Introduction
Securing websites with HTTPS is very important these days for privacy, security, and even SEO. While Azure App Service allows you to deploy SSL certificates through the Azure portal, this can get expensive for wildcard certificates that secure multiple subdomains.
In this blog post, I will walk through how you can use the Let's Encrypt certificate authority and the Windows Subsystem for Linux (WSL) on your local machine to automate the creation and renewal of wildcard SSL certificates for your Azure App Service websites. This allows you to get free wildcard SSL certificates without any ongoing costs.
Prerequisites
To follow along with this tutorial, you will need.
- An Azure subscription with one or more App Service plans
- The Windows Subsystem for Linux (WSL) installed on your local machine
- A public domain name configured with a wildcard A record (e.g. *.example.com)
Installing Certbot on WSL
The first step is to install Certbot, the official client for Let's Encrypt, within your WSL environment. Certbot makes it easy to automate the certificate issuing and renewal process.
Open your WSL terminal and run the following commands.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
This will install Certbot from the official PPA repository. Now Certbot is ready to use!
Obtaining a Wildcard Certificate
To obtain a wildcard SSL certificate for your domain, run the following Certbot command.
certbot certonly --manual -d *.example.com --preferred-challenges dns
Certbot will ask you to add a TXT record to your domain's DNS configuration to verify domain ownership. It will provide the record name and value.
Log into your domain registrar/DNS provider and add the indicated TXT record. Then return to the Certbot prompt and type "y" to continue.
Certbot will now request the certificate from Let's Encrypt. If the DNS verification is successful, it will be issued and saved to your system.
This certificate can now be used to secure multiple subdomains like api.example.com, admin.example.com, etc.
Configuring Azure Apps to Use the Certificate
Now that we have the wildcard certificate locally, we need to configure our Azure App Service apps to use it.
First, upload the certificate files (.pem, .key, etc) to your Azure Storage account. Then in the Azure Portal, navigate to your App Service app and go to TLS/SSL settings.
Click "Custom domain SSL (upload certificate)" and select the certificate files from storage. Make sure to also select the private key file.
Once uploaded, your app will be configured to use SSL and served over HTTPS using the new wildcard certificate. Repeat this process for any other apps under the same domain.
Automating Renewals
The Let's Encrypt certificates are only valid for 90 days, so we need to renew them automatically before expiry. Certbot makes this easy by having a renewed subcommand.
certbot renew --dry-run
Running this will perform a test renewal without modifying any files. To actually renew, remove the --dry-run.
We can schedule this renewal as a cron job to run automatically every month. On Ubuntu/Linux, edit the crontab.
crontab -e
Add the following line.
0 0 1 * * certbot renew >> /path/to/log/file 2>&1
This will run Certbot renew on the 1st of every month at midnight to keep the certificates always up to date without any manual intervention.
The renewed certificates will overwrite the existing files, so your Azure apps continue using the latest valid certificate without any configuration changes needed on your end.
Conclusion
By leveraging the power of Let's Encrypt and WSL, we can completely automate the issuance and renewal of free wildcard SSL certificates for multiple Azure App Service websites and subdomains. This saves a lot of money compared to purchasing/renewing individual certificates through the Azure Portal.
Be sure to regularly check the log files to ensure the cron jobs are running successfully each month. With this setup, your apps can always serve content over HTTPS securely without any ongoing costs.
Let me know if you have any other questions!