How to Install an SSL Certificate for Free Using Let’s Encrypt on Azure

The internet is a vast network of communication and information channels where personal data is continuously being transferred. Consider the number of times each day that you log in to a website, application or network; the number of times you purchase something online with debit, credit, or bank information; and more.

As uncertainty about the protection of personal privacy continues to rise, it’s important for online consumers to feel a sense of security when perusing your website. It's also important for the online community to be protected from data breaches, hackers, etc. These are just two of the numerous reasons why it's important that your website is secured – and that begins with an SSL (Secure Sockets Layer) certificate.

In this post, we’ll dive further into the importance of the SSL certificate and how to install one on your Microsoft Azure app service using Let’s Encrypt for FREE!

What is an SSL? Why is it Necessary?

Controlling upwards of 57% of the internet browser market share, Google Chrome is far and away the most popular browser option. If you’re one of the majority of internet users on Chrome, you’ve probably noticed that on certain sites, there is a dark gray/black lock icon to the left of the URL in the address bar. This is how Chrome indicates that the website you are visiting is secured through an SSL certificate.

Conversely, sites that do not have an SSL certificate will be denoted as “Not secure.”

The SSL certificate lets the browser and the server set up an encrypted connection for transferring information across the internet. The data is encrypted in a way that only the user's computer and the secure end server can read. SSL certificates are most prominently used on web pages containing login information, contact forms, payment and banking information, etc. This ultimately prevents potential hackers and bots from intercepting any personal or financial information.

The implementation of an SSL certificate is an important, if not necessary, measure that websites must take. In fact, one study found that 51% of users say they would immediately leave the site if it was unsecure.

That said, installing an SSL certificate also has some SEO benefits. While it’s not a direct ranking factor, meaning the presence of an SSL certificate alone will not increase your rank, it does, at the very least, not hurt your bounce rate, whereas not having an SSL certificate – as shown above – has a very obvious and detrimental impact. Additionally, Google values sites that are deemed secure, so if all else is equal between two websites except for the SSL certificate, the secure site will most likely rank higher than the other.

You are able to purchase SSL certificates on Microsoft’s website or through hosting providers, such as GoDaddy, but you can also install the security measure for free while still benefiting from the same level of data encryption as paid certificates. eCommerce sites, government websites, and banks are all encouraged to purchase a more advanced certificate, but your website likely does not require such stringent measures.

Steps to Install an SSL Certificate on Azure using Let’s Encrypt

Microsoft Azure is a cloud computing platform used by software engineers and solutions architects, who use Microsoft’s data centers to develop applications and services for clients. You can secure your own website on Azure by following these steps.

Step 1 - Adding Let's Encrypt Site Extension

  1. Navigate to portal.azure.com in your browser.
  2. Go to “App Services” on the far-left menu.
  3. Under the “Filter by name...” search bar, enter the name of the website you are adding SSL to and click on it.
  4. Under the App Service menu on the left, type “Advanced Tools” into the search bar. Open up Advanced Tools.
  5. Click the button labeled “Go” with the arrow next to it under Advanced Tools. This will open a new tab called Kudu where you can manage your site's extensions.
  6. Click on the “Site Extensions” button in the top right of the navbar.
  7. Click on the “Gallery” button on the Site Extensions page.
  8. Click the Plus icon under the “Azure Let’s Encrypt” extension on the search page. You may have to search for this extension specifically.
  9. When presented with an acknowledgment popup, press the install button.
  10. Wait until you get a popup next to the “Restart Site” button in the top right of the screen. Once this popup appears, hit the “Restart Site” button and wait for it to complete.
  11. Navigate to the installed extensions portion of Kudu.
  12. Click the “Play” button icon on the Azure Let’s Encrypt extension. This will open a new tab where you can configure the extension. This may take a while to load.
  13. Scroll down on the newly opened page until you come to a section named “Automated Installation.” We will walk through the steps to fill out each of these fields one at a time.

Step 2 - Acquire Tenant

  1. Navigate to portal.azure.com in your browser.
  2. Click on the “App Services” button in the left menu bar.
  3. Search for your app service with the “Filter by name…” search bar at the top of the page and click on your app service.
  4. Click on the “Overview” button in the left submenu if it is not already selected.
  5. Click on the “Resource Group” link in the overview section. This will take you to the resource group page.
  6. Click on the “Subscription” link under the overview for the resource group you previously clicked on.
  7. Copy the value labeled “Directory” in the overview for the subscription. If applicable, copy only the URL, not the part of the string that says “Default Directory.”
  8. The tenant should look something like “username.onmicrosoft.com.”
  9. Navigate back to Kudu and paste this value in for the field labeled “Tenant.”

Step 3 - Acquire Subscription ID

  1. Navigate to portal.azure.com in your browser.
  2. Click on the App Services tab on the far left menu and search for the app service you are adding SSL to, just like in Step 1, task 3.
  3. Click on “Overview” in the App Service menu if it is not already selected.
  4. Copy the value under the “Subscription ID” section of the app overview.
  5. Navigate back to Kudu and paste this value into the field labeled “SubscriptionId.” Make sure to take out all the zeroes placed in the field by default.

Step 4 - Get Client ID & Client Secret

  1. Navigate to portal.azure.com in your browser.
  2. Once again, search for your App Service on the far-left menu.
  3. Click on overview and copy the field labeled “URL.” Keep this for the next step.
  4. Click on the “Azure Active Directory” button on the far-left menu:
  5. Click on the “App registrations” button on the submenu on the left.
  6. Click on the “New registration” button at the top of this page.
  7. You will be presented with a form to fill out to create this new app registration.
  8. For name, use the name of the website followed by “Let’s Encrypt SSL.” For example, adding SSL to Google would produce the name “Google Let’s Encrypt SSL.”
  9. For “Supported Account Types,” select the “Accounts in this organizational directory only” option.
  10. Finally, under redirect URI, paste the value that we acquired from the overview section in step 3c. Change “http” in the URL to “https.”
  11. A complete form may look something like this:
  12. Hit the submit button on the form to create the new App Registration.
  13. NOTE: You may have to use the owner account if you can’t create it with your personal account. Acquire this account from the current IT staff.
  14. Navigate to the newly created App Registration and click on the “Overview” section. Copy the value labeled “Application (client) ID”.
  15. Navigate back to Kudu and paste this value into the section labeled “ClientId.”
  16. Next, you are going to get the value for the ClientSecret field. Navigate back to the overview section for the new App Registration you just created. Click on the “Certificates and Secrets” button in the left submenu.
  17. Under the “Client Secrets” section, click on “New client secret” to create a new key:
  18. In the popup, fill in the same name you used for the App Registration for the “Description” field on this new key.
  19. Set the “Expires” field to Never.
  20. Finally, hit the add button at the bottom of the screen. Your configuration should look something like this:
  21. Copy the newly created key into a notepad file or somewhere where it is safe. Make sure to keep track of this key. It can NEVER be viewed again after you see it this one time.
  22. Navigate back to Kudu and paste this value into the field labeled “ClientSecret.”
  23. Kudu should now have the first four values in the field filled in and look something like this: DO NOT COPY THE VALUES FROM THIS IMAGE.

Step 5 - Add Role Assignment to Resource Group

  1. Navigate to portal.azure.com in your browser.
  2. Click on the “Storage Accounts” button on the far left menu.
  3. If the client has an existing storage account, these steps can be ignored.
    • Click the add button at the top of the screen:
    • You will be presented with a form to create this new storage account.
    • Under storage account name, enter the name of the website, all lowercase with no spaces, e.g. defaultstorageaccount for Default Storage Account.
    • To find the location for this storage account, navigate back to the overview for the App Service you are adding. Use the same location that is under this overview:
    • Performance: Leave default.
    • Account kind: Leave default.
    • Replication: Leave default.
    • Access tier: Hot.
    • Your form should look something like this when you are done:
    • Click on the “Review + create” at the bottom of the screen. This will take you to the review page. If there is a popup saying “Validation Passed” at the top of the screen, go ahead and hit the “create” button at the bottom of the screen.
    • Wait until the title “Your deployment is underway” changes to “Your deployment is complete” or you receive a popup telling you the deployment was complete. Then, click on the “Go to resource” button.
  4. Next, acquire the resource group that the App Service runs in by navigating to the overview for the App Service and finding the field called “Resource Group.” Copy this value.
  5. Next, click on the link in the App Service overview titled Resource Group that you just viewed. This will take you to that Resource Group’s page.
  6. Click on the IAM submenu under this resource group:
  7. Click on the Add button at the top of the screen and click the “Add role assignment” button in the dropdown:
  8. In the newly presented form, select Contributor for the role.
  9. Under “Assign Access To,” choose “Azure AD user, group, or service principal.”
  10. Finally, under the select menu, type in the name of the App Registration that you created in step 1f. It should be named something like “CompanyName Let’s Encrypt SSL.”
  11. Your form should look something like this after it has been filled out:
  12. Click the save button at the bottom of the form.
  13. Next, we need to get the storage account connection string from the storage account we created earlier. Navigate to portal.azure.com in your browser.
  14. Click on the storage accounts button on the left main menu.
  15. Click on the new storage account that we created in Step 3, task 3, or the name of the storage account that already existed for this client:
  16. Click on the “Access Keys” button on the Storage Account submenu on the left:
  17. Copy the key labeled “Connection string” under the “Key1” section of the “Access Keys” screen.
  18. Copy this key down; you will need it in multiple places later on.
  19. Navigate back to your App Service that you are adding SSL onto and click on the “Configuration” button on the left submenu.
  20. Under the “Application Settings” section, click the button titled “New application setting.” You will be doing this twice.
    • You will be presented with a form:
      1. In the presented form, put “AzureWebJobsDashboard” for the “Name” field.
      2. For the “Value” field, put the connection string that we found in step 4, task 17.
      3. Do not check the box labeled “deployment slot setting.”
      4. It should look something like this:
      5. Click on the “Update” button at the bottom of the screen.
    • Click the “New application setting” button one more time to bring up the form again:
      1. In the presented form, put “AzureWebJobsStorage” for the “Name” field. This is a different value than the first one!
      2. For the “Value” field, put the connection string that we found in step 4, task 17.
      3. Do not check the box labeled “deployment slot setting.”
      4. It should look something like this:
      5. Click on the “Update” button at the bottom of the screen.
  21. Click the “Save” button at the top of the Configuration screen.
  22. Finally, you are ready to fill in the last values on Kudu.
  23. Navigate back to your App Service you are adding SSL to and copy the field labeled “Resource Group.”
  24. Navigate back to Kudu and paste these values into both fields titled “ResourceGroupName” and “ServicePlanResourceGroupName.” Kudu should look something like this:

Step 6 - Final Steps

  1. Under the “UseIPBasedSSL” checkbox, leave this unchecked.
  2. Leave the “WebAppName” as it comes prefilled.
  3. Leave “Site SlotName” blank.
  4. Check the box marked “Update Application Settings and Virtual Directory.” This may bring up a warning about restarting the site. This is normal and can be ignored. At this point, Kudu should look something like this:
  5. When ready, click the blue “Next” button in the bottom right corner of the screen to continue with installing SSL. This may take a while to load so be patient while it processes.
  6. NOTE: If you receive any kind of errors, they will show up on the page after it completes processing. Often, your account may not have permissions to process the changes. In that case, try logging in using the owner account which can be acquired from IT and submitting the form again.
  7. NOTE: If you receive an error along the lines of “Microsoft.Rest.Azure.CloudException: The client '3401a0b9-11fe-4752-b2da-543ed1e3ab93' with object id '3401a0b9-11fe-4752-b2da-543ed1e3ab93' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/279e6f78-377c-47cb-b467-04613a96c81a/resourceGroups/Default-Web-SouthCentralUS/providers/Microsoft.Web/sites/xxxxxxxxxxxx'” it’s most likely that IAM was not set correctly for the resource group. Go back to step 4, task 5 and ensure the directions were followed correctly.
  8. If everything goes correctly, there should be a loading screen that lets you know that the configuration is processing. Then you should be redirected to a page titled “Custom Domains and SSL.” Click on the next button at the bottom right of the screen.
  9. Then you will be sent to a page called “Request and Install Certificate.”
  10. Under the hostnames section, select all the hosts. This can be done by clicking the first host name, scrolling down to the bottom of the list, and shift clicking the last hostname.
  11. Enter your email or the email for a developer that will be sent an email if the certificate is about to expire.
  12. Leave the “UseStaging” checkbox blank.
  13. Finally, click the button in the bottom right labeled “Request and Install Certificate.”
  14. The page will automatically redirect to the next screen, which will show you that the certificates have been successfully installed:
  15. Congrats! You’ve successfully installed SSL on your website!
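
To diagnose the authorization error quoted in the Step 6 NOTE, this added example (not part of the original post or of the Let's Encrypt extension) parses the message and checks it against a list of role assignments, confirming whether the Contributor role from Step 5 actually covers the denied scope. The function names and the two assignment lists are assumptions made for illustration; the IDs and message text are the ones quoted in the NOTE.

```python
import re

# Shape of the authorization failure quoted in the Step 6 NOTE above.
AUTHZ_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' does not "
    r"have authorization to perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def parse_authz_error(message):
    """Extract principal, action, scope and resource group from the error text."""
    m = AUTHZ_RE.search(message)
    if m is None:
        return None
    info = m.groupdict()
    rg = re.search(r"/resourceGroups/([^/]+)", info["scope"], re.IGNORECASE)
    info["resource_group"] = rg.group(1) if rg else None
    return info

def covers(assigned_scope, denied_scope):
    """Role assignments inherit downward: a scope covers itself and its children."""
    parent, child = assigned_scope.rstrip("/").lower(), denied_scope.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")

def diagnose(message, assignments, wanted_role="Contributor"):
    """Return (ok, reason) for the principal named in the error message."""
    info = parse_authz_error(message)
    if info is None:
        return False, "not an authorization error"
    mine = [a for a in assignments if a["principalId"].lower() == info["object_id"].lower()]
    if not mine:
        return False, "no role assignment for this principal"
    in_scope = [a for a in mine if covers(a["scope"], info["scope"])]
    if not in_scope:
        return False, f"role assigned outside resource group {info['resource_group']}"
    if not any(a["roleDefinitionName"] == wanted_role for a in in_scope):
        return False, f"in scope, but role is not {wanted_role}"
    return True, "assignment covers the denied scope"

# Constructed sample rows, shaped like `az role assignment list --all -o json` output.
SP = "3401a0b9-11fe-4752-b2da-543ed1e3ab93"
SUB = "/subscriptions/279e6f78-377c-47cb-b467-04613a96c81a"
ERROR = (f"Microsoft.Rest.Azure.CloudException: The client '{SP}' with object id '{SP}' "
         "does not have authorization to perform action 'Microsoft.Web/sites/read' over scope "
         f"'{SUB}/resourceGroups/Default-Web-SouthCentralUS/providers/Microsoft.Web/sites/xxxxxxxxxxxx'")
WRONG = [{"principalId": SP, "roleDefinitionName": "Contributor",
          "scope": f"{SUB}/resourceGroups/Example-Other-RG"}]
FIXED = [{"principalId": SP, "roleDefinitionName": "Contributor",
          "scope": f"{SUB}/resourceGroups/Default-Web-SouthCentralUS"}]
if __name__ == "__main__":
    print(diagnose(ERROR, WRONG), diagnose(ERROR, FIXED))
```

A result of `False` with the "outside resource group" reason means the role was granted on a different resource group than the one the App Service runs in.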

Final Configuration

Set HTTPS Only

  1. Navigate to portal.azure.com in your browser.
  2. Navigate to your App Service that is running your website.
  3. Click on the “Custom Domains” menu button in the left submenu.
  4. Turn the “HTTPS Only” option to on.

Set Always On

  1. Navigate to portal.azure.com in your browser.
  2. Navigate to your App Service that is running your website.
  3. Click on the “Configuration” option in the left submenu.
  4. Next, click on “General Settings” at the top of the configuration page:
  5. Finally, press “On” for the “Always On” setting in the general settings page.
  6. Hit save on the top of the general settings page.

Protect Your Information

Keep hackers from invading your business’ information, including your customers’. Our professional developers can secure your website and help you to continually gain approval of your target audience by installing an SSL certificate on the site. Entrust our team with your software solutions needs, and we’ll deliver quality results your employees and consumers will love. Visit us online today to schedule your free digital marketing consultation!