This tutorial shows you how to set up Let’s Encrypt certificates for your web apps in Azure with App Service Acmebot. The service lets you secure your Azure websites with TLS (SSL) for free: certificates are issued and renewed automatically by a function app.
App Service Acmebot was created to support multiple app services with simple deployment, simple configuration, a robust implementation and easy monitoring. Key Vault Acmebot (same developer) is a more advanced version, but it requires Azure DNS and Azure Key Vault. I have an external DNS provider and do not use Azure DNS.
Install App Service Acmebot
Go to the official website for App Service Acmebot and click the Deploy to Azure button under the Getting Started heading. This opens the Azure Portal with a custom template deployment.
I created a new resource group (Acmebot-NorthEurope) to gather all newly created resources in one group. This makes it easier to organize resources and to delete them all together if we want. The deployment created four resources in the new resource group: Application Insights, an App Service plan for the function app, the Function App itself and a Storage account.
Application settings for the Function App are created automatically. The documentation states that you need to set LetsEncrypt:SubscriptionId and LetsEncrypt:Contacts in the application settings. You can verify that these settings have been added by clicking on the function app and going to Configuration.
Secure your function app
You need to restrict access to your function app; otherwise anyone who finds its URL could request certificates for your websites. In practice it is not possible to add a certificate without authentication (you will get an error if you skip this step). Access will be restricted to an Azure Active Directory app. Click on the function app and browse to Platform features -> Authentication / Authorization. Turn on App Service Authentication, select Log in with Azure Active Directory and click on Azure Active Directory among the Authentication Providers. Select Express and create a new AD app (you can use an existing app too). Click OK and don’t forget to save. You can go to Azure Active Directory -> App registrations to verify that a new AD app has been created.
Allow access to resource groups
Your function app needs access to the resource groups that contain your Web Apps and App Service plans. I have one resource group for app service plans and one resource group for each website. Add the Web Plan Contributor role on the resource group that contains your App Service plan and the Website Contributor role on each resource group that contains a web app. One resource group can have both roles. Roles are added under Access control (IAM) for the resource group.
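As an added example, not taken from the original post or from the Acmebot project, the same role assignments can be made with the Azure CLI instead of the portal. The script assumes the function app runs with a system-assigned managed identity (that identity is the principal the roles are granted to) and that the subscription id, function app name and resource group names passed in are placeholders; the two role names and the resource-group scope are exactly what the portal steps above set.

```shell
#!/usr/bin/env bash
# Added example: grant the Acmebot function app the roles it needs on each resource group.
# Assumption (not from the post): the function app has a system-assigned managed identity.
set -eu

# Build the ARM scope string for a resource group. Kept as a pure function so
# the scope format can be checked without talking to Azure.
rg_scope() {
  local subscription_id="$1" resource_group="$2"
  printf '/subscriptions/%s/resourceGroups/%s' "$subscription_id" "$resource_group"
}

# Grant one built-in role on one scope to the function app's identity.
grant_role() {
  local principal_id="$1" role="$2" scope="$3"
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" \
    --scope "$scope" \
    --output none
  echo "granted '$role' on $scope"
}

# assign_acmebot_roles <subscription-id> <function-app> <function-app-rg> <plan-rg> <web-rg>...
# Web Plan Contributor goes on the resource group holding the App Service plan,
# Website Contributor on every resource group holding a web app.
assign_acmebot_roles() {
  local subscription_id="$1" function_app="$2" function_rg="$3" plan_rg="$4"
  shift 4
  local principal_id web_rg
  principal_id=$(az functionapp identity show \
    --name "$function_app" --resource-group "$function_rg" \
    --query principalId --output tsv)
  if [ -z "$principal_id" ]; then
    echo "function app '$function_app' has no system-assigned identity; enable it first" >&2
    return 1
  fi

  grant_role "$principal_id" "Web Plan Contributor" "$(rg_scope "$subscription_id" "$plan_rg")"
  for web_rg in "$@"; do
    grant_role "$principal_id" "Website Contributor" "$(rg_scope "$subscription_id" "$web_rg")"
  done
}

# Usage (placeholder names, run after `az login`):
#   assign_acmebot_roles 00000000-0000-0000-0000-000000000000 acmebot-func Acmebot-NorthEurope plans-rg site1-rg site2-rg
```

If a resource group holds both the plan and a web app, call `grant_role` twice on the same scope; the two roles are independent assignments.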
Add a new certificate
If this does not work right away, you may need to restart your function app. Browse to https://YOUR-FUNCTION-NAME.azurewebsites.net/add-certificate; you can find the URL of your function app by clicking on it in the Azure Portal. Select all the domains that you want to include in the certificate and click Submit.
Verify that you can browse to your website over https, and do not forget to redirect requests from the insecure http address to the https address.
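The two checks above (the site serves a valid certificate, and http redirects to https) are worth scripting so you can rerun them after every renewal. Here is an added example, not from the original post or the Acmebot project, that does both with openssl and curl; the 30-day renewal window is this script's own threshold, not a value taken from the post, and the sample response headers embedded below are constructed, not captured from a real site.

```shell
#!/usr/bin/env bash
# Added example: verify a site after Acmebot has issued its certificate.
# Assumptions (not from the post): openssl and curl are installed; the renewal
# window below is this script's own threshold.
set -eu

RENEWAL_WINDOW_DAYS=30

# Download the leaf certificate served for host $1 (sent as SNI name) into file $2.
fetch_cert() {
  local host="$1" out="$2"
  openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
    | openssl x509 -out "$out"
}

# Return 0 (true) if the certificate in file $1 expires within $2 days.
expires_within() {
  local cert_file="$1" days="$2"
  if openssl x509 -in "$cert_file" -noout -checkend $(( days * 86400 )) >/dev/null; then
    return 1    # still valid beyond the window
  fi
  return 0      # expires inside the window: renewal should already have happened
}

# Return 0 (true) if raw HTTP response headers ($1) describe a redirect to an https:// URL.
# CRs are stripped so real CRLF responses and constructed LF-only samples are handled alike.
is_https_redirect() {
  local headers
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  printf '%s\n' "$headers" | head -n 1 | grep -qE '^HTTP/[0-9.]+ (301|302|307|308)( |$)' || return 1
  printf '%s\n' "$headers" | grep -qiE '^location: *https://' || return 1
}

# Run both checks against a live host; returns non-zero if either check fails.
verify_site() {
  local host="$1" cert_file headers status=0
  cert_file=$(mktemp)
  fetch_cert "$host" "$cert_file"
  if expires_within "$cert_file" "$RENEWAL_WINDOW_DAYS"; then
    echo "FAIL: certificate for $host expires within $RENEWAL_WINDOW_DAYS days; check the Acmebot function app"
    status=1
  else
    echo "OK: certificate for $host is valid for more than $RENEWAL_WINDOW_DAYS days"
  fi
  rm -f "$cert_file"

  # HEAD request over plain http; only the status line and headers are needed.
  headers=$(curl -sI --max-time 10 "http://$host/")
  if is_https_redirect "$headers"; then
    echo "OK: http://$host/ redirects to https"
  else
    echo "FAIL: http://$host/ does not redirect to https"
    status=1
  fi
  return "$status"
}

# Constructed sample (not captured from a real site) of what a correct redirect looks like.
SAMPLE_REDIRECT_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://www.example.test/
Content-Length: 0'

# Usage: SITE_HOST=www.example.test sh verify-site.sh
if [ -n "${SITE_HOST:-}" ]; then
  verify_site "$SITE_HOST"
fi
```

Run it from cron or a pipeline with `SITE_HOST` set for each domain in the certificate; a FAIL on the expiry check a few weeks before the Let’s Encrypt certificate expires is the earliest sign that the function app has stopped renewing.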
Update App Service Acmebot
The Azure Function app runs from the latest package; the URL of the package can be found in the WEBSITE_RUN_FROM_PACKAGE setting under Configuration. You may need to update or upgrade the function app at some point in the future (change the package URL and update the extension version). Visit the App Service Acmebot repository for information about updates and upgrades.
Hi. I followed your steps and I got the message after clicking Submit on the add-certificate page. Did the error happen because my Azure web app has pricing tier D1 (no support for custom SSL)?
The message is “An error has occurred. No certificate was issued.”
Hi, thank you for your comment. I think that it is a problem if D1 does not support SSL.
https://feedback.azure.com/forums/169385-web-apps/suggestions/17531527-make-ssl-support-for-d1-shared-app-services
No longer works, as this implementation uses the old Graph API, which is now deprecated.