How To Add SSL Certificates To Azure App Service

Photo by Dayne Topkin on Unsplash

Blog Post #008

Duncan Faulkner – February 2020

Back in 2018, Scott Hanselman wrote this post on adding Let’s Encrypt SSL certificates to Azure App Services, click here to see Scott’s original post.

I’ve used Scott’s post to apply SSL certificates to my websites for a while now, but the Azure interface keeps changing and Scott’s post is difficult to follow because it has so changed so much. So while I was adding another SSL certificate, I thought I would write an update post as a reminder to myself but also to help others who find themselves trying to add an SSL certificate to Azure using the Lets Encrypt extension.

This post assumes you have a website setup and running and a domain name, this post just walks you through adding a Lets Encrypt certificate to the website.

Checklist

Azure Storage connection string – You’ll need one for the extension to store state. If you haven’t got one setup configure this before you start.

App Service Hosting Plan and App Service Resource Group Name – your Azure plan (the VM your site runs on) and your site must be in the same resource group.

There are a number of ID’s and connection strings to copy and paste that will be required at the end, I suggest opening a text editor to copy these into as we go.

So open Azure and Login.

App Registration

From the Azure home page, select the App registrations menu item.

From the App Registrations page, select New Registration.

For the Name, my convention is to use: Let’s Encrypt – <website name>, where website name is the name of my website I’m adding the SSL to. Select your supported account type, for me this was the default and for the Redirect URI, select web and enter the full URL to your website.

Open the newly created resource, and copy to your text editor the Application (client) ID, Directory (tenant) ID, Object ID as you will need these later in the process.

In Certificates and Secrets, create a New Client Secret, set the Description to Login and set it to Never Expire. Before closing this page copy the value to your text editor for later.

Now go to the Resource Group, this is the same resource group that your website belongs to, I’ve tried having a different resource group and couldn’t get it to work.

Once in the Resource Group, select Access Control (IAM) from the menu, click Add a new Role Assignment, in the Role drop down select Contributor, in the Assign access to drop down select Azure AD User, group, or service Principal (the default) and in the Select drop down type in Let’s Encrypt – website name this refers to the App Registration from earlier. The Selected Members should now show the Let’s Encrypt website name, now click Save.

Now head over to your actual App Service (your website) and click Extensions, Click Add Extension, then Select Choose Extension. In the list of extensions, scroll down until you find Azure Let’s Encrypt SKJP, there are two versions select the first one (see image below).

Then accept the Terms and Conditions and click OK that to return to the App Service. The extension should now be installed.

Scroll back up to Configuration and in the Application Settings section add two Connection strings. These are AzureWebJobsDashboard and AzureWebJobsStorage – Don’t forget this step or it will work once but won’t renew in three months during the renewal.

Both of these should be set to your Azure Storage Account connection string, e.g. DefaultEndpointsProtocol=https;AccountName=[myaccount];AccountKey=[mykey];

Replace value with your Azure Storage Account connection string details.

Save the changes.

And that’s pretty much it for the Azure side of things, now we need to configure the Extension.

In a new browser tab enter: http://YOURSITENAME.scm.azurewebsites.net/LetsEncrypt into the address bar, replacing YOURSITENAME with your actual website name.

This can take a while to resolve, so be patient. Once resolved you should see this.

Scroll down to the Automated Installation section.

Starting from the top.

Tenant – this is your Azure Active Directory URL, its the one ending xxxxx.onmicrosoft.com

Subscription ID – this can be found in the Overview page of your website.

Client ID – this is the application (client) ID from the App Registration section.

Client Secret – this is the value of the Login from the Certificates and Secrets section.

Resource Group Name – is the name of the Resource group

Service Plan Resource Group Name – this is the resource group your service plan is in.

Note: Resource Group Name and Service Plan Resource Group Name are usually the same.
I tried to have a different resource group and service plan resource group, but I couldn’t get it to work. As soon as I moved them into the same resource group it all worked. I missed this when reading Scott’s blog post the first time, (it’s in the checklist section if you are wondering).

Use IP Based SSL – I’ve left this unchecked.

Web App Name – this will be pre-populated with your website name.

Site Slot name – I’ve left this blank.

Dashboard Connection String – this will be pre-populated from your connection string set earlier.

Storage Connection String – this will be pre-populated from your Azure Account Storage connection string.

Update Application Settings and Virtual Directory (if needed) – I’ve checked this box, this will update your site in Azure.


With all that information in place apply the settings, this will take a while to complete, so please be patient.

When this (eventually) returns it will list your website domain and any previous SSL certificates you may have. Click Next.

Select all the hostnames you want an SSL for (you can of course just select one domain as a test), enter a valid email address, as this is the first time creating an SSL for this website, I would recommend checking the staging check box. By using staging it allows you to generate unlimited test SSL certificates, when unchecked the limit is five and you will have to wait a whole month before you can generate any more (only made that mistake once). Just in case you have an issue when generating the certificate.

If the certificate generation is successful, then the certificates will be installed, as we ticked staging these won’t be valid in the browser, so click next again and repeat the steps, this time with staging unchecked.

You may need to refresh/restart your browser for the certificate to appear, especially if you have your site open.

And that’s all there is to it, in three months time this will auto renew your SSL certificates.

Check back into Azure and the websites TLS/SSL settings section you should see a TLS/SSL binding.

Leave a Reply

Your email address will not be published. Required fields are marked *