Creating Wildcard SSL Certificates with Let’s Encrypt


One of my favorite services is Let's Encrypt. They issue free SSL certificates. I have written about how to generate a certificate for a Web App using their service. They have just started issuing wildcard certificates, and in this blog post I will show you how to make one for an Azure App Service Environment (ASE).

I have been writing about Azure App Service Environment (ASE) and it is now available in Azure Government. For the Internal Load Balancer (ILB) configuration of the ASE, it is recommended that you provide a wildcard certificate covering *.ILBAseDomainName and *.scm.ILBAseDomainName to support creation of new sites and their Kudu consoles with valid certificates. While it is not strictly necessary to have a wildcard certificate, it is a lot easier to manage an ASE if you do. Now that Let's Encrypt will issue a wildcard certificate, let's try to do that for an ASE.

Let's Encrypt publishes an API you can use for requesting certificates and completing challenges to verify domain ownership. There are multiple clients for interacting with this API, but I will be using certbot in this blog.

First, a few notes on my setup and versions of certbot. Please read this carefully to save yourself some time. Certbot runs on most flavors of Linux and in this demo, I have used an Ubuntu 16.04 VM to run the required commands. In order to request wildcard certificates, your certbot client must be version 0.22.0 or above, and because the standard Ubuntu packages currently include version 0.21.0, you should not install certbot using apt-get install. Also note that the method for installing certbot that I am using here will not work in Bash in Windows, so you can save yourself some time by starting a small Linux VM to complete the steps.

In order to install certbot:

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ sudo ./certbot-auto

In my case, I own the domain cloudynerd.us and I would like to get a certificate for an ILB ASE:

$ sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
-d '*.cloudynerd.us' -d '*.scm.cloudynerd.us'

An important parameter to notice is --server https://acme-v02.api.letsencrypt.org/directory, which instructs the certbot client to use v2 of the Let's Encrypt API (required for wildcard certificates). Also notice the two wildcard domains; they are quoted so the shell does not try to expand the asterisks against files in the current directory.

The certbot client will walk you through the process of registering an account, and it will instruct you on what to do to complete the challenges. You should see something like:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.scm.cloudynerd.us with the following value:

5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

How you deploy this TXT record will depend on where your domain is registered. Once you have completed the TXT record, you should verify that it is working using nslookup:

$ nslookup -type=TXT _acme-challenge.scm.cloudynerd.us

Server:         192.XXX.XXX.XXX
Address:        192.XXX.XXX.XXX#XX

Non-authoritative answer:
_acme-challenge.scm.cloudynerd.us       text = "5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX"

When you have verified that the TXT record is properly deployed, proceed to the next challenge. Eventually, the certificate will be issued and you should see something like:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cloudynerd.us/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cloudynerd.us/privkey.pem
   Your cert will expire on 2018-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The last step of the process is to export the certificate, together with its chain, as a *.pfx file. Use fullchain.pem rather than cert.pem here, so the intermediate certificate is included in the PFX and Azure does not have to build the chain itself:

$ sudo openssl pkcs12 \
-inkey /etc/letsencrypt/live/cloudynerd.us/privkey.pem \
-in /etc/letsencrypt/live/cloudynerd.us/fullchain.pem \
-export -out ./cloudy-ase.pfx

You will be prompted for a password for the certificate. Make a note of it; you will need it when you use the certificate with a Web App or an ASE. To deploy an ASE using this certificate, you can use this template.
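Before uploading the PFX, it is worth confirming which hostnames the certificate actually covers and that the chain made it into the file. The script below is an added example, not part of the original post: it checks a hostname against the certificate's DNS SANs with the same one-label wildcard rule that browsers and Azure apply, and counts the certificates inside an exported PFX. It builds its own self-signed stand-in certificate with the two wildcard names from this post, so it runs offline; the file names and the password "secret" are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check which hostnames a
# certificate actually covers before uploading it to an ASE or Web App.
# A wildcard SAN matches exactly ONE label: *.cloudynerd.us covers
# app.cloudynerd.us but not app.scm.cloudynerd.us, which is why the
# ASE needs the second *.scm.<domain> name in the same certificate.
# Usage: source this file, then: cert_covers_host fullchain.pem app.cloudynerd.us
set -euo pipefail

# Print the DNS names in a PEM certificate's subjectAltName, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 if HOST is covered by a DNS SAN of CERT, 1 otherwise.
# Exact names must match exactly; a wildcard must consume exactly one
# leftmost label (no multilevel matches, no bare-domain matches).
cert_covers_host() {
  local cert=$1 host=$2 san sans base prefix
  sans=$(cert_dns_sans "$cert") || sans=""
  for san in $sans; do
    if [ "${san#\*.}" != "$san" ]; then
      base=${san#\*.}
      prefix=${host%.$base}
      if [ "$prefix" != "$host" ] && [ -n "$prefix" ] \
         && [ "${prefix%%.*}" = "$prefix" ]; then
        return 0
      fi
    elif [ "$san" = "$host" ]; then
      return 0
    fi
  done
  return 1
}

# Export key+cert to a PFX (the post's last step) and report how many
# certificates ended up inside, so a missing chain is noticed before upload.
pfx_cert_count() {
  local cert=$1 key=$2 out=$3 pass=$4
  openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" -passout "pass:$pass"
  openssl pkcs12 -in "$out" -nokeys -passin "pass:$pass" | grep -c 'BEGIN CERTIFICATE'
}

# Constructed stand-in for the Let's Encrypt certificate: a self-signed cert
# with the same two wildcard SANs, written to DIR/cert.pem and DIR/privkey.pem.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.cloudynerd.us" \
    -addext "subjectAltName=DNS:*.cloudynerd.us,DNS:*.scm.cloudynerd.us" \
    -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}
```

A real Let's Encrypt fullchain.pem should report two certificates (leaf plus intermediate); a count of one means the PFX was built from cert.pem alone.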

And that is it. You now have a wildcard certificate for your ASE. Please go donate some money to Let's Encrypt. It is an awesome service. Let me know if you have questions/comments/suggestions.

Comments (5)

  1. hbcondo says:

    Hi, Michael. I successfully executed these steps to get a PFX file into the SSL settings section of my Azure App Service but when I attempt to apply it, the message “Supported wildcard domains are any subdomain whose leftmost DNS label is *. Multilevel wildcard domains cannot be used” is displayed along with the message “No certificates match the selected hostname”. Due to this, the wildcard SSL cert is not listed in the “Private Certificate Thumbprint” select list so I cannot use it on my website. Can you please review and confirm? Thanks.

    1. It is not really easy for me to confirm and review without actually seeing it. It is not clear at all where and how you are trying to apply this certificate.

      1. hbcondo says:

        Thank you for your reply. There is no mechanism to attach a screenshot to this reply so I’ve uploaded a redacted screenshot of my Azure Portal Web App Service that shows the issue of not being able to use the wildcard SSL cert with a website: https://imgur.com/a/F5pw5bz

        1. Please email me at mihansen AT Microsoft.com and we can take it offline. It looks like your cert doesn’t cover the domain you are using.

          1. hbcondo says:

            Thanks, I just sent you an email with the full domain.