Easy automation of Let's Encrypt for Azure App Service (Web Apps / Functions / Containers)

kbdavis07/azure-appservice-letsencrypt

 
 

Azure App Service Let's Encrypt

This function provides easy automation of Let's Encrypt for Azure App Service. The project was started to solve the following problems:

  • Support multiple app services
  • Simple deployment and configuration
  • Robustness of implementation
  • Easy monitoring (Application Insights)

You can manage the certificates of multiple App Services with a single, simple Function App.

Feature Support

  • Azure Web Apps and Azure Functions (Windows)
  • Azure Web Apps (Linux) / Web App for Containers (requires Azure DNS)
  • Certificates issued to deployment slots
  • Subject Alternative Names certificates (multi domains)
  • Wildcard certificates (requires Azure DNS)
  • Multiple App Services with one Function App

Requirements

  • Azure Subscription
  • App Service with added hostnames
  • Email address (for Let's Encrypt account)

Getting Started

1. Deploy to Azure Functions

2. Add application settings keys

  • LetsEncrypt:SubscriptionId
    • Azure Subscription Id
  • LetsEncrypt:Contacts
    • Email address for Let's Encrypt account

3. Enable App Service Authentication (EasyAuth) with AAD

Open Authentication / Authorization in the Azure Portal and turn on App Service Authentication. Then select Log in with Azure Active Directory as the action to take when a request is not authenticated.

Set up Azure Active Directory provider by selecting Express.

4. Assign roles to target resource group

Using Access control (IAM), assign roles to the Function App. The "Website Contributor" and "Web Plan Contributor" roles are required.

Remarks

If the Web App refers to a Service Plan in a different resource group, assign the "Website Contributor" role on the resource group that contains the Web App and the "Web Plan Contributor" role on the resource group that contains the Service Plan.

Usage

Adding new certificate

Go to https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate. A Web UI is displayed; select the target App Service and domain, then execute it, and a certificate will be issued.

If nothing is displayed in the dropdown, the IAM setting is incorrect.

Renew certificates

Once a day, this function checks the expiration date of certificates whose issuer is "Let's Encrypt Authority X3" or "Let's Encrypt Authority X4".

The default time is UTC 00:00, so if necessary you can set any time zone with WEBSITE_TIME_ZONE.
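
An added example (not code from this project): a small Python audit that applies the issuer rule described above to a certificate inventory and flags certificates that are close to expiry but fall outside that rule, so they are not silently missed. The record fields, the 30-day warning window and the sample inventory are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Issuer names the page says the daily renewal check matches.
MANAGED_ISSUERS = {"Let's Encrypt Authority X3", "Let's Encrypt Authority X4"}
# Assumption: warning window chosen for this example; the page states no threshold.
WARN_WINDOW = timedelta(days=30)


def audit(certs, now):
    """Split certificates into those the renewal timer covers and those it skips.

    Returns (managed, unmanaged_expiring). The second list holds certificates
    that expire within WARN_WINDOW (or already have) and whose issuer is not in
    MANAGED_ISSUERS, so the daily check described above does not look at them.
    """
    managed, unmanaged_expiring = [], []
    for cert in certs:
        expires = datetime.fromisoformat(cert["expirationDate"])
        if expires.tzinfo is None:  # treat naive timestamps as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if cert["issuer"] in MANAGED_ISSUERS:
            managed.append(cert["subjectName"])
        elif expires - now <= WARN_WINDOW:
            unmanaged_expiring.append(cert["subjectName"])
    return managed, unmanaged_expiring


# Constructed inventory (hypothetical hosts, issuers and dates, not real data).
SAMPLE = [
    {"subjectName": "www.example.com", "issuer": "Let's Encrypt Authority X3",
     "expirationDate": "2020-03-10T00:00:00+00:00"},
    {"subjectName": "*.example.com", "issuer": "Let's Encrypt Authority X4",
     "expirationDate": "2020-04-20T00:00:00+00:00"},
    {"subjectName": "shop.example.com", "issuer": "Example Commercial CA",
     "expirationDate": "2020-03-05T00:00:00+00:00"},
    {"subjectName": "api.example.com", "issuer": "Example Commercial CA",
     "expirationDate": "2021-01-01T00:00:00+00:00"},
    {"subjectName": "old.example.com", "issuer": "Example Commercial CA",
     "expirationDate": "2020-02-01T00:00:00"},
]

if __name__ == "__main__":
    now = datetime(2020, 2, 20, tzinfo=timezone.utc)
    managed, at_risk = audit(SAMPLE, now)
    print("covered by renewal timer:", managed)
    print("expiring and NOT covered:", at_risk)
```

Certificates in the second list need their own renewal process or alerting, because the issuer filter means this function will not pick them up.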

Deploy new version

This function uses Run From Package. To deploy the latest version, just restart Azure Functions.

Wildcard and Linux Container support

If you need a wildcard certificate, additionally assign the "DNS Zone Contributor" role on the Azure DNS zone or its resource group.

Certificates for "App Service on Linux" and "Web App for Container" require Azure DNS.

Known Issues

Azure REST API error at GetSite or Dns01Precondition

Make sure that the required roles are assigned on the resource group. Azure IAM changes may take up to 30 minutes to be reflected.

Thanks

License

This project is licensed under the Apache License 2.0
