The information you send on the Internet is passed from computer to computer to get to the destination server. The least you can do
to provide privacy, critical security and data integrity for both your websites and your users’ personal information is to have your application secured under an SSL certificate.

SSL providers need to set up a trusted infrastructure and validate your app’s identity, so there is cost involved. However, Let’s Encrypt is a free, automated and open Certificate Authority that provides a certificate for your website’s domain; in this post we will describe all the steps needed to add an SSL certificate to your Azure Web Application.

Set your Azure App Service Plan at least to Basic

In order to get Let’s Encrypt running on Azure Web Apps or have any other SSL/TLS certificates, your Azure App Service plan should be scaled up to at least Basic, which allows SNI (Server Name Indication) and Custom Domains / SSL.

Step 1. Register your Azure Web App

First of all you need to register your application in the Azure Active Directory. To do so, open Azure Active Directory, click on the App Registrations menu, then on New application registration, and fill in the form with:

  • Name: the name of our application, in our case “Let’s encrypt-picmin”
  • Application type: Web app / API
  • Sign-on URL: the URL that will be used by your users to sign in (http://picmin.com)

After clicking on the Create button, the application is registered within a few seconds; from the screen that appears next, you need to keep the Application ID.

Keys & Passwords

Then, click on the Settings menu item and, from the new blade, select Keys; in the Passwords table, add a new entry with “securelogin” as description, “1 year” as expiration date and a password as value.

After clicking on Save in the toolbar above, you will find a hashed value in your entry. As the relevant notification says, you need to copy that value now, as you won’t be able to retrieve it after leaving that blade.

Step 2. Add permissions to your Azure Web App

Next, go to your web application and, from the sidebar, select Access control (IAM), then Role assignment from the Access Control panel, then click on the Add menu item. From the Add permissions panel:

  • Role: select Contributor
  • Assign access to: leave “Azure AD user, group, or application”
  • Select: the name of the application you previously registered in the Azure Active Directory; in our case it is Let’s encrypt – picmin

After that, click Save.
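Steps 1 and 2 (together with the plan-tier requirement above) can be scripted with the Azure CLI. The script below is an added example, not code from the original post or from the Let’s Encrypt extension; it assumes an `az` login, takes the resource group, App Service plan, web app and display name as arguments, and uses the post’s picmin names only as placeholders. It grants Contributor on the web app alone, as the post does, and writes the one-time secret to a file instead of echoing it.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of
# Step 1 (register the app) and Step 2 (Contributor role on the web app).
# Assumptions: `az` is logged in; arguments are RG PLAN APP DISPLAYNAME;
# "picmin" / "Let's encrypt-picmin" are the post's placeholder names.
set -eu

# App Service tiers on which custom domains with SSL are available (Basic and above)
tier_allows_ssl() {
    case "$1" in
        Basic|Standard|Premium*|Isolated*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resource ID of a web app: the narrowest scope for the role assignment
webapp_scope() {   # SUBSCRIPTION RG APP
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s\n' "$1" "$2" "$3"
}

# Scale the plan to B1 unless its tier already allows SSL bindings
ensure_plan_tier() {   # RG PLAN
    tier=$(az appservice plan show -g "$1" -n "$2" --query sku.tier -o tsv)
    if ! tier_allows_ssl "$tier"; then
        echo "plan $2 is $tier; scaling up to Basic (B1)" >&2
        az appservice plan update -g "$1" -n "$2" --sku B1 >/dev/null
    fi
}

# One call registers the app, creates the service principal and assigns the
# role; the returned tenant/appId/password are the extension's Tenant,
# ClientId and ClientSecret values. The password is shown exactly once, so it
# is saved to a 0600 file rather than printed.
create_extension_principal() {   # RG APP DISPLAYNAME
    sub=$(az account show --query id -o tsv)
    scope=$(webapp_scope "$sub" "$1" "$2")
    umask 077
    az ad sp create-for-rbac --name "$3" --role Contributor --scopes "$scope" \
        --query '{"letsencrypt:Tenant":tenant,"letsencrypt:ClientId":appId,"letsencrypt:ClientSecret":password}' \
        -o json > letsencrypt-sp.json
    echo "subscriptionId=$sub"
    echo "resourceGroup=$1"
    echo "tenant, client id and secret written to letsencrypt-sp.json (keep it out of source control)"
}

if [ $# -eq 4 ]; then   # usage: sh setup_sp.sh RG PLAN APP DISPLAYNAME
    ensure_plan_tier "$1" "$2"
    create_extension_principal "$1" "$3" "$4"
fi
```

Run it as `sh setup_sp.sh rg-picmin picmin-plan picmin "Let's encrypt-picmin"` (the file name and resource names are assumptions); the JSON it writes maps directly onto the extension settings described later in the post.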

Step 3. Extensions

In this step you need to add the Let’s Encrypt Extension to your Azure web app. To do so, scroll down the options on the left sidebar and pick Extensions from that list; after accepting the legal terms, the extension will be set up on your web app.

Step 4. Restart Azure Web App

If you click on the extension name, a new page will be launched with the URL https://picmin.scm.azurewebsites.net/letsencrypt/ and you may end up with the following error:

“No route registered for ‘/letsencrypt/’”

This is because the application needs to be restarted for the Let’s Encrypt extension to be enabled.

Restart site using KUDU services

Please note the scm between your app’s name and azurewebsites. This is the KUDU service, which provides a set of troubleshooting and analysis tools for your Azure web application.

So to restart your application, you can go to https://{app_name}.scm.azurewebsites.net/SiteExtensions/#installed and click on the Restart Site button at the top right corner.

If you want to learn more about KUDU services you can read this post.

Step 5. Let’s Encrypt Authentication Settings

There are three ways to reach the Let’s Encrypt authentication settings:

  • navigate to the URL https://{app_name}.scm.azurewebsites.net/letsencrypt/,
  • click the “Play” button in the KUDU site extensions page, or
  • click the extension name in the Extensions panel and then click on the Browse link.

Once you are at the Let’s Encrypt authentication settings, you will have to fill in some information; let us see where you can find it.

You can get letsencrypt:Tenant by clicking on the Directory and Subscription filter at the top toolbar of the Azure portal:

letsencrypt:ClientId is the client id of the service principal, i.e. the Application ID shown in the registered application dashboard in Step 1,

and letsencrypt:ClientSecret is the secret of the service principal, which is the value you copied earlier when you created the “securelogin” password in the Keys section.

Finally, subscriptionId and resource groups can be found in the web app’s and the app service plan’s main dashboard:

So, Let’s Encrypt settings will look like this:

In the screen that will appear next you can see the custom domains that are associated with your Azure web app:

and in the final screen you will need to choose the domains to set up your certificate for.

Step 6. Add SSL binding to your web app

Finally, you need to add an SSL binding for your domain. To do so, click on SSL Settings in the Azure web app options sidebar, set HTTPS Only to On, set Minimum TLS Version to 1.2 and add the SSL binding as shown in the picture below:
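The same settings can be applied with the Azure CLI and then verified from outside, the way a client sees them: TLS 1.2 accepted, TLS 1.0/1.1 refused, plain HTTP redirected to HTTPS, and a certificate that still has enough validity left. The script below is an added example, not code from the original post or the extension; it assumes `openssl` and `curl` are installed (and an `az` login only for `apply_settings`), and uses picmin.com from the post purely as a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the original post): apply the SSL Settings of this
# step with the Azure CLI, then check them from a client's point of view.
# Assumptions: openssl and curl installed; az logged in for apply_settings;
# "picmin.com" is the post's placeholder host.
set -u

# Portal equivalents: HTTPS Only = On, Minimum TLS Version = 1.2, and an SNI
# binding for the certificate the extension issued (identified by thumbprint).
apply_settings() {   # RG APP THUMBPRINT
    az webapp update -g "$1" -n "$2" --https-only true >/dev/null
    az webapp config set -g "$1" -n "$2" --min-tls-version 1.2 >/dev/null
    az webapp config ssl bind -g "$1" -n "$2" --certificate-thumbprint "$3" --ssl-type SNI >/dev/null
}

# tls_probe HOST FLAG: exit 0 when a handshake restricted to that protocol succeeds.
# Caveat: an OpenSSL client built without TLS 1.0/1.1 also fails locally here.
tls_probe() {
    openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null >/dev/null 2>&1
}

# evaluate_tls RC12 RC11 RC10: TLS 1.2 must work, TLS 1.1 and 1.0 must be refused.
evaluate_tls() {
    rc=0
    [ "$1" -eq 0 ] || { echo "TLS 1.2 handshake failed"; rc=1; }
    [ "$2" -ne 0 ] || { echo "TLS 1.1 still accepted; set Minimum TLS Version to 1.2"; rc=1; }
    [ "$3" -ne 0 ] || { echo "TLS 1.0 still accepted; set Minimum TLS Version to 1.2"; rc=1; }
    return "$rc"
}

# evaluate_redirect CODE REDIRECT_URL HOST: port 80 must redirect to https://HOST
evaluate_redirect() {
    case "$1" in
        301|302|307|308) ;;
        *) echo "port 80 answered HTTP $1 instead of a redirect; set HTTPS Only to On"; return 1 ;;
    esac
    case "$2" in
        "https://$3"*) return 0 ;;
        *) echo "redirect points to '$2', not to https://$3"; return 1 ;;
    esac
}

# cert_report HOST: print issuer, validity and SANs of the leaf certificate and
# fail if it expires within 14 days (Let's Encrypt certificates are valid for
# 90 days, so a near expiry means the extension's renewal is not running).
cert_report() {
    pem=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509)
    printf '%s\n' "$pem" | openssl x509 -noout -issuer -dates -ext subjectAltName
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((14 * 86400)); then
        echo "certificate expires within 14 days; check the Let's Encrypt renewal job"
        return 1
    fi
}

check_site() {   # HOST
    host=$1; status=0
    tls_probe "$host" -tls1_2; rc12=$?
    tls_probe "$host" -tls1_1; rc11=$?
    tls_probe "$host" -tls1;   rc10=$?
    evaluate_tls "$rc12" "$rc11" "$rc10" || status=1
    set -- $(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$host/")
    evaluate_redirect "${1:-000}" "${2:-}" "$host" || status=1
    cert_report "$host" || status=1
    return "$status"
}

if [ $# -ge 1 ]; then   # usage: sh check_ssl_binding.sh picmin.com
    check_site "$1"
fi
```

Running `sh check_ssl_binding.sh picmin.com` (the file name is an assumption) exits non-zero and prints one line per finding when a setting from this step is missing, which makes it usable as a post-deployment gate.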
