Automating Let's Encrypt SSL Certificate Renewal for Azure Application Gateway

Introduction to Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority (CA) that provides SSL/TLS certificates, enabling secure communication between websites and their users. It simplifies the process of obtaining and managing certificates, making HTTPS more accessible to everyone.

Key Features of Let's Encrypt

  1. Free of charge: Let's Encrypt certificates are provided at no cost, helping small businesses, developers, and individuals secure their websites without financial barriers.
  2. Automated: obtaining, renewing, and managing certificates is automated through ACME clients such as Certbot. This removes most manual intervention and makes SSL/TLS deployment faster and easier.
  3. Open: it is an open CA supported by a large community of developers, organizations, and companies. Its tools and processes are transparent and free to use and modify.
  4. Secure: Let's Encrypt issues domain-validated (DV) certificates with modern key and signature algorithms, and it continuously evolves to support current security standards.
  5. Widely trusted: certificates issued by Let's Encrypt are recognized and trusted by most modern browsers and operating systems.

How Let's Encrypt Works

  1. Domain Validation (DV): Let's Encrypt verifies that the requester controls the domain for which the certificate is being issued, for example by fetching a token over HTTP (the http-01 challenge used in this article).
  2. ACME protocol: the Automatic Certificate Management Environment (ACME) protocol is used for automated interactions between clients (like Certbot or ACME-PS) and the Let's Encrypt servers.
  3. Short-lived certificates: Let's Encrypt issues certificates with a validity of 90 days, which makes automation of the renewal process a necessity rather than a convenience.

Setting Up Let's Encrypt for Azure Application Gateway

1. Create an Azure App Service (Web App)

  • Deploy an Azure Web App.
  • Add a custom domain to the Web App.

2. Create an Azure Storage Account

  • Create a storage account to host the ACME http-01 challenge files. Make sure the account allows anonymous (public) blob access; on newer storage accounts this is disabled by default and the container-level setting below cannot override it.
  • Create a container named "public" (container names must be lowercase; the runbook refers to it as "public").
  • Set the container's public access level to Blob (anonymous read access for blobs only, so the container itself cannot be listed).
  • Blobs are written under the prefix ".well-known/acme-challenge/". Blob storage has no real directories, so nothing needs to be created up front: the runbook produces the path simply by uploading a blob with that name.

3. Configure Azure Application Gateway

  • Set up a backend pool pointing at the Web App.
  • Configure backend settings.
  • Add a path-based routing rule for /.well-known/acme-challenge/* that redirects (permanent, target type "External site", with "Include path" enabled) to the public container URL, e.g. https://<storageaccount>.blob.core.windows.net/public. Let's Encrypt follows the redirect and reads the token from blob storage, so the Web App itself never has to serve the challenge.
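Before handing a real order to Let's Encrypt it is worth proving that the redirect chain above actually delivers a token to an anonymous HTTP client: a broken path rule only shows up later as an "invalid" order, and each failed attempt counts against Let's Encrypt's rate limits. The following PowerShell is an added example and is not part of the original article or of the ACME-PS project. It assumes the "public" container and the redirect rule described above already exist, that Az.Storage is loaded and Connect-AzAccount has been run, and that the domain already resolves to the gateway's public IP; the function name, the ".preflight-check" suffix and the names in the usage line are hypothetical.

```powershell
# Added example (not from the original article): end-to-end check of the http-01 path.
# Assumes: Az.Storage loaded, Connect-AzAccount done, the 'public' container and the
# Application Gateway redirect rule exist, and $Domain resolves to the gateway.
function Test-AcmeChallengePath {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName
    )

    # Random token in the same alphabet ACME uses (base64url, no padding)
    $tokenBytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($tokenBytes)
    $token = [Convert]::ToBase64String($tokenBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    $expected = "$token.preflight-check"   # stands in for the real key authorization

    $ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context
    $blobName = ".well-known/acme-challenge/$token"
    $tmpFile = Join-Path $env:TEMP $token
    Set-Content -Path $tmpFile -Value $expected -NoNewline
    Set-AzStorageBlobContent -File $tmpFile -Container 'public' -Context $ctx -Blob $blobName -Force | Out-Null

    $result = [pscustomobject]@{
        Uri        = "http://$Domain/.well-known/acme-challenge/$token"
        StatusCode = $null
        Match      = $false
        Error      = $null
    }
    try {
        # Let's Encrypt fetches the token over plain HTTP on port 80 and follows redirects, so do the same
        $resp = Invoke-WebRequest -Uri $result.Uri -MaximumRedirection 10 -UseBasicParsing
        $body = $resp.Content
        if ($body -is [byte[]]) { $body = [System.Text.Encoding]::ASCII.GetString($body) }  # octet-stream blobs arrive as bytes
        $result.StatusCode = [int]$resp.StatusCode
        $result.Match = ($result.StatusCode -eq 200) -and ($body.Trim() -eq $expected)
    }
    catch {
        # A 404 from the gateway usually means the path rule or the "Include path" setting is wrong
        $result.Error = $_.Exception.Message
    }
    finally {
        # Never leave test tokens behind in a world-readable container
        Remove-AzStorageBlob -Container 'public' -Context $ctx -Blob $blobName -Force
        Remove-Item -Path $tmpFile -Force -ErrorAction SilentlyContinue
    }
    return $result
}

# Usage (hypothetical names); Match must be $true before scheduling the real runbook
Test-AcmeChallengePath -Domain 'www.example.com' -ResourceGroupName 'rg-web' -StorageAccountName 'stacmechallenge'
```

If Match is false but StatusCode is 200, the redirect landed somewhere that served a different body (typically the Web App's own 404 page), which points at the rule ordering or the "Include path" setting rather than at storage.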


Automating SSL Certificate Renewal with Azure Automation

1. Create an Azure Automation Account

  • Navigate to Azure Automation and create a new Automation Account.
  • Enable the account's system-assigned managed identity and grant it access to the storage account (it reads the account keys, so e.g. Contributor on the storage account) and to the Application Gateway (e.g. Network Contributor). The runbook signs in with this identity, so no credentials are stored in it.
  • Import the following modules from the gallery (the runbook below uses the Az modules and ACME-PS; the older AzureRM and ACMESharp modules are not needed):

  1. Az.Accounts
  2. Az.Storage
  3. Az.Network
  4. ACME-PS

2. Create a PowerShell Runbook

  • Open Azure Automation and create a new PowerShell Runbook.
  • Add the script to automate SSL certificate renewal.

```powershell
#######################################################################
# Script that renews a Let's Encrypt certificate for an Azure Application Gateway
#
# Pre-requirements:
#   - A storage account with a container named 'public' (anonymous read access for
#     blobs) in which the Let's Encrypt http-01 challenge files are published under
#     the prefix '/.well-known/acme-challenge/'
#   - A "Path-based" rule in the Application Gateway with this configuration:
#       - Path: '/.well-known/acme-challenge/*'
#       - Check the configure redirection option
#       - Redirection type: permanent
#       - Redirection target: External site
#       - Target URL: <Blob public path of the previously created storage account>
#           - Example: 'https://test.blob.core.windows.net/public'
#       - Include path: enabled, so the token name is appended to the target URL
#   - For execution on Azure Automation: import the 'Az.Accounts', 'Az.Storage',
#     'Az.Network' and 'ACME-PS' modules into the Automation account and enable the
#     system-assigned managed identity. The identity needs permission to read the
#     storage account keys (e.g. Contributor on the storage account) and to update
#     the Application Gateway (e.g. Network Contributor).
######################################################################

Param(
    [Parameter(Mandatory)][string]$domain,
    [Parameter(Mandatory)][string]$EmailAddress,
    [Parameter(Mandatory)][string]$STResourceGroupName,
    [Parameter(Mandatory)][string]$storageName,
    [Parameter(Mandatory)][string]$AGResourceGroupName,
    [Parameter(Mandatory)][string]$AGName,
    [Parameter(Mandatory)][string]$AGOldCertName
)

# Stop on the first failing cmdlet instead of pushing a half-finished result to the gateway
$ErrorActionPreference = 'Stop'

# On a workstation the modules can be installed from the gallery; in Azure Automation they
# must already be imported into the account (the sandbox has no gallery access).
foreach ($m in 'Az.Accounts', 'Az.Storage', 'Az.Network', 'ACME-PS') {
    if (-not (Get-Module -Name $m -ListAvailable)) {
        Install-Module -Name $m -Force -Scope CurrentUser
    }
}

Import-Module ACME-PS
Import-Module Az.Accounts
Import-Module Az.Storage
Import-Module Az.Network

# Sign in with the Automation account's managed identity; no secrets live in the runbook
Disable-AzContextAutosave -Scope Process
Connect-AzAccount -Identity

# ACME state (account key, nonce, orders) lives in the sandbox temp folder for this run only.
# Use 'LetsEncrypt-Staging' while testing to stay clear of the production rate limits.
$state = New-ACMEState -Path $env:TEMP
$serviceName = 'LetsEncrypt'

Get-ACMEServiceDirectory $state -ServiceName $serviceName -PassThru
New-ACMENonce $state
New-ACMEAccountKey $state -PassThru
New-ACMEAccount $state -EmailAddresses $EmailAddress -AcceptTOS

$state = Get-ACMEState -Path $env:TEMP
New-ACMENonce $state -PassThru

# Create (or fetch) the order for the domain and pick its http-01 challenge
$identifier = New-ACMEIdentifier $domain
$order = New-ACMEOrder -State $state -Identifiers $identifier
if ($null -eq $order) { # Will fetch the order
    $order = Find-ACMEOrder -State $state -Identifiers $identifier
}

$authZ = Get-ACMEAuthorization -State $state -Order $order
$challenge = Get-ACMEChallenge -State $state -Authorization $authZ -Type "http-01"

# Write the key authorization to a file named after the token, exactly as Let's Encrypt requests it
$fileName = Join-Path $env:TEMP $challenge.Token
Set-Content -Path $fileName -Value $challenge.Data.Content -NoNewline

# Publish it at /.well-known/acme-challenge/<token> in the public container
$blobName = ".well-known/acme-challenge/" + $challenge.Token
$storageAccount = Get-AzStorageAccount -ResourceGroupName $STResourceGroupName -Name $storageName
$ctx = $storageAccount.Context

# Fail early if the container is not readable anonymously: Let's Encrypt would never see the token
$acl = Get-AzStorageContainerAcl -Name "public" -Context $ctx
if ($acl.PublicAccess -ne 'Blob') {
    throw "Container 'public' must allow anonymous read access for blobs (current: $($acl.PublicAccess))"
}

Set-AzStorageBlobContent -File $fileName -Container "public" -Context $ctx -Blob $blobName -Force
Get-AzStorageBlob -Container "public" -Context $ctx -Blob $blobName

# Tell Let's Encrypt the challenge is ready, then poll the order until it is validated or rejected
$challenge | Complete-ACMEChallenge -State $state

while ($order.Status -notin ("ready", "invalid")) {
    Start-Sleep -Seconds 10
    $order | Update-ACMEOrder -State $state -PassThru
}

if ($order.Status -ieq "invalid") {
    $order | Get-ACMEAuthorizationError -State $state
    throw "Order was invalid"
}

# Generate the certificate key and finalise the order; Let's Encrypt signs the CSR asynchronously
$certKey = New-ACMECertificateKey -Path "$env:TEMP\$domain.key.xml"

Complete-ACMEOrder -State $state -Order $order -CertificateKey $certKey

while (-not $order.CertificateUrl) {
    Start-Sleep -Seconds 15
    $order | Update-ACMEOrder -State $state -PassThru
}

# The PFX only exists for the lifetime of this run, so protect it with a random one-time password
$pwdBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pwdBytes)
$password = ConvertTo-SecureString -String ([Convert]::ToBase64String($pwdBytes)) -Force -AsPlainText

Export-ACMECertificate $state -Order $order -CertificateKey $certKey -Path "$env:TEMP\$domain.pfx" -Password $password

# Remove the challenge blob now that validation is done
Remove-AzStorageBlob -Container "public" -Context $ctx -Blob $blobName -Force

### RENEW APPLICATION GATEWAY CERTIFICATE ###

# Replace the existing certificate object in place so the listeners keep referencing it
$appgw = Get-AzApplicationGateway -ResourceGroupName $AGResourceGroupName -Name $AGName
Set-AzApplicationGatewaySslCertificate -Name $AGOldCertName -ApplicationGateway $appgw -CertificateFile "$env:TEMP\$domain.pfx" -Password $password
Set-AzApplicationGateway -ApplicationGateway $appgw

# Clean up key material from the sandbox
Remove-Item -Path "$env:TEMP\$domain.pfx", "$env:TEMP\$domain.key.xml", $fileName -Force -ErrorAction SilentlyContinue
```


  • Ensure that the runbook:
  • Connects to Azure with the Automation account's managed identity.
  • Publishes the http-01 challenge token to the storage account and obtains a new certificate from Let's Encrypt.
  • Removes the token from the storage account once the order has been validated.
  • Updates the SSL certificate in Azure Application Gateway.

3. Test and Deploy the Runbook

  • Run the runbook with the required parameters:
  • Domain name (the custom domain on the Web App; it must resolve to the Application Gateway)
  • Email address (Let's Encrypt sends expiry notices there)
  • Resource group names (storage account and Application Gateway)
  • Storage account name
  • Application Gateway name
  • Name of the existing Application Gateway certificate to replace
  • The process takes approximately 15 minutes.
  • Validate the renewal by accessing the site via HTTPS and checking that the served certificate is issued by Let's Encrypt and carries a fresh expiry date.

4. Schedule Automated Renewals

  • Create an Azure Automation Schedule that runs the runbook every two weeks. Let's Encrypt certificates are valid for 90 days, so a fortnightly run keeps a margin of more than ten weeks. Every run issues a new certificate, so test against the Let's Encrypt staging environment first and keep the cadence within the production rate limits (two weeks is well within them).
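A check that serves both the validation in step 3 and the scheduling decision in step 4: instead of renewing blindly on a fixed cadence, read the certificate the gateway actually presents and only run the renewal runbook when it is within 30 days of expiry or is not a Let's Encrypt certificate at all (which means the runbook never succeeded). This is an added example, not part of the original article; it needs no Azure modules, only an outbound TLS connection to the site. The function names, the 30-day threshold and the host name "www.example.com" are assumptions.

```powershell
# Added example (not from the original article): read the live certificate and decide if renewal is due.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept any chain here: the goal is to read the certificate, not to trust it
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Passing the host name sends SNI, so a gateway with several listeners returns the right certificate
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Test-RenewalDue {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$RenewWithinDays = 30,     # assumed threshold; Let's Encrypt certificates live 90 days
        [datetime]$Now = (Get-Date)
    )
    $remaining = ($Certificate.NotAfter - $Now).TotalDays
    $fromLetsEncrypt = $Certificate.Issuer -like "*Let's Encrypt*"
    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Issuer          = $Certificate.Issuer
        NotAfter        = $Certificate.NotAfter
        DaysRemaining   = [math]::Floor($remaining)
        FromLetsEncrypt = $fromLetsEncrypt
        # Renew when the margin is gone, or when the gateway still serves a non-Let's Encrypt certificate
        RenewalDue      = ($remaining -le $RenewWithinDays) -or (-not $fromLetsEncrypt)
    }
}

# Usage: gate the renewal runbook on the served certificate instead of a blind fortnightly run
$cert   = Get-ServedCertificate -HostName 'www.example.com'   # hypothetical domain
$status = Test-RenewalDue -Certificate $cert -RenewWithinDays 30
$status
if ($status.RenewalDue) {
    Write-Output "Renewal due: $($status.DaysRemaining) days left, issuer '$($status.Issuer)'"
} else {
    Write-Output "Certificate valid for $($status.DaysRemaining) more days; nothing to do"
}
```

Run this as a small preceding runbook (or as the first step of the renewal runbook) and start the ACME order only when RenewalDue is true; the fortnightly schedule then becomes a safety net rather than the thing that decides when a new certificate is issued.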

Diagram Flow


Conclusion

Automating the renewal of Let's Encrypt SSL certificates in Azure using Azure Automation and PowerShell Runbooks significantly reduces manual effort and enhances security. By implementing this solution, organizations can ensure uninterrupted HTTPS availability, comply with security best practices, and simplify certificate management.

