Requesting SSL certificate from Let's Encrypt using manual verification for Azure WebSite

18 Jun 2020

openssl powershell ssl

A summary of the commands needed to quickly generate a new SSL certificate for an Azure Website. We will request the certificate from Let's Encrypt using the manual HTTP-01 challenge and use Kudu to pass the validation.

We will be using certbot to request the certificate from the command line. Although it is possible to install it on Windows (explained in the article Running Certbot on Windows - Phase 1), it is much easier to run it from Linux. In this article we will use both Windows Subsystem for Linux 2 and an Azure VM.

Prepare Azure Website for the manual challenge

You need to configure your website to be able to host extensionless files under the URL http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>

To do that, open the Kudu console for your Azure app (if your website's Azure URL is https://<websitename>.azurewebsites.net/, Kudu is accessible at https://<websitename>.scm.azurewebsites.net/)

Open Debug Console > PowerShell

Navigate to site\wwwroot\

Create a .well-known folder, and inside it an acme-challenge folder. Inside that, create a web.config file with the following content to enable extensionless file support.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="*" mimeType="text/json" />
        </staticContent>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="File" requireAccess="Read" />
        </handlers>
    </system.webServer>
</configuration>

You can create a dummy test file to validate that the new configuration works as expected and that the file content is displayed when you navigate to http://<YOUR_DOMAIN>/.well-known/acme-challenge/test.

Install WSL2 on your machine

You need to be running Windows 10, version 2004, which supports Hyper-V virtualization, as explained here

Enable Hyper-V

Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform

Enable WSL

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

You might see this message after running that command: "WSL 2 requires an update to its kernel component. For information please visit https://aka.ms/wsl2kernel". Follow the link and install the MSI from that page.

Go to the Microsoft Store and install Debian

Get Certbot

Install certbot (for other systems you may follow the guides in the official docs)

sudo apt-get update
sudo apt-get install certbot

Request new certificate

sudo certbot certonly --email <your-email> -d <your-domain> --agree-tos --manual

You will see the following output (you might also be asked whether you want to share your email with a third party; you can answer No to that)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <your-domain>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

Answer Y (you can't say No here)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

_cZlHtcA4U80CB66f3TH78132ee5cYrJJi7Lk3FXJAU.Oww5lwNSS9WD5-PnXEyKJn3oGjcivmy6z-shKDZPsj4

And make it available on your web server at this URL:

http://<your-domain>/.well-known/acme-challenge/_cZlHtcA4U80CB66f3TH78132ee5cYrJJi7Lk3FXJAU

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Before you press Enter, create the required file using Kudu and verify that it is accessible under the link displayed in the console.
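The check described above, as an added example that is not part of the original post: it parses the token and key authorization out of certbot's prompt, fetches the challenge URL over plain HTTP the way the CA does, and reports the usual reasons a manual challenge fails (wrong content, a UTF-8 BOM added by an editor, or an HTML error page returned because web.config was not picked up). The sample prompt reuses the token printed above; the domain and the function names are this example's own.

```python
# Added example (not part of the original post): check that the HTTP-01 challenge
# file is served correctly before pressing Enter in certbot --manual (stdlib only).
import re
import urllib.request

TOKEN = r"[A-Za-z0-9_-]+"  # ACME tokens and JWK thumbprints are base64url
URL_RE = re.compile(r"http://[^/\s]+/\.well-known/acme-challenge/(" + TOKEN + r")")
KEYAUTH_RE = re.compile(r"^(" + TOKEN + r")\.(" + TOKEN + r")$")

# Prompt as printed by certbot in the post above (its token reused as sample input).
SAMPLE_PROMPT = """Create a file containing just this data:
_cZlHtcA4U80CB66f3TH78132ee5cYrJJi7Lk3FXJAU.Oww5lwNSS9WD5-PnXEyKJn3oGjcivmy6z-shKDZPsj4
And make it available on your web server at this URL:
http://<your-domain>/.well-known/acme-challenge/_cZlHtcA4U80CB66f3TH78132ee5cYrJJi7Lk3FXJAU"""

def parse_certbot_prompt(text):
    """Return (token, key_authorization) from certbot's manual-mode prompt: the key
    authorization is '<token>.<account-key-thumbprint>' and the URL ends with the token."""
    url = URL_RE.search(text)
    keyauth = None
    for line in text.splitlines():
        m = KEYAUTH_RE.match(line.strip())
        if m:
            keyauth = m
            break
    if url is None or keyauth is None:
        raise ValueError("prompt lacks a challenge URL or key authorization")
    if keyauth.group(1) != url.group(1):
        raise ValueError("token in URL differs from token in key authorization")
    return url.group(1), keyauth.group(0)

def check_body(body, keyauth):
    """List problems with a fetched challenge body ([] means it will validate). The CA
    ignores trailing whitespace only, so a UTF-8 BOM or an HTML 200 error page both fail."""
    problems = []
    if body.startswith("\ufeff"):
        problems.append("body starts with a UTF-8 BOM; save the file without BOM")
    if "<html" in body.lower():
        problems.append("body is an HTML page, not the raw challenge text")
    if body.rstrip() != keyauth:
        problems.append("body does not equal the key authorization")
    return problems

def fetch_and_check(domain, prompt_text, timeout=10):
    """Fetch the challenge over plain HTTP (redirects followed, as the CA does) and report problems."""
    token, keyauth = parse_certbot_prompt(prompt_text)
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return check_body(body, keyauth)
```

Run `fetch_and_check("<your-domain>", prompt_text)` with the prompt text pasted from certbot; an empty list means the file will pass validation.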

Once you pass the validation you will be able to see the files in the /etc/letsencrypt/ folder. Use the following commands to open that folder in Windows Explorer

cd /etc/letsencrypt/
explorer.exe .

You can copy the files from that folder to some windows location.

To generate the final .pfx certificate for the website, open the \letsencrypt\live\<your-domain> folder and run

openssl pkcs12 -inkey privkey.pem -in cert.pem -export -out cert.pfx # cert.pem is the leaf certificate only; pass -in fullchain.pem instead to also include the intermediate chain in the .pfx

List of commands to use when running from an Azure VM (Debian 10.4)

In local PowerShell

ssh mateusz@52.230.31.107 # ssh <username>@<vm-ip>

On the remote VM

sudo apt-get install certbot
sudo certbot certonly --email <your-email> -d <your-domain> --agree-tos --manual
sudo apt-get install zip
zip -r letsencrypt.zip /etc/letsencrypt/
ls -l letsencrypt.zip # file is owned by root
sudo chown mateusz:mateusz letsencrypt.zip # chown <username>:<username> changes the ownership to you
ls -l letsencrypt.zip # file should be owned by you
exit

In local PowerShell

scp mateusz@52.230.31.107:letsencrypt.zip . # scp <username>@<vm-ip>:<filepath> <local-filepath>

This should download the zip with all relevant files to your machine.

Links

Install WSL 2 on Windows 10
How to Access Linux Files in a Windows Subsystem for Linux (WSL) Distro from Windows 10
Let’s Encrypt - How It Works
Get Certbot
Running Certbot on Windows - Phase 1
Azure Web App - Extension-less URL issues
Extensionless Static Files are Very Painful to Configure Under IIS - final fix
Encrypt https domain server with Azure Application Gateway
Automating Azure Application Gateway SSL certificate renewals with Let’s Encrypt and Azure Automation
How To Zip Folder on Linux - pretty cool blog btw
Chown Command in Linux (File Ownership)
DigiCert - How to convert .pfx file to .pem format including private key
Free certificates using Certes CLI - another cli client that can be used to manage the acme account based on .net. Thanks to Adrian Clark for recommending that one.
GitHub - Certes


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.