loading...
Microsoft Azure

Configuring the free TLS/SSL certificates on Azure App Service

jdubois profile image Julien Dubois Updated on ・3 min read

Free TLS/SSL certificates for Azure App Service

Last month, it was announced at MS Ignite that users of Azure App Service would have free, managed TLS/SSL certificates:

Azure App Service is a very popular Platform-as-a-Service, which supports Docker images as well as many different languages and frameworks. For example, if you are using Java and Spring Boot, I believe it's the easiest way to go to production on Azure. And using TLS/SSL is of course mandatory when going to production!

Configuring those certificates isn't totally obvious, as you probably don't use Azure to manage your DNS: this short guide is here to help you!

Configure your DNS records

Configuring your DNS records is probably the trickiest part, as it will depend on your DNS provider.

Here we will setup a very generic configuration, which should work on most DNS providers. But as a concrete example, we are going to use Gandi, which is a French DNS provider, and which is the one I use for my julien-dubois.com personal website as well as the different JHipster websites.

What you need to do is add a "CNAME" record that will point from your production DNS name to your Azure App Service instance.

For example, here:

  • My production website will be https://petclinic.julien-dubois.com.
  • My App Service instance is called jdubois-petclinic, so it is hosted by default on https://jdubois-petclinic.azurewebsites.net.

DNS Record

WARNING: a hostname entry usually ends with a dot (.) unless you specifically want it to be suffixed by the current domain. This is what most DNS provider will require, and this is why in the screenshot we have jdubois-petclinic.azurewebsites.net. (notice the . at the end).

Your DNS provider probably also allow you to configure directly those DNS records, without using a Web control panel. In that case, your DNS entry would look like this:

petclinic 1800 IN CNAME jdubois-petclinic.azurewebsites.net.

Once this configuration is saved, remember that DNS records can take up to 48 hours to propagate, but it is usually much faster.

In order to check the propagation of your record, you can use a tool like https://dnschecker.org/. In our example, you can see on https://dnschecker.org/#CNAME/petclinic.julien-dubois.com that our CNAME record was correctly propagated.

Configure your Azure App Service instance

You can now go to the Azure portal, and select your Azure App Service instance.

"Custom domains" configuration

In the "Custom domains" menu on the left:

  • Check the "HTTPS Only" box, as there is no need to keep an unsecured HTTP option.
  • Click on "Add custom domain", and add the domain name you have configured with your DNS provider

Add custom domain

The "Validate" button here will check if your DNS record is correct: if you misconfigured your record, or if your record hasn't been propagated yet, this is where you get an error.

"TLS/SSL settings" configuration

In the "TLS/SSL settings" menu on the left, go to the "Private Key Certificates (.pfx)" tab.

Private Key Certificates

Click on "Create App Service Managed Certificate", this will show a specific screen where you can select the domain name you have previously configured:

Create App Service Managed Certificate

Click on "Create" and wait a few seconds for your certificate to be created:

Created certificate

Now, still in the "TLS/SSL settings" page, click on the "Bindings" tab:

SSL Bindings

Click on "Add TLS/SSL Binding", and select the previously generated certificate. You should use "SNI SSL" as it will work on all modern browsers:

Add SSL Binding

Click on "Add Binding", and you're all set up!

You can now enjoy your website using TLS/SSL:

HTTPS Website

Discussion

pic
Editor guide
Collapse
techcitysouth profile image
TechCitySouth

Julien,
Thanks for the clear step-by-step. I am deploying my first (Blazor) app to Azure. When I attempt to set up the custom domain I get:
"This subscription is not eligible to purchase App Service Domains"
When I attempt to create the certificate I get:
"Create App Service Managed Certificates (Preview) feature is enabled for sub-domain hostnames. Naked domains are not supported."
Is this simply Microsoft's way of forcing me to pay more?

Collapse
davidrousseau75 profile image
Benethor

Hello Julien.

I am looking at a way to automate the certificate creation in my release pipeline. Did you come across anything (CLI, Powershell, ARM) ?

Thank you
David

Collapse
felpel profile image
Félix Pelletier

I have a similar question, but it would be for the equivalent operation with the Azure SDK for Node.js.

I've created a managed certificate with those instructions and checked on resources.azure.com to understand what is actually generated by Azure's backend (placeholders such as {certificateName} are in place instead of the actual values):

{
  "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupId}/providers/Microsoft.Web/certificates/{certificateName}",
  "name": "{certificateName}",
  "type": "Microsoft.Web/certificates",
  "location": "East US",
  "properties": {
    "friendlyName": "",
    "subjectName": "{hostname}",
    "hostNames": [
      "{hostname}"
    ],
    "pfxBlob": null,
    "siteName": null,
    "selfLink": null,
    "issuer": "GeoTrust RSA CA 2018",
    "issueDate": "2020-03-25T00:00:00+00:00",
    "expirationDate": "2020-09-25T12:00:00+00:00",
    "password": null,
    "thumbprint": "{certificateThumbprint}",
    "valid": null,
    "toDelete": null,
    "cerBlob": null,
    "publicKeyHash": null,
    "hostingEnvironment": null,
    "hostingEnvironmentProfile": null,
    "keyVaultId": "",
    "keyVaultSecretName": "",
    "keyVaultSecretStatus": "Succeeded",
    "webSpace": "{resourceGroupId}-EastUSwebspace",
    "serverFarmId": null,
    "canonicalName": "{hostname}",
    "tags": null
  }
}

I'm not sure if we only have to fill the following properties:

  • name;
  • location;
  • subjectName;
  • hostNames;
  • canonicalName;
Collapse
jdubois profile image
Julien Dubois Author

Hi Félix: I would rather use the automatic set up I have above, which works with all languages, than try to set it up manually. It might work today, but it might break when there's a new release. Then, I don't expect this to be very complicated or change very often, so if you only need to change those 5 properties it's probably not too bad.

Collapse
jdubois profile image
Julien Dubois Author

Hi Benethor, and sorry for the late response (I never got the email from dev.to, I guess it want to my spam box). In this article I don't do it in the release pipeline: it's all automated by Azure App Service, so there's really nothing to do.
However, I do also run VMs where I need to handle that certificate myself: in that case, the easiest thing I found is to use Apache with the Let's Encrypt script. It's all done automatically and renewed with a CRON job, so it should work without much maintenance. I only remember that one time I had to upgrade the script manually because they had a major release. So that's a bit more work & maintenance, but that's still easy to set up.