not be able to retrieve the key later so you will want to copy it now.
3) Grant permissions to the Service Principal
a) In the portal find the resource group for your App Service and App Service plan, click the Access button.
b) Click Add, and select the Role Contributor
c) Now add the service principal user you created earlier to the role, you can find the service principal by searching for the Application Name you used in step 7 of creating the Service Principal. (Note: you have to do a search otherwise you wont find the User).
Refer to the Configuration Settings here for the webapp: https://github.com/ohadschn/letsencrypt-webapp-renewer
5) Download the WebJob zip file
a) Goto the web application and select WebJobs Add +. Upload the zip file you just downloaded. Set the type to triggered and the CRON expression to 0 0 0 1 1,3,5,7,9,11 * .
b) Important: Add this line to your webconfig in your root level directory. I couldn’t get this to work without this setting.
<rule name="LetsEncrypt Rule" stopProcessing="true">
<match url="^\.well-known.*$" />
<action type="None" />
Congratulations you have SSL certificates working on all your web apps.