Use Free LetsEncrypt SSL Certificate with Azure Web Apps

25/12/2015

Let’s Encrypt is a new, free-to-use Certificate Authority, currently in public beta, that is on a mission to provide free SSL certificates to all web sites. Obviously, that requires some rethinking of how certificates are issued, as it would otherwise be impossible to accomplish their goal of making HTTPS the default.

28-02-2016: Please use my Site Extension instead; it is a better approach. You can read more about it here.

The way letsencrypt issues certificates is fully automated via ACME (Automated Certificate Management Environment), a protocol developed for the purpose. So in order to get a certificate from letsencrypt you must have an ACME client that can request a certificate and renew it. Note that the renewal process is more important now, as letsencrypt only issues certificates that are valid for 3 months in order to encourage automation of the request and renewal process.

Let’s Encrypt’s main focus during development has been Linux environments, but a C# implementation of the protocol has been written: ACMESharp. Letsencrypt-Win-Simple is a simple console application built on top of that library that can be used to set up LetsEncrypt certificates on IIS servers.

Lone-Coder’s letsencrypt-win-simple can be extended with plugins for issuing certificates for other hosting platforms. Since I learned about letsencrypt back in October I have been eagerly waiting to take advantage of it on my Azure Websites. I have been looking for someone to do an Azure-friendly ACME client. Unfortunately I haven’t seen one yet, and a Twitter discussion with some fellow Danish Azure devs encouraged me to see if I could do a plugin for letsencrypt-win-simple that would make it easy to use a letsencrypt certificate on Azure Web Apps.

I succeeded! I created a plugin for letsencrypt-win-simple that will let you request a certificate from letsencrypt, place the needed signature files on an Azure web app, and install and set up the SSL certificate in your web app. Currently the plugin must be run manually, and it uses the Windows certificate store on the machine it is running from (so it is not ready to be run from Azure Web Sites in a fully automated manner), but hopefully I can get those obstacles out of the way, or someone else can. My code is on GitHub: https://github.com/sjkp/letsencrypt-win-simple.

The process of installing a letsencrypt-issued SSL certificate on an Azure web app with the tool is as follows. In the example I generate an SSL certificate for one of my websites, www.schdo.com.

letsencrypt-step-1
Type w to generate a certificate for an Azure Web Site.

letsencrypt-step-2
A pop-up will appear asking you to sign in with a Work or School account (note that you cannot use a Live Account, as it doesn’t work with Azure Resource Manager, which the plugin uses).
If you pay attention you will see that the title is Microsoft Azure PowerShell. The reason for that is that I just used the Client Id for the Azure PowerShell client library, because it exists in all Azure Tenants.

letsencrypt-step-3
Next you will have to select which subscription your web site resides in. (Many people might only have one, but if you have more, this step is where you select the right subscription.)

letsencrypt-step-4
Next up is the selection of resource group.

letsencrypt-step-5
When the resource group is selected, select the site within it.

letsencrypt-step-6
Once the site is selected you have to type in the hostname you want the SSL certificate to be issued to, in my case www.schdo.com. Note that I have already set up the DNS and assigned the hostname to the web app (the tool will not do that for you). Read here how to set up a custom domain for an Azure Web App.

letsencrypt-step-7
Next you enter a local temp folder that the ACME signature file will be written to, before it is uploaded to the web app.

letsencrypt-step-8
Now it is just a matter of waiting while the tool does its work. Once it is done, your site should have an SSL certificate installed, and the certificate should be assigned to the hostname you specified.

letsencrypt-step-9
It should look like this in the Azure portal.

Easy, isn’t it?
letsencrypt-step-10
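
Because the certificates are only valid for 3 months and the plugin currently has to be run manually, it is worth checking from outside how long the certificate bound to the hostname still has to live. The script below is an added example, not part of the plugin or of letsencrypt-win-simple; it uses only the Python standard library, and the 30-day renewal threshold and the sample notAfter value are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Assumption: renew once 30 days or less remain of the 3-month lifetime.
RENEW_BEFORE = timedelta(days=30)

# Constructed sample: notAfter of a certificate issued 25 Dec 2015 for 90 days.
SAMPLE_NOT_AFTER = "Mar 24 12:00:00 2016 GMT"


def parse_not_after(not_after):
    """Turn the 'notAfter' string from getpeercert() into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def renewal_status(not_after, now, renew_before=RENEW_BEFORE):
    """Classify a certificate as 'expired', 'renew' or 'ok' at time `now`."""
    remaining = parse_not_after(not_after) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= renew_before:
        return "renew"
    return "ok"


def fetch_not_after(hostname, port=443, timeout=10.0):
    """Return notAfter of the certificate the site serves for `hostname`.

    The default context validates chain and hostname, so a certificate that
    was issued but never bound to the hostname, or one that has already
    expired, raises ssl.SSLCertVerificationError instead of returning.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def check_site(hostname):
    """One status line per host, suitable for a scheduled job's output."""
    try:
        not_after = fetch_not_after(hostname)
    except ssl.SSLCertVerificationError as exc:
        return f"{hostname}: certificate rejected ({exc.verify_message})"
    status = renewal_status(not_after, datetime.now(timezone.utc))
    return f"{hostname}: {status} (notAfter {not_after})"


if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(check_site(host))
```

Run it on a schedule with the hostnames as arguments; a "renew" line means it is time to run the plugin again.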