Skip to content

Automated ACME issuer for Azure App Service (Web Apps / Functions / Containers)

License

Notifications You must be signed in to change notification settings

odegroot/appservice-acmebot

 
 

Repository files navigation

App Service Acmebot

Build Release License Terraform Registry

This is an application that automates the issuance and renewal of ACME SSL/TLS certificates for the Azure App Service. We have started to solve the following issues

  • Support for multiple App Services
  • Easy to deploy and configure
  • Highly reliable implementation
  • Ease of Monitoring (Application Insights, Webhook)

You can manage multiple App Service certificates in a single application.

Announcements

Upgrading to Acmebot v3

shibayan#138

Integration with Key Vault

If you need to use the certificate for a variety of services, consider using the Key Vault version of Acmebot v3.

https://github.com/shibayan/keyvault-acmebot

The Key Vault version can be used with services that support Key Vault certificates such as App Service / Application Gateway / CDN / Front Door.

Table Of Contents

Feature Support

  • Azure Web Apps and Azure Functions (Windows)
  • Azure Web Apps (Linux) / Web App for Containers (Windows and Linux, requires Azure DNS)
  • Azure App Service Environment (Windows and Linux)
  • Issuing a certificate to the Deployment Slot
  • Issuing Certificates for Zone Apex Domains
  • Issuing certificates with SANs (subject alternative names) (one certificate for multiple domains)
  • Wildcard certificate (requires Azure DNS)
  • Support for multiple App Services in a single application
  • ACME-compliant Certification Authorities

Requirements

  • Azure Subscription
  • App Service with a registered custom domain
  • Email address (required to register with Let's Encrypt)

Getting Started

1. Deploy Acmebot

For Azure Cloud

For Azure China

For Azure Government

2. Enabling App Service Authentication

Open the Authentication / Authorization menu in Azure Portal and enable App Service authentication. Select the Login with Azure Active Directory as the action to perform if the request is not authenticated. We recommend using Azure Active Directory as your authentication provider, but it works with other providers as well, although it's not supported.

Enable App Service Authentication with AAD

Select Azure Active Directory as the authentication provider, select Express as the management mode, and select OK.

Create New Azure AD App

Finally, you can save your previous settings to enable App Service authentication.

3. Add access control (IAM) to the target resource group

Open the Access control (IAM) of the target resource group and assign the roles Website Contributor and Web Plan Contributor to the deployed application.

Assign a role

IAM settings

Remarks

If the App Service Plan associated with the App Service exists in a separate resource group, you should assign a Website Contributor to the resource group where the App Service exists, and a Web Plan Contributor to the resource group where the App Service Plan exists.

Usage

Issuing a new certificate

Access https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate with a browser and authenticate with Azure Active Directory and the Web UI will be displayed. Select the target App Service and domain from that screen and run it, and after a few tens of seconds, the certificate will be issued.

Add certificate

If the Access control (IAM) setting is not correct, nothing will be shown in the drop-down list.

Issuing a wildcard certificate or a certificate for Linux

Because Azure DNS is required to issue wildcard certificates or certificates for Linux, assign the role of DNS Zone Contributor in the resource group containing the target DNS zone.

IAM settings

To issue certificates for "App Service on Linux" and "Web App for Container", Azure DNS is always required.

Renewing certificates

All existing ACME certificates are automatically renewed 30 days before their expiration.

The default check timing is 00:00 UTC. If you need to change the time zone, use WEBSITE_TIME_ZONE to set the time zone.

Deploying a new version

The application is automatically updated so that you are always up to date with the latest version. If you explicitly need to deploy the latest version, restart the Azure Function.

The case where you want to use your own web.config

You can prevent Acmebot from creating web.config by creating your own web.config and configured files in the site/.well-known directory.

Troubleshooting

Causes Azure REST API error at GetSite or Dns01Precondition error occurs

The role assignment to the target resource group may be incorrect or not yet reflected, and it may take up to 30 minutes for the IAM settings to take effect.

CheckDnsChallenge failed: _acme-challenge.{domain}.com value is not correct error occurs

In order for the certificate to be created, the Acmebot needs to create a TXT DNS record for _acme-challenge in Azure DNS. This error occurs when the TXT record isn't being served. One cause of this may be that the nameservers for your domain may be pointing to the domain registrar, rather than Azure DNS. Make sure that you have properly delegated the domain to Azure DNS: Host your domain in Azure DNS

CheckHttpChallenge failed: http://{domain}/.well-known/acme-challenge/{challenge} is InternalServerError status code error occurs

It seems like URL rewrite error, so please try inheritInChildApplications="false" settings for web.config under wwwroot.

https://www.hanselman.com/blog/ChangingASPNETWebconfigInheritanceWhenMixingVersionsOfChildApplications.aspx

Thanks

License

This project is licensed under the Apache License 2.0

About

Automated ACME issuer for Azure App Service (Web Apps / Functions / Containers)

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C# 90.7%
  • HTML 9.3%