C#, .Net and Azure

Let's encrypt with Azure functions

2019/09/07

The code of the function can be found on my GitHub.


Let's Encrypt provides free TLS certificates for your domains.

Since they are only valid for 90 days, renewal should be automated, and there are plenty of existing client implementations.

For Azure Web Apps there have also been solutions that fully automate the renewal for a long time (particularly letsencrypt-siteextension and letsencrypt-webapp-renewer); however, they don't work with Azure CDN.

Since I wasn't a big fan of their permission system (grant us Contributor permissions on all web apps and resource groups), I decided to build my own solution around Azure Functions (it was also a good learning experience).

The code has been finished for a while now; I just wanted to test it thoroughly on my own websites before declaring it finished.

Since the beginning of July all my websites have used it, and I even set up some integration tests that have been happily renewing certificates every 5 days.

How it works

My solution is an Azure Function that runs once a day to evaluate which certificates need to be renewed.

For each certificate that does, it triggers the ACME challenge and, on success, installs the renewed certificate.

All challenge validation happens via storage accounts: once Let's Encrypt has issued the challenge, the function uploads the challenge file to the storage account that serves the domain and asks Let's Encrypt to validate it. This is the http-01 challenge, in which Let's Encrypt fetches the file from http://<domain>/.well-known/acme-challenge/<token> and compares its contents with the expected key authorization.

The issued certificate is then stored in Azure Key Vault and bound to the Azure CDN endpoint or App Service.

Since the Azure CDN endpoints in this setup serve their content from a storage account, the challenge file is reachable out of the box. For App Services some setup is required to redirect requests for /.well-known/acme-challenge/* to a storage account.
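As an added worked example (not code from the author's function, which is C#/.NET and lives on GitHub), here are the two checks behind the procedure above, in Python using only the standard library: deciding whether a certificate is due for renewal, and producing and verifying the http-01 challenge file that gets uploaded to the storage account. The 30-day renewal window and the account key in ACCOUNT_JWK are constructed assumptions for the example; the thumbprint and key authorization follow RFC 7638 and RFC 8555 section 8.1.

```python
"""http-01 renewal mechanics: renewal-due check, challenge file content, CA-side comparison.

Added example, not the author's Azure Function code. Standard library only.
"""
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumption for the example: renew once fewer than 30 days of the 90-day lifetime remain.
RENEW_BEFORE_DAYS = 30

# Constructed ACME account public key (JWK). The modulus value is a placeholder;
# it is hashed, never decoded, so any base64url string works for the mechanics shown here.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}


def needs_renewal(not_after: datetime, now: datetime, renew_before_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True when the certificate expires inside the renewal window (or has already expired)."""
    return not_after - now <= timedelta(days=renew_before_days)


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWK and ACME require (RFC 4648 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace.

    Optional members such as "alg" or "kid" must not influence the value.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key). This is the challenge file's body."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Path, relative to http://<domain>/, at which the CA fetches the file (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}"


def validates(served_body: str, token: str, account_jwk: dict) -> bool:
    """The comparison the CA performs: body with trailing whitespace removed equals the key authorization."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    # Constructed token with the shape of a real ACME challenge token.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    body = key_authorization(token, ACCOUNT_JWK)
    print("upload to blob", challenge_path(token))
    print("with body     ", body)
    print("CA would accept:", validates(body + "\n", token, ACCOUNT_JWK))
    expiry = datetime(2019, 9, 30, tzinfo=timezone.utc)
    print("due for renewal on 2019-09-07:", needs_renewal(expiry, datetime(2019, 9, 7, tzinfo=timezone.utc)))
```

The blob uploaded to the storage account is just the key authorization string; a trailing newline is tolerated because the CA strips trailing whitespace before comparing, but anything else (an HTML error page from a misrouted /.well-known/acme-challenge/* request, for instance) fails validation, which is exactly the case the App Service redirect has to get right.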

Setup

A detailed guide on how to set up the function can be found on GitHub.

Features

Why should I use this?

Use it if

Check out the source code on my GitHub.

tagged as .Net Core, Azure, Azure Functions and Let's Encrypt