Adding Let’s Encrypt FREE SSL Certificate to Azure Web Role

apptiviz
Oct 14, 2017

Let’s Encrypt is a non-profit Certificate Authority (CA) that provides free SSL certificates, which let you serve your own websites over HTTPS. There are many ways to obtain these certificates from Let’s Encrypt, and they vary with your platform and hosting provider.

For Microsoft Azure, if you are using Azure App Service, good for you! There is a Let’s Encrypt site extension that obtains certificates, installs them on your App Service, and renews them automatically without much hassle.

Note: The certificates issued by Let’s Encrypt have 90-day lifetimes.

However, if you are using Azure Cloud Service (Classic), AFAIK there is no built-in support or extension that lets you configure and install Let’s Encrypt certificates easily.

This post walks you through the steps for getting certificates from the Get HTTPS for free! website on a Windows machine and installing them on your Azure Web Role.

Using Get HTTPS for free! gives you more control than some other methods: you keep your private key secret, because you generate the key yourself and the site never asks for it, and you can get a multi-domain certificate using Subject Alternative Names (SAN).

Note: There are other methods, such as ZeroSSL, that can generate the Certificate Signing Request (CSR) for you and offer DNS-based domain ownership verification, which is more convenient than the file-based verification you will see in this post.

Prerequisites

1. Git Bash with OpenSSL (install Git for Windows)

2. Azure Cloud Service to deploy your Web Role

3. Azure Blob Storage to store the file used for domain ownership verification

4. Custom domain with configurable DNS for a CNAME record

Setup your website

1. Prepare your website by adding the following rewrite rule to the <rewrite><rules> section of web.config (under <system.webServer>).
<rule name="acme-challenge" stopProcessing="true">
  <match url="^\.well-known/acme-challenge/(.*)" />
  <action type="Redirect" url="https://apptivizdatastore.blob.core.windows.net/acme-challenge/{R:1}" />
</rule>

Note: Replace apptivizdatastore with your own Azure Storage account name; in a later step you will upload the verification file into the storage account specified here.

2. Deploy your ASP.NET Web Role into your Azure Cloud Service.

3. Configure the CNAME records of your domains to point at your Cloud Service DNS name, for example apptiviz.cloudapp.net.

Get SSL certificates for your domains

1. Go to https://gethttpsforfree.com/ and enter an email address in the Account Email textbox.

2. Open Git Bash and generate an account private key. This key must be kept secret; don’t share it with anyone.

openssl genrsa 4096 > account.key

3. Print out the account public key with the following command, then copy-and-paste it into the Account Public Key box and click the Validate Account Info button.

openssl rsa -in account.key -pubout

4. Generate a TLS private key; you also have to keep this private key secret.

openssl genrsa 4096 > domain.key

5. Copy openssl.cnf to a new file and append a SAN configuration section.

cat /c/Program\ Files/Git/usr/ssl/openssl.cnf <(printf "[ SAN ]\nsubjectAltName=DNS:apptiviz.com,DNS:www.apptiviz.com\n") > new-openssl.cnf

Note: Replace apptiviz.com with your domain; you can add more domains to include in this single certificate request.

6. Generate the CSR using the TLS private key and the new OpenSSL configuration file from the earlier steps, then copy-and-paste the generated CSR into the Certificate Signing Request box and click the Validate CSR button.

openssl req -new -sha256 -key domain.key -subj "//" -reqexts SAN -config new-openssl.cnf

Note: Notice the “//” value for the -subj parameter. On Windows it needs to be a double slash to escape it, because Git Bash would otherwise rewrite a lone “/” as a Windows path.

7. Follow the instructions of Step 3: Sign API Requests on the page: run the commands in Git Bash and copy-and-paste the outputs into the corresponding boxes, then click the Validate Signatures button.

8. Verify ownership of the domains by running the commands and copy-and-pasting the outputs into the boxes, as instructed in Step 4: Verify Ownership on the page.

9. Select Option 2 (file-based) as the verification method; you will then be given a URL in the Under this url box, like the following example.

http://www.apptiviz.com/.well-known/acme-challenge/WadEUrNx_U8FEfxlBoFdR-JXX2z087QlWLHn4jePUo0

10. Create a plain text file named after the last segment of the given URL. For the URL from the previous step the file name is WadEUrNx_U8FEfxlBoFdR-JXX2z087QlWLHn4jePUo0, without any extension.

11. Copy the text from the Serve this content box and paste it as the content of the file from the previous step.

12. Upload the file into the Azure Storage account configured in the rewrite rule earlier, under a container named acme-challenge. The container must allow anonymous read access, otherwise Let’s Encrypt cannot fetch the file at the redirected URL.

13. Click the I’m now serving this file on {your domain} button. If all the domains specified in the CSR are verified successfully, you will be given the Signed Certificate and the Intermediate Certificate from Let’s Encrypt.

Install certificates on Azure Cloud Service

1. Copy the Signed Certificate and the Intermediate Certificate into one file, separated by a blank line, and save it with a .crt extension, e.g. apptiviz.com.crt.

2. To use the certificate with Azure Cloud Service, you have to convert it to PFX format by running the following command and supplying an Export Password when prompted. Remember the Export Password; you will need it later. The path contains a space, so it must be quoted.

"C:\Program Files\Git\usr\bin\openssl" pkcs12 -export -out apptiviz.com.pfx -inkey domain.key -in apptiviz.com.crt

Note: Running this command within Git Bash somehow doesn’t work, so run it from a Windows Command Prompt opened as Administrator.

3. Go to the Certificates section of your Azure Cloud Service in the Azure Portal and upload the PFX certificate file. This requires the Export Password you supplied while converting the certificate in the previous step.

4. You will see two certificates appear under your Cloud Service: one for the Let’s Encrypt authority and one for your domains. Copy the thumbprint of the certificate for your domains; we will use it in the Azure Cloud Service Configuration.

5. In your Cloud Service Definition (.csdef) file, add an InputEndpoint, an HTTPS binding and a Certificates section, as in the following example.

<WebRole name="ApptivizWebsite" vmsize="Small">
  ...
  <Sites>
    <Site name="Web">
      <Bindings>
        <Binding name="Endpoint1" endpointName="Endpoint1" />
        <Binding name="HttpsIn" endpointName="HttpsIn" />
      </Bindings>
    </Site>
  </Sites>
  <Certificates>
    <Certificate name="apptiviz.com"
                 storeLocation="LocalMachine"
                 storeName="My"
                 permissionLevel="limitedOrElevated" />
  </Certificates>
  <Endpoints>
    <InputEndpoint name="Endpoint1" protocol="http" port="80" />
    <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="apptiviz.com" />
  </Endpoints>
  ...
</WebRole>

Note: See Configuring SSL for an application in Azure for more details.

6. In your Cloud Service Configuration (.cscfg) file, add a Certificates section within the Role section, using the thumbprint copied in step 4, as in the following example.

<Role name="ApptivizWebsite">
  ...
  <Certificates>
    <Certificate name="apptiviz.com" thumbprint="EA44091333E29CC2F2E723AF93A298562BF897DC" thumbprintAlgorithm="sha1" />
    <Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="F2447C995FFE237A5C025EC3D9B7D4AEAF16F10F" thumbprintAlgorithm="sha1" />
  </Certificates>
  ...
</Role>

7. Redeploy your Cloud Service. Once the deployment is up and running again, you can connect to it over HTTPS.
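The SAN CSR step (steps 5 and 6 above) and the install steps 1, 2 and 4 (chain file, PFX conversion, thumbprint), as an added shell example that is not part of the original post. It uses a self-contained OpenSSL config instead of copying Git’s openssl.cnf, and because no real Let’s Encrypt issuance can happen offline it stands in for the CA with a constructed throwaway root and intermediate, so every file it checks is generated locally. The file name san.cnf, the export password ExportPassword123, the “Constructed Test …” issuer names and the 2048-bit key size (the post uses 4096) are assumptions; openssl is assumed to be on the PATH, which Git Bash provides.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Repeats the SAN CSR step with
# a self-contained OpenSSL config, then stands in for Let's Encrypt with a
# constructed throwaway root and intermediate so the chain-file, PFX and
# thumbprint steps run and can be checked offline. Names and password are assumptions.
set -eu

# One constructed config: the [ SAN ] section the post appends to Git's
# openssl.cnf, plus a [ ca_ext ] section used only by the stand-in issuer.
make_config() { # $1 = output path, $2.. = domain names
  out="$1"; shift; san=""
  for d in "$@"; do san="${san:+$san,}DNS:$d"; done
  cat > "$out" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ SAN ]
subjectAltName = $san
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Empty subject ("/"); the names live only in the SAN extension. Git Bash on
# Windows needs "//" here, as the post notes, or it rewrites "/" as a path.
make_csr() { # $1 = private key, $2 = config, $3 = output CSR
  openssl req -new -sha256 -key "$1" -subj "/" -reqexts SAN -config "$2" -out "$3"
}

# Succeeds only if every given domain appears as a DNS SAN in the CSR.
csr_has_san() { # $1 = CSR, $2.. = domain names
  text=$(openssl req -in "$1" -noout -text); shift
  for d in "$@"; do
    case "$text" in *"DNS:$d"*) ;; *) return 1 ;; esac
  done
}

# Stand-in issuer; in the real flow the signed and intermediate certificates come from Let's Encrypt.
make_test_issuer() { # $1 = directory already holding san.cnf from make_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/root.key" -days 2 \
    -subj "/CN=Constructed Test Root" -config "$1/san.cnf" -extensions ca_ext -out "$1/root.crt"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/int.key" \
    -subj "/CN=Constructed Test Intermediate" -config "$1/san.cnf" -out "$1/int.csr"
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
    -days 2 -extfile "$1/san.cnf" -extensions ca_ext -out "$1/int.crt"
}

# Issue the leaf; -extfile/-extensions carries the SAN list over from the config.
sign_csr() { # $1 = issuer directory, $2 = CSR, $3 = config, $4 = output cert
  openssl x509 -req -in "$2" -CA "$1/int.crt" -CAkey "$1/int.key" -CAcreateserial \
    -days 2 -extfile "$3" -extensions SAN -out "$4"
}

# Install step 1: signed certificate, blank line, intermediate, in one .crt file.
build_chain_file() { # $1 = signed cert, $2 = intermediate, $3 = output .crt
  { cat "$1"; echo; cat "$2"; } > "$3"
}

# The chain file must verify up to the root using only the intermediate it carries.
chain_is_valid() { # $1 = chain .crt, $2 = root cert
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Install step 2: PFX for the portal upload, export password passed in rather than typed.
make_pfx() { # $1 = private key, $2 = chain .crt, $3 = output .pfx, $4 = export password
  openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout "pass:$4"
}

# Number of certificates inside the PFX (expect 2: leaf and intermediate).
pfx_cert_count() { # $1 = .pfx, $2 = export password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# Install step 4: SHA-1 thumbprint in the colon-free form the .cscfg uses.
thumbprint() { # $1 = certificate
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Run the whole flow in a scratch directory and print its path.
run_demo() { # $1.. = domain names
  dir=$(mktemp -d)
  {
    openssl genrsa -out "$dir/domain.key" 2048
    make_config "$dir/san.cnf" "$@"
    make_csr "$dir/domain.key" "$dir/san.cnf" "$dir/domain.csr"
    make_test_issuer "$dir"
    sign_csr "$dir" "$dir/domain.csr" "$dir/san.cnf" "$dir/signed.crt"
    build_chain_file "$dir/signed.crt" "$dir/int.crt" "$dir/chain.crt"
    make_pfx "$dir/domain.key" "$dir/chain.crt" "$dir/domain.pfx" "ExportPassword123"
  } >/dev/null
  echo "$dir"
}

# Usage: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
  dir=$(run_demo apptiviz.com www.apptiviz.com)
  echo "files in $dir; thumbprint for the .cscfg: $(thumbprint "$dir/signed.crt")"
fi
```

With the real certificates from step 13 you only need build_chain_file, make_pfx and thumbprint; the issuer functions exist purely so the checks can run without network access. chain_is_valid is the check worth keeping: if the intermediate is missing or pasted in the wrong order, the PFX still imports but browsers see an incomplete chain.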
