sjkp / letsencrypt-siteextension

Azure Web App Site Extension for easy installation and configuration of Let's Encrypt issued SSL certificates for custom domain names.
744 stars, 76 forks

Do I need a new secure website to manage SSL renewal? #186

Closed CraigSheppardSoftware closed 6 years ago

CraigSheppardSoftware commented 6 years ago

I have a website that I really should have SSL protection on. It is being hosted on Azure and is currently on a shared environment. I see that I need to upgrade this to the Basic environment to support SSL certificates. It seems ideal that I can use the extension to get and manage the certificates for me.

I'd like a little explanation of the environment I am supposed to use. As I understand it, I must create a new website to host the Let's Encrypt Site Extension. This must also be a secured application and requires its own certificate. This means that this site must also be an Azure Basic site. This costs an extra £45 per month. I can see that this would be viable if I were supporting lots of sites, but currently I have only 1.

Can I just run this from my localhost IIS in debug in order to get the certificate and then rerun the tool every couple of months in order to save that ongoing money?

Finally, where do I get the ClientID? Is it part of the service principal just registered, or something to do with the subscription, or something else? Is there a screen that shows where this can be copied from?

Thanks Craig

sjkp commented 6 years ago

@CraigSheppardSoftware you don't need an extra site. I recommend that you read one of the many guides that exist, e.g. https://github.com/sjkp/letsencrypt-siteextension/wiki/How-to-install https://codehollow.com/2017/10/lets-encrypt-azure-webapps/ https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/

ohadschn commented 6 years ago

Note that a basic Web App plan allows you to host an unlimited number of web apps (sites), so no extra cost per month: https://azure.microsoft.com/en-us/pricing/details/app-service/.

I would strongly recommend against running the tool locally, even if you somehow automate it. It's really easy to configure to run on the cloud, and like Simon mentioned you have many guides for it.

Note that if you WANT to use a dedicated, centralized web site for your renewals, you can do so using a WebJob I created based on Simon's core code: https://github.com/ohadschn/letsencrypt-webapp-renewer (you can read about the possible advantages of this approach in the link).

CraigSheppardSoftware commented 6 years ago

Hi Simon, thanks for those really helpful references. Troy Hunt's article was particularly useful as it showed me how to use Kudu to install the extensions. I've followed the instructions and I think that I've now got the certificates working. I'm a little uncertain, as my site does now respond to https calls when I use the domain name, so that is good. I've used an add-in to redirect all calls to https even when typed in as http. So far so good.

My problem is that it works for the myazuredomain.azurewebsites.net address, but not for the subdomain.domain.com site I am trying to serve and that is mapped to it. Does anything spring to mind that I might be doing wrong?

Thanks again for this great tool, Craig

CraigSheppardSoftware commented 6 years ago

Hi Ohad, I really appreciated your notes about the extra web sites on a single app plan. That was very helpful and will guide me in a future approach to adding more sites. I will also be looking at your link to a centralised tool once I get my current app fully working. Thanks Craig

sjkp commented 6 years ago

Did you use the site extension for the https redirect? Afaik, it doesn't work correctly for subdomains; you probably have to do the redirect yourself in your web.config.

You can do it this way: https://blogs.msdn.microsoft.com/benjaminperkins/2014/01/07/https-only-on-windows-azure-web-sites/

But you should probably only add it to your release web.config as it can be quite annoying when you debug locally, unless you always run https.
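As an added illustration of the web.config approach mentioned above (this is example configuration, not code from the letsencrypt-siteextension project or from the linked blog post): an IIS URL Rewrite rule that sends every plain-http request to the same host over https, skips localhost so local debugging keeps working, and leaves the ACME HTTP-01 challenge path untouched. The rule name and the localhost exclusion are assumptions for this example; the `{HTTPS}`, `{HTTP_HOST}` and `{R:1}` variables are standard IIS URL Rewrite server variables.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config fragment (added here, not from the project).
     Requires the IIS URL Rewrite module, which Azure App Service (Windows) provides. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- Only act on requests that arrived over plain HTTP. -->
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
            <!-- Assumption for local debugging: never redirect localhost. -->
            <add input="{HTTP_HOST}" pattern="^localhost(:\d+)?$" negate="true" />
            <!-- Leave the Let's Encrypt HTTP-01 challenge path reachable over HTTP. -->
            <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
          </conditions>
          <!-- {HTTP_HOST} keeps the requested host, so custom subdomains and
               the *.azurewebsites.net host are both redirected to themselves. -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Because the action uses the incoming `{HTTP_HOST}` rather than a hard-coded hostname, the same rule serves a custom subdomain and the default azurewebsites.net host. Use `redirectType="Permanent"` (301) only once you are sure the certificate for every host is in place, since browsers cache permanent redirects; a 307 (`Temporary`) is safer while testing. A web.config transform for the Release configuration is one way to keep the rule out of local debug builds, as the comment above suggests.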

CraigSheppardSoftware commented 6 years ago

Hi Simon, being a bit of a novice on this, I followed the instructions from Troy Hunt's article, with a little adaptation on creating the service principal. I then used the site extension called "Security Settings: HTTPS Redirect w/KeepAlive Support, Headers incl HSTS, CSP, and More" ("Medium strength"), which seemed to do what the HTTPS redirect did and more, for security. I'm not sure what I'm looking at with your link. Should I remove the Security extension and add an update to the config file? It looks to my untrained eye to be a copy-paste job (with a few corrections identified in the comments). Thanks Craig

sjkp commented 6 years ago

@CraigSheppardSoftware hope you got this resolved. If not please reopen.