Tatsuro Shibamura

The fastest way to use Let's Encrypt in Azure

App Service Managed Certificate is a great service, but are you frustrated that you can't issue a certificate for a zone apex or wildcard domain?

I was so frustrated that I created an application that uses Let's Encrypt to easily issue certificates for Zone apex and wildcard domains.

It's already available on my personal website (https://shibayan.jp).

For App Service

If you want an easy way to get a Let's Encrypt certificate for your App Service, I recommend Acmebot for App Service.

In particular, the Windows App Service allows certificates to be issued without requiring any special configuration or resources.

shibayan / appservice-acmebot

Automated ACME issuer for Azure App Service (Web Apps / Functions / Containers)

App Service Acmebot


This is an application that automates the issuance and renewal of ACME SSL/TLS certificates for Azure App Services.

  • Support for multiple App Services
  • Easy to deploy and configure
  • Highly reliable implementation
  • Ease of Monitoring (Application Insights, Webhook)

You can add multiple certificates to a single App Service.

Announcements

How to upgrade to Acmebot v3

https://github.com/shibayan/appservice-acmebot/issues/138

Integration with Key Vault

If you need to use the certificate for a variety of services, consider using the Key Vault version of Acmebot v3.

https://github.com/shibayan/keyvault-acmebot

The Key Vault version can be used with services that support Key Vault certificates, such as App Service / Application Gateway / CDN / Front Door.


Feature Support

  • Azure Web Apps and Azure Functions (Windows)
  • Azure Web Apps (Linux) / Web App for Containers (Windows and Linux, requires Azure DNS)
  • Azure App Service Environment…

Getting started is not a complicated process.

Use the Deploy to Azure button and the necessary resources will be built automatically.


Setting up Access Control (IAM) can be a bit tricky, but don't worry.

Just add permissions on the resource group where you want to use Let's Encrypt.


Congratulations! Once the IAM is configured, you can issue the certificate via the web UI.

For other services

If you need to use Let's Encrypt with an Azure service other than App Service, I recommend using the Key Vault version of Acmebot.

You can freely issue certificates from Let's Encrypt simply by adding the settings for a supported DNS provider.

shibayan / keyvault-acmebot

Automated ACME issuer for Azure Key Vault (App Gateway / Front Door / CDN / others)

Key Vault Acmebot


This application automates the issuance and renewal of ACME SSL/TLS certificates. The certificates are stored inside Azure Key Vault. Many Azure services such as Azure App Service, Application Gateway, CDN, etc. are able to import certificates directly from Key Vault.

We have started to address the following requirements:

  • Use the Azure Key Vault to store SSL/TLS certificates securely
  • Centralize management of a large number of certificates using a single Key Vault
  • Easy to deploy and configure solution
  • Highly reliable implementation
  • Ease of Monitoring (Application Insights, Webhook)

Key Vault allows for secure and centralized management of ACME certificates.

Announcements

Upgrade to Acmebot v3

Key Vault Acmebot v3 has been available since December 31, 2019. Users who deployed earlier than this are encouraged to upgrade to v3 by following the upgrade process described here:

https://github.com/shibayan/keyvault-acmebot/issues/80

Automate Azure CDN / Front Door certificates deployment

As of August 2020, Azure CDN /…

Integration with Key Vault makes it easy to use Let's Encrypt certificates with services such as Application Gateway and Azure Front Door.

You can create all the resources you need from the Deploy to Azure button just like the App Service version. It's easy.


You will need to set up an additional access policy for the Key Vault, but it's not difficult to do so as long as you follow the README.

Personally, I recommend using the Key Vault version. It can be used with various services such as App Service and Front Door.

Enjoy your Azure Serverless life!

Discussion (2)

Robin Cher

Perfect solution!

Maurice

The last time I looked into this, this was really hard/cumbersome to do. I'm glad that this got so easy even though it's still not implemented natively. (why Microsoft, why?)
Thank you!