App Service Managed Certificate is a great service, but are you frustrated that you can't issue a certificate for a zone apex or a wildcard domain?
I was so frustrated that I created an application that uses Let's Encrypt to easily issue certificates for zone apex and wildcard domains.
It's already available on my personal website (https://shibayan.jp).
For App Service
If you need a Let's Encrypt certificate for your App Service very easily, I recommend Acmebot for App Service.
In particular, the Windows App Service allows certificates to be issued without requiring any special configuration or resources.
shibayan / appservice-acmebot
Automated ACME SSL/TLS certificates issuer for Azure App Service (Web Apps / Functions / Containers)
App Service Acmebot
Motivation
We have started to address the following requirements:
- Support for multiple App Services
- Easy to deploy and configure
- Highly reliable implementation
- Ease of Monitoring (Application Insights, Webhook)
You can add multiple certificates to a single App Service.
Feature Support
- Azure Web Apps and Azure Functions (Windows)
- Azure Web Apps (Linux) / Web App for Containers (Windows and Linux, requires Azure DNS)
- Azure App Service Environment (Windows and Linux)
- Issuing a certificate to the Deployment Slot
- Issuing certificates for Zone Apex Domains
- Issuing certificates with SANs (subject alternative names) (one certificate for multiple domains)
- Wildcard certificate (requires Azure DNS)
- Support for multiple App Services in a single application
- ACME-compliant Certification Authorities
  - Let's Encrypt
  - Buypass Go SSL
  - ZeroSSL (Requires EAB Credentials)
Deployment
Learn more at https://github.com/shibayan/appservice-acmebot/wiki/Getting-Started
Getting started is not a complicated process.
Use the Deploy to Azure button and the necessary resources will be built automatically.
Setting up Access Control (IAM) can be a bit tricky, but don't worry.
Just grant permissions on the resource group in which you want to use Let's Encrypt.
Congratulations! Once the IAM is configured, you can issue the certificate via the web UI.
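A wildcard name such as `*.example.com` covers only one label, so it does not cover the zone apex `example.com` itself, which is why both kinds of entry appear on these certificates. The following check is an added example of mine, not part of Acmebot; the SAN list and bound hostnames are constructed, and a real SAN list would be read from the issued certificate.

```python
"""Check that a certificate's SAN list covers every hostname bound to an App Service."""
from __future__ import annotations

# Constructed inputs: what an apex + wildcard certificate for example.com would carry,
# and the hostnames bound to the App Service (not taken from any real deployment).
ISSUED_SANS = ["example.com", "*.example.com"]
BOUND_HOSTNAMES = ["example.com", "www.example.com", "api.example.com", "dev.api.example.com"]


def san_matches(san: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname using the usual TLS rules.

    A leading '*' stands for exactly one leftmost label, so '*.example.com'
    matches 'www.example.com' but not 'example.com' or 'a.b.example.com'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # A wildcard needs at least two fixed labels ('*.com' is never valid) and the
    # hostname must have exactly as many labels as the wildcard pattern.
    if len(san_labels) < 3 or len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_hostnames(sans: list[str], hostnames: list[str]) -> list[str]:
    """Return the bound hostnames that no SAN entry covers (empty list means all covered)."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # A wildcard-only certificate leaves the apex uncovered; adding the apex SAN fixes that,
    # while a second-level host like dev.api.example.com still needs its own entry.
    print("wildcard only  ->", uncovered_hostnames(["*.example.com"], BOUND_HOSTNAMES))
    print("apex + wildcard->", uncovered_hostnames(ISSUED_SANS, BOUND_HOSTNAMES))
```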
For other services
If you need to use Let's Encrypt with an Azure service other than App Service, I recommend using the Key Vault version of Acmebot.
You can issue certificates from Let's Encrypt freely by simply adding the settings of supported DNS providers.
shibayan / keyvault-acmebot
Automated ACME SSL/TLS certificates issuer for Azure Key Vault (App Service / Container Apps / App Gateway / Front Door / CDN / others)
Key Vault Acmebot
Motivation
We have begun to address the following requirements:
- Securely store SSL/TLS certificates with Azure Key Vault
- Centralize management of large numbers of certificates with a single Key Vault
- Easy to deploy and configure solution
- Highly reliable implementation
- Easy to monitor (Application Insights, Webhook)
Key Vault Acmebot provides secure and centralized management of ACME certificates.
Feature Support
- Issue certificates for Zone Apex, Wildcard and SANs (multiple domains)
- Dedicated dashboard for easy certificate management
- Automated certificate renewal
- Support for ACME v2 compliant Certification Authorities
  - Let's Encrypt
  - Buypass Go SSL
  - ZeroSSL (Requires EAB Credentials)
  - Google Trust Services (Requires EAB Credentials)
  - SSL.com (Requires EAB Credentials)
  - Entrust (Requires EAB Credentials)
- Certificates can be used with many Azure services
  - Azure App Services (Web Apps / Functions / Containers…
Integration with Key Vault makes it easy to use Let's Encrypt certificates with services such as Application Gateway and Azure Front Door.
You can create all the resources you need from the Deploy to Azure button just like the App Service version. It's easy.
You will need to set up an additional access policy for the Key Vault, but it's not difficult to do so as long as you follow the README.
Personally, I recommend using the Key Vault version. It can be used with various services such as App Service and Front Door.
Enjoy your Azure Serverless life!
Top comments (3)
Perfect solution!
The last time I looked into this, this was really hard/cumbersome to do. I'm glad that this got so easy even though it's still not implemented natively. (why Microsoft, why?)
Thank you!
Awesome solution. How about IIS servers? Maybe you can create one with the same function to store on Key Vault and manage with Azure Function Apps, for monitoring as well.