Providing secure access to all Internet content - not just that for banking and buying - is quickly becoming the norm. Although setting up a web site has been fairly easy for years, enabling HTTPS for that site was more challenging. The Let's Encrypt project is trying to improve things for everyone - by making certificates free and easier to use, they enable more sites to offer secure access.
Let's Encrypt is notable for (at least) two achievements. The first is lowering the cost for anyone to obtain a certificate - you can't beat free! The second is simplifying the steps to enable HTTPS on a server. Thus far, Let's Encrypt has focused their efforts on Linux systems, so the process for Windows servers hasn't changed much. Further complicating things, many sites nowadays are hosted by services like Azure or CloudFlare, which makes validating ownership more difficult.
As someone who is in the process of migrating content from a virtual machine with a custom domain to an Azure Web App, I've been looking for an easy way to make use of Let's Encrypt certificates. A bit of searching turned up some helpful resources:
- How to get a free SSL Cert for your Azure Web App with Let's Encrypt - In which a virtual machine and custom routing are used
- How to Validate a Let's Encrypt Certificate on a Site Already Active on CloudFlare - In which command-line steps are outlined
- Ssl certificate for your Azure website using Letsencrypt - In which a reverse proxy and Vagrant are used
- Azure Web App Site Extension for easy installation and configuration of Let's Encrypt issued SSL certificates for custom domain names - In which a site extension is written to handle things automatically (though without support)
- Add support for free SSL certs like those from Let's Encrypt - In which the Web Apps team endorses said extension
Nothing was exactly what I wanted, so I came up with the following approach based on tweaks to the first two articles above. The Let's Encrypt tool runs on Linux, so I use that platform exclusively. Everything can be done in a terminal window, so it's easily scripted. There is no need to open a firewall or use another machine; everything can be done in one place. And by taking advantage of the nifty ability to boot from a Live CD, the technique is easy to apply even if you don't have a Linux box handy.
- Boot an Ubuntu 16.04 Live CD
- Or a future version of Windows with the Ubuntu subsystem
- Run "Software & Updates" and enable the "universe" repository
sudo apt install letsencrypt
sudo apt install git
git config --global user.email "email@example.com"
git config --global user.name "User Name"
git clone https://example.scm.azurewebsites.net:443/Example.git
- Be sure
/.well-known/acme-challenge/web.configexits and is configured to allow extension-less files:
<configuration> <system.webServer> <staticContent> <mimeMap fileExtension="" mimeType="text/plain"/> </staticContent> </system.webServer> </configuration>
- Be sure
sudo letsencrypt certonly --manual --domain example.com --domain www.example.com --email firstname.lastname@example.org --agree-tos --text
- Note: Include the
--test-certoption when trying things out
- Note: Include the
- Repeat for each domain:
nano verification-fileand paste the provided content
git add verification-file
git commit -m "Add verification file."
- Allow Let's Encrypt to verify ownership by fetching the verification file
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/fullchain.pem -out fullchain.pfx -passout pass:your-password
- Follow the steps to Configure a custom domain name in Azure App Service using
- Enjoy browsing your site securely!