Azure Web Apps is a great place to host web creations. Apps even come with a free SSL cert for users without a custom domain.

That said, it is highly recommended that anyone serious about building a web app for their business create a custom domain (and obtain an SSL cert).

This blog post will show you step by step how to obtain a free SSL cert using Let’s Encrypt and upload it to the Azure Web App. (Since you are reading this post, I assume you already have a custom domain name configured and the website is deployed to an Azure Web App.)

 

Let’s Encrypt

Let’s Encrypt is a new Certificate Authority that lets users create free SSL certificates to secure web applications. While it’s possible to get SSL certs from other certificate authorities relatively cheaply, you can pay up to $100-$200 a year. This could be a significant expense for a new startup.

Let’s Encrypt is still in beta and only has tooling available for Apache/NGINX running on Linux. This makes it a little more difficult to get an SSL cert for IIS that will run inside the Azure Web App.

But, not impossible 🙂

Follow the steps shown below and you will have an SSL Cert up and running in no time.

 

Creating a Temporary Linux VM

Let’s Encrypt allows users to generate a certificate on any box and quickly transfer it to an Azure Web App.

So we are going to do just that: create a Linux VM inside Microsoft Azure, use it to generate a certificate, and destroy it when we are done, so that we are only charged for the few minutes the machine was actually in use. NOTE: If you already have a Linux box you can skip this step.

1. Inside the Azure Portal, press the ‘New’ button
2. Select ‘Compute’
3. Select ‘Ubuntu Server 14.04 LTS’
4. Select the ‘Classic’ deployment model
5. Click ‘Create’
6. Type in a unique VM host name
7. Type a username
8. Enter a password
9. Create a new resource group only this VM lives in so it’s easy to delete.
10. Hit ‘Create’

After several minutes a new Linux VM will be live. You’ll ssh into the VM to generate the SSL Cert.

Once you have SSH’d into the Linux VM, type the following commands to generate the certificate:

sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --manual

Some blue screens will pop up. Enter the required information.

Next, a URL will be generated, along with the response to return from it; you will create a route for this URL in the Azure Web App.

 

Adding a route to the web app

Inside Visual Studio, create a new controller called LetsEncryptController.cs with the following code:

using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

namespace LetsEncrypt.Controllers
{
    public class LetsEncryptController : ApiController
    {
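        // The route is the challenge path printed by the Let's Encrypt client.
        [HttpGet]
        [Route(".well-known/acme-challenge/6GZFVo5tG95Y6GuishY6DJbJYhfB0Ewoidn3RI-RjWU")]
        public HttpResponseMessage Verify()
        {
            var response = Request.CreateResponse();
            // The body is the response string printed by the client, returned as plain text.
            response.Content = new StringContent("6GZFVo5tG95Y6GuishY6DJbJYhfB0Ewoidn3RI-RjWU.j18Zi5KS23B3SjQjqg_LDLwt5YVRG8Pz77rja8P90rQ");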
            response.Content.Headers.ContentType = new MediaTypeHeaderValue("text/plain");

            return response;
        }
    }
}

This will generate a new route and return a plain text response.

Change the ‘url’ and ‘response’ to the values provided by your Linux shell.

After the route has been created, re-deploy the app to Azure.
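
A pre-flight check for the redeployed route, as an added example that is not part of the original post: it confirms that the response string belongs to the URL before the client asks the CA to validate. The function names and the example.test host are assumptions; the 43-character check reflects the ACME key-authorization format (token, a dot, then a SHA-256 account-key thumbprint), which the post does not spell out.

```shell
#!/bin/sh
# Added example, not from the original post.

# keyauth_matches_url URL BODY
# Succeeds only if URL is an HTTP-01 challenge URL and BODY is exactly
# "<token>.<thumbprint>", where <token> is the last path segment of URL and
# <thumbprint> is 43 base64url characters (a SHA-256 account-key thumbprint).
keyauth_matches_url() {
    url=$1 body=$2
    case $url in
        http://*/.well-known/acme-challenge/*|https://*/.well-known/acme-challenge/*) ;;
        *) echo "not an acme-challenge URL" >&2; return 1 ;;
    esac
    token=${url##*/}
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "token is not base64url" >&2; return 1 ;;
    esac
    thumb=${body#"$token".}
    if [ "$thumb" = "$body" ]; then
        echo "body does not start with the token from the URL" >&2; return 1
    fi
    # A trailing CR, a space or HTML markup after the token fails here.
    case $thumb in
        *[!A-Za-z0-9_-]*) echo "unexpected characters after the token" >&2; return 1 ;;
    esac
    [ "${#thumb}" -eq 43 ] || { echo "thumbprint is not 43 characters" >&2; return 1; }
}

# check_live_route URL EXPECTED
# Fetch the deployed route over HTTP and compare the body with EXPECTED.
# Command substitution drops trailing newlines, so one is tolerated.
check_live_route() {
    got=$(curl -fsS --max-time 10 "$1") || return 1
    keyauth_matches_url "$1" "$got" && [ "$got" = "$2" ]
}

# Sample values: the token and response string shown in the post's controller,
# on a placeholder host name.
URL="http://example.test/.well-known/acme-challenge/6GZFVo5tG95Y6GuishY6DJbJYhfB0Ewoidn3RI-RjWU"
BODY="6GZFVo5tG95Y6GuishY6DJbJYhfB0Ewoidn3RI-RjWU.j18Zi5KS23B3SjQjqg_LDLwt5YVRG8Pz77rja8P90rQ"
keyauth_matches_url "$URL" "$BODY" && echo "route and response are consistent"
```

After redeploying, `check_live_route` can be run with your own domain's URL and the response string from the Linux shell; a failure at that point is cheaper to fix than a failed validation.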

Once the deployment is complete, go back to the Linux terminal and press Enter. This triggers verification that you own the domain and are authorized to create an SSL cert for it, after which a confirmation message is shown.

 

Converting the cert to a .pfx file

The next step is to convert the certificate file into a .pfx file to upload into Azure.

Inside the Linux shell type the following commands:

sudo -s
cd /etc/letsencrypt/live/yourdomain.com/
ls
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem
cp cert.pfx /home/rj
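
Before copying the file off the VM, it is worth checking that the PFX opens with the password you chose, that its certificate belongs to privkey.pem, and how long it stays valid. The following is an added example, not code from the original post; the function names, the sample password and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Passwords are passed through
# the environment (-passin env:) so they do not show up in the process list.

# pfx_certs PFX PASSWORD [pkcs12 options]: print the certificates as PEM.
pfx_certs() {
    pfx=$1 pw=$2; shift 2
    PFX_PASS=$pw openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys "$@" 2>/dev/null
}

# pfx_matches_key PFX PASSWORD KEY: the PFX opens with PASSWORD and its leaf
# certificate carries the public key that belongs to the private key KEY.
pfx_matches_key() {
    pfx_pub=$(pfx_certs "$1" "$2" -clcerts | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ -n "$pfx_pub" ] && [ "$pfx_pub" = "$key_pub" ]
}

# pfx_valid_for PFX PASSWORD DAYS: the leaf does not expire within DAYS days.
pfx_valid_for() {
    pfx_certs "$1" "$2" -clcerts |
        openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# pfx_cert_count PFX PASSWORD: 1 means leaf only, no intermediate bundled.
pfx_cert_count() {
    pfx_certs "$1" "$2" | grep -c 'BEGIN CERTIFICATE'
}

# Constructed sample input: throwaway self-signed cert and key, an unrelated
# key, and a PFX exported the same way as in the post.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null &&
    PFX_PASS=sample-pass openssl pkcs12 -export -out "$1/cert.pfx" \
        -inkey "$1/privkey.pem" -in "$1/cert.pem" -passout env:PFX_PASS
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
make_sample "$SAMPLE"
pfx_matches_key "$SAMPLE/cert.pfx" sample-pass "$SAMPLE/privkey.pem" && echo "key matches"
pfx_valid_for "$SAMPLE/cert.pfx" sample-pass 30 && echo "valid for 30+ days"
echo "certificates in PFX: $(pfx_cert_count "$SAMPLE/cert.pfx" sample-pass)"
```

Because the export command above passes only cert.pem to `-in`, `pfx_cert_count` reports 1 for a PFX built that way: the file carries the site certificate without the issuing CA's certificate.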

 

Uploading to Azure

The next step is to upload the file to Azure. There is probably a way to upload it with xplat-cli, but for this example we are going to copy it to the local machine and use the Azure Portal to upload it.

From the Windows box, open up a cmd prompt and type:

pscp.exe rj@rj20160121.cloudapp.net:/home/rj/cert.pfx d:\downloads\cert.pfx

This will copy the file from the Linux VM to your local computer. You may need to install PSCP first.

Head back over to the Azure Portal and browse to your web app:

1. Click on ‘Custom domains and SSL’
2. Select ‘Upload Certificate’
3. Find the certificate on your local machine
4. Enter in the certificate password
5. Click ‘Save’

Back on the ‘Custom Domains and SSL’ page, the Certificate should show up in the certificates list.

The next step is to create a binding for it by following these steps:

1. Choose the host name from the dropdown
2. Select the certificate
3. Press ‘Save’
4. Press ‘Ok’ on the Pricing Impact confirmation

Browse to the new https domain and confirm that it is secure.

Delete the Linux VM by browsing to the Resource Groups section inside the Azure Portal and removing the Resource Group you created for the VM.

Let’s Encrypt is still young and this process for generating an SSL Certificate on Windows for IIS will improve. Here are some additional links showing progress toward this goal:

ACME client for Windows/IIS
ACMESharp
Let’s Encrypt for Windows IIS
How To: Get LetsEncrypt working with IIS manually