1. Microsoft Azure Account
Of course, you need an Azure account to get started. You can sign up for free at azure.com. You’ll receive $200 USD of credit, which should last a few months depending on how many apps you are running. You’ll need to be familiar with Azure and able to navigate your way around Azure Web Apps.
2. Domain Name
Of course, this should be obvious, but you need a domain name; otherwise there’s no point in installing the SSL certificate in the first place. You can buy a domain cheaply at powhost.com. You’ll also need access to the administration area of the domain name, specifically the DNS settings.
3. Storage Account
The Azure Let’s Encrypt site extension leverages a feature of Azure Web Apps called WebJobs. WebJobs persist various bits of state over time, which requires a Storage account to be created.
4. Application Settings
With a Storage account in hand, go to Application Settings in the Portal and add two App Settings to the web app in question, called AzureWebJobsStorage and AzureWebJobsDashboard. Set the value of both settings to your storage account connection string, which looks something like this:
DefaultEndpointsProtocol=https;AccountName={storage account name};AccountKey={storage account key}
5. Register a Service Principal
First, you need to log in to PowerShell in your Azure portal.
Next, store a unique URI and secure password into a couple variables:
$uri = 'http://{some random name}'
$password = '{some strong password}'
With those set, create a new application:
$app = New-AzureRmADApplication -DisplayName '{some display name}' -HomePage $uri -IdentifierUris $uri -Password $password
Then a Service Principal for the new application:
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Finally, assign the Contributor role to the Service Principal:
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
While you’re still in the PowerShell console, run $app.ApplicationId and save the GUID that is displayed. Later on it will be referred to as your ClientId, and the value of $password will be referred to as your ClientSecret.
With the Service Principal properly registered, Azure Let’s Encrypt will be able to use the Azure APIs on your behalf to configure certificates.
Setup
With the prerequisites out of the way, we can install and configure the site extension.
1. Install Site Extension
To install the Azure Let’s Encrypt site extension, open your site’s SCM page at the URL https://{your site name}.scm.azurewebsites.net.
If authentication is required, log in with the same credentials you’d use to access the Azure Portal.
In the SCM site’s main navigation, click on Site extensions, then the Gallery tab, and search for “Azure Let’s Encrypt”. Find it in the list and install it by clicking the + button.
Once the site extension has finished installing, you’ll be required to restart the site. After the restart, click the triangle Launch button that replaced the extension’s install button.
Note: If you get a “No route registered for ‘/letsencrypt/'” error, go to the portal, Stop then Start your site (not Restart), and try again.
2. Configure Azure Let’s Encrypt
The Azure Let’s Encrypt site extension will greet you with this slightly intimidating screen:
It’s a tad confusing, but don’t fill in the boxes you see near the bottom of the screen. Instead, go back to the Portal’s Application Settings screen and input App Settings for letsencrypt:Tenant, letsencrypt:SubscriptionId, letsencrypt:ClientId, letsencrypt:ClientSecret and letsencrypt:ResourceGroupName.
Some of the values can be found very easily in the portal:
letsencrypt:Tenant is in the ‘Azure Active Directory’ page
letsencrypt:SubscriptionId is in the main page of your web app
letsencrypt:ResourceGroupName is just the name you used when you created your resource group
The other values come from the Service Principal that was registered in the prerequisites:
letsencrypt:ClientId is the GUID from $app.ApplicationId
letsencrypt:ClientSecret is the value from $password
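Prerequisite steps 4 and 5 and the App Settings listed above can be done end to end from the same PowerShell session instead of the Portal. This is an added example, not code from the original post or from the site extension’s authors; it assumes an AzureRM session that is already logged in, a single resource group holding the web app, its App Service plan and the storage account, and it replaces the names in braces, which are placeholders. It also narrows the Contributor assignment to that resource group rather than the subscription-wide default the post’s command produces.

```powershell
# Added example, not from the original post or the site extension's authors.
# Assumes an AzureRM session that is already logged in (Login-AzureRmAccount) and
# that the web app, its App Service plan and the storage account share one
# resource group. Names in braces are constructed placeholders to replace.
$rg       = '{resource group name}'
$site     = '{your site name}'
$storage  = '{storage account name}'
$uri      = 'http://{some random name}'
$password = '{some strong password}'

# 1. Register the application and its Service Principal (prerequisite step 5).
#    The post's AzureRM version accepts -Password as a plain string; newer
#    releases expect a SecureString (ConvertTo-SecureString -AsPlainText -Force).
$app = New-AzureRmADApplication -DisplayName 'letsencrypt-{your site name}' `
    -HomePage $uri -IdentifierUris $uri -Password $password
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null
Start-Sleep -Seconds 15   # directory replication lag can make an immediate role assignment fail

# 2. Contributor on the resource group only. Without -ResourceGroupName the post's
#    command grants it on the whole subscription; the extension only needs to
#    manage this app's certificates and bindings, so a leaked ClientSecret
#    reaches correspondingly less.
New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
    -ServicePrincipalName $app.ApplicationId -ResourceGroupName $rg | Out-Null

# 3. Collect the values the extension reads from App Settings (AzureRM 4+ property names).
$ctx = Get-AzureRmContext
$key = (Get-AzureRmStorageAccountKey -ResourceGroupName $rg -Name $storage)[0].Value
$storageConn = "DefaultEndpointsProtocol=https;AccountName=$storage;AccountKey=$key"

# 4. Merge into the existing App Settings. Set-AzureRmWebApp -AppSettings replaces
#    the whole collection, so read the current settings first or everything else
#    configured on the app is wiped.
$webApp   = Get-AzureRmWebApp -ResourceGroupName $rg -Name $site
$settings = @{}
foreach ($s in $webApp.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings['AzureWebJobsStorage']          = $storageConn
$settings['AzureWebJobsDashboard']        = $storageConn
$settings['letsencrypt:Tenant']           = $ctx.Tenant.Id   # tenant GUID, as shown on the Azure Active Directory page
$settings['letsencrypt:SubscriptionId']   = $ctx.Subscription.Id
$settings['letsencrypt:ClientId']         = $app.ApplicationId.ToString()
$settings['letsencrypt:ClientSecret']     = $password
$settings['letsencrypt:ResourceGroupName'] = $rg
Set-AzureRmWebApp -ResourceGroupName $rg -Name $site -AppSettings $settings | Out-Null

# Show what was written, without echoing the secret.
(Get-AzureRmWebApp -ResourceGroupName $rg -Name $site).SiteConfig.AppSettings |
    Where-Object { $_.Name -ne 'letsencrypt:ClientSecret' } |
    Format-Table Name, Value -AutoSize
```

After it runs, the extension’s form fields populate from these settings exactly as they do when entered through the Portal.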
Once the App Settings are saved, refresh the Azure Let’s Encrypt page and the form field boxes will be automatically filled in.
Click the Next button at the bottom of the screen. If everything is configured properly, you’ll be presented with a page listing the Hostnames, SSL bindings and Certificates from your site.
Click Next on this screen to finally get to the last step: requesting and installing a certificate.
3. Request and Install a Certificate
If you’ve made it this far, the good news is that this step is the easiest to complete.
Select the Hostname you’d like a certificate for from the drop down menu, enter your email address and click the Request and Install certificate button.
(Don’t check the Use Staging option, it’s mostly useful for testing Let’s Encrypt without running into their rate limits.)
In the background, the site extension uses ACMESharp to obtain and verify a certificate from Let’s Encrypt. Once it has the certificate, it leverages Azure APIs to automate configuring the certificate in IIS using the provided Service Principal credentials. Let’s Encrypt never receives the Service Principal credentials.
4. Success!
Once complete, you can browse to the HTTPS version of the hostname you selected. As long as you don’t have any mixed content issues (HTTP resources on the HTTPS page), you’ll see the familiar “Secure Connection” padlock and notification.
Nice job!