There are many automated certificate tools for Azure, but I also wanted to see if I could use certbot in WSL to generate a wildcard certificate for the Azure Friday website and then upload the resulting certificate to the Azure App Service.
Ultimately, Azure App Service needs a specific format: a PFX file that includes the full certificate chain with all intermediates.
According to the docs, App Service private certificates must comply with the following requirements:
- Exported as a password-protected PFX file, encrypted using triple DES.
- Contains a private key at least 2048 bits long.
- Contains all intermediate certificates and the root certificate of the certificate chain.
If you have a PFX that does not meet all of these requirements, you can have Windows re-encrypt the file: import it into the Windows certificate store and export it again, which writes a triple-DES-encrypted PFX with the full chain attached.
I use WSL and certbot to create the certificate, then import/export on Windows and upload the resulting PFX.
Inside WSL, install certbot:
sudo apt update
sudo apt install python3 python3-venv libaugeas0
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot
Then I generate the certificate. certbot gives you a nice text UI and, because this is a manual DNS challenge, it will ask you to create a _acme-challenge TXT record under your domain to prove you control it (certbot does not update your DNS for you). Run it as a single command (the trailing backslashes below are line continuations), with your own email address, domains, and paths. Newer certbot releases have deprecated --manual-public-ip-logging-ok as a no-op, so drop it if your version rejects the flag.
sudo certbot certonly --manual --preferred-challenges=dns --email [email protected] \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos --manual-public-ip-logging-ok -d "azurefriday.com" -d "*.azurefriday.com"
Next, package the private key and the certificate chain as a PFX (openssl prompts for an export password; you will need it again in the Windows step):
sudo openssl pkcs12 -export -out AzureFriday2023.pfx \
  -inkey /etc/letsencrypt/live/azurefriday.com/privkey.pem \
  -in /etc/letsencrypt/live/azurefriday.com/fullchain.pem
Two things about this file explain why the Windows round trip is needed: Let's Encrypt's fullchain.pem contains the leaf and the intermediate but not the root, and OpenSSL 3 encrypts PKCS#12 files with AES-256 by default rather than triple DES, so the PFX as written fails two of the three App Service requirements.
I then copy the resulting file to my desktop (check your desktop path) so that you are now in the Windows world.
sudo cp AzureFriday2023.pfx /mnt/c/Users/Scott/OneDrive/Desktop
Now from Windows, import the PFX, note the thumbprint that Import-PfxCertificate prints, and export that certificate. Export-PfxCertificate defaults to -ChainOption BuildChain and -CryptoAlgorithmOption TripleDES_SHA1, so the exported file picks up the rest of the chain from the Windows certificate store and uses the encryption App Service expects.
Import-PfxCertificate -FilePath "AzureFriday2023.pfx" -CertStoreLocation Cert:\LocalMachine\My `
  -Password (ConvertTo-SecureString -String 'PASSWORDHERE' -AsPlainText -Force) -Exportable
Export-PfxCertificate -Cert Microsoft.PowerShell.Security\Certificate::LocalMachine\My\597THISISTHETHUMBNAILCF1157B8CEBB7CA1 `
  -FilePath 'AzureFriday2023-fixed.pfx' -Password (ConvertTo-SecureString -String 'PASSWORDHERE' -AsPlainText -Force)
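The same packaging done entirely on the WSL side, as an added example that is not from the original post: it builds the PFX with the triple-DES encoding and the appended root that App Service wants, which makes the Windows import/export round trip optional, and then checks the result against the three documented requirements. The chain it runs against is a throwaway test CA generated inline (constructed, not real certificates); for the real site, point build_pfx at privkey.pem and fullchain.pem from /etc/letsencrypt/live/<domain>/ and at the Let's Encrypt root certificate downloaded separately, since fullchain.pem stops at the intermediate. The function names and the check helpers are my own, not certbot's or Azure's.

```shell
#!/usr/bin/env bash
# Added example: package PEM files into an App Service-compliant PFX from WSL
# and verify the three documented requirements. Runs against a throwaway test
# chain built below; for real use point build_pfx at the certbot output in
# /etc/letsencrypt/live/<domain>/ plus a separately downloaded root cert.
set -eu

# build_pfx KEY LEAF_AND_INTERMEDIATES ROOT OUT PASSWORD
# OpenSSL 3 defaults to AES-256 for PKCS#12, which App Service rejects, so the
# -keypbe/-certpbe/-macalg flags force the SHA1+3DES encoding that Windows
# would otherwise re-apply on export. certbot's fullchain.pem holds the leaf
# and intermediates only, so the root is appended with -certfile.
build_pfx() {
  openssl pkcs12 -export \
    -inkey "$1" -in "$2" -certfile "$3" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$5" -out "$4"
}

# pfx_cert_count PFX PASSWORD -> number of certificates in the bundle
# (leaf + every intermediate + root; App Service wants all of them present)
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# pfx_key_bits PFX PASSWORD -> private key size in bits (must be >= 2048)
pfx_key_bits() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -noout -text \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# pfx_uses_3des PFX PASSWORD -> exit 0 if the key and cert bags are 3DES-encrypted
# (openssl -info names the PBE as pbeWithSHA1And3-KeyTripleDES-CBC)
pfx_uses_3des() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 \
    | grep -ic 'TripleDES' >/dev/null
}

# check_pfx PFX PASSWORD -> exit 0 only if all three App Service rules hold
check_pfx() {
  local certs bits
  certs=$(pfx_cert_count "$1" "$2" || true)
  bits=$(pfx_key_bits "$1" "$2" || true)
  [ "${certs:-0}" -ge 3 ] && [ "${bits:-0}" -ge 2048 ] && pfx_uses_3des "$1" "$2"
}

# make_test_chain DIR: constructed root -> intermediate -> wildcard leaf chain,
# standing in for the Let's Encrypt files (test data, not real certificates).
make_test_chain() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" \
    -CAkey "$d/int.key" -CAcreateserial -out "$d/cert.pem" 2>/dev/null
  # Mirror certbot's layout: fullchain.pem = leaf + intermediate, no root.
  cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Demo: build the test chain, package it, and report each check.
demo() {
  local d pass=changeit
  d=$(mktemp -d)
  make_test_chain "$d"
  build_pfx "$d/privkey.pem" "$d/fullchain.pem" "$d/root.pem" "$d/site.pfx" "$pass"
  echo "certificates in PFX: $(pfx_cert_count "$d/site.pfx" "$pass")"
  echo "private key bits:    $(pfx_key_bits "$d/site.pfx" "$pass")"
  if check_pfx "$d/site.pfx" "$pass"; then
    echo "site.pfx meets the App Service requirements"
  else
    echo "site.pfx does NOT meet the App Service requirements"
  fi
  rm -rf "$d"
}

demo
```

Run check_pfx against the PFX you are about to upload; if it passes, the file can go straight to the App Service "Bring your own certificate" upload without the Windows detour. If you prefer to keep the Windows round trip, the same checks are a quick way to confirm the re-exported AzureFriday2023-fixed.pfx actually came out with the root attached.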
Then upload the certificate to the Certificates section of your App Service, under Bring your own certificate.
Then, under Custom Domains, click Update Link and select the new certificate (with the latest expiration date).
The next step is to make this even more automated or select a more automated solution, but for now, I’ll worry about this in September and it solved my expensive wildcard domain problem.
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.