Installing a Free SSL Certificate on Azure

14 Jan 2020 (CPOL)
This article explains, step by step, how to set up an SSL/TLS certificate for free on an Azure web app using Let's Encrypt. The free App Service managed certificate that Azure itself offers only covers subdomains (hostnames mapped with a CNAME record), not the apex or 'naked' domain, so it is no help if you want https://example.com itself to work. The method below costs nothing beyond the App Service plan you already run (custom domains with SSL bindings need a Basic or higher tier) and gives the site a browser-trusted, automatically renewed certificate. Note that a certificate secures the connection to the site, not the application code behind it.

1. Microsoft Azure Account

Of course, you need an Azure account to get started. You can sign up for free at azure.com. You'll receive $200 USD of credit, which should last a few months depending on how many apps you are running. You'll need to be familiar with Azure and be able to navigate your way around Azure Web Apps.

2. Domain Name

This should be obvious, but you need a domain name, otherwise there's no point in installing the SSL certificate in the first place. You can buy a domain cheaply at http://www.powhost.com. You'll also need access to the administration area of the domain, specifically the DNS settings, because the custom hostname must already resolve to your web app before Let's Encrypt can validate it.

3. Storage Account

The Azure Let's Encrypt site extension leverages a feature of Azure Web Apps called WebJobs. WebJobs persist various bits of state over time (the renewal job's schedule and logs among them), which requires a Storage account to be created. A general-purpose storage account in the same region as the web app is fine.

4. Application Settings

With the Storage account in hand, go to Application Settings in the Portal and add two App Settings to the web app in question, called AzureWebJobsStorage and AzureWebJobsDashboard. Set the value of both settings to your storage account connection string, which looks like this: DefaultEndpointsProtocol=https;AccountName={storage account name};AccountKey={storage account key}. You can copy it from the storage account's Access keys blade. Treat the account key as a secret: it grants full access to the storage account, so don't paste it into scripts or tickets, and regenerate it if it leaks.

5. Register a Service Principal

First, open a PowerShell session: either Azure Cloud Shell from the portal (the >_ icon in the top bar, set to PowerShell) or a local Azure PowerShell session where you have already signed in. The commands below use the AzureRm module; that module is deprecated, and the equivalent Az cmdlets are New-AzADApplication, New-AzADServicePrincipal and New-AzRoleAssignment.

Next, store a unique URI and a strong password in a couple of variables. The password becomes the Service Principal's client secret, so generate a long random one rather than reusing anything, and be aware that it will end up in your shell history:

$uri = 'http://{some random name}'          # must be unique within your directory
$password = '{some strong password}'        # becomes the ClientSecret; keep it out of source control

With those set, create a new application:

$app = New-AzureRmADApplication -DisplayName '{some display name}' `
       -HomePage $uri -IdentifierUris $uri -Password $password
# Newer AzureRm versions expect -Password as a SecureString; if the call complains, pass
# (ConvertTo-SecureString $password -AsPlainText -Force) instead of $password.

Then a Service Principal for the new application:

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

Finally, assign the Contributor role to the Service Principal. As written, the assignment is at subscription scope, which is more than the extension needs: it only has to manage the one web app, so scoping the assignment to that web app's resource group with -ResourceGroupName is the least-privilege choice:

New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
   -ServicePrincipalName $app.ApplicationId
# Add -ResourceGroupName {your resource group} to limit the role to that resource group
# instead of the whole subscription.

While you're still in the PowerShell console, run $app.ApplicationId and save the GUID that is displayed. Later on, it will be referred to as your ClientId, and the value of $password will be referred to as your ClientSecret. Store the secret somewhere appropriate (a password manager or Key Vault), because you cannot read it back from Azure afterwards.

With the Service Principal properly registered, Azure Let’s Encrypt will be able to use the Azure APIs on your behalf to configure certificates.
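The same registration done with the current Az module, added here as an example and not part of the original article. It scopes the Contributor role to the resource group, lets Azure generate the client secret, retries the role assignment while the new principal replicates, and prints the values that the site extension will later need. Assumptions: Az module version 7 or newer (where New-AzADAppCredential generates the secret and returns it in SecretText; older Az versions take a -Password SecureString instead), you are already signed in with Connect-AzAccount, and $resourceGroup and $displayName are placeholders for your own names.

```powershell
# Added example (not from the article): register the Service Principal with the Az module.
# Assumes Az >= 7 and an existing Connect-AzAccount session. Names below are placeholders.
$resourceGroup = 'my-web-rg'            # resource group that contains the web app
$displayName   = 'letsencrypt-renewer'   # display name for the AAD application

# 1. Application + service principal. No IdentifierUris are needed for a plain SP.
$app = New-AzADApplication -DisplayName $displayName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# 2. Client secret, generated server-side and valid for one year. SecretText is shown once.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)

# 3. Contributor on the resource group only (least privilege for managing one web app).
#    The authorization service may not see the new principal for a few seconds, so retry.
$assignment = $null
for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
    try {
        $assignment = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Contributor `
            -ResourceGroupName $resourceGroup -ErrorAction Stop
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assignment) { throw "Role assignment failed after retries: $($Error[0])" }

# 4. Everything the extension's App Settings will need, keyed by the setting names it reads.
$ctx = Get-AzContext
[pscustomobject]@{
    'letsencrypt:Tenant'            = $ctx.Tenant.Id
    'letsencrypt:SubscriptionId'    = $ctx.Subscription.Id
    'letsencrypt:ClientId'          = $app.AppId
    'letsencrypt:ClientSecret'      = $cred.SecretText
    'letsencrypt:ResourceGroupName' = $resourceGroup
}
```

Copy the ClientSecret straight into the web app's App Settings (or Key Vault); it is not retrievable again once the session ends. Revoke it later with Remove-AzADAppCredential if the extension is uninstalled.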

Setup

With the prerequisites out of the way, we can install and configure the site extension.

1. Install Site Extension

To install the Azure Let's Encrypt site extension, open your site's SCM (Kudu) page at the URL https://{your site name}.scm.azurewebsites.net.

If authentication is required, log in with the same credentials you'd use to access the Azure Portal. The SCM site has full control over the web app's files and settings, so anyone who can sign in here effectively owns the site.

In the SCM site’s main navigation, click on Site extensions, then the Gallery tab and search for “Azure Let’s Encrypt”. Find it in the list and install it by clicking the + button.

Image 1

Once the site extension has finished installing, you’ll be required to restart the site. After the restart, click the triangle Launch button that replaced the extension’s install button.

Note: If you get a “No route registered for ‘/letsencrypt/'” error, go to the portal, Stop then Start your site (not Restart), and try again.

2. Configure Azure Let’s Encrypt

The Azure Let's Encrypt site extension will greet you with this slightly intimidating screen:

Image 2: Authentication Settings

It's a tad confusing, but don't fill in the boxes you see near the bottom of the screen; values typed there are not persisted across restarts. Instead, go back to the Portal's Application Settings screen and add App Settings named letsencrypt:Tenant, letsencrypt:SubscriptionId, letsencrypt:ClientId, letsencrypt:ClientSecret and letsencrypt:ResourceGroupName.

Some of the values can be found very easily in the portal:

  • letsencrypt:Tenant is the Directory (tenant) ID shown on the Azure Active Directory overview page (the tenant's domain name, such as contoso.onmicrosoft.com, also works)
  • letsencrypt:SubscriptionId is on the Overview page of your web app
  • letsencrypt:ResourceGroupName is just the name you used when you created the resource group containing the web app

The other values come from the Service Principal that was registered in the prerequisites:

  • letsencrypt:ClientId is the GUID from $app.ApplicationId
  • letsencrypt:ClientSecret is the value from $password

Once the App Settings are saved, refresh the Azure Let's Encrypt page and the form fields will be filled in automatically from those settings.
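Setting all seven values (the two WebJobs storage settings from the prerequisites and the five letsencrypt:* settings above) from PowerShell instead of the portal, as an added example that is not part of the original article. The important detail it handles: Set-AzWebApp -AppSettings replaces the whole settings collection, so the existing settings are read first and merged, otherwise anything already configured on the app is wiped. Assumptions: Az module, a signed-in session, and placeholder names; $clientId and $clientSecret are the values saved when the Service Principal was registered.

```powershell
# Added example (not from the article): write the WebJobs and letsencrypt:* App Settings.
# Assumes an Az session and placeholder names; $clientId/$clientSecret come from the SP step.
$resourceGroup  = 'my-web-rg'
$webAppName     = 'my-web-app'
$storageAccount = 'mywebjobsstorage'
$clientId       = '00000000-0000-0000-0000-000000000000'   # the Service Principal's ApplicationId
$clientSecret   = '<client secret>'                         # the Service Principal's password

# Build the storage connection string from the account's first access key.
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount)[0].Value
$connectionString = "DefaultEndpointsProtocol=https;AccountName=$storageAccount;AccountKey=$key;EndpointSuffix=core.windows.net"

$ctx = Get-AzContext
$newSettings = @{
    'AzureWebJobsStorage'           = $connectionString
    'AzureWebJobsDashboard'         = $connectionString
    'letsencrypt:Tenant'            = $ctx.Tenant.Id
    'letsencrypt:SubscriptionId'    = $ctx.Subscription.Id
    'letsencrypt:ClientId'          = $clientId
    'letsencrypt:ClientSecret'      = $clientSecret
    'letsencrypt:ResourceGroupName' = $resourceGroup
}

# Merge with what is already on the app; -AppSettings overwrites the full collection.
$webApp = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName
$merged = @{}
foreach ($s in $webApp.SiteConfig.AppSettings) { $merged[$s.Name] = $s.Value }
foreach ($k in $newSettings.Keys)              { $merged[$k] = $newSettings[$k] }

Set-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName -AppSettings $merged | Out-Null

# Confirm the settings landed, without echoing the secret-bearing values to the console.
$secretNames = 'letsencrypt:ClientSecret', 'AzureWebJobsStorage', 'AzureWebJobsDashboard'
(Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).SiteConfig.AppSettings |
    Where-Object { $_.Name -like 'letsencrypt:*' -or $_.Name -like 'AzureWebJobs*' } |
    ForEach-Object {
        $shown = if ($secretNames -contains $_.Name) { '<redacted>' } else { $_.Value }
        '{0} = {1}' -f $_.Name, $shown
    }
```

Changing App Settings restarts the web app, so run this before installing the site extension or expect a restart afterwards.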

Click the Next button at the bottom of the screen. If everything is configured properly, you'll be presented with a page listing the Hostnames, SSL bindings and Certificates from your site. If instead you get an authorization error, the Service Principal's role assignment is usually the culprit: check that it covers the resource group named in letsencrypt:ResourceGroupName.

Click Next on this screen to finally get to the last step: requesting and installing a certificate.

3. Request and Install a Certificate

If you’ve made it this far, the good news is that this step is the easiest to complete.

Image 3

Select the Hostname you’d like a certificate for from the drop down menu, enter your email address and click the Request and Install certificate button.

(Don't check the Use Staging option. Staging is useful for testing the process without running into Let's Encrypt's rate limits, but it issues certificates from a test CA that browsers do not trust.)

In the background, the site extension uses ACMESharp to obtain a certificate from Let's Encrypt, answering the ACME HTTP challenge by serving a token from /.well-known/acme-challenge/ on your site. Once it has the certificate, it uses the Azure APIs, authenticated with the Service Principal credentials, to upload the certificate and create the SSL binding for the hostname. Let's Encrypt never receives the Service Principal credentials; it only ever sees the challenge response on your site.

4. Success!

Once complete, you can browse to the HTTPS version of the hostname you selected. As long as you don't have any mixed content issues (HTTP resources on the HTTPS page), you'll see the familiar "Secure Connection" padlock. Let's Encrypt certificates are valid for 90 days; the extension installs a scheduled WebJob that renews them, and scheduled WebJobs only run reliably when the web app's Always On setting is enabled, so turn it on and keep an eye on the certificate's expiry date.
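A check for the last step, added as an example and not part of the original article: connect to the hostname over TLS (with SNI, which App Service SNI bindings require), pull the certificate the site actually serves, and report the issuer, chain validation result and days until expiry. Run it after installation and again from a scheduled job so a failed renewal is noticed before the 90 days run out. Assumptions: $hostName is your custom domain and port 443 is reachable from where you run it.

```powershell
# Added example (not from the article): inspect the certificate a site really serves.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $state  = @{ Errors = $null }
    # Always return $true so the handshake completes even on a bad chain; the
    # validation result is captured in $state and reported instead of thrown.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName      = $HostName
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            IsLetsEncrypt = $cert.Issuer -like "*Let's Encrypt*"
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Protocol      = $ssl.SslProtocol
            ChainErrors   = $state.Errors          # 'None' means chain and hostname validated
            Thumbprint    = $cert.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

$hostName = 'www.example.com'   # placeholder: your custom domain
$result = Get-ServedCertificate -HostName $hostName
$result | Format-List

if ("$($result.ChainErrors)" -ne 'None') {
    Write-Warning "Validation failed for ${hostName}: $($result.ChainErrors)"
}
if ($result.DaysLeft -lt 14) {
    Write-Warning "Certificate for $hostName expires in $($result.DaysLeft) days; check the renewal WebJob"
}
```

A ChainErrors value of RemoteCertificateNameMismatch right after installation usually means the binding was created for a different hostname (for example the apex domain rather than www, or vice versa); request a certificate for each hostname you serve.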

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Chris A. Johnson
CEO Kolaberate Software inc.
Canada Canada
Chris is a .NET Architect with over 17 years of experience working with various Microsoft technologies including most recently ASP.NET, SSRS, SSIS, SSAS and Sharepoint. Chris is now C.E.O. of Kolaberate Software, based in Vancouver, B.C.

Comments and Discussions

 
Question: First article that actually gets it right on securing your azure site
John Gelson, 13-Jan-20 20:44


Technical Blog
Posted 11 Jan 2020
