March 21, 2018

My Lame Way to Get LetsEncrypt SSL for Azure Web Apps

SSL (and encryption in general) is critical for a “healthy” internet, and it’s not only about securing payments and private mail. This particular “home page” has no secrets, but SSL protects it from the unexpected ads that internet providers can inject into unencrypted pages. So, I need a way to enable SSL.

I have this website running on Azure as an Azure App Service. I could use Azure’s SSL for domains like *.azurewebsites.net and then there would be nothing to do. But I have custom domains and need to manage SSL for them myself.

Here comes Letsencrypt. Since I found nothing about Windows in the first two minutes, I went to Azure and set up a VM with Ubuntu 16.04. Then I SSHed to this machine and grabbed certbot-auto:

azazeo@turkale:~$ wget https://dl.eff.org/certbot-auto

and made it executable:

azazeo@turkale:~$ chmod a+x ./certbot-auto

Looks like I should be able to go and get certificates for my domains. As I ran it not on the actual web server and only wanted to get a certificate, I passed the certonly parameter to certbot; I also selected the DNS challenge to prove ownership of the domains.

sudo ./certbot-auto certonly --manual -d tabakerov.name -d maybe.ninja -d amionline.today --preferred-challenges dns

…aaand it failed:

...
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1

I fixed it by setting these two environment variables:

azazeo@turkale:~$ export LC_ALL="en_US.UTF-8"
azazeo@turkale:~$ export LC_CTYPE="en_US.UTF-8"

And it ran just fine. It asked me for an email, something about IP and the ToS… Then it asked me to add TXT records with the given values to my domains to prove that I own them. I manage my domains with Amazon Route 53, and there was nothing tricky about it.

As a result, there were two files in /etc/letsencrypt/live/tabakerov.name/: fullchain.pem and privkey.pem. I copied them to my home folder. As Azure requires the certificate in *.pfx format, I used the following command to convert it:

openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out cert.pfx

It asked for a password to protect the resulting certificate and generated the required *.pfx file. I copied it from the remote Ubuntu VM with SCP and uploaded it to the Azure App Service that I wanted to protect with SSL. Then I added an SSL binding using that certificate (in the SSL certificates blade) and turned on “HTTPS Only” (in the Custom domains blade).
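Below is an added example, not part of the original post, that wraps the openssl conversion above with the checks worth running before the bundle goes to Azure: it confirms the private key belongs to the leaf certificate, checks how many days of validity are left, builds the PFX with the export password read from a PFX_PASSWORD environment variable (an assumed name) instead of an interactive prompt, and counts the certificates inside the PFX so you can see that the intermediate from fullchain.pem went in. It assumes a Linux box with openssl on PATH, like the Ubuntu VM in the post.

```shell
#!/usr/bin/env bash
# Added example: PEM -> PFX conversion with sanity checks, so it can run unattended.
set -euo pipefail

# The private key must belong to the leaf certificate (first cert in the file).
# Compare the public keys: a mismatched pair yields a PFX Azure cannot serve.
key_matches_cert() {
  local key="$1" cert="$2" key_pub cert_pub
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds if the leaf certificate is still valid for at least DAYS more days.
# Let's Encrypt certificates last 90 days, so a renewal job watches this.
cert_valid_for_days() {
  local cert="$1" days="$2"
  openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Build the PFX. The export password comes from $PFX_PASSWORD (assumed name)
# rather than a prompt, and the file is created with owner-only permissions
# because it contains the private key.
make_pfx() {
  local key="$1" chain="$2" out="$3"
  : "${PFX_PASSWORD:?set PFX_PASSWORD to the export password}"
  if ! key_matches_cert "$key" "$chain"; then
    echo "private key does not match certificate in $chain" >&2
    return 1
  fi
  ( umask 077 && openssl pkcs12 -export -inkey "$key" -in "$chain" \
      -out "$out" -passout env:PFX_PASSWORD )
}

# Number of certificates stored in the PFX: fullchain.pem should give the leaf
# plus at least one intermediate, a bare cert.pem only the leaf.
pfx_cert_count() {
  local pfx="$1"
  openssl pkcs12 -in "$pfx" -nokeys -passin env:PFX_PASSWORD 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}
```

A count of 1 from pfx_cert_count means only the leaf was packaged, which is what you get by feeding cert.pem instead of fullchain.pem to openssl.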

That’s it!

TODO: AUTOMATE IT!!!

© Dmitry Tabakerov, 2018
