If you concern yourself with security, you probably have heard of Troy Hunt. Over the years, Troy has blogged about numerous free SSL services including Let’s Encrypt and Cloudflare. He’s also blogged a lot about why static websites need HTTPS. I’ve long been a fan of Let’s Encrypt and use Azure WebApps for many of my projects, especially those that are supporting non-profit organizations, such as TechBash, or those for personal use such as my own blog. So, while this post will specifically target those using Azure, you can and should use Let’s Encrypt or Cloudflare regardless of your hosting provider.
For purposes of this post, I’m going to use:
- Azure Active Directory and Service Principal Accounts*
- Azure Function app
- Azure Web app
- Let’s Encrypt
Note: It is recommended that to be a global administrator in Azure or other role with elevated privileges to properly create the service principal account and role.
In addition, you do not have to be a developer to complete this. The average Azure user will most likely complete these tasks in 20 minutes.
Step 1: Create a Service Principal Account in Azure
Rather than providing screen shots that will become outdated, I recommend following the procedure documented on the Docs.Microsoft.com website here.
When going through the process, I’d recommend choosing a display name should be something that’s easy to understand. I tend to use the name of the application along with letsencrypt so I can easily identify this service account. Also, the login/home page value doesn’t really matter for this purpose as this will only be used for the function. However, the important thing to note is that this URL will allow users to login against Azure AD. So, I typically use an endpoint that is still valid, but is not publicly accessible.
Step 2: Install and Auto-Renew Certificates
Simon J.K. Pederson is the primary author of an Azure site extension called the “Let’s Encrypt Site Extension.” Last year, he wrote a blog post explaining how to use an Azure function to create, install, and auto-renew your Let’s Encrypt certificate. While the post gets you 90% of the way there, I had discovered that some of the named parameters do not match the parameter in Azure very well. So, I’ve created a quick GitHub repository that contains the Azure function (run.csx file) available at https://github.com/jasongaylord/LetsEncryptFunctionDemo. I highly recommend copying the code in this file as opposed to what Simon has posted as this replaces the soon to be deprecated TraceWriter class. In addition, I’ve provided hints for 13 variables that are defined within the README.md file.