Securing MSPControl and WebDAV on Azure with Let's Encrypt

You should have Notepad (or another note-taking application) open for this.

The first few things we will put on this note pad are the following:

  1. Subscription ID (you can find this in Cost Management + Billing – Overview)
  2. Tenant ID (you can find this in Azure Active Directory under Properties, “Directory ID”)
  3. Resource Group Name (you can find this under Resource Groups; if you have more than one, make sure you choose the one in which you installed your MSPControl app)
  4. App Service Plan Name (you can find this by opening one of the apps and selecting App Service Plan; it will be in bold letters at the top left of the page)


You want to make sure your App Service Plan allows Custom Domains and SSL; I would normally select tier S1 or above.

ADD CUSTOM DOMAIN

If you haven’t done so already, head into the Custom Domains menu for your App Service and add your custom domain (hostname) to both the Portal and WebDAV apps. You’ll need to create DNS records to verify each hostname, and those instructions vary depending on where you manage your DNS records.

ADD STORAGE ACCOUNT

If you want to take advantage of the automatic renewal in the Let’s Encrypt Site Extension we’ll be using, you’ll need a Storage Account created within your Resource Group. In your Resource Group, click Add, search for storage account, select Storage Account – Blob, File, Table, Queue, then click Create. Give it a unique name; you can keep all of the other settings at their defaults. For Resource Group, click Use Existing and select the same Resource Group as your App Service.

LINK STORAGE TO APP SERVICE

  • In your new Storage Account, click on Access Keys and copy the Connection String for key1. It should look something like this:
    DefaultEndpointsProtocol=https;AccountName={storage account name};AccountKey={storage account key}
  • Now go to your App Service and open Application Settings. Scroll down to the Application Settings section and click Add New Setting.
  • You’ll need to add two settings. The names are AzureWebJobsStorage and AzureWebJobsDashboard.
  • The Value for both is the Connection String you copied from your Storage Account.
  • Click Save at the top when done.
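The same linking step can be scripted and sanity-checked before anything is pasted into the portal. The following is an added example, not code from the MSPControl documentation: it validates that the string copied from Access Keys has the shape shown above, extracts the AccountName so you can confirm it is the account you just created, and then applies both settings with the Azure CLI (`az webapp config appsettings set`). The resource group name, app name and sample connection string are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the MSPControl docs). Assumes the Azure CLI is
# installed and `az login` has been run; every value below is a placeholder.

# Return 0 when the string carries the three parts shown in the docs and uses https.
check_connection_string() {
    cs="$1"
    case "$cs" in
        *"DefaultEndpointsProtocol=https;"*) ;;
        *) echo "connection string must use DefaultEndpointsProtocol=https" >&2; return 1 ;;
    esac
    case "$cs" in
        *"AccountName="*) ;;
        *) echo "connection string is missing AccountName=" >&2; return 1 ;;
    esac
    case "$cs" in
        *"AccountKey="*) ;;
        *) echo "connection string is missing AccountKey=" >&2; return 1 ;;
    esac
    return 0
}

# Print the AccountName value so you can confirm it is the account you created.
connection_string_account() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^AccountName=//p'
}

# Push the value into both settings the Let's Encrypt WebJob reads.
# With DRY_RUN=1 the command is printed instead of run (the key is never echoed).
link_storage() {
    rg="$1"; app="$2"; cs="$3"
    check_connection_string "$cs" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'az webapp config appsettings set -g %s -n %s --settings AzureWebJobsStorage=<redacted> AzureWebJobsDashboard=<redacted>\n' "$rg" "$app"
        return 0
    fi
    az webapp config appsettings set -g "$rg" -n "$app" \
        --settings "AzureWebJobsStorage=$cs" "AzureWebJobsDashboard=$cs" >/dev/null
}

# Usage with constructed sample values (DRY_RUN=1 so nothing is sent to Azure):
SAMPLE_CS='DefaultEndpointsProtocol=https;AccountName=mspcontrolstore;AccountKey=c29tZS1iYXNlNjQta2V5PT0=;EndpointSuffix=core.windows.net'
check_connection_string "$SAMPLE_CS" && echo "connection string OK for account $(connection_string_account "$SAMPLE_CS")"
DRY_RUN=1 link_storage my-resource-group mspcontrol-portal "$SAMPLE_CS"
```

Keep in mind that these two settings hold the storage account's full-access key: anyone who can read the App Service configuration can read it, so if the key is ever exposed, regenerate key1 under Access Keys and update both settings.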

CREATE A SERVICE PRINCIPAL

For this step, you’ll need to go into the Azure Active Directory menu in your Azure Portal.

You must do this for each App Service you would like to secure with Let’s Encrypt.

  1. Click App Registrations, then New Application Registration.
  2. Give it a name, use the Custom Domain you added as the Sign-On URL, and click Create.
  3. Once you have created the App Registration, copy the Application ID to your note pad as shown below; once you have done that, click Settings.
  4. In Settings click Keys and create a new key with the description login and an Expires duration of Never. Click Save, then copy the Key Value to your note pad, because you’ll never see that key again and we’ll need it later.

ASSIGN OUR APP REGISTRATION ROLES

Go to Resource Groups and click into the Resource Group you’re using for your App Service. Click Access Control (IAM) and click Add. Change the Role to Contributor, type the name of your App Registration in Select, click on it, and click Save as shown below.
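The service principal and role assignment above can also be created from the Azure CLI, which makes the scope of the Contributor role explicit. This is an added example, not part of the MSPControl documentation: it first checks that the Subscription ID and Tenant ID on your note pad are GUID-shaped (a pasted value with a stray character is a common reason the extension's authentication settings fail), builds the resource-group scope the role is limited to, and then runs `az ad sp create-for-rbac`, whose `appId`, `password` and `tenant` output fields are what the extension later asks for as ClientID, ClientSecret and Tenant. All names and IDs are constructed placeholders. One deliberate difference from the portal steps: the walkthrough sets the key to never expire, whereas `--years 1` here issues a one-year secret, the tighter choice if you are willing to rotate it.

```shell
#!/bin/sh
# Added example (not from the MSPControl docs). Assumes the Azure CLI and `az login`;
# every name and ID below is a placeholder for your own value.

# Return 0 when the value looks like an Azure GUID (8-4-4-4-12 hex digits).
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the scope that limits the Contributor role to one resource group.
rg_scope() {
    sub="$1"; rg="$2"
    is_guid "$sub" || { echo "subscription id is not a GUID: $sub" >&2; return 1; }
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
}

# Create the app registration + service principal with Contributor on that scope only.
# DRY_RUN=1 prints the command instead of running it.
create_letsencrypt_sp() {
    name="$1"; sub="$2"; rg="$3"
    scope=$(rg_scope "$sub" "$rg") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'az ad sp create-for-rbac --name %s --role Contributor --scopes %s --years 1\n' "$name" "$scope"
        return 0
    fi
    # The JMESPath --query renames the output fields to the extension's box names.
    az ad sp create-for-rbac --name "$name" --role Contributor --scopes "$scope" --years 1 \
        --query '{ClientID:appId,ClientSecret:password,Tenant:tenant}' -o json
}

# Usage with constructed sample values (DRY_RUN=1 so nothing is created):
SUB_ID='12345678-1234-1234-1234-123456789abc'
TENANT_ID='87654321-4321-4321-4321-cba987654321'
for id in "$SUB_ID" "$TENANT_ID"; do
    is_guid "$id" || { echo "note pad value is not a GUID: $id" >&2; exit 1; }
done
DRY_RUN=1 create_letsencrypt_sp mspcontrol-letsencrypt "$SUB_ID" my-resource-group
```

After the real run, `az role assignment list --assignee <appId> --scope <scope>` should show exactly one Contributor assignment on the resource group and nothing at subscription level; the ClientSecret in the output is the only copy you will get, just as with the portal key.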

ADD LET’S ENCRYPT APP EXTENSION

Note: you will need to perform the following steps for any app you want to add SSL to.

  1. Browse to App Services and click on your Portal App. Scroll down to Extensions under Development Tools. Click Add, then look for Azure Let’s Encrypt. Do not select the No Web Jobs option if you want it to renew your certificate automatically; select the one that just says Azure Let’s Encrypt.
  2. Now head over to the Overview section of your Portal App and click the Restart button at the top to restart your web app. The web app needs to be restarted before you can browse to the Let’s Encrypt Site Extension in the next step.
  3. Once the app has restarted, configure the Site Extension. Go back to your App, click Extensions, click the Azure Let’s Encrypt extension, then click Browse at the top left; it opens an Authentication Settings page with boxes to fill in:
  • Tenant: the Tenant ID from your note pad
  • SubscriptionID: the Subscription ID from your note pad
  • ClientID: the Application ID from your note pad
  • ClientSecret: the App Registration login key you created and copied to your note pad
  • ResourceGroupName: the Resource Group Name from your note pad
  • ServicePlanResourceGroup: the Resource Group Name from your note pad
  • UseIPBasedSSL: leave unchecked
  • WebAppName: filled in by default
  • SiteSlotName: leave blank
  • Update Application Settings: check this box
  4. Click Next, then select all of the hostnames you want a certificate for and click Request and Install Certificate (hold down CTRL to select multiple hostnames).

BIND THE SSL CERTIFICATE TO YOUR WEB APP SERVICE

  1. Head back to the App Service you’re working with and select SSL Settings from the menu.
  2. You can turn on HTTPS Only and set the minimum TLS version (1.2 is recommended but is incompatible with older browsers).
  3. Under SSL Bindings:
    • Click Add SSL Binding
    • Select your hostname from the dropdown
    • Select the Private Certificate Thumbprint from the dropdown (if it doesn’t show up, the hostname doesn’t match the Let’s Encrypt certificate you requested in one of the steps above)
    • Set the SSL Type to SNI SSL
      *If you need a static IP address for your Azure Web App, you must be on a Production App Service Plan; select IP Based SSL instead of SNI SSL and Azure will assign your web app a static IP.
    • Click Add Binding
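The binding step, together with HTTPS Only and the TLS 1.2 floor, as an added example that is not part of the MSPControl documentation. It normalises a thumbprint into the form the Azure CLI expects (a value copied out of a certificate viewer usually carries spaces or colons), applies the three settings with `az webapp update`, `az webapp config set` and `az webapp config ssl bind`, and ends with an `openssl s_client` check that the hostname now serves a certificate with that thumbprint over TLS 1.2. The hostname, app and resource group names, and the sample thumbprint, are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the MSPControl docs). Assumes the Azure CLI (`az login`)
# and openssl are installed; every name and thumbprint below is a placeholder.

# Strip spaces and colons and upper-case the hex so the value matches what
# `az webapp config ssl list` reports; reject anything that is not a 40-hex SHA-1.
normalize_thumbprint() {
    t=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    case "$t" in
        *[!0-9A-F]*|"") echo "thumbprint is not hex: $1" >&2; return 1 ;;
    esac
    [ ${#t} -eq 40 ] || { echo "SHA-1 thumbprint should be 40 hex chars, got ${#t}" >&2; return 1; }
    printf '%s\n' "$t"
}

# HTTPS Only + TLS 1.2 minimum + SNI binding of the certificate to the app.
# DRY_RUN=1 prints the commands instead of running them.
bind_certificate() {
    rg="$1"; app="$2"
    thumb=$(normalize_thumbprint "$3") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'az webapp update -g %s -n %s --https-only true\n' "$rg" "$app"
        printf 'az webapp config set -g %s -n %s --min-tls-version 1.2\n' "$rg" "$app"
        printf 'az webapp config ssl bind -g %s -n %s --certificate-thumbprint %s --ssl-type SNI\n' "$rg" "$app" "$thumb"
        return 0
    fi
    az webapp update -g "$rg" -n "$app" --https-only true >/dev/null
    az webapp config set -g "$rg" -n "$app" --min-tls-version 1.2 >/dev/null
    az webapp config ssl bind -g "$rg" -n "$app" --certificate-thumbprint "$thumb" --ssl-type SNI >/dev/null
}

# Return 0 when the certificate served for the host (via SNI, TLS 1.2) has the
# thumbprint we bound; a mismatch usually means the binding is on another hostname.
served_thumbprint_matches() {
    host="$1"
    want=$(normalize_thumbprint "$2") || return 1
    got=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" -tls1_2 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//')
    got=$(normalize_thumbprint "$got") || return 1
    [ "$got" = "$want" ]
}

# Usage with a constructed thumbprint (DRY_RUN=1 so nothing is changed in Azure):
SAMPLE_THUMB='01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67'
DRY_RUN=1 bind_certificate my-resource-group mspcontrol-portal "$SAMPLE_THUMB"
# After the real binding is in place, check the live site:
# served_thumbprint_matches portal.example.com "$SAMPLE_THUMB" && echo "binding verified"
```

Run `served_thumbprint_matches` against each hostname you bound (Portal and WebDAV); because it forces `-tls1_2` and sends the hostname as SNI, a failure tells you either that the TLS floor is not what you set or that the certificate served for that name is not the Let's Encrypt one.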

You should now have a secure site with Let’s Encrypt. Once the Let’s Encrypt certificate is configured correctly, you shouldn’t have to go through these steps again unless you change your hostname or domain.
