Setup Azure Let’s Encrypt for your Azure App Website

Hi Guys,

Last but not least, here is the final post on the Azure Let’s Encrypt setup.

In previous posts we saw how to set up the Azure AD application and permissions, and how to install the Let’s Encrypt extension in an Azure App Website.
We now need to finish the Azure Let’s Encrypt setup to request and install a publicly trusted SSL certificate on our Azure App Website.

The previous blog post ended with you being able to browse the Let’s Encrypt extension webpage. As you might have noticed, there are some fields available for configuring the extension directly on the webpage. I strongly recommend not changing those settings directly on the webpage.

Instead, I recommend using the PowerShell module AzureRM.Websites to set up the Azure Website extension. Here is how you would proceed.

Gather the Azure App Website information:

[ps]$ResourceGroup = 'Default-Web-NorthCentralUS'
$Name = 'Blog'
$Slot = 'Production'
$WebApp = Get-AzureRMWebAppSlot -ResourceGroupName $ResourceGroup -Name $Name -Slot $Slot[/ps]

Aggregate the application’s existing settings with the new settings required for Azure Let’s Encrypt. You need to fill in the values, of course:

[ps]$AppSettingList = $WebApp.SiteConfig.AppSettings

# Copy the existing settings first: -AppSettings replaces the whole collection
$AppSettingHash = @{}
ForEach ($existingSetting in $AppSettingList) {
    $AppSettingHash[$existingSetting.Name] = $existingSetting.Value
}

# Settings read by the Let's Encrypt extension
$AppSettingHash['letsencrypt:Tenant']            = '<Your tenant GUID>'
$AppSettingHash['letsencrypt:SubscriptionId']    = '<The Azure App Subscription GUID>'
$AppSettingHash['letsencrypt:ClientId']          = '<Previously created Azure AD Application ID>'
$AppSettingHash['letsencrypt:ClientSecret']      = '<Previously created Azure AD Application Password>'
$AppSettingHash['letsencrypt:ResourceGroupName'] = '<Your Azure App ResourceGroup Name>'

Set-AzureRMWebAppSlot -ResourceGroupName $ResourceGroup -Name $Name -AppSettings $AppSettingHash -Slot $Slot[/ps]
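
A pre-flight check for the merged hashtable before it is passed to Set-AzureRMWebAppSlot, as an added example that is not part of the original post. Test-LetsEncryptAppSettings is a hypothetical helper name, and all sample values are constructed.

```powershell
# Added example (not from the original post). Test-LetsEncryptAppSettings is a
# hypothetical helper name; it only inspects the hashtable and makes no Azure calls.
function Test-LetsEncryptAppSettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Merged,
        # Existing settings as Name/Value objects, e.g. $WebApp.SiteConfig.AppSettings
        [object[]] $Existing = @()
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $guidKeys = @('letsencrypt:Tenant', 'letsencrypt:SubscriptionId', 'letsencrypt:ClientId')
    $required = $guidKeys + @('letsencrypt:ClientSecret', 'letsencrypt:ResourceGroupName')

    foreach ($key in $required) {
        $value = [string]$Merged[$key]
        if ([string]::IsNullOrWhiteSpace($value)) {
            $problems.Add("$key is missing or empty")
        } elseif ($value -match '^<.*>$') {
            $problems.Add("$key still holds a placeholder value")
        } elseif ($guidKeys -contains $key) {
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse($value, [ref]$parsed)) {
                $problems.Add("$key is not a valid GUID")
            }
        }
    }
    # -AppSettings replaces the whole collection, so each existing name must be in the merge
    foreach ($setting in $Existing) {
        if (-not $Merged.ContainsKey($setting.Name)) {
            $problems.Add("existing setting '$($setting.Name)' would be dropped")
        }
    }
    $problems
}

# Constructed sample input: one placeholder left in, one malformed GUID, one setting not merged
$existing = @(
    [pscustomobject]@{ Name = 'MyApp:Theme';       Value = 'dark' },
    [pscustomobject]@{ Name = 'MyApp:FeatureFlag'; Value = 'on' }
)
$merged = @{
    'MyApp:Theme'                   = 'dark'
    'letsencrypt:Tenant'            = '11111111-2222-3333-4444-555555555555'
    'letsencrypt:SubscriptionId'    = '<The Azure App Subscription GUID>'
    'letsencrypt:ClientId'          = 'not-a-guid'
    'letsencrypt:ClientSecret'      = 'constructed-secret-value'
    'letsencrypt:ResourceGroupName' = 'Default-Web-NorthCentralUS'
}
$issues = @(Test-LetsEncryptAppSettings -Merged $merged -Existing $existing)
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Ready to apply.' }
```

In the real workflow, pass $AppSettingHash as -Merged and $WebApp.SiteConfig.AppSettings as -Existing, and call Set-AzureRMWebAppSlot only when the function returns nothing.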

When you refresh the Azure Let’s Encrypt extension page, all the required fields should be filled in with the information you specified using AzureRM.

The next step is simply to click the “Next” button. On the next page, select the domains you want your certificate for, specify an email address, and finally click “Request and Install certificate”.

Your Azure Website is now all set with a Let’s Encrypt SSL Certificate.

As a reminder, here are all the PowerShell lines that we used:

[ps]$uri = 'http://blog.prudhomme.wtf'
# New-RandomPassword is not a built-in cmdlet; it is assumed to be a helper function you have defined
$password = New-RandomPassword
$ResourceGroup = 'Default-Web-NorthCentralUS'
$Name = 'abcloud'
$Slot = 'Production'

#Azure App Website
$WebApp = Get-AzureRMWebAppSlot -ResourceGroupName $ResourceGroup -Name $Name -Slot $Slot

#Azure AD Application
$app = New-AzureRmADApplication -DisplayName 'LetsEncrypt' -HomePage $uri -IdentifierUris $uri -Password $password
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
# No -Scope or -ResourceGroupName is passed, so Contributor is granted on the whole subscription
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId

#Azure App Website Settings
# Copy the existing settings first: -AppSettings replaces the whole collection
$AppSettingHash = @{}
ForEach ($existingSetting in ($WebApp.SiteConfig.AppSettings)) {
    $AppSettingHash[$existingSetting.Name] = $existingSetting.Value
}

$AppSettingHash['letsencrypt:Tenant']            = (Get-AzureRmContext | Select-Object -ExpandProperty Tenant).TenantId
$AppSettingHash['letsencrypt:SubscriptionId']    = $WebApp.SiteConfig.Id.Split('/')[2]
$AppSettingHash['letsencrypt:ClientId']          = $app.ApplicationId
# The client secret is stored as a plain-text app setting on the site
$AppSettingHash['letsencrypt:ClientSecret']      = $password
$AppSettingHash['letsencrypt:ResourceGroupName'] = $ResourceGroup

Set-AzureRMWebAppSlot -ResourceGroupName $ResourceGroup -Name $Name -AppSettings $AppSettingHash -Slot $Slot[/ps]