This function provide easy automation of Let's Encrypt for Azure App Service. This project started to solve some problems.
- Support multiple app services
- Simple deployment and configuration
- Robustness of implementation
- Easy monitoring (Application Insights)
They can manage multiple App Service certificates with simple one Functions.
- Azure Web Apps and Azure Functions (Windows)
- Azure Web Apps (Linux) / Web App for Containers (required Azure DNS)
- Certificate issued to Deployment slot
- Subject Alternative Names certificates (multi domains)
- Wildcard certificates (required Azure DNS)
- Multiple App Service with one Functions
- Azure Subscription
- App Service with added hostnames
- Email address (for Let's Encrypt account)
- LetsEncrypt:SubscriptionId
- Azure Subscription Id
- LetsEncrypt:Contacts
- Email address for Let's Encrypt account
Open Authentication / Authorization
from Azure Portal and turn on App Service Authentication. Then select Log in with Azure Active Directory
as an action when not logging in.
Set up Azure Active Directory provider by selecting Express
.
Using Access control (IAM)
, assign a role to Function App. Require "Website Contributor" and "Web Plan Contributor" role.
Remarks
If the Web App refers to a Service Plan in a different resource group, Please assign "Website Contributor" role for Resource Group with Web App and "Web Plan Contributor" role for Resource Group with Service Plan.
Go to https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate
. Since the Web UI is displayed, if you select the target App Service and domain and execute it, a certificate will be issued.
If nothing is displayed in the dropdown, the IAM setting is incorrect.
This function will check the expiration date once a day for the certificate issuer is "Let's Encrypt Authority X3" or "Let's Encrypt Authority X4".
The default time is UTC 00:00, so if necessary they can set any time zone with WEBSITE_TIME_ZONE
.
This function use Run From Package
. To deploy the latest version, just restart Azure Functions.
If they need a Wildcard certificate, additional assign "DNS Zone Contributor" role to Azure DNS or Resource group.
Certificates for "App Service on Linux" and "Web App for Container" is required Azure DNS.
Causes Azure REST API error at GetSite or Dns01Precondition
Make sure that the required role is assign for the resource group. Azure IAM may take up to 30 minutes to be reflected.
- ACMESharp Core by @ebekker
- Durable Functions by @cgillum and contributors
This project is licensed under the Apache License 2.0