Let's Encrypt Certificates on the Azure Application Gateway
The Security Principles
The Web’s trustworthiness has become critical to its success
Furthermore, confidentiality -- while arguably not always strictly necessary -- is often needed
The Web platform should be designed to actively prefer secure communication
Barriers to adopting "https://" should be removed where feasible
The end-to-end nature of TLS encryption must not be compromised on the Web
Educating and interacting with users regarding security is notoriously difficult. 🙄 (Emoticon mine)
Cryptography will not solve all security problems in the Web platform
https://www.w3.org/2001/tag/doc/web-https
There is a massive push in the industry to make every site on the public Web secure. The latest Chrome version marks websites as "Not secure" when they are served over plain HTTP, see below:
[Screenshot: Chrome "Not secure" warning. None other than the UN delivers content over HTTP; it also serves HTTPS, but still.]
Let's encrypt to the Rescue
The service aims to provide certificates for FREE to anyone. It issues close to 600,000 certificates per day.
[Screenshot: Let's Encrypt issuance statistics. Lots of certs issued, daily.]
Fantastic, my setup is as follows:
An IaaS scale set of 2 VMs running a website on IIS. These boxes are not publicly accessible.
A Web Application Firewall tier (WAF) using the Azure Application Gateway
First
The not-so-good news: it is tricky. Let's Encrypt only issues domain-validated (DV) certificates, because those are the only kind that can be fully automated; Organization Validation and Extended Validation certificates are not available. With the default HTTP-01 challenge, the host that requests the certificate must answer on port 80 from the public Internet, which the IIS nodes behind the gateway cannot do. (Let's Encrypt also offers a DNS-01 challenge that proves control of the DNS zone instead of a reachable host; the setup below uses HTTP-01 on a separate Linux box.)
How-To
Having Free Certificates in this configuration
The elements I used for this lab:
1 Windows ScaleSet in Azure with 2 VMs
- I installed the public certificates here on the IIS. Do not bind the IIS HTTPS site to the host name; a host-name-bound binding can cause connection issues from the gateway.
A public DNS service. Any service does the job
1 Linux Box
I ran the Let's Encrypt bot (certbot) from this box, and the public DNS A record for the site name pointed to it.
Once the Certificate was issued, I exported the .cer and the .pfx
1 Azure Application Gateway
Firewall Enabled
Firewall mode set to Prevention
Configured as WAF
Listener configured over HTTPs
Rule Set OWASP 3.0
The private (.pfx, certificate plus key) cert on the HTTPS listener for the front end, and the public (.cer) cert as the authentication certificate on the back-end HTTP settings, so the gateway trusts the IIS nodes for end-to-end TLS.
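The Linux-box half of the procedure above, written out as an added bash example (these are not the commands from the original post): issue the certificate with certbot over HTTP-01, export the `.pfx` and `.cer` that Azure expects, check that the two really belong to the same key before uploading, and push them plus the WAF settings to the Application Gateway with the az CLI. The domain, the resource group, the gateway name and the listener/HTTP-settings names are hypothetical placeholders; the listener and HTTP-settings names assume the portal defaults. The offline demo at the bottom uses a constructed self-signed certificate as a stand-in for certbot's output so the export and the check can be run without a public host or an Azure subscription.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands. Names below are placeholders.
set -euo pipefail

DOMAIN="${DOMAIN:-www.example.com}"   # assumed site name; its A record must point at this box

# Step 1: HTTP-01 validation. certbot answers on port 80 itself, so THIS host
# (not the IIS nodes behind the gateway) must be reachable from the Internet.
# Output lands in /etc/letsencrypt/live/$DOMAIN/{fullchain.pem,privkey.pem}.
issue_cert() {
  certbot certonly --standalone --non-interactive --agree-tos \
    -m "hostmaster@${DOMAIN#www.}" -d "$DOMAIN"
}

# Step 2: build the two artefacts Azure needs.
#   $1 private key, $2 full chain (PEM), $3 PFX password, $4 output dir
#   -> $4/$DOMAIN.pfx  (key + chain) : HTTPS listener (front end)
#   -> $4/$DOMAIN.cer  (leaf, DER)   : back-end authentication certificate
export_for_azure() {
  local key="$1" chain="$2" pfx_pass="$3" out="$4"
  openssl pkcs12 -export -inkey "$key" -in "$chain" \
    -passout "pass:$pfx_pass" -out "$out/$DOMAIN.pfx"
  # 'openssl x509' reads only the first certificate in the file, i.e. the leaf.
  openssl x509 -in "$chain" -outform DER -out "$out/$DOMAIN.cer"
}

# Pre-upload check: the .cer must be the public half of the key inside the
# .pfx, otherwise the gateway will not trust the IIS nodes and end-to-end TLS
# fails. Returns 0 when the SHA-256 of both public keys match.
keys_match() {
  local pfx="$1" pfx_pass="$2" cer="$3" a b
  a=$(openssl pkcs12 -in "$pfx" -passin "pass:$pfx_pass" -nokeys -clcerts \
        | openssl x509 -pubkey -noout | openssl sha256)
  b=$(openssl x509 -in "$cer" -inform DER -pubkey -noout | openssl sha256)
  [ "$a" = "$b" ]
}

# Step 3: Application Gateway (v1 SKU) wiring with the az CLI.
#   $1 resource group, $2 gateway name, $3 pfx, $4 pfx password, $5 cer
configure_appgw() {
  local rg="$1" gw="$2" pfx="$3" pfx_pass="$4" cer="$5"
  # private cert for the HTTPS listener (front end)
  az network application-gateway ssl-cert create -g "$rg" --gateway-name "$gw" \
    -n "${DOMAIN}-frontend" --cert-file "$pfx" --cert-password "$pfx_pass"
  az network application-gateway http-listener update -g "$rg" --gateway-name "$gw" \
    -n appGatewayHttpListener --ssl-cert "${DOMAIN}-frontend"
  # public cert the gateway must trust on the back-end (IIS) side
  az network application-gateway auth-cert create -g "$rg" --gateway-name "$gw" \
    -n "${DOMAIN}-backend" --cert-file "$cer"
  az network application-gateway http-settings update -g "$rg" --gateway-name "$gw" \
    -n appGatewayBackendHttpSettings --protocol Https --port 443 \
    --auth-certs "${DOMAIN}-backend"
  # WAF in Prevention mode with the OWASP 3.0 rule set, as in the post
  az network application-gateway waf-config set -g "$rg" --gateway-name "$gw" \
    --enabled true --firewall-mode Prevention \
    --rule-set-type OWASP --rule-set-version 3.0
}

# Offline demo: a constructed self-signed cert stands in for certbot's output.
make_stub_cert() {   # $1 output dir -> $1/privkey.pem + $1/fullchain.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$DOMAIN" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_stub_cert "$d"
  export_for_azure "$d/privkey.pem" "$d/fullchain.pem" 'changeit' "$d"
  keys_match "$d/$DOMAIN.pfx" 'changeit' "$d/$DOMAIN.cer" \
    && echo "pfx/cer pair is consistent: $d"
}

demo
```

For the real run, call `issue_cert`, then `export_for_azure /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/fullchain.pem '<password>' <dir>`, run `keys_match` on the result, and only then `configure_appgw`. The same `.pfx` is what gets imported into IIS on the scale set VMs. If the portal or CLI rejects the `.pfx`, note that OpenSSL 3 changed the default PKCS#12 algorithms; re-exporting with `openssl pkcs12 -export -legacy` is the first thing to try.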
How does it look
Conclusion
It is possible and works perfectly.
Doing some googling, there seems to be a less complicated way, which I haven't tried:
LeSslCertToAzure, a PowerShell module that creates a TLS cert and applies it to the Azure App Gateway. I will test it eventually.
Roberto