Using SSL certificates with LetsEncrypt

In this post we explain how quick and easy it is to assign an SSL certificate to your Azure WebApp. I have a WordPress WebApp already running, and the first thing we want to do is create a custom hostname for my site.

At this point I only have the default domain name that was assigned when the WebApp was created.

image of custom-domain

We will add a hostname, in my case using an A record (you could use a CNAME record instead).

image of add-hostname

To validate the hostname we need to create a TXT record in our DNS registrar.

image of txt-record-add

We will add a new A record in our DNS registrar to resolve the hostname to the public IP address assigned to the WebApp. If you used a CNAME record then you would just resolve to the default domain used when creating the WebApp (

image of a-record-add-new

Once this has been processed by the registrar, we will see the custom domain name successfully added in the Azure portal.

image of custom-domain-added

A dig query for the NS records of my custom domain name returns the original records from my DNS registrar.

Once the DNS change propagates (after the TTL expires), we will be able to resolve the custom domain to the WebApp hosted in Azure.

image of wordpress-installation

To install SSL certificates, we will go to the Advanced Tools section of the WebApp, and then to Site Extensions.

image of advanded-tools

image of site-extensions

We will go to the gallery and search for Lets Encrypt.

image of lets-encrypt-gallery

Install the module and click play.

image of install-and-play-letsencrypt

If we get the following message, the workaround is to stop and start the WebApp.

image of no-route-registered-letsencrypt

If this is successful, we will see the Lets Encrypt Authentication Settings.

image of Lets-encrypt-authentication-settings

We will need to create a service principal for my subscription, so that LetsEncrypt can access the WebApp application settings and bind the certificate.

image of create-sp

We can see the service principal in the Azure portal: on the WebApp, go to Access Control and select the name of the service principal. Then, under Properties, you will see the same values we got from the PowerShell command.

image of sp-azure-portal

Now, back in the authentication settings of Lets Encrypt, we will need the TenantID, SubscriptionID, ClientID, ClientSecret and RG name. ClientID is the value you get as appID when you created the service principal; ClientSecret is the password.

TenantID can be easily seen here:

image of tenant-id

ClientID can be seen here on the portal:

image of client-id

Once we pass these checks, we are almost done.

image of letsencrypt-result

We will hit next and create our SSL certificate, assigned to the custom domain.

image of certificate-installed

Finally, we just check in the WebApp SSL bindings section that the certificate is assigned to my custom domain.

image of sslbindings

And the final check is to go to the site and confirm that it is served over HTTPS.

image of https-working
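
The same final check can be scripted so it can be repeated after each renewal. This is an added example, not part of the original post: it confirms that the certificate covers the custom hostname, was issued by Let's Encrypt and is not close to expiry. The hostname blog.example.com, the 30-day threshold and the SAMPLE certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time

def fetch_cert(hostname, port=443, timeout=5.0):
    """TLS handshake with SNI; chain and hostname are verified by the default context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def san_matches(hostname, san):
    """Exact match, or a wildcard covering exactly one left-most label."""
    hostname, san = hostname.lower(), san.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return hostname == san

def check_binding(cert, hostname, now=None, min_days=30):
    """Return a list of problems; an empty list means the binding looks right."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(san_matches(hostname, s) for s in sans):
        problems.append(f"{hostname} not in SAN list {sans}")
    org = next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                if k == "organizationName"), None)
    if org != "Let's Encrypt":
        problems.append(f"unexpected issuer organisation: {org!r}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("certificate expired")
    elif days_left < min_days:
        problems.append(f"expires in {days_left:.0f} days; check that renewal ran")
    return problems

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (90-day lifetime).
SAMPLE = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "blog.example.com"),),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}
```

Against the live site, call check_binding(fetch_cert("your-hostname"), "your-hostname"); fetch_cert raises ssl.SSLCertVerificationError if the chain or hostname fails validation.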

Now that we can have secure connections to the site, it’s worth running an SSL test with Qualys SSL Labs.

Categories: azuresecurity

