Getting SSL running on Azure for Free!

1. Microsoft Azure Account

You need an Azure account before you can install an SSL certificate. You can sign up for a free account at Azure, and you will get $200 USD credit. The $200 should last you a few months, depending on how many apps you run.

To use the free SSL certificate, you need to know your way around Azure and be able to navigate Azure Web Apps.

2. Domain Name

It is a no-brainer that you cannot use SSL without a domain name, so your domain must be ready before you continue.

You can purchase a domain at a cheaper rate from powhost. You need access to the administration area of the domain name, specifically the DNS settings.

3. Storage Account

The Azure Let’s Encrypt site extension uses a feature of Azure Web Apps known as WebJobs. WebJobs continuously persist various bits of state over time, which requires the creation of a storage account.

4. Application Settings

Now that you have a storage account, navigate to Application Settings in the Portal and add two Application Settings to the web app in question, named AzureWebJobsDashboard and AzureWebJobsStorage. Set the value of both settings to your storage account connection string, which looks similar to this: DefaultEndpointsProtocol=https;AccountName={storage account name};AccountKey={storage account key}.

5. You need to Register a Service Principal

First, log in to PowerShell in your Azure portal.

Next, store a unique URI and a strong password in two variables:

$uri = 'http://{some random name}'
$password = '{some strong password}'

With those configured, create a new application:

$app = New-AzureRmADApplication -DisplayName '{some display name}' -HomePage $uri -IdentifierUris $uri -Password $password

Then create a Service Principal for the newly created application:

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

Lastly, assign the Contributor role to the Service Principal:

New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId

Still in the PowerShell console, run $app.ApplicationId and save the GUID that is shown. From here on it is referred to as your ClientId, and the value of $password is referred to as your ClientSecret.

Once the Service Principal is registered, Azure Let’s Encrypt can use the Azure APIs on your behalf to set up certificates.
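A least-privilege variant of the registration above, as an added example that is not part of the original post: it generates the secret randomly and scopes the Contributor role to one resource group, whereas a role assignment with no scope applies to the whole subscription. It assumes the web app and its App Service plan both live in the resource group named in the placeholder $resourceGroup.

```powershell
# Added example, not from the original post. Values in {braces} are placeholders.
$resourceGroup = '{your resource group name}'   # assumption: same value as letsencrypt:ResourceGroupName
$uri           = 'http://{some random name}'

# Generate a 32-byte random secret instead of typing one by hand.
$bytes = New-Object byte[] 32
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$password = [Convert]::ToBase64String($bytes)

# The post passes the password as a plain string; newer AzureRM releases expect
# a SecureString here (ConvertTo-SecureString $password -AsPlainText -Force).
$app = New-AzureRmADApplication -DisplayName '{some display name}' `
    -HomePage $uri -IdentifierUris $uri -Password $password
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# A new service principal can take a few seconds to become visible to the
# role-assignment API, so retry instead of failing on the first attempt.
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
            -ServicePrincipalName $app.ApplicationId `
            -ResourceGroupName $resourceGroup -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Role assignment failed for $($app.ApplicationId)" }

# Confirm what was granted: Scope should end in /resourceGroups/<name>,
# not stop at /subscriptions/<id>.
Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId |
    Select-Object RoleDefinitionName, Scope

# Shown once so they can be copied into the App Settings configured later.
"ClientId:     $($app.ApplicationId)"
"ClientSecret: $password"
```

If the App Service plan sits in a different resource group, the service principal needs a second role assignment on that group as well.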

Setup

With the prerequisites in place, we can now install and configure the site extension.

1. Install Site Extension

To install the Azure Let’s Encrypt site extension, open your site’s SCM page at https://{your site name}.scm.azurewebsites.net.

If authentication is required, log in with the same credentials you use to access the Azure Portal.

In the SCM site’s main navigation, press Site extensions, then the Gallery tab, and search for “Azure Let’s Encrypt”. Locate it in the list and install it by pressing the + button.

Once the site extension is installed, you will be required to restart the site. When the website has restarted, press the triangle Launch button that replaced the extension’s install button.

Note: If you receive a “No route registered for ‘/letsencrypt/'” error response, go to the portal, Stop your website, wait a few seconds, then Start it (do not use “Restart” again).

2. Configure Azure Let’s Encrypt

The Azure Let’s Encrypt site extension will greet you with this slightly menacing screen:

[Screenshot: Authentication Settings]

It’s a little confusing, but don’t try filling in the boxes near the bottom of the screen. Instead, navigate to the Portal’s Application Settings screen and add App Settings for letsencrypt:Tenant, letsencrypt:SubscriptionId, letsencrypt:ClientId, letsencrypt:ClientSecret and letsencrypt:ResourceGroupName.

Some of the values are easy to find in the portal:

  • letsencrypt:Tenant is on the ‘Azure Active Directory’ page
  • letsencrypt:SubscriptionId is on the main page of your web app
  • letsencrypt:ResourceGroupName is the name you used when you created your resource group

The other values come from the Service Principal registered in the prerequisites:

  • letsencrypt:ClientId is the GUID from $app.ApplicationId
  • letsencrypt:ClientSecret is the value from $password

Once the App Settings are saved, reload the Azure Let’s Encrypt page and the form fields will be filled in automatically.

Press the Next button at the bottom of the screen. If everything is configured properly, you’ll be presented with a page listing the SSL bindings, hostnames and certificates from your site.

Press Next on this screen to get to the final step: requesting and installing a certificate.
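A pre-flight check for the seven App Settings this walkthrough relies on, as an added example that is not part of the original post or of the site extension. The function name Test-LetsEncryptAppSettings and the sample values are made up for illustration; it reports setting names only and never echoes secret values.

```powershell
# Added example, not from the original post. Returns a list of problems (empty if none).
function Test-LetsEncryptAppSettings {
    param([Parameter(Mandatory)] [hashtable] $Settings)

    $problems = @()
    $required = 'AzureWebJobsDashboard', 'AzureWebJobsStorage',
                'letsencrypt:Tenant', 'letsencrypt:SubscriptionId',
                'letsencrypt:ClientId', 'letsencrypt:ClientSecret',
                'letsencrypt:ResourceGroupName'
    foreach ($name in $required) {
        if ([string]::IsNullOrWhiteSpace($Settings[$name])) {
            $problems += "$name is missing or empty"
        } elseif ($Settings[$name] -match '[{}]') {
            $problems += "$name still contains a {placeholder}"
        }
    }
    # Both WebJobs settings must hold an https storage connection string.
    foreach ($name in 'AzureWebJobsDashboard', 'AzureWebJobsStorage') {
        $value = $Settings[$name]
        if ($value -and $value -notmatch 'DefaultEndpointsProtocol=https(;|$)') {
            $problems += "$name does not use DefaultEndpointsProtocol=https"
        }
    }
    # ClientId is the GUID from $app.ApplicationId; a subscription id is a GUID too.
    $parsed = [guid]::Empty
    foreach ($name in 'letsencrypt:SubscriptionId', 'letsencrypt:ClientId') {
        $value = $Settings[$name]
        if ($value -and -not [guid]::TryParse($value, [ref] $parsed)) {
            $problems += "$name is not a GUID"
        }
    }
    return $problems
}

# Constructed sample input: the dashboard setting is missing, storage uses http,
# and ClientId was left as a display name instead of the application GUID.
$sample = @{
    'AzureWebJobsStorage'           = 'DefaultEndpointsProtocol=http;AccountName=demo;AccountKey=AAAA'
    'letsencrypt:Tenant'            = 'example.onmicrosoft.com'
    'letsencrypt:SubscriptionId'    = '11111111-2222-3333-4444-555555555555'
    'letsencrypt:ClientId'          = 'my-letsencrypt-app'
    'letsencrypt:ClientSecret'      = 'constructed-secret'
    'letsencrypt:ResourceGroupName' = 'demo-rg'
}
@(Test-LetsEncryptAppSettings -Settings $sample)

# Against a live app, build the hashtable from the site's settings instead:
#   $site = Get-AzureRmWebApp -ResourceGroupName '{resource group}' -Name '{site name}'
#   $live = @{}; foreach ($s in $site.SiteConfig.AppSettings) { $live[$s.Name] = $s.Value }
```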

3. Request and Install a Certificate

If you’ve made it this far, the good news is that this final step is the easiest to complete.

Choose the hostname you want a certificate for from the drop-down menu, type your email address and press the Request and Install certificate button.

(Avoid checking the Use Staging option; it is mostly useful for testing against Let’s Encrypt without running into their rate limits.)

In the background, the site extension uses ACMESharp to request and verify a certificate from Let’s Encrypt. Once it has the certificate, it calls the Azure APIs to automate setting up the certificate in IIS, using the Service Principal credentials. Let’s Encrypt never obtains the Service Principal credentials.

4. Success!

Once that is complete, you can browse to the HTTPS version of the hostname you selected. As long as you don’t have any mixed content issues (HTTP resources on the HTTPS page), you should see the familiar “Secure Connection” padlock and notification.
