Requesting SSL certificate from Let's Encrypt using manual verification for Azure WebSite
18 Jun 2020
Tags: openssl, powershell, ssl
Summary of the commands needed to quickly generate a new SSL certificate for an Azure Website. We will request the certificate from Let's Encrypt using a manual HTTP-01 challenge and use Kudu to place the challenge file so the validation passes.
We will use certbot to request the certificate from the command line. Although it is possible to install it on Windows (explained in Running Certbot on Windows - Phase 1, see Links), it is much easier to run it from Linux. In this article we will use both Windows Subsystem for Linux 2 and an Azure VM.
Prepare Azure Website for the manual challenge
You need to configure your website to serve extensionless files under the URL http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. Let's Encrypt fetches this over plain HTTP on port 80 (it follows redirects, so an existing HTTP-to-HTTPS redirect is fine as long as the redirect target serves the same file).
To do that, open the Kudu console for your Azure app (if your website's Azure URL is https://<websitename>.azurewebsites.net/, Kudu is accessible under https://<websitename>.scm.azurewebsites.net/).
Open Debug Console > PowerShell.
Navigate to site\wwwroot\.
Create a .well-known folder, and inside it an acme-challenge folder. Inside that folder create a web.config file with the following content to enable extensionless file support. Keep this web.config inside acme-challenge only: it clears all handlers and serves every file in the folder as static content, which is appropriate for this one folder but not for the whole site.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension="*" mimeType="text/json" />
</staticContent>
<handlers>
<clear />
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
</handlers>
</system.webServer>
</configuration>
You can create a dummy test file to validate that the new configuration works as expected: its content should be displayed when you navigate to http://<YOUR_DOMAIN>/.well-known/acme-challenge/test. Remove the test file once you have checked it.
Install WSL2 on your machine
You need to run Windows 10, version 2004, which supports the virtualization features WSL 2 needs, as explained in Install WSL 2 on Windows 10 (see Links). Run the following commands in an elevated PowerShell.
Enable the Virtual Machine Platform (the Hyper-V based layer WSL 2 runs on)
Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform
Enable WSL
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
You might see this message after running that command: "WSL 2 requires an update to its kernel component. For information please visit https://aka.ms/wsl2kernel". Follow the link and install the MSI from that page.
Go to the Microsoft Store and install Debian.
Get Certbot
Install certbot (for other systems follow the guides in the official docs, see Get Certbot in Links)
sudo apt-get update
sudo apt-get install certbot
Request new certificate
sudo certbot certonly --email <your-email> -d <your-domain> --agree-tos --manual
You will see the following output (you might also be asked whether you want to share your email address with the EFF; you can answer No to that):
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <your-domain>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Answer Y (answering No aborts the request; the manual plugin requires this acknowledgement).
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
_cZlHtcA4U80CB66f3TH78132ee5cYrJJi7Lk3FXJAU.Oww5lwNSS9WD5-PnXEyKJn3oGjcivmy6z-shKDZPsj4
And make it available on your web server at this URL:
http://<your-domain>/.well-known/acme-challenge/_cZlHtcA4U80CB66f3TH78132ee5cYrJJi7Lk3FXJAU
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Before you press Enter, create the required file using Kudu (the file name is the token without any extension, and its content is the whole <token>.<key> string shown above, on a single line) and verify it is accessible under the link displayed in the console. Only then press Enter; Let's Encrypt fetches the URL immediately and a failed attempt counts against the rate limits.
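The two manual steps above (placing the challenge file in .well-known/acme-challenge through Kudu, then checking the public URL before pressing Enter) can be handed to certbot as a --manual-auth-hook. The script below is an added example and not part of the original post: it writes the file through the Kudu VFS REST API (https://<websitename>.scm.azurewebsites.net/api/vfs/...) and polls the public URL until it serves the exact key authorization. KUDU_SITE, KUDU_USER and KUDU_PASS (App Service deployment credentials) are assumed environment variables; CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION are set by certbot itself when it runs the hook.

```sh
#!/bin/sh
# kudu-hook.sh - added example, not part of the original post.
# Used as certbot's --manual-auth-hook (mode "auth") and --manual-cleanup-hook
# (mode "cleanup"). It writes the challenge file through the Kudu VFS REST API
# instead of the Kudu console and waits until the public URL really serves it
# before certbot asks Let's Encrypt to validate.
#
# Assumed environment (not in the post):
#   KUDU_SITE             the <websitename> part of <websitename>.scm.azurewebsites.net
#   KUDU_USER, KUDU_PASS  App Service deployment credentials (Kudu uses basic auth)
# Supplied by certbot: CERTBOT_DOMAIN, CERTBOT_TOKEN, CERTBOT_VALIDATION.

# RFC 8555 tokens are base64url ([A-Za-z0-9_-]). The token becomes a file name and
# part of two URLs, so anything else (empty, "../", spaces) is rejected outright.
token_is_safe() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# URL Let's Encrypt fetches: always plain http on port 80, file without extension.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# The same file addressed through the Kudu VFS API under site/wwwroot.
kudu_vfs_url() {
    printf 'https://%s.scm.azurewebsites.net/api/vfs/site/wwwroot/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# PUT the key authorization as the file body. "If-Match: *" lets the PUT overwrite
# an existing file; -f turns an HTTP error into a non-zero exit so certbot stops.
kudu_put() {
    curl -sS -f -u "$KUDU_USER:$KUDU_PASS" -H 'If-Match: *' -X PUT \
        --data-binary "$3" "$(kudu_vfs_url "$1" "$2")" >/dev/null
}

# Remove the challenge file again once validation is over.
kudu_delete() {
    curl -sS -f -u "$KUDU_USER:$KUDU_PASS" -H 'If-Match: *' -X DELETE \
        "$(kudu_vfs_url "$1" "$2")" >/dev/null
}

# Poll the public URL (following redirects, as Let's Encrypt does) until the body
# is exactly the expected key authorization; give up after about a minute.
wait_until_served() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        body=$(curl -sS -L --max-time 10 "$1" 2>/dev/null || true)
        [ "$body" = "$2" ] && return 0
        tries=$((tries + 1))
        sleep 2
    done
    echo "challenge file not served at $1" >&2
    return 1
}

case "${1:-}" in
    auth)
        token_is_safe "$CERTBOT_TOKEN" || { echo "refusing unsafe token" >&2; exit 1; }
        kudu_put "$KUDU_SITE" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
        wait_until_served "$(challenge_url "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN")" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        token_is_safe "$CERTBOT_TOKEN" && kudu_delete "$KUDU_SITE" "$CERTBOT_TOKEN"
        ;;
esac
```

Invoke it as sudo --preserve-env=KUDU_SITE,KUDU_USER,KUDU_PASS certbot certonly --manual --manual-auth-hook "/path/kudu-hook.sh auth" --manual-cleanup-hook "/path/kudu-hook.sh cleanup" -d <your-domain> --email <your-email> --agree-tos (sudo drops the environment otherwise). The deployment credentials can write anything under wwwroot, so source them from a file with mode 600 rather than typing them into the shell history, and the cleanup hook makes sure the challenge file does not stay published after the run.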
Once validation passes, the files are in /etc/letsencrypt/. The current certificate and key for the domain are the symlinks in /etc/letsencrypt/live/<your-domain>/ (privkey.pem, cert.pem, chain.pem, fullchain.pem); the live/ and archive/ directories are readable by root only, so use sudo to read or copy them. Use the following commands to open that folder in Windows Explorer from WSL:
cd /etc/letsencrypt/
explorer.exe .
You can copy the files from that folder to a Windows location. privkey.pem is the private key of your site: keep the copy out of shared or synced folders and delete it once the PFX has been uploaded.
To generate the final .pfx certificate for the website, open \letsencrypt\live\<your-domain> and run
openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile chain.pem -out cert.pfx
-certfile chain.pem packs the Let's Encrypt intermediate, which Azure requires to be present in an uploaded PFX, and openssl prompts for an export password; Azure asks for that password when you upload the certificate to the Web App, so do not leave it empty.
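As an added example (not code from the original post), the following script wraps the PFX export above and then reads the PFX back to confirm that the password works and that both the leaf certificate and the intermediate were packed. It takes the certbot live directory and the output path as arguments; PFX_PASSWORD is an assumed environment variable holding the export password.

```sh
#!/bin/sh
# make-pfx.sh - added example, not part of the original post.
# Builds the PFX Azure expects from a certbot live directory and checks what went in.
# Arguments: <certbot live dir> <output .pfx>. PFX_PASSWORD is an assumed
# environment variable holding the export password (Azure asks for it on upload).

# -certfile chain.pem packs the Let's Encrypt intermediate, which Azure requires in the PFX.
# -passout env:... keeps the password off the command line (and out of `ps` and shell history).
make_pfx() {
    dir=$1; out=$2
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; return 1; }
    umask 077   # the PFX holds the private key: owner-only from the moment it is created
    openssl pkcs12 -export \
        -inkey "$dir/privkey.pem" -in "$dir/cert.pem" -certfile "$dir/chain.pem" \
        -out "$out" -passout env:PFX_PASSWORD
}

# Subject of the leaf certificate in the PFX; also proves the password opens it.
# -clcerts prints only the certificate bound to the key, not the chain.
pfx_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl x509 -noout -subject
}

# Number of certificates in the PFX; 2 means leaf + intermediate were packed.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASSWORD 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

if [ "$#" -ge 2 ]; then
    make_pfx "$1" "$2" && pfx_subject "$2" && echo "certificates packed: $(pfx_cert_count "$2")"
fi
```

Run it as PFX_PASSWORD=... ./make-pfx.sh /etc/letsencrypt/live/<your-domain> cert.pfx (with sudo, or after copying the files out as described above). Azure's upload requirements for private certificates also list triple-DES encryption of the PFX; OpenSSL 1.1, which Debian 10 ships, uses that by default, but if a newer OpenSSL 3 build produces a PFX whose password Azure rejects, re-export with the -legacy option added.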
List of commands to use when running from an Azure VM (Debian 10.4)
In local PowerShell
ssh mateusz@52.230.31.107 # ssh <username>@<vm-ip>
In the remote VM
sudo apt-get install certbot
sudo certbot certonly --email <your-email> -d <your-domain> --agree-tos --manual
sudo apt-get install zip
sudo zip -r letsencrypt.zip /etc/letsencrypt/ # sudo is needed: live/ and archive/, where the private keys are, are readable by root only
ls -l letsencrypt.zip # file is owned by root
sudo chown mateusz:mateusz letsencrypt.zip # chown <username>:<username> changes the ownership to you
ls -l letsencrypt.zip # file should be owned by you
exit
In local PowerShell
scp mateusz@52.230.31.107:letsencrypt.zip . # scp <username>@<vm-ip>:<filepath> <local-filepath>
This downloads the zip with all relevant files to your machine. Note that zip creates the archive with your default umask, so it is typically readable by every user on the VM even though it contains your private key; run chmod 600 letsencrypt.zip before leaving it in your home directory, and delete it from the VM once the download has finished.
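The zip-and-scp handoff above leaves a copy of the private key on the VM with whatever permissions the default umask gives it. The script below is an added example, not from the original post, that packs the certbot directory with owner-only permissions from the start, keeps the live/ symlinks intact, and prints a SHA-256 so the copy can be verified after scp (Get-FileHash -Algorithm SHA256 on the Windows side). It takes the source directory, the output archive and the user to hand the archive to as arguments; on the VM it has to run under sudo for the same reason as the zip command.

```sh
#!/bin/sh
# pack-letsencrypt.sh - added example, not part of the original post.
# Packs a certbot directory for transfer off the VM so that the private keys
# are never readable by other users, and prints a SHA-256 to compare after scp.
# Arguments: <source dir> <output .tar.gz> <owner to chown the archive to>.
# Run it with sudo on the VM: certbot keeps live/ and archive/ readable by root only.

# 0 when the file's group and other permission bits are all clear (owner-only).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# tar keeps the live/ symlinks as symlinks; they point into archive/ relatively,
# so they still resolve after extraction because archive/ is in the same tarball.
pack_private() {
    src=$1; out=$2; owner=$3
    umask 077                           # archive is born 0600: no window where it is world-readable
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    chown "$owner" "$out" 2>/dev/null || true   # lets scp read it as the normal user (no-op without root)
    sha256sum "$out" 2>/dev/null || shasum -a 256 "$out"   # compare this on the receiving side
}

# Entries inside the archive, to confirm keys and symlinks went in.
list_archive() {
    tar -tzf "$1"
}

if [ "$#" -ge 3 ]; then
    pack_private "$1" "$2" "$3"
fi
```

Typical use on the VM is sudo ./pack-letsencrypt.sh /etc/letsencrypt "$HOME/letsencrypt.tar.gz" "$USER", followed by the same scp as above and rm of the archive on the VM once the hash matches; Windows 10 extracts the result with its built-in tar -xzf.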
Links
Install WSL 2 on Windows 10
How to Access Linux Files in a Windows Subsystem for Linux (WSL) Distro from Windows 10
Let’s Encrypt - How It Works
Get Certbot
Running Certbot on Windows - Phase 1
Azure Web App - Extension-less URL issues
Extensionless Static Files are Very Painful to Configure Under IIS - final fix
Encrypt https domain server with Azure Application Gateway
Automating Azure Application Gateway SSL certificate renewals with Let’s Encrypt and Azure Automation
How To Zip Folder on Linux - pretty cool blog btw
Chown Command in Linux (File Ownership)
DigiCert - How to convert .pfx file to .pem format including private key
Free certificates using Certes CLI - another cli client that can be used to manage the acme account based on .net. Thanks to Adrian Clark for recommending that one.
GitHub - Certes
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.