
Let's Encrypt Certificates on the Azure Application Gateway


I'm a technologist in love with almost all things tech, from my daily job in the Cloud to my Master's in Cybersecurity and the journey all along.

The Security Principles

  1. The Web’s trustworthiness has become critical to its success

  2. Furthermore, confidentiality -- while arguably not always strictly necessary -- is often needed

  3. The Web platform should be designed to actively prefer secure communication

  4. Barriers to adopting "https://" should be removed where feasible

  5. The end-to-end nature of TLS encryption must not be compromised on the Web

  6. Educating and interacting with users regarding security is notoriously difficult. 🙄 (Emoticon mine)

  7. Cryptography will not solve all security problems in the Web platform

https://www.w3.org/2001/tag/doc/web-https

There's a massive push in the industry to make all websites on the public Web secure. The latest Chrome version marks websites as not secure if served over HTTP, see below:

Figure (Chrome on the UN website): None other than the UN delivers content over HTTP; it also does HTTPS, but still.

Let's Encrypt to the Rescue

The service aims to provide certificates for FREE to anyone. It delivers close to 600,000 certificates per day.

Figure: Let's Encrypt issuance statistics. Lots of certs issued, daily.

Fantastic, my setup is as follows:

  • An IaaS scale set of 2 VMs running a website on IIS. These boxes are not publicly accessible

  • A Web Application Firewall (WAF) tier using the Azure Application Gateway

First

The not so good news: it is tricky, and it is like this because Let's Encrypt issues only domain-validated certificates. Validation is fully automated (that is the point of the service), so the CA has to reach the host behind the requested name: with the HTTP-01 challenge, the host that the DNS record points to must be publicly accessible on port 80 while the certificate is being issued. Organization Validation and Extended Validation certificates are not available.

How-To

Having Free Certificates in this configuration

The elements I used for this lab:

  • 1 Windows ScaleSet in Azure with 2 VMs

    • I installed the certificate here on IIS, on the HTTPS binding (the binding needs the .pfx, since that is where the private key lives). Do not set a host name on the IIS binding; that can cause connection issues.
  • A public DNS service. Any provider does the job.

  • 1 Linux Box

    • I ran the Let's Encrypt client (certbot) from this box, with the site's DNS A record pointing to it while the certificate was issued (afterwards the A record has to point at the Application Gateway's public IP again).

    • Once the Certificate was issued, I exported the .cer and the .pfx

  • 1 Azure Application Gateway

    • Firewall Enabled

    • Firewall mode set to Prevention

    • Configured as WAF

    • Listener configured over HTTPS

    • Rule set: OWASP 3.0

    • Certificates: the public certificate (.cer) on the back-end HTTP settings, as the authentication certificate for the IIS boxes, and the private-key bundle (.pfx) on the front-end listener
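The whole procedure above, scripted end to end as an added example (this is not the post's own script, nor anything shipped by Let's Encrypt or Azure): certbot issues the certificate on the Linux box with the HTTP-01 challenge, openssl turns the PEM files into the .pfx for the listener and the .cer for the back-end settings, a check confirms the two files actually belong together, and the Azure CLI uploads them and sets the WAF options listed above. The domain, resource group, gateway name, contact address, the external "what is my IP" service and the gateway's default listener and HTTP-settings names are assumed placeholders; the pipeline only runs when RUN_PIPELINE=1 is set, so the file can also be sourced to reuse the export and verify functions on their own.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script. Automates the manual steps from the
# post: certbot on the Linux box -> openssl export -> upload to the App Gateway.
# All names below are assumed placeholders; adjust them for your environment.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"      # assumed: the site's public name
RG="${RG:-rg-web}"                       # assumed resource group
GW="${GW:-appgw-waf}"                    # assumed Application Gateway name
EMAIL="${EMAIL:-admin@example.com}"      # assumed Let's Encrypt contact address
LISTENER="${LISTENER:-appGatewayHttpListener}"              # assumed default name
HTTP_SETTINGS="${HTTP_SETTINGS:-appGatewayBackendHttpSettings}"  # assumed default name

# Step 1: the A record must point at this box while certbot runs, because the
# HTTP-01 challenge is fetched from http://$DOMAIN/.well-known/acme-challenge/.
preflight() {
    local resolved mine
    resolved="$(getent ahostsv4 "$DOMAIN" | awk '{print $1; exit}')"
    mine="$(curl -fsS https://api.ipify.org)"   # assumed external "what is my IP" service
    if [ "$resolved" != "$mine" ]; then
        echo "DNS for $DOMAIN resolves to $resolved, but this host is $mine" >&2
        return 1
    fi
}

# Step 2: ask certbot for the certificate. Standalone mode binds port 80 itself,
# so nothing else may listen there. Output: /etc/letsencrypt/live/$DOMAIN/*.pem
issue_cert() {
    certbot certonly --standalone --non-interactive --agree-tos \
        -m "$EMAIL" -d "$DOMAIN"
}

# Step 3: build the two artefacts the gateway needs from a PEM cert/key/chain trio:
#   $out.pfx - cert + private key + chain, for the HTTPS listener (front end)
#   $out.cer - the leaf certificate only, Base-64 X.509, for the back-end settings
# Works for any PEM trio, so it can be exercised with a self-signed test cert.
export_bundle() {
    local cert="$1" key="$2" chain="$3" out="$4" password="$5"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -passout "pass:$password" -out "$out.pfx"
    openssl x509 -in "$cert" -outform PEM -out "$out.cer"
}

# Sanity check before uploading: the certificate inside the .pfx must carry the
# same public key as the .cer, and the .cer must not expire within 7 days.
verify_bundle() {
    local out="$1" password="$2" pfx_pub cer_pub
    pfx_pub="$(openssl pkcs12 -in "$out.pfx" -passin "pass:$password" -nokeys -clcerts 2>/dev/null \
               | openssl x509 -noout -pubkey)"
    cer_pub="$(openssl x509 -in "$out.cer" -noout -pubkey)"
    [ "$pfx_pub" = "$cer_pub" ] || { echo "public key in .pfx and .cer differ" >&2; return 1; }
    openssl x509 -in "$out.cer" -noout -checkend 604800 >/dev/null \
        || { echo ".cer expires within 7 days" >&2; return 1; }
}

# Step 4: push both files to the Application Gateway and wire them up:
#   .pfx -> the listener's SSL certificate
#   .cer -> authentication certificate on the back-end HTTP settings, which is
#           what lets the v1 SKU trust the IIS boxes for end-to-end TLS
#   WAF  -> OWASP 3.0 in Prevention mode, as in the post
upload_to_appgw() {
    local out="$1" password="$2"
    az network application-gateway ssl-cert create -g "$RG" --gateway-name "$GW" \
        -n le-frontend --cert-file "$out.pfx" --cert-password "$password"
    az network application-gateway http-listener update -g "$RG" --gateway-name "$GW" \
        -n "$LISTENER" --ssl-cert le-frontend
    az network application-gateway auth-cert create -g "$RG" --gateway-name "$GW" \
        -n le-backend --cert-file "$out.cer"
    az network application-gateway http-settings update -g "$RG" --gateway-name "$GW" \
        -n "$HTTP_SETTINGS" --port 443 --protocol Https --auth-certs le-backend
    az network application-gateway waf-config set -g "$RG" --gateway-name "$GW" \
        --enabled true --firewall-mode Prevention --rule-set-type OWASP --rule-set-version 3.0
}

main() {
    local live="/etc/letsencrypt/live/$DOMAIN" pass
    pass="$(openssl rand -base64 24)"     # throwaway export password for the .pfx
    preflight
    issue_cert
    export_bundle "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" "/tmp/$DOMAIN" "$pass"
    verify_bundle "/tmp/$DOMAIN" "$pass"
    upload_to_appgw "/tmp/$DOMAIN" "$pass"
}

# Only run the full pipeline on request; sourcing the file just defines the functions.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
    main
fi
```

Run it as root on the Linux box (RUN_PIPELINE=1) while the A record points there, then move the A record to the gateway's public IP. The .pfx still has to be imported on each IIS VM for the HTTPS binding (Import-PfxCertificate and New-WebBinding on the Windows side). Let's Encrypt certificates are valid for 90 days, so the run has to be repeated well before expiry; the checkend window in verify_bundle is there to catch a stale bundle being re-uploaded.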

How does it look

Conclusion

It is possible and works perfectly.

Doing some googling, there seems to be a less complicated way, which I haven't tried:

LeSslCertToAzure, a PowerShell module to create a TLS cert and apply it to the Azure App Gateway. I will test it, eventually.

Roberto