SSL certificate for an Azure website, via Let's Encrypt
More and more sites are served over HTTPS (TLS, still commonly called SSL), and recent browsers push visitors towards this protocol.
For some time, Certificate Authorities (CAs) have been steadily lowering their prices, and some now issue certificates for free. This is the case of Let's Encrypt, whose certificates are valid for 90 days at most, so they must be renewed regularly (see the renewal procedure at the end of this article). Other authorities such as Gandi offer annual certificates at a low price (14.52 € per year).
For Let’s Encrypt, the detailed procedure is at https://zerossl.com/usage.html.
To create and validate certificates, two tools are needed:
- OpenSSL generates and manipulates keys, certificate requests and certificates. The OpenSSL project only distributes source code, but you can download a Windows build from the SLProWeb (Shining Light Productions) site. After installing it on your PC, add the installation folder to the Windows PATH environment variable to simplify access to the commands. In Azure, OpenSSL is already installed.
- ZeroSSL's client (LE.EXE) is an ACME client: it sends your certificate request to Let's Encrypt and answers the validation challenge. In Azure, transfer LE.EXE to the ".well-known" folder of your website (we will use this same folder later). Use an FTP client or the App Service Editor accessible from Azure's Development Tools section. Note that LE.EXE writes the keys and the certificate request in the folder it is run from, so anything placed under wwwroot can be fetched through the website; delete these files from any web-served folder once the certificate is installed, or run the tools from a folder outside wwwroot.
The steps to create a SSL certificate and validate it with the Let’s Encrypt Certificate Authority are:
1. Create the private key of the website's certificate (the key the TLS server will use).
openssl genrsa -out mydomain.key 2048
2. Create a Let's Encrypt account key; reusing it later lets you renew the certificate with the same account.
openssl genrsa -out account.key 4096
3. Create a Certificate Signing Request (CSR) for the website.
Send this request to the Certificate Authority (CA), which verifies that you control the domain. Let's Encrypt does this with an HTTP challenge: it fetches a specific file (without extension) under http://mydomain.com/.well-known/acme-challenge/ and checks its content. In the command below the CSR is not created separately: the --generate-missing parameter makes LE.EXE create it from mydomain.key.
By default, IIS (and therefore Azure App Service) does not serve files without an extension; it is therefore necessary to modify the Web.config and add a staticContent/mimeMap entry for them.
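As an added example (this is not the article's own configuration), here is a Web.config that makes IIS serve the extensionless challenge files. Placed inside the .well-known\acme-challenge folder it only affects that folder, which relies on the standard IIS per-folder configuration; the handlers section is only needed when an application framework (ASP.NET routing, for instance) would otherwise intercept the request before the static file handler sees it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Web.config for .well-known\acme-challenge (not from the original article). -->
<configuration>
  <system.webServer>
    <staticContent>
      <!-- "." = files with no extension; the remove avoids a duplicate-entry error
           if a parent configuration already defines the mapping. -->
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <!-- Optional: bypass the application's own handlers so the challenge file
           is always served as a plain static file. -->
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
```

After uploading it, check from outside Azure that a test file without extension placed in that folder is returned with a 200 status and a text/plain content type before running LE.EXE; a 404 at this point is the most common cause of a failed challenge.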
The following command uses the account key (account.key), the private key (mydomain.key) and the certificate request (CSR), and produces the validated certificate (CRT). It writes the challenge file in the folder given by --path (under D:\home...) so that Let's Encrypt can fetch it through the domain's URL. The --live parameter targets the production Let's Encrypt server; without it the ZeroSSL client talks to the staging server, which is useful for a first test (its rate limits are far more generous) but issues certificates that browsers do not trust.
le.exe --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "www.dvoituron.com,dvoituron.com" --path D:\home\site\wwwroot\.well-known\acme-challenge\ --generate-missing --unlink --live
The --domains argument is very important: it lists the domain names that the certificate will cover (each of them must resolve to the site, since each one is challenged). The --path argument must be adapted to the location of your website; D:\home\site\wwwroot is the default root of an Azure App Service.
4. Convert the private key (KEY) and the validated certificate (CRT) to the PFX (PKCS#12) format expected by Microsoft (IIS and Azure).
openssl pkcs12 -export -out mydomain.pfx -inkey mydomain.key -in mydomain.crt -passout pass:MyPassword
Replace MyPassword with your own password; you will need it again when importing the PFX. Note that pass: puts the password on the command line, where it remains visible in the shell history and in process listings; OpenSSL also accepts -passout env:VARIABLE or -passout file:FILE. If mydomain.crt contains only the site certificate and not the Let's Encrypt intermediate, add the intermediate with -certfile so that the PFX carries the full chain.
5. Install the certificate validated by the CA in your web server.
Retrieve the PFX generated in the previous step. The procedure above produces it in a folder served by the website, so it can be downloaded from http://mydomain.com/.well-known/acme-challenge/mydomain.pfx; since the PFX contains the private key and only its password protects it, prefer fetching it over FTPS or through the App Service Editor rather than over plain HTTP, and delete mydomain.key, mydomain.csr, mydomain.crt and mydomain.pfx from any web-served folder once the certificate is installed.
Then import the PFX into the Azure portal and bind it to your host names (SSL type = SNI SSL).
The renewal procedure is similar. Just add the parameters --renew 10 --issue-code 100 to the LE.EXE command: --renew 10 renews the certificate only when it expires in less than 10 days, and --issue-code 100 makes LE.EXE return exit code 100 when a new certificate was actually issued, so that a script can export the PFX and re-import it into Azure only in that case (see https://zerossl.com/usage.html).
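As an added example (this is not the article's own script nor ZeroSSL's), the five steps above and the renewal variant gathered into one PowerShell script. It assumes that openssl and the ZeroSSL client (LE.EXE on this page) are on the PATH, that it is run from a folder outside wwwroot (D:\home\data\letsencrypt is an assumed location) so that keys and the PFX are never served by the site, that the PFX password is passed through a PFX_PASSWORD environment variable, and that LE.EXE exits with 0 when a renewal is not yet due (any other code than the --issue-code value is treated as a failure).

```powershell
# Added example, not code from the original article: steps 1 to 5 as one script,
# with the renewal variant behind -Renew and the staging server behind -Staging.
# Assumptions: openssl and LE.EXE on the PATH; $WorkDir is outside wwwroot;
# PFX_PASSWORD is set in the environment; exit code 0 from LE.EXE in renewal
# mode means "not due yet".
param(
    [string]$Domains      = "www.dvoituron.com,dvoituron.com",  # from the page's command
    [string]$ChallengeDir = "D:\home\site\wwwroot\.well-known\acme-challenge\",
    [string]$WorkDir      = "D:\home\data\letsencrypt",          # assumed, not web-served
    [switch]$Renew,                                              # renewal run
    [switch]$Staging                                             # omit --live for a dry run
)

if (-not $env:PFX_PASSWORD) { throw "Set PFX_PASSWORD before running this script" }
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Set-Location $WorkDir

# Steps 1 and 2: keys are created once and reused; the same account key is
# what makes later renewals simple.
if (-not (Test-Path "mydomain.key")) {
    openssl genrsa -out mydomain.key 2048
    if ($LASTEXITCODE -ne 0) { throw "openssl genrsa (site key) failed" }
}
if (-not (Test-Path "account.key")) {
    openssl genrsa -out account.key 4096
    if ($LASTEXITCODE -ne 0) { throw "openssl genrsa (account key) failed" }
}

# Step 3: --generate-missing lets LE.EXE build the CSR from mydomain.key,
# --unlink removes the challenge files once Let's Encrypt has read them,
# --live selects the production CA (staging certificates are not trusted).
$leArgs = @(
    "--key", "account.key",
    "--csr", "mydomain.csr", "--csr-key", "mydomain.key",
    "--crt", "mydomain.crt",
    "--domains", $Domains,
    "--path", $ChallengeDir,
    "--generate-missing", "--unlink"
)
if (-not $Staging) { $leArgs += "--live" }
if ($Renew) {
    # --renew 10: act only when fewer than 10 days of validity remain.
    # --issue-code 100: exit code returned when a certificate was actually issued,
    # so the PFX is rebuilt only in that case.
    $leArgs += @("--renew", "10", "--issue-code", "100")
}

& le.exe @leArgs
$code = $LASTEXITCODE
if ($Renew -and $code -eq 0) {
    Write-Host "Certificate not due for renewal yet; nothing to do."
    exit 0
}
$expected = if ($Renew) { 100 } else { 0 }
if ($code -ne $expected) { throw "LE.EXE failed with exit code $code" }

# Step 4: package key and certificate as PFX. env: keeps the password off the
# command line (pass:MyPassword would show up in history and process listings).
openssl pkcs12 -export -out mydomain.pfx -inkey mydomain.key -in mydomain.crt -passout env:PFX_PASSWORD
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed" }

# Step 5 is manual: fetch $WorkDir\mydomain.pfx over FTPS or the App Service
# Editor (not over plain HTTP) and bind it in the Azure portal with SNI SSL.
Write-Host "PFX written to $WorkDir\mydomain.pfx"
```

Run it once without -Renew to obtain the first certificate (with -Staging first if you want to validate the Web.config and the challenge path without consuming production rate limits), then schedule it with -Renew; because the PFX is only rebuilt when LE.EXE returns the issue code, the scheduled run is cheap on the days when nothing needs to happen.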
This procedure can be automated. See the article by Benoît Sautière.