Let’s Encrypt with Azure Functions
The code of the function can be found on my github.
Let’s encrypt provides free SSL certificates for your domain.
Since they are only valid for 90 days, the renewal process should be automated, and there are plenty of existing client implementations.
For Azure web apps there have also been solutions to fully automate the renewal for a long time (particularly letsencrypt-siteextension and letsencrypt-webapp-renewer); however, they don’t work with Azure CDN.
Since I wasn’t a big fan of their permission system (grant us contributor permissions to all web apps and resource groups), I decided to build my own solution around Azure Functions (it was also a good learning experience).
The code has been finished for a while now; I just wanted to test it thoroughly on my own websites before declaring it finished.
Since the beginning of July all my websites use it, and I have even set up some integration tests that have been happily renewing certificates every 5 days.
How it works
My solution is an Azure function that runs once a day to evaluate which certificates need to be renewed.
If any, it will trigger the ACME challenge and automatically renew the certificate on success.
All renewal validation happens via storage accounts. After Let’s Encrypt provides the challenge, the Azure function uploads the challenge file to the respective storage account and triggers the Let’s Encrypt validation.
The Let’s Encrypt certificate is then stored securely in Azure Key Vault and attached to the Azure CDN/App Service.
Since Azure CDN is served from a storage account by default, this works out of the box. For App Services some setup is required to redirect the /.well-known/acme-challenge/* endpoint to a storage account.
A detailed guide on how to set up the function can be found on github.
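To make the daily evaluation and the HTTP-01 challenge round trip concrete, here is an added example in Python; it is not the project's code and does not call Azure. An in-memory dict stands in for the storage account that serves `/.well-known/acme-challenge/`, the account key is the public RSA example key from RFC 7638 (no signing is done), and the expiry dates, renewal threshold, domain names and token are constructed for the example.

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Path under the site root that the HTTP-01 validator fetches (RFC 8555 section 8.3).
CHALLENGE_PREFIX = ".well-known/acme-challenge/"

# Assumed: the RSA example key from RFC 7638 section 3.1 stands in for the ACME
# account key. Only the public part is needed to derive the key authorization.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

# Constructed sample data: the certificate expiry dates a daily run evaluates.
SAMPLE_NOW = datetime(2019, 7, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "cdn.example.com": SAMPLE_NOW + timedelta(days=12),  # inside the renewal window
    "www.example.com": SAMPLE_NOW + timedelta(days=75),  # recently renewed, leave alone
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, serialized
    in lexicographic order with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict = ACCOUNT_JWK) -> str:
    """HTTP-01 challenge file body: token '.' thumbprint(account key) (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def needs_renewal(not_after: datetime, now: datetime, threshold_days: int = 30) -> bool:
    """Renew when expiry falls within the threshold. Let's Encrypt certificates
    live 90 days, so a 30-day margin leaves many daily runs to retry on failure."""
    return not_after - now <= timedelta(days=threshold_days)


def run_daily_check(certs: dict = SAMPLE_CERTS, now: datetime = SAMPLE_NOW,
                    threshold_days: int = 30) -> list:
    """The once-a-day evaluation: which domains need a new certificate today."""
    return sorted(d for d, exp in certs.items() if needs_renewal(exp, now, threshold_days))


def publish_challenge(storage: dict, token: str, key_auth: str) -> str:
    """Upload the challenge file to the storage account behind the domain.
    Returns the blob path the CDN origin / App Service redirect must expose."""
    path = CHALLENGE_PREFIX + token
    storage[path] = key_auth
    return path


def validate_like_acme_server(storage: dict, token: str, expected: str) -> bool:
    """What the Let's Encrypt validator does: fetch the challenge URL over plain
    HTTP and compare the body with the key authorization it computed itself."""
    body = storage.get(CHALLENGE_PREFIX + token)
    return body is not None and body.strip() == expected


def remove_challenge(storage: dict, token: str) -> None:
    """Delete the challenge file once validated so stale tokens do not pile up."""
    storage.pop(CHALLENGE_PREFIX + token, None)


def simulate_renewal(token: str = "constructed-token-1", storage: dict = None) -> dict:
    """One renewal as the function would drive it: publish, validate, clean up."""
    storage = {} if storage is None else storage
    key_auth = key_authorization(token)
    path = publish_challenge(storage, token, key_auth)
    validated = validate_like_acme_server(storage, token, key_auth)
    remove_challenge(storage, token)
    return {"path": path, "validated": validated, "cleaned_up": path not in storage}


if __name__ == "__main__":
    print("domains to renew today:", run_daily_check())
    print(simulate_renewal())
```

The point of `validate_like_acme_server` is that the only thing the storage account ever has to expose is a short, per-order token file: the account key and the certificate private key never leave the function and Key Vault, which is what lets the setup avoid the broad contributor permissions mentioned above.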
- automates Let’s Encrypt certificate renewal for
  - Azure App Service
  - Azure CDN
- securely stores certificates in Key Vault
- cheap to run (< $0.05/month)
Why should I use this?
Use it if
- you use Azure CDN and want to use Let’s Encrypt (to my knowledge there is no other fully automated solution that solves this problem)
- you want minimal setup for each domain to get custom domains working (check out the documentation for the necessary steps)
Check out the source code on my github.