Let's Encrypt Certificates on the Azure Application Gateway

The Security Principles

  1. The Web’s trustworthiness has become critical to its success

  2. Furthermore, confidentiality -- while arguably not always strictly necessary -- is often needed

  3. The Web platform should be designed to actively prefer secure communication

  4. Barriers to adopting "https://" should be removed where feasible

  5. The end-to-end nature of TLS encryption must not be compromised on the Web

  6. Educating and interacting with users regarding security is notoriously difficult. 🙄 (Emoticon mine)

  7. Cryptography will not solve all security problems in the Web platform

https://www.w3.org/2001/tag/doc/web-https

There's a massive push in the industry to make all Websites on the Public Web secure. The latest Chrome version websites as non-secure if served over HTTP, see below:

[caption id="" align="aligncenter" width="1920"]

None other than the UN delivers content over HTTP, it also does HTTP(s). But still[/caption]

Let's encrypt to the Rescue

The service aims to provide certificates for FREE to anyone. It delivers close t0 600,000 certificates per day.

[caption id="" align="aligncenter" width="940"]

Lots of certs issued, daily[/caption]

Fantastic, my setup is as follows:

  • An IaaS scaleset of 2 VMs runing a website on IIS. These boxes are not publicly accesible

  • A Web Application Firewall tier (WAF) using the Azure Application Gateway

First

The not so good news: It's tricky and it is like this because only domain validated certificates are issued. This means that the host requesting the certificate must be publicly accesible. Only domain-validated certificates are being issued, since they can be fully automated. Organization Validation and Extended Validation Certificates are not available.

How-To

Having Free Certificates in this configuration

The elements I used for this lab:

  • 1 Windows ScaleSet in Azure with 2 VMs

    • I installed the public certificates here on the IIS. Do not map the name on the IIS these can cause connection issues.
  • A public DNS service. Any service does the job

  • 1 Linux Box

    • I ran the Let's Encrypt Bot from this box and the DNS A record was pointing to it.

    • Once the Certificate was issued, I exported the .cer and the .pfx

  • 1 Azure Application Gateway

    • Firewall Enabled

    • Firewall mode set to Prevention

    • Configured as WAF

    • Listener configured over HTTPs

    • Rule Set OWASP 3.0

    • The public (.cer) for the back-end and private (.pfx) for the front-end certs

How does it look

Conclusion

It is possible and works perfectly.

Doing some googling there seems to be a less complicated way; which I haven't tried:

LeSslCertToAzure a Powershell module to create a TLS cert and apply it to the Azure App Gateway. Will test it, eventually.

Roberto