Automation of Azure Application Gateway SSL certificate renewals with Let’s Encrypt and Azure Automation

Let's Encrypt is a free, open and automated certificate authority run by the non-profit Internet Security Research Group (ISRG) and backed by large companies such as Google, Facebook and Microsoft, with the goal of a more secure and privacy-respecting web.

It is already used by many websites and services around the world. If you can get SSL certificates issued by a well-known CA for free, there is no excuse not to use HTTPS on your website and be secure by default. Issuing a Let's Encrypt certificate can be automated with client software that speaks the ACME protocol, which normally runs on your web host. These certificates expire after no more than 3 months (which in itself improves security), so renewals have to be automated rather than done by hand.

A good example of this is the Let's Encrypt extension for Azure App Service, which automates renewals using a WebJob. You can read more about it in this blog post by Scott Hanselman.

When using Azure Application Gateway, one of the things you need to do is install the SSL certificate on the gateway. You probably want SSL offload, so that all the work of protecting the communication channel is done by the gateway and not by the servers behind it.

In this post I will cover only that scenario, showing how to automate Let's Encrypt SSL renewals on an Azure Application Gateway.

The idea behind this implementation is to complete the verification and validation that the Let's Encrypt process performs without modifying any of the infrastructure behind the Application Gateway. In summary:

  1. An Azure Automation runbook runs on a schedule (say, once every two weeks) to renew and install the current Let's Encrypt certificate. Let's Encrypt needs to validate domain ownership, so it returns a challenge token that the runbook stores in a storage account behind the Application Gateway.
  2. A special rule in the Application Gateway redirects the validation request from Let's Encrypt to the storage account, so the domain ownership check succeeds.
  3. The Azure Automation runbook downloads the new certificate and installs it on the Application Gateway.

Note that with this implementation there is no need to touch any other infrastructure behind the Application Gateway.

I wanted to issue and automatically renew a Let's Encrypt certificate for "api.davidjrh.com". Note that I already had a DNS A record pointing to my Application Gateway.

C:\> nslookup api.davidjrh.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    api.davidjrh.com
Address:  23.102.37.253

To implement the Let's Encrypt renewal process to issue new SSL certificates on Application Gateway, follow these steps:

Create a storage account

1. Create an Azure Storage account that will host the challenge files for the domain ownership verification. Use the cheapest options, i.e. "Standard" performance and LRS replication.

2. Once the storage account is ready, create a container named "public" with the "Blob" (public read access for blobs) access level.

3. Create the virtual directory ".well-known/acme-challenge" inside the container with the Storage Explorer tool.

Modify Application Gateway to redirect ACME challenge requests to the storage account

4. When you created the Azure Application Gateway, you probably defined a basic HTTP rule associated with an HTTP listener. You need to delete that rule; it will be replaced by a path-based rule in the next step.

5. Create a new path-based rule that redirects the requests Let's Encrypt will make during the renewal process, with the following configuration:

6. Set the same parameters you had in the HTTP rule and click "Add configuration".

7. Specify the path "/.well-known/acme-challenge/*" with a permanent redirect to an external site, using the URL of the storage account container you created earlier:

9. Test the rule by creating a file called "test.html" in the storage account and browsing to the path /.well-known/acme-challenge/test.html on your gateway's hostname over HTTP.

If everything is configured correctly, the Application Gateway should redirect your browser to the storage account when you open that URL, as shown below. Do not proceed until the redirect rule works.
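Steps 4 to 7 can also be done from PowerShell with the AzureRM.Network cmdlets, which helps if you manage the gateway from scripts rather than the portal. The block below is an added example, not part of the original post: it removes the basic rule bound to the HTTP listener, adds a permanent redirect for /.well-known/acme-challenge/* and a path-based rule that sends every other path to the existing backend pool, and then performs the step 9 check without following the redirect. The resource group, gateway, listener, backend pool, HTTP settings and storage account names are placeholders to replace with your own; the exact Location header you get depends on the "include path" option of the redirect.

```powershell
# Added example (not from the original post). Assumes AzureRM.Network is loaded
# and you are signed in with Add-AzureRmAccount. All names below are placeholders.
$ResourceGroup   = 'my-rg'
$GatewayName     = 'my-appgw'
$ListenerName    = 'appGatewayHttpListener'          # existing HTTP (port 80) listener
$BackendPool     = 'appGatewayBackendPool'           # existing backend pool
$HttpSettings    = 'appGatewayBackendHttpSettings'   # existing HTTP settings
$ChallengeTarget = 'https://mystorageaccount.blob.core.windows.net/public'

$gw = Get-AzureRmApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# Step 4: drop the basic rule bound to the HTTP listener (the listener itself stays).
$oldRule = $gw.RequestRoutingRules |
    Where-Object { $_.RuleType -eq 'Basic' -and $_.HttpListener.Id -like "*/$ListenerName" }
if ($oldRule) {
    $gw = Remove-AzureRmApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name $oldRule.Name
}

# Step 7: permanent redirect of the ACME challenge path to the public container.
# IncludePath appends the original path, so the blob layout must mirror the URL.
$gw = Add-AzureRmApplicationGatewayRedirectConfiguration -ApplicationGateway $gw `
        -Name 'acme-challenge-redirect' -RedirectType Permanent `
        -TargetUrl $ChallengeTarget -IncludePath $true -IncludeQueryString $false

$redirect = Get-AzureRmApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name 'acme-challenge-redirect'
$pool     = Get-AzureRmApplicationGatewayBackendAddressPool   -ApplicationGateway $gw -Name $BackendPool
$settings = Get-AzureRmApplicationGatewayBackendHttpSettings  -ApplicationGateway $gw -Name $HttpSettings
$listener = Get-AzureRmApplicationGatewayHttpListener         -ApplicationGateway $gw -Name $ListenerName

# Only the challenge path is redirected; the default route keeps the old pool/settings (steps 5-6).
$acmeRule = New-AzureRmApplicationGatewayPathRuleConfig -Name 'acme-challenge' `
                -Paths '/.well-known/acme-challenge/*' -RedirectConfiguration $redirect
$gw = Add-AzureRmApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'acme-path-map' `
        -PathRules $acmeRule -DefaultBackendAddressPool $pool -DefaultBackendHttpSettings $settings
$pathMap = Get-AzureRmApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'acme-path-map'

$gw = Add-AzureRmApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name 'http-path-based' `
        -RuleType PathBasedRouting -HttpListener $listener -UrlPathMap $pathMap

# Commit the configuration; this takes several minutes on the gateway side.
$gw = Set-AzureRmApplicationGateway -ApplicationGateway $gw

# Step 9 check: a HEAD request that does not follow redirects must get a 301 whose
# Location points into the storage container. HttpWebRequest returns 3xx responses
# normally when AllowAutoRedirect is off (only 4xx/5xx throw).
function Test-AcmeRedirect {
    param([string]$HostName, [string]$ExpectedPrefix)
    $req = [System.Net.HttpWebRequest]::Create("http://$HostName/.well-known/acme-challenge/test.html")
    $req.Method = 'HEAD'
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    $code = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    Write-Host "HTTP $code -> $location"
    return ($code -eq 301 -and $null -ne $location -and $location.StartsWith($ExpectedPrefix))
}

Test-AcmeRedirect -HostName 'api.davidjrh.com' -ExpectedPrefix $ChallengeTarget
```

Run the check again after the gateway update finishes; if it returns False, look at the printed Location before touching the rule, since a redirect to the right host but the wrong container path is the most common mistake.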

Installation of the Let's Encrypt certificate for the first time on the gateway

To install the Let's Encrypt certificate on the gateway for the first time, you must first issue it. There are several ways to do that, but the simplest is Certbot, a tool written in Python and available on GitHub that obtains certificates from Let's Encrypt. There are other clients too, so feel free to share better ideas in the comments section of this post.

I normally use a Windows 10 PC as my development environment, and the process to install the tool is described at this link, which basically shows how to install Python and then run "pip install certbot". But since I had the Windows Subsystem for Linux (Ubuntu) enabled on my laptop, I took this other approach:

  1. Opened a bash console on the Linux subsystem.
  2. Installed Certbot with "sudo apt-get install certbot".
  3. Ran the following command to issue the certificate locally in manual mode, registering an account with my email address in the Let's Encrypt service, accepting the Terms of Service and requesting a certificate for the domain "api.davidjrh.com":
    sudo certbot certonly --email <your email> -d api.davidjrh.com --agree-tos --manual
  4. Followed the instructions on screen and created the challenge file in the storage account with the required content.
  5. The certificate was issued successfully:

davidjrh@DESKTOP-JQL0N5G:~$ sudo ls /etc/letsencrypt/live/api.davidjrh.com
README  cert.pem  chain.pem  fullchain.pem  privkey.pem

The certificate, chain and private key are written in .pem format, and Application Gateway expects a .pfx, so I used OpenSSL to convert from PEM to PFX:
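The conversion itself is one OpenSSL command, but it is worth checking the resulting PFX before uploading it, because a file that lacks the private key or the intermediate chain is accepted by the portal and only fails later in the browser. The following PowerShell is an added example, not the post's own command: it runs the OpenSSL export on the certbot output directory and then loads the PFX with .NET to confirm it contains a certificate with a private key, its expiry and the number of chain certificates bundled with it. It assumes openssl is on the PATH (in the Linux subsystem or from Git for Windows, for instance) and that the account running it can read the files under /etc/letsencrypt/live, which normally requires sudo.

```powershell
# Added example (not from the original post). Assumes an openssl binary on PATH
# and read access to the certbot "live" directory of the domain.
function ConvertTo-Pfx {
    param(
        [Parameter(Mandatory)][string]$LiveDir,    # e.g. /etc/letsencrypt/live/api.davidjrh.com
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$Password
    )
    # fullchain.pem = leaf certificate + intermediates, privkey.pem = private key.
    # Using fullchain.pem (not cert.pem) is what makes the gateway serve the chain.
    & openssl pkcs12 -export `
        -inkey "$LiveDir/privkey.pem" `
        -in    "$LiveDir/fullchain.pem" `
        -out   $OutFile `
        -passout "pass:$Password"
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
    return Get-Item $OutFile
}

function Test-Pfx {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($Path, $Password, $flags)   # loads leaf + chain from the PKCS#12 file
    $leaf = $bundle | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $Path; check -inkey" }
    [pscustomobject]@{
        Subject    = $leaf.Subject
        NotAfter   = $leaf.NotAfter
        DaysLeft   = [int]($leaf.NotAfter - (Get-Date)).TotalDays
        ChainCerts = $bundle.Count - 1          # intermediates bundled with the leaf
    }
}

$pfxPassword = 'change-me'   # placeholder; pick a real password, you will need it in the portal
$pfx = ConvertTo-Pfx -LiveDir '/etc/letsencrypt/live/api.davidjrh.com' `
                     -OutFile './api.davidjrh.com.pfx' -Password $pfxPassword
Test-Pfx -Path $pfx.FullName -Password $pfxPassword
```

A Let's Encrypt PFX built from fullchain.pem should report at least one chain certificate and a DaysLeft close to 90; a ChainCerts of 0 means cert.pem was used instead of fullchain.pem.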

Finally, I modified my existing HTTPS listener to use the Let's Encrypt certificate. IMPORTANT: remember the name you give this certificate, because you will have to pass it as a parameter to the renewal process later.

After applying the changes, you can verify that the Let's Encrypt certificate is working properly just by browsing to a resource over HTTPS.

Now that the Let's Encrypt certificate is installed and working, the next step is to automate renewals. Let's do it with an Azure Automation runbook.

Create an automation account

1. In the Azure Portal, create an Azure Automation account (or use an existing one) to host the runbook. Note that you can create this automation account and run up to 500 minutes of jobs per month for free.

2. Inside the Automation account, open Modules and browse the gallery to import the following modules: "AzureRM.profile", "AzureRM.Network" and "ACMESharp". Make sure to import the latest version of all of them and to update the ones already imported (for instance, AzureRM.profile is present by default, but we need the latest version available in the gallery).

3. In the Azure Automation account, create a PowerShell runbook called LetsEncryptCertificateRenewal.

4. Edit the PowerShell runbook, paste the content of the script available on GitHub and click "Publish" so that it can be scheduled.

You can test the runbook in the Test pane, passing the required parameters (domain name, email address used with Let's Encrypt, resource group names, storage account name, Application Gateway name and the certificate name you used when configuring the HTTPS listener). It takes about 15 minutes to complete. When you browse the site again over HTTPS, you will see that the certificate has been updated.

IMPORTANT: Let's Encrypt enforces its own weekly rate limits when issuing production certificates for a given domain (50 per week), so be careful when testing the PowerShell script.
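To make the runbook's parameters and the three-step design concrete, here is an added example of a minimal renewal runbook. It is not the script the post links on GitHub; it is written here from the post's description. It signs in with the Automation account's Run As connection, asks Let's Encrypt for an http-01 challenge through ACMESharp, publishes the token as a blob in the "public" container (where the gateway's redirect rule sends the validation request), waits for the authorization, exports the new certificate as a PFX and installs it on the gateway under the name the HTTPS listener already uses. Beyond the post's module list it assumes the Azure.Storage and AzureRM.Storage modules are imported as well; the ACMESharp cmdlet names and the challenge properties FilePath and FileContent are quoted from memory of that module and should be checked against its documentation before use.

```powershell
# Added example runbook (not the post's GitHub script). Assumes AzureRM.profile,
# AzureRM.Network, AzureRM.Storage, Azure.Storage and ACMESharp are imported and a
# Run As account named AzureRunAsConnection exists. ACMESharp property names are
# assumptions to verify against the module docs.
param(
    [Parameter(Mandatory)][string]$Domain,               # e.g. api.davidjrh.com
    [Parameter(Mandatory)][string]$EmailAddress,         # Let's Encrypt account contact
    [Parameter(Mandatory)][string]$StorageResourceGroup,
    [Parameter(Mandatory)][string]$StorageAccountName,
    [Parameter(Mandatory)][string]$GatewayResourceGroup,
    [Parameter(Mandatory)][string]$GatewayName,
    [Parameter(Mandatory)][string]$CertificateName       # name used on the HTTPS listener
)

# Sign in with the Automation account's service principal (no stored passwords).
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# Step 1: request an http-01 challenge and publish the token behind the gateway.
# Each job runs in a fresh sandbox, so the ACME vault is created from scratch.
$alias = "$($Domain -replace '\.', '-')-$(Get-Date -Format 'yyyyMMddHHmm')"
Initialize-ACMEVault
New-ACMERegistration -Contacts "mailto:$EmailAddress" -AcceptTos | Out-Null
New-ACMEIdentifier -Dns $Domain -Alias $alias | Out-Null
$authz = Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler manual
$http  = ($authz.Challenges | Where-Object { $_.Type -eq 'http-01' }).Challenge

$tokenFile = Join-Path $env:TEMP 'acme-challenge.txt'
Set-Content -Path $tokenFile -Value $http.FileContent -NoNewline

$key = (Get-AzureRmStorageAccountKey -ResourceGroupName $StorageResourceGroup -Name $StorageAccountName)[0].Value
$ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $key
# FilePath is ".well-known/acme-challenge/<token>", matching the container layout from the post.
Set-AzureStorageBlobContent -Context $ctx -Container 'public' -File $tokenFile `
    -Blob $http.FilePath.TrimStart('/') -Force | Out-Null

# Step 2: Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token>;
# the gateway's path rule redirects that request to the blob, so validation passes.
Submit-ACMEChallenge $alias -ChallengeType http-01 | Out-Null
do {
    Start-Sleep -Seconds 10
    $status = ((Update-ACMEIdentifier $alias -ChallengeType http-01).Challenges |
               Where-Object { $_.Type -eq 'http-01' }).Status
} while ($status -eq 'pending')
if ($status -ne 'valid') { throw "Domain validation for $Domain failed with status '$status'" }

# Step 3: issue the certificate, export it as PFX and install it on the gateway.
$certAlias = "$alias-cert"
New-ACMECertificate $alias -Generate -Alias $certAlias | Out-Null
Submit-ACMECertificate $certAlias | Out-Null
Update-ACMECertificate $certAlias | Out-Null

$pfxPath     = Join-Path $env:TEMP "$Domain.pfx"
$pfxPassword = [guid]::NewGuid().ToString()   # throwaway; the PFX lives only in this sandbox
Get-ACMECertificate $certAlias -ExportPkcs12 $pfxPath -CertificatePassword $pfxPassword | Out-Null

$gw = Get-AzureRmApplicationGateway -Name $GatewayName -ResourceGroupName $GatewayResourceGroup
$securePassword = ConvertTo-SecureString $pfxPassword -AsPlainText -Force   # SecureString in recent AzureRM.Network
# Same certificate name as the HTTPS listener, so the listener picks up the new PFX.
$gw = Set-AzureRmApplicationGatewaySSLCertificate -ApplicationGateway $gw -Name $CertificateName `
        -CertificateFile $pfxPath -Password $securePassword
Set-AzureRmApplicationGateway -ApplicationGateway $gw | Out-Null

Remove-Item $tokenFile, $pfxPath -Force
Write-Output "Certificate '$CertificateName' on $GatewayName renewed for $Domain"
```

Given the weekly rate limit mentioned above, test a runbook like this against the Let's Encrypt staging environment first if your ACME client supports it, and only switch to production once the validation step returns "valid" reliably.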

5. Create an Azure Automation schedule to renew the SSL certificate. In my case, I created a schedule that runs every 2 weeks.

6. Link the runbook to the schedule you created earlier and configure the runbook parameters.

And that's it. You have now configured automatic renewals of your Application Gateway SSL certificate with Azure Automation.

I hope this helps!
