LetsEncrypt certificates automatic renewal in Azure Application Gateway

I can bet almost any IT technician has heard of Let’s Encrypt certificates. They are completely free and fully supported by big corporations such as Google, Facebook and Microsoft, among many others, to make the Web more secure and privacy-respecting. A lot of public websites use these certificates. Of course, as with anything free, there are some limitations, for example how many certificates you can generate. Note that Let’s Encrypt certificates are valid for 90 days, so setting up automatic renewal of Let’s Encrypt certificates is absolutely necessary.

When using an Azure Application Gateway, one of the things you need to do is to install the SSL certificate on the gateway to secure resources behind.

In this article I’ll show you how to set up Letsencrypt certificates automatic renewal in Azure Key Vault and Azure Application Gateway.

The renewal process explained


The idea behind this implementation is to complete the renewal checks and validations performed by the Let’s Encrypt process without modifying whatever infrastructure sits behind the Application Gateway. In summary:

  1. an Azure Automation runbook is executed on a schedule (e.g. once every two weeks) to renew and install the current Let’s Encrypt certificate. Let’s Encrypt needs to validate domain ownership, so it returns a challenge code, which the runbook stores on a storage account behind the Application Gateway;
  2. a special rule on the Application Gateway redirects the validation request coming from Let’s Encrypt to the storage account, so the domain ownership check succeeds;
  3. the Azure Automation runbook finally downloads the new certificate and installs it on the Application Gateway.

Depending on your needs it’s possible:

  • Renew and install the Let’s Encrypt certificate directly on the Azure Application Gateway, or
  • Renew Let’s Encrypt certificates in Azure Key Vault and bind the respective Application Gateway listener to the required certificate in its properties

Both options are described below. I’ll mark the steps specific to a particular option with the respective images above.

Note that with this implementation, there is no need to manipulate any other infrastructure behind the Application Gateway.

Let’s go!

Creating container to process ACME challenges

I wanted to issue and automate the renewals of Let’s Encrypt certificates for “api.app.com”. Note that I had already a DNS record of Type A targeting my Application Gateway.


C:\>nslookup api.app.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Authoritative response:
Domain:  api.app.com
Address:  23.102.37.253

To implement the Let’s Encrypt renewal process to issue new SSL certificates on the Application Gateway, follow these steps:

Create a Storage Account

1. Create an Azure Storage account that will be used to host the challenge requests for the DNS domain ownership check. Use the cheapest parameters such as “Standard performance” and LRS.


2. Once the storage account is ready, create a container named “public” with “public blob” permissions.


3. Create the virtual directory “\.well-known\acme-challenge” using the Storage Explorer tool.


Modify the Application Gateway to redirect ACME challenge requests to the storage account

4. When you created the Azure Application Gateway, you probably specified an HTTP rule associated with an HTTP listener. In this case you need to delete that rule; it will be replaced by a path-based rule as shown in the next step.


5. Create a new path-based rule that redirects the requests Let’s Encrypt will make during the renewal process, with the following configuration:


6. Set the parameters you had on the HTTP rule, and click on “Add Configuration”.


7. Specify the configuration parameters with the path “/.well-known/acme-challenge/*” and a permanent redirection targeting an external site, namely the URL of the storage account container you created before:


9. Test the rule by creating a file called “test.html” on the storage account and browsing the URL http://<yourdomain>/.well-known/acme-challenge/test.html


If everything was set up correctly, when you browse the URL the Application Gateway should redirect your browser to the storage account, as shown below. Don’t continue until you have successfully set up the redirection rule.


This step is common for both options.

Issue Letsencrypt certificate for the first time

There are several ways to issue the certificate. The easiest on Linux is Certbot, a Python tool available on GitHub that obtains certificates from Let’s Encrypt; on Windows there is Win-ACME. There is also the PowerShell module ACME-PS that you can use. There are other clients too, so feel free to share better ideas in the comments area of this post.

I used the third option (ACME-PS) and the following cmdlet to get the certificate:

Now check your Key Vault. There should be the new certificate there.

At this step you have certificate.pfx ready for the App Gateway or Key Vault.

If you need a Let’s Encrypt certificate with multiple domains (Subject Alternative Names) in Azure, use the improved version of the script:

Here are the commands to convert .PEM to .PFX on Linux and Windows.

Linux:

Windows:

where “4F4135541B7CEB38F937A75EDB9CDE5333237885” is the certificate’s thumbprint.

Next, I’ll show how to install the certificate on the App Gateway and configure automatic renewal.

If you need integration with Key Vault, please skip this step.

Install Letsencrypt certificate on Azure App Gateway for the first time

This should be a simple step: upload the certificate in the listener’s properties.

IMPORTANT: remember the name you give to this certificate, since you will need to specify it as a parameter of the renewal process later.


After applying the changes, you can check that the Let’s Encrypt SSL certificate is working properly just by browsing a resource via HTTPS.

Upload Letsencrypt certificate on Azure Key Vault for the first time

If you need automatic renewal of the certificate directly in the Application Gateway, please refer to the previous step and skip this one!
For this task you need the PFX file and the matching certificate password.
Remember to name the certificate properly (e.g. use a prefix so you can distinguish the certificate and selectively renew it in the automation runbook; all of that depends on your requirements).
In my case, certificate names carry the “LetsEncrypt-” prefix.

Enable Application Gateway to get certificates from Key vault

A couple of steps are needed to grant the Application Gateway permission to use certificates from Azure Key Vault: create a user-assigned managed identity and allow it to read certificates and secrets from the Key Vault. There is documentation describing those steps.

Configure Application Gateway listener to use the certificate from Key Vault

Apply the settings and make sure you can open your URL and that the certificate is valid.
Now let’s automate the renewals.

Setting up renewal process

Create an Automation Account

1. On the Azure Portal, create an Azure Automation account (or use an existing one) to host the runbook. Note that you can create this automation account and run up to 500 minutes per month for free.


2. Inside the Automation resource, open Modules and browse the gallery to import the following modules: ‘Az.Accounts’, ‘Az.KeyVault’, ‘Az.Network’, ‘Az.Storage’ and ‘ACME-PS’.

3. On the Azure Automation account, create a PowerShell runbook called LetsEncryptCertificateRenewal.


4. Edit the PowerShell runbook and paste the following contents for automatic certificate renewal directly on the App Gateway:

For automatic certificate renewal in the Key Vault, the script is as follows:

The synchronization between the App Gateway and Key Vault occurs every 4 hours.

You can test the runbook in the Test pane, passing the required parameters (domain name, email address used with Let’s Encrypt, resource group names, storage account name, Application Gateway name and the name of the certificate you used when setting up the HTTPS listener). It takes around a minute to complete. When you browse the site again over HTTPS, you will see that the certificate was updated correctly.

IMPORTANT: Let’s Encrypt has its own weekly limits when issuing certificates for a specific domain in production (50 per week), so be careful when testing the PowerShell script.
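The renewal flow described above, written here as an added example runbook (not the author’s script): it takes the parameters just listed, orders the certificate with the ACME-PS cmdlets, publishes the http-01 key authorization under .well-known/acme-challenge in the “public” container so the gateway’s path rule answers the validation, and then replaces the gateway certificate under the name given to it at first upload. It assumes the Automation account runs with a managed identity, that the container is named “public” as in the storage step, and it defaults to the Let’s Encrypt staging endpoint because of the rate limit noted above.

```powershell
param(
    [Parameter(Mandatory)][string]$Domain,
    [Parameter(Mandatory)][string]$EmailAddress,
    [Parameter(Mandatory)][string]$ResourceGroup,
    [Parameter(Mandatory)][string]$StorageAccountName,
    [Parameter(Mandatory)][string]$AppGatewayName,
    [Parameter(Mandatory)][string]$CertificateName,   # name given to the cert on the HTTPS listener
    [string]$AcmeService = "LetsEncrypt-Staging"      # switch to "LetsEncrypt" once the run is proven
)
$ErrorActionPreference = "Stop"
Connect-AzAccount -Identity | Out-Null   # assumption: the Automation account has a managed identity

# 1. ACME account and a new order for the domain (a fresh account per run keeps the runbook stateless)
$stateDir = Join-Path $env:TEMP "acme-$Domain"
$state = New-ACMEState -Path $stateDir
Get-ACMEServiceDirectory $state -ServiceName $AcmeService -PassThru | Out-Null
New-ACMENonce $state
New-ACMEAccountKey $state -PassThru | Out-Null
New-ACMEAccount $state -EmailAddresses $EmailAddress -AcceptTOS | Out-Null
$order = New-ACMEOrder $state -Identifiers (New-ACMEIdentifier $Domain)
$authZ = Get-ACMEAuthorization -State $state -Order $order
$challenge = Get-ACMEChallenge $state $authZ "http-01"

# 2. Publish the key authorization as the blob the gateway's /.well-known/acme-challenge/* rule redirects to
$blobName = ".well-known/acme-challenge/$($challenge.Data.Token)"
$tokenFile = Join-Path $stateDir $challenge.Data.Token
Set-Content -Path $tokenFile -Value $challenge.Data.Content -NoNewline
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccountName).Context
Set-AzStorageBlobContent -File $tokenFile -Container "public" -Blob $blobName -Context $ctx -Force `
    -Properties @{ ContentType = "text/plain" } | Out-Null

# 3. Ask Let's Encrypt to validate, then poll the order until it is ready (or rejected)
$challenge | Complete-ACMEChallenge $state | Out-Null
while ($order.Status -notin @("ready", "invalid")) { Start-Sleep -Seconds 5; $order | Update-ACMEOrder $state -PassThru | Out-Null }
if ($order.Status -eq "invalid") { throw "Let's Encrypt rejected the http-01 challenge for $Domain" }

# 4. Finalize the order with a new key pair and export the certificate as a PFX
$certKey = New-ACMECertificateKey -Path (Join-Path $stateDir "$Domain.key.xml")
Complete-ACMEOrder $state -Order $order -CertificateKey $certKey | Out-Null
while (-not $order.CertificateUrl) { Start-Sleep -Seconds 10; $order | Update-ACMEOrder $state -PassThru | Out-Null }
$pfxPassword = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
$pfxPath = Join-Path $stateDir "$Domain.pfx"
Export-ACMECertificate $state -Order $order -CertificateKey $certKey -Path $pfxPath -Password $pfxPassword

# 5. Replace the listener certificate in place (same name as at first upload) and remove the token blob
$gw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroup -Name $AppGatewayName
Set-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name $CertificateName -CertificateFile $pfxPath -Password $pfxPassword | Out-Null
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
Remove-AzStorageBlob -Container "public" -Blob $blobName -Context $ctx -Force
```

For the Key Vault option, replace step 5 with Import-AzKeyVaultCertificate -VaultName <vault> -Name $CertificateName -FilePath $pfxPath -Password $pfxPassword; the listener bound to that Key Vault certificate picks up the new version on the next synchronization.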


5. Create an Azure Automation schedule to renew the SSL certificate. In my case, I created a schedule that renews it every 2 weeks.


6. Set up the parameters to link the runbook with the schedule you created before.


And that’s it. You have successfully configured automatic renewal of Let’s Encrypt certificates for Azure Application Gateway!

Good luck!

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [dot] com