It was at the end of 2019 when I decided I wanted to play with Azure DevOps and create a custom extension we could use in our deployment pipeline to make things easier!
Our team had already been using Let's Encrypt for some time to generate SSL certificates for our development and UAT environments, but the idea was to automate it instead of using manual certificate binding.
Using our fortnightly dedicated side-project day, Freedom Friday, I was able to implement an extension which lets you generate a Let's Encrypt SSL certificate and bind it to the domain on your Azure WebApp automatically (and for free!).
This mini tutorial is for those who have multiple Azure Web Apps with custom domains and would like to automatically bind SSL certificates to their Web Apps domains (for free).
What you will need.
- Azure WebApp Service
- Azure DevOps
How to get started.
Add the SSL Azure WebApp Certificate Generator task to the agent job in your pipeline configuration. To set this up, you will need to ensure you have an Azure subscription attached to your DevOps instance.
Next, fill in this form using the steps below:
Filling in the form.
1. Select the attached Azure subscription
2. Select your website's App Service name
3. Select the resource group name
4. Select the domain name you'd like to attach the certificate to
5. Insert the issuer email; [Let's Encrypt](https://letsencrypt.org/) uses it to identify the user creating the certificate
6. Set the public files root path on the Web App. For a regular .NET application with a standard configuration this is the root folder, `/`
7. Add a certificate password; it will be used to generate the PFX file
The extension uses the HTTP validation method (the ACME HTTP-01 challenge) internally, which means the Let's Encrypt issuer will request a specific path on your website to verify that you own it and have access to it.
This path is /.well-known/acme-challenge/ and you need to make sure that your application lets Let's Encrypt access files in this path. For instance, the URL for the domain.example hostname might look something like this...
For .NET, depending on your application's configuration, you have to create a .well-known directory in the root of your public path and create the following web.config file there to give access to the generated files:
```xml
<configuration>
  <system.webServer>
    <!-- Make directory public. Allow anonymous users access to everything in this directory. -->
    <security><authorization><clear /><add users="*" accessType="Allow" /></authorization></security>
    <!-- Directory only contains plain text files. -->
    <staticContent><clear /><mimeMap fileExtension=".*" mimeType="text/plain" /></staticContent>
    <!-- Only static files are allowed, so remove everything but the StaticFile handler. This also solves the issue with extensionless files returning a 404 Page Not Found. -->
    <handlers><clear /><add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" /></handlers>
  </system.webServer>
</configuration>
```
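Before the pipeline runs, it is worth checking that the challenge path really is served the way the issuer expects. The script below is an added example, not code from the extension or from the blog: it builds a key authorization the way RFC 8555 defines it (token, a dot, and the RFC 7638 thumbprint of the account key), writes it under `/.well-known/acme-challenge/<token>`, fetches it back over HTTP and applies the same checks the validation server performs (HTTP 200, body equal to the key authorization). Python's `http.server` stands in for the Azure Web App, and the JWK is a constructed sample rather than a real account key.

```python
"""Preflight check for the ACME HTTP-01 challenge path (added example, not the extension's code)."""
import base64
import hashlib
import json
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_challenge_response(status: int, body: bytes, expected: str) -> tuple:
    """Mirror the checks the ACME server performs on the fetched challenge file.

    RFC 8555 section 8.3: status 200 and a body equal to the key authorization
    (trailing whitespace tolerated). Returns (ok, reason).
    """
    if status != 200:
        return False, f"expected HTTP 200, got {status} (is the path blocked by a handler or auth rule?)"
    if body.decode("utf-8", "replace").rstrip() != expected:
        return False, "body does not match the key authorization (wrong file served?)"
    return True, "challenge path serves the expected key authorization"


def write_challenge_file(web_root: str, token: str, key_auth: str) -> str:
    """Place the challenge file where the issuer will look for it; returns its path."""
    path = os.path.join(web_root, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_auth)
    return path


def fetch(url: str) -> tuple:
    """GET the URL and return (status, content_type, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def run_local_preflight(token: str = "constructed-token-5ZxF") -> dict:
    """End-to-end check against a local stand-in for the Web App's public root."""
    # Constructed sample JWK: placeholder values, not a real RSA key. 'kid' is
    # deliberately present to show that the thumbprint ignores non-required members.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus", "kid": "ignored"}
    key_auth = key_authorization(token, account_jwk)
    with tempfile.TemporaryDirectory() as web_root:
        write_challenge_file(web_root, token, key_auth)
        handler = partial(SimpleHTTPRequestHandler, directory=web_root)
        server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            url = f"http://127.0.0.1:{server.server_port}/{CHALLENGE_DIR}/{token}"
            status, content_type, body = fetch(url)
        finally:
            server.shutdown()
            server.server_close()
    ok, reason = validate_challenge_response(status, body, key_auth)
    # The token file has no extension, so a default static handler guesses
    # application/octet-stream; the mimeMap in the web.config above forces text/plain.
    # The issuer does not require text/plain, so this is reported rather than fatal.
    return {"ok": ok, "reason": reason, "content_type": content_type,
            "plain_text": content_type.startswith("text/plain")}


if __name__ == "__main__":
    print(json.dumps(run_local_preflight(), indent=2))
```

Run it with no arguments and it prints the verdict for the local stand-in; to check a deployed Web App instead, copy the file written by `write_challenge_file` into the site's public root and point `fetch` at `http://<your-hostname>/.well-known/acme-challenge/<token>`. A non-200 status or a body mismatch is exactly what a missing or misconfigured web.config in the `.well-known` directory produces.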
There are, however, a couple of things to consider with this approach:
- The certificates are only valid for three months
- In Azure DevOps, it's not possible to schedule certificate generation for a specific timeframe.
Nevertheless, this approach has helped us to focus on what matters to us, such as time and quality of work.
As always, our team is continuously working on ways to automate as many processes as possible, including building and publishing packages, deployments and managing Git responses! We hope you found this tutorial useful! :)