How to Overcome the Annoying Obstacles with Let’s Encrypt on Azure

Let’s Encrypt offers free SSL certificates to protect the traffic between your website and the visitors. They are as good as the expensive commercial ones, but they need to be renewed every three months – thanks to automation, this is not a problem.

I use Let’s Encrypt for all my sites and never had any problems. A few clicks on the management interface of Plesk and all the traffic went over HTTPS – and the renewal just worked out of the box. With that experience I thought that using Let’s Encrypt on Azure should be no challenge at all. How wrong I was.


The unofficial plugin

Azure offers no built-in way to use Let’s Encrypt. There is an unofficial plugin from Simon J.K. Pedersen (sjkp) that can be installed into your site to fetch and renew certificates from Let’s Encrypt. There are install instructions in the Wiki, but the screenshots don’t match the current user interface in Azure. Depending on how well you know your way around Azure, that may be a big problem or none at all.

Scott Hanselman wrote in Securing an Azure App Service Website under SSL in minutes with Let’s Encrypt how you can use this unofficial plugin to secure your website. The screenshots are more up-to-date, yet there are still some obstacles that can take a lot of time.


The little missing things that took us so long

Instead of a few minutes we spent nearly 3 hours on various problems. Before you follow Scott’s instructions you should check out this short list of important points:

  1. Azure changes its user interface quite often. I therefore suggest you use the search box in the top navigation when you can’t spot the dialogue or menu item directly:
    (Screenshot: Search box in Azure top menu)
  2. Write down all the things you create, including the GUIDs and passwords. A simple text file is enough, and when you are done you can put it somewhere safe – just don’t put it into your code repository!
  3. The Service Principal Client you create in the step App Registrations needs login credentials. You set the password for this account (save it) and then Azure shows you the hash only for a short time. Save this hash! You need it later to configure the plugin.
  4. The automated installation of the service on your http://YOURSITENAME.scm.azurewebsites.net/LetsEncrypt site needs a lot of values. You find them on the Overview tab of your site (of the type App Service) and in the text file where you hopefully saved the data from the previous steps:
    (Screenshot: Values from various places are needed to configure the service)
  5. The connection strings AzureWebJobsDashboard and AzureWebJobsStorage go into the Connection strings section of the Application settings and must have the type Custom:
    (Screenshot: Connection strings need type Custom)
  6. Unfortunately, the simple form of the connection string did not work for us. Go to your existing storage account or create a new one of type Storage or StorageV2. In its details you find two connection strings associated with this account. Copy one of them into both connection strings (AzureWebJobsDashboard and AzureWebJobsStorage) in the Application settings of your website.
  7. Create an entry in your calendar in 70 days to check whether your certificate was successfully renewed. The certificate is valid for 90 days, so this leaves you some time to fix problems should the renewal fail. Let’s Encrypt will send you a reminder, but that email could be lost in transit.

With that additional information you should be able to save a lot of time configuring the plugin and getting your first Let’s Encrypt SSL certificate.
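Instead of relying only on the calendar entry from step 7, the check can be scripted. The following is an added example, not code from this post or from the sjkp plugin: it connects to the site, reads the certificate’s expiry date and applies the post’s rule of thumb (a 90-day certificate checked on day 70 should already have been renewed, so fewer than 20 days left means the automatic renewal probably failed). The host name example.com is a placeholder.

```python
"""Check how much validity is left on a site's Let's Encrypt certificate.

Added example, not code from the post or the plugin it describes. It encodes
the post's rule of thumb: a 90-day certificate that is checked on day 70
should already have been renewed, so fewer than 20 days left means the
automatic renewal probably failed and needs a look.
"""
import socket
import ssl
import sys
import time
from typing import Optional

CERT_LIFETIME_DAYS = 90   # Let's Encrypt certificate validity
CHECK_AFTER_DAYS = 70     # the post's calendar reminder
ALERT_BELOW_DAYS = CERT_LIFETIME_DAYS - CHECK_AFTER_DAYS  # 20


def days_remaining(not_after: str, now_ts: Optional[float] = None) -> int:
    """Whole days between now (POSIX timestamp) and the notAfter timestamp.

    `not_after` uses the format ssl.getpeercert() returns,
    e.g. "Sep  5 12:00:00 2024 GMT". Negative means already expired.
    """
    if now_ts is None:
        now_ts = time.time()
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    return int((expiry_ts - now_ts) // 86400)


def renewal_looks_broken(not_after: str, now_ts: Optional[float] = None) -> bool:
    """True when too little validity is left for a healthy renewal cycle."""
    return days_remaining(not_after, now_ts) < ALERT_BELOW_DAYS


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect over TLS and return the served certificate's notAfter string."""
    ctx = ssl.create_default_context()  # verifies the chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    not_after = fetch_not_after(site)
    left = days_remaining(not_after)
    status = "RENEWAL PROBABLY FAILED" if left < ALERT_BELOW_DAYS else "ok"
    print(f"{site}: expires {not_after}, {left} days left -> {status}")
```

Run it from a scheduled job (cron or a second App Service WebJob) and alert on a non-"ok" status; the renewal then gets noticed well before the browser warnings start.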


Alternatives

Using a certificate from another CA may be a simpler and faster approach. You need to pay for it, but when you only need to replace it every one or two years it may still be cheaper. You just need to upload your certificate and select it in the SSL settings.

Another approach that sounds much simpler is to use CloudFlare as described in this blog post by Troy Hunt. I haven’t tried this one yet, but the additional CDN you get may make this an interesting option.


Conclusion

The experience with this beta plugin and all the hoops we had to jump through was anything but pleasant. The many comments on the closed user voice entries (here and here) asking for proper support of Let’s Encrypt show that we are not the only ones struggling. Maybe one day Microsoft reverses its decision and integrates Let’s Encrypt in the style of Plesk.
