Azure Web App with Let’s Encrypt Certificate – Powershell Automation

UPDATE Jan 28, 2018

Niiraj Kumar made me aware that there is actually a Web App site extension that gets a Let's Encrypt cert and renews it as needed with a Web Job. You can find the extension here. It is written by a fellow Dane, Simon J. K. Pedersen, for whom I will buy a beverage of choice if we ever meet. The Bing must have been weak with me because I didn't find that previously. In any case, it is much appreciated, and while my little PowerShell script may not have all the bells and whistles of the site extension, it may serve as a starting point for somebody looking to understand the mechanics of getting a Let's Encrypt certificate on an Azure Web App.

Original Blog Post

Azure Web Apps provide a convenient scalable platform for deploying web sites and web applications. You should enable HTTPS (SSL/TLS) on your web sites and if you are using a custom domain name, you will need a certificate.

Certificates are obtained from a Certificate Authority (CA), which in many cases will charge for their services. There is a new CA called Let's Encrypt and it will provide the certificate for free. I am a fan. This service is great. I highly recommend it.

Like all CAs, you will need to provide some sort of challenge response to document that you control the domain you are trying to generate a certificate for. Typically a challenge involves generating specific DNS records or uploading files with specific content to a Web Server hosted at the domain name location. Let's Encrypt enables you to complete this process through a REST API and there are numerous clients that can automate large parts of the process for you. These clients are often intended to run directly on the Web Server hosting the domain, but if you are hosting your web site on an Azure Web App, there is no client that will automate the entire process for you.

I have written a script, which will a) create an Azure Web App, b) generate a certificate from Let's Encrypt, and c) bind the certificate to the Web App with a custom domain name. You can find the script and some instructions in this GitHub repository. The script uses the ACMESharp PowerShell module to interact with the Let's Encrypt CA.

To use the script, clone the GitHub repository and use a command like:

.\CreateLetsEncryptWebApp.ps1 -ResourceGroupName "RESOURCE-GROUP-NAME" `
    -WebAppName "WEB-APP-NAME" -Fqdn "DOMAIN NAME" -Location "LOCATION"

The script will first create a Resource Group and Web App, if they don't exist already. It will then pause to give you a chance to point a CNAME to the Web App. You should make sure this is completed before continuing or the script will be unable to add the custom domain name to the Web App. After adding the domain name, it will create an ACME vault (if it doesn't exist) and start the challenge/response process. It will complete the challenge by uploading appropriate files to the web app and notify Let's Encrypt to check the challenge response. Once the challenge has been validated, a certificate will be generated and the script will bind it to the Web App.
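To make the steps above concrete, here is an added example of the same workflow written from scratch for this page; it is not the CreateLetsEncryptWebApp.ps1 script from the repository. It assumes the AzureRM and ACMESharp modules are installed, that Login-AzureRmAccount has already been run, and that $KuduCredential holds the Web App's deployment (Kudu) credentials; the ACMESharp cmdlet parameters are as I remember them from ACMESharp 0.9 and should be checked against Get-Help on the installed module. Two things it adds beyond the description: a DNS pre-flight check that the CNAME really points at the Web App before the pause ends, and a self-check that the challenge file is reachable over HTTP before Let's Encrypt is asked to validate it, which is the step that most often fails silently.

```powershell
# Added example, not the CreateLetsEncryptWebApp.ps1 script from the repository.
# Assumes: AzureRM + ACMESharp installed, Login-AzureRmAccount done, $KuduCredential = Kudu credentials.
# ACMESharp parameters are from memory of ACMESharp 0.9; verify with Get-Help on your module.
Import-Module ACMESharp
Import-Module AzureRM

# Pre-flight: the custom domain must CNAME to the Web App, otherwise adding the host name
# and the http-01 challenge both fail.
function Test-CnamePointsToWebApp {
    param([string]$Fqdn, [string]$WebAppName)
    $target  = "$WebAppName.azurewebsites.net"
    $records = Resolve-DnsName -Name $Fqdn -Type CNAME -ErrorAction SilentlyContinue
    return [bool]($records | Where-Object { $_.NameHost -ieq $target })
}

function New-WebAppIfMissing {
    param([string]$ResourceGroupName, [string]$WebAppName, [string]$Location)
    if (-not (Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
        New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
    }
    if (-not (Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName -ErrorAction SilentlyContinue)) {
        $plan = "$WebAppName-plan"   # custom host names and SNI SSL need at least the Basic tier
        New-AzureRmAppServicePlan -ResourceGroupName $ResourceGroupName -Name $plan -Location $Location -Tier Basic | Out-Null
        New-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName -Location $Location -AppServicePlan $plan | Out-Null
    }
}

# Upload one file under site/wwwroot through the Kudu VFS API (PUT with If-Match: *).
function Publish-KuduFile {
    param([string]$WebAppName, [pscredential]$KuduCredential, [string]$RelativePath, [string]$Content)
    $pair  = "$($KuduCredential.UserName):$($KuduCredential.GetNetworkCredential().Password)"
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $uri   = "https://$WebAppName.scm.azurewebsites.net/api/vfs/site/wwwroot/$RelativePath"
    Invoke-RestMethod -Uri $uri -Method Put -Body $Content -ContentType 'text/plain' `
        -Headers @{ Authorization = "Basic $token"; 'If-Match' = '*' } | Out-Null
}

# IIS does not serve extensionless files by default; this web.config (constructed here) makes the
# token files under .well-known/acme-challenge/ downloadable as text/plain.
$AcmeWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration><system.webServer><staticContent>
  <mimeMap fileExtension="." mimeType="text/plain" />
</staticContent></system.webServer></configuration>
'@

function New-LetsEncryptPfx {
    param([string]$Fqdn, [string]$ContactEmail, [string]$WebAppName,
          [pscredential]$KuduCredential, [string]$PfxPath, [string]$PfxPassword)
    if (-not (Get-ACMEVault -ErrorAction SilentlyContinue)) {
        Initialize-ACMEVault -BaseService LetsEncrypt
        New-ACMERegistration -Contacts "mailto:$ContactEmail" -AcceptTos | Out-Null
    }
    $idAlias = "id-" + ($Fqdn -replace '\.', '-') + "-" + (Get-Date -Format yyyyMMddHHmm)
    New-ACMEIdentifier -Dns $Fqdn -Alias $idAlias | Out-Null
    # Manual handler: we place the challenge file ourselves via Kudu.
    Complete-ACMEChallenge $idAlias -ChallengeType http-01 -Handler manual | Out-Null
    $http = ((Get-ACMEIdentifier $idAlias).Challenges |
             Where-Object { $_.Type -eq 'http-01' } | Select-Object -First 1).Challenge
    Publish-KuduFile $WebAppName $KuduCredential '.well-known/acme-challenge/web.config' $AcmeWebConfig
    Publish-KuduFile $WebAppName $KuduCredential $http.FilePath.TrimStart('/') $http.FileContent
    # Check the token is served the way the CA will fetch it before asking for validation.
    $served = [string](Invoke-RestMethod -Uri $http.FileUrl)
    if ($served.Trim() -ne $http.FileContent.Trim()) { throw "Challenge file not served correctly at $($http.FileUrl)" }
    Submit-ACMEChallenge $idAlias -ChallengeType http-01 | Out-Null
    do {
        Start-Sleep -Seconds 5
        $status = (Update-ACMEIdentifier $idAlias -ChallengeType http-01).Status
    } while ($status -eq 'pending')
    if ($status -ne 'valid') { throw "Challenge for $Fqdn finished in state '$status'" }
    $certAlias = "cert-$idAlias"
    New-ACMECertificate $idAlias -Generate -Alias $certAlias | Out-Null
    Submit-ACMECertificate $certAlias | Out-Null
    do { Start-Sleep -Seconds 5; $cert = Update-ACMECertificate $certAlias } until ($cert.IssuerSerialNumber)
    Get-ACMECertificate $certAlias -ExportPkcs12 $PfxPath -CertificatePassword $PfxPassword | Out-Null
}

function Invoke-LetsEncryptWebAppWorkflow {
    param([string]$ResourceGroupName, [string]$WebAppName, [string]$Fqdn, [string]$Location,
          [string]$ContactEmail, [pscredential]$KuduCredential, [string]$PfxPath = "C:\temp\$Fqdn.pfx")
    New-WebAppIfMissing $ResourceGroupName $WebAppName $Location
    while (-not (Test-CnamePointsToWebApp $Fqdn $WebAppName)) {
        Read-Host "Point a CNAME for $Fqdn at $WebAppName.azurewebsites.net, then press Enter" | Out-Null
    }
    Set-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName `
        -HostNames @($Fqdn, "$WebAppName.azurewebsites.net") | Out-Null
    New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
    $bytes = New-Object byte[] 24   # random PFX password so the private key on disk is not unprotected
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pfxPassword = [Convert]::ToBase64String($bytes)
    New-LetsEncryptPfx $Fqdn $ContactEmail $WebAppName $KuduCredential $PfxPath $pfxPassword
    New-AzureRmWebAppSSLBinding -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName -Name $Fqdn `
        -CertificateFilePath $PfxPath -CertificatePassword $pfxPassword -SslState SniEnabled | Out-Null
    Write-Output "Certificate bound to https://$Fqdn ; PFX kept at $PfxPath"
}
```

Call it as Invoke-LetsEncryptWebAppWorkflow with the same ResourceGroupName, WebAppName, Fqdn and Location values as the command above plus a contact e-mail and the Kudu credential. The PFX password is generated per run and only printed nowhere; if you keep the PFX for re-upload later, store the password alongside it in a secret store rather than in the script.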

The code for the entire workflow is contained in the CreateLetsEncryptWebApp.ps1 file, which contains comments throughout. You can use it "as is" if you simply need to stand up a web app with a custom domain name and HTTPS, or you can use it as inspiration for more elaborate workflows. Feel free to use bits and pieces of it as you see fit.

If you run the script on a Web App that already exists, it will simply generate a new certificate, effectively renewing the certificate. Also note that the certificate is stored in C:\temp after the script is complete. You can save it and upload it again. The certificate is valid for 3 months; if you use this workflow in production, you should set up a scheduled job to renew the certificate on a regular basis.
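As an added example for the renewal point above (not part of the original script), this reads the PFX left in C:\temp, reports how many days of validity remain, checks that the Web App binding for the host name is really using that certificate, and registers a daily Task Scheduler job. It assumes AzureRM is installed and Login-AzureRmAccount has been run; the script path and argument string passed to the task are placeholders, and the task is only useful if the renewal script runs without prompting (so the CNAME pause must be skipped or answered non-interactively, which is an assumption about your copy of the script).

```powershell
# Added example, not part of the original CreateLetsEncryptWebApp.ps1 script.
# Assumes AzureRM is installed and Login-AzureRmAccount has been run.
Import-Module AzureRM

# Read the exported PFX and decide whether it is time to renew.
function Get-PfxRenewalStatus {
    param([Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$PfxPassword,
          [int]$RenewWithinDays = 30)   # Let's Encrypt certs last 90 days; renew with margin
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        NeedsRenewal = ($daysLeft -le $RenewWithinDays)
    }
}

# Compare the PFX thumbprint with the certificate the Web App actually serves for the host name.
function Test-WebAppUsesCertificate {
    param([string]$ResourceGroupName, [string]$WebAppName, [string]$Fqdn, [string]$Thumbprint)
    $binding = Get-AzureRmWebAppSSLBinding -ResourceGroupName $ResourceGroupName `
        -WebAppName $WebAppName -Name $Fqdn -ErrorAction SilentlyContinue
    return ($null -ne $binding -and $binding.Thumbprint -ieq $Thumbprint)
}

# Daily task that re-runs the issuing script for an existing Web App (which renews the cert).
# $ScriptPath and $ScriptArgs are placeholders for your script location and its arguments.
function Register-CertRenewalTask {
    param([string]$ScriptPath, [string]$ScriptArgs, [string]$TaskName = 'LetsEncryptRenew')
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" $ScriptArgs"
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Force | Out-Null
}

# Usage (constructed values):
# $status = Get-PfxRenewalStatus -PfxPath 'C:\temp\www.example.com.pfx' `
#               -PfxPassword (Read-Host -AsSecureString 'PFX password')
# $status | Format-List
# if (-not (Test-WebAppUsesCertificate 'RESOURCE-GROUP-NAME' 'WEB-APP-NAME' 'www.example.com' $status.Thumbprint)) {
#     Write-Warning 'The Web App binding does not use the PFX in C:\temp'
# }
# if ($status.NeedsRenewal) { Register-CertRenewalTask -ScriptPath 'C:\scripts\RenewCert.ps1' -ScriptArgs '...' }
```

The thumbprint comparison is the check worth keeping even if you adopt the site extension instead: a renewed PFX on disk is worthless until the SNI binding on the Web App points at the new thumbprint, and this makes that visible before the old certificate expires.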

That is it. Let me know if you have questions/comments/suggestions.


Comments (12)

  1. I’ve used this myself and it was EXTREMELY helpful, thank you!

  2. Adam Modlin says:

    Awesome script, thanks for sharing. One issue – the script doesn’t work if there’s no C:\temp directory (at least it didn’t on my machine until I created it).

    1. Hi Adam. Thanks for the comment. I have added a few lines in the script to create c:\temp if it doesn’t exist. Thanks for catching that.

      1. Adam Modlin says:

        Great thanks Michael. Have you experimented with running this as a WebJob?

        1. Hi Adam, yeah, my next step was to set up a WebJob for a renewing the cert. I will get around to at some point, but just haven’t had time yet. I think most of the pieces are there. The other thing was to have multiple aliases to make sure the *.scm.* endpoint also gets a cert, but again, have not had time. If you want to dig in, just clone the repo and we can work on it together.

  3. Niiraj Kumar says:

    There is already a webapp plugin extension which does all the work automatically! I use it for my own personal website

    Configure the extension once, it will request certificate, install and renews it every 3 months. No script, no scheduling is required.

    1. Hey Niiraj, thanks for posting this. I was (obviously) not aware of this extension, which is a great way to go as well. It is based on the same ACMESharp module as I used as best as I can tell, but clearly nice that you can do it all in the portal and the webjob automation is nice. I will update this page with a reference to the extension at the top, so people know that is an option. The single PowerShell script is also a good starting point if somebody wants to walk through the steps without installing an extension. Either way, good to have several ways of doing it.

      1. Niiraj Kumar says:

        Thank you! Nonetheless, the script looks great if somebody doesn’t want to use the extension. 👍

  4. Thank you so much Michael, I followed your article and implemented free SSL on my site.

  5. Thanks for doing this, very helpful for us all! I’m struggling to get it working for me but it is not displaying an error. I think perhaps I haven’t set the CNAME entry properly. I don’t suppose there’s any chance of a clarification as to how to do this step?

    1. The CNAME is something you have to set with wherever your DNS is hosted, so it is not something I can give general instructions on. It sort of depends on where your DNS server is.

      1. I see, that’s fair enough. I accidentally took down a second site on the same Azure App Service, so I think I’m going to go back to the old-fashioned way of gaining a cert for now for avoidance of risk and buy myself some time to practice this. Many thanks for the script and the help though, I will use it in the future.
