Add Wildcard SSL Certificate to Azure Gateway for free with LetsEncrypt

In this article, we are going to set up a free Let’s Encrypt wildcard certificate and attach it to an Azure Application Gateway v2.

For this example we are going to use the best domain name ever: *.toto.com

Prerequisites

Certbot targets Unix-like systems. If you are using a Windows machine, like me 😃, that is not a problem: you can run it from WSL. I will explain at the end how to move your certificate from WSL to your Windows file system.

  • An Azure Application Gateway v2

  • An email address to receive communication and notifications from Let’s Encrypt (expiry warnings in particular)

  • Ownership of the domain name, with access to its DNS configuration during setup (a wildcard name can only be validated with the DNS-01 challenge, so there is no HTTP alternative)

1 — Setup Certbot

sudo apt update
sudo apt-get install certbot

(On Debian and Ubuntu the older letsencrypt package is only a transitional alias that pulls in certbot.)

2 — Generate the certificate

sudo certbot certonly --manual \
--preferred-challenges=dns --email contact@toto.com \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos -d toto.com -d '*.toto.com'

Quote the wildcard name so the shell does not treat *.toto.com as a file glob.

Details of the command options :

  • certonly : Obtain or renew a certificate, but do not install it

  • --manual : Obtain certificates interactively, or using shell script hooks

  • --preferred-challenges=dns : give preference to DNS validation

  • --email : Email used for registration and recovery contact

  • --server : ACME Directory Resource URI (default: https://acme-v02.api.letsencrypt.org/directory, so the flag is optional here)

  • --agree-tos : Agree to the ACME server’s Subscriber Agreement

  • -d : Domain names to include. For multiple domains you can use multiple -d flags or enter a comma separated list of domains as a parameter

📄 Full documentation can be found in the Certbot user guide.

Certbot then asks whether you want to share your email address with the Electronic Frontier Foundation. This is optional; say Yes if you want their newsletter.

Depending on your Certbot version, it also asks you to acknowledge that the IP address used for the request will be logged by Let’s Encrypt. You must accept to continue with --manual.

3 — Deploy the DNS TXT record

Certbot now asks you to deploy a DNS TXT record.

Go to your DNS provider’s portal and create a new record:

  • DNS name: _acme-challenge.toto.com

  • Record type: TXT

  • TXT data (or content): the value printed by Certbot

Because the command requests both toto.com and *.toto.com, Certbot prompts twice, and both validations use the same name _acme-challenge.toto.com. Add the second TXT record alongside the first, do not replace it: both values must be present at the same time. Only press Enter once the value is visible in DNS, otherwise Let’s Encrypt will query the record before it exists and the challenge fails.

Depending on your provider, it may take some time for the change to propagate. Time for a coffee ☕! For me, with OVH, changes were immediate.

You can use Google’s Dig tool to check whether the record is visible: https://toolbox.googleapps.com/apps/dig/#TXT/

4 — Congratulations

Once it’s done, Certbot tells you that the certificate has been saved under /etc/letsencrypt/live/toto.com/ (cert.pem, chain.pem, fullchain.pem and privkey.pem, which are symlinks to the current versions kept in /etc/letsencrypt/archive/).

You can check your certificate details with the following command:

sudo certbot certificates

Let’s Encrypt certificates are valid for 90 days only.

Certbot provides a command that renews every certificate close to expiry:

sudo certbot renew

Be aware that certbot renew runs non-interactively: for a certificate obtained with --manual and no --manual-auth-hook, the renewal fails with an error asking for an authentication script, because nobody is there to create the TXT record. In that case, re-run the certonly command from step 2. To renew one specific lineage before its time, name it with --cert-name and add --force-renewal:

sudo certbot certonly --manual --preferred-challenges=dns --cert-name toto.com --force-renewal -d toto.com -d '*.toto.com'

ℹ️ You are free to develop an automatic renewal script that runs before the 90 days are up; with the manual plugin, that means passing a --manual-auth-hook script that creates the DNS record through your provider’s API.
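The TXT-record step above and the automatic renewal the note mentions can be done by Certbot itself through --manual-auth-hook and --manual-cleanup-hook. The script below is an added example written for this article, not the author’s code. It assumes the toto.com zone is hosted in Azure DNS (the author used OVH’s portal) in a resource group named dns-rg, and that `az login` has already been run as the user Certbot runs as (root under sudo); the zone, resource group and script path are assumptions. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the script creates the record, then polls the zone’s authoritative name server until the value is visible before returning, so Let’s Encrypt is never asked to validate a record that does not exist yet.

```shell
#!/bin/sh
# Added example for this article (not the author's script): certbot --manual hooks that
# create and remove the _acme-challenge TXT record in an Azure DNS zone.
# Assumptions (not from the article): the zone lives in Azure DNS, resource group "dns-rg",
# and `az login` has already been done for the user running certbot.
set -eu

ZONE="${ZONE:-toto.com}"
RESOURCE_GROUP="${RESOURCE_GROUP:-dns-rg}"

# Relative record-set name Azure DNS expects for the ACME challenge of domain $1 in zone $2.
# "toto.com" and "*.toto.com" both validate at _acme-challenge.toto.com (certbot already
# passes the wildcard without its "*.", the strip is defensive); "app.toto.com" gives
# _acme-challenge.app.
acme_record_name() {
  domain="${1#\*.}"
  zone="$2"
  if [ "$domain" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${domain%.$zone}"
  fi
}

# Poll one authoritative name server of the zone until TXT $1 carries value $2 or $3 seconds
# elapse. DNS-01 is checked at the authoritative servers, so resolver caches are irrelevant.
wait_for_txt() {
  fqdn="$1"; value="$2"; deadline=$(( $(date +%s) + $3 ))
  ns="$(dig +short NS "$ZONE" | head -n 1)"
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if dig +short TXT "$fqdn" "@$ns" | grep -Fq "\"$value\""; then
      return 0
    fi
    sleep 5
  done
  echo "TXT $fqdn with the expected value not visible on $ns" >&2
  return 1
}

auth_hook() {
  name="$(acme_record_name "$CERTBOT_DOMAIN" "$ZONE")"
  # add-record appends a value to the record set instead of replacing it: the apex and the
  # wildcard challenges share the same name and must both exist at the same time.
  az network dns record-set txt add-record -g "$RESOURCE_GROUP" -z "$ZONE" \
      -n "$name" -v "$CERTBOT_VALIDATION" >/dev/null
  wait_for_txt "$name.$ZONE" "$CERTBOT_VALIDATION" 180
}

cleanup_hook() {
  name="$(acme_record_name "$CERTBOT_DOMAIN" "$ZONE")"
  az network dns record-set txt remove-record -g "$RESOURCE_GROUP" -z "$ZONE" \
      -n "$name" -v "$CERTBOT_VALIDATION" >/dev/null || true
}

# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION; without them the script only defines
# the functions above. Usage:
#   sudo certbot certonly --manual --preferred-challenges=dns \
#     --manual-auth-hook "/usr/local/bin/azure-dns-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/azure-dns-hook.sh cleanup" \
#     -d toto.com -d '*.toto.com'
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  case "${1:-auth}" in
    auth) auth_hook ;;
    cleanup) cleanup_hook ;;
  esac
fi
```

Once the lineage has been obtained this way, Certbot stores the hook paths in its renewal configuration, so a plain `sudo certbot renew` (from cron or the systemd timer) succeeds without anyone at the keyboard. The cleanup hook removes only the value it added, so the apex and wildcard records do not interfere with each other.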

5 — Add your certificate to Azure

Your certificate is now generated on your machine; it’s time to upload it to your Application Gateway!

  • Convert your certificate to a PFX (PKCS#12) file, the format Application Gateway and Key Vault expect

Set up OpenSSL:

sudo apt-get update
sudo apt-get install openssl

Export the certificate (use fullchain.pem rather than cert.pem so the Let’s Encrypt intermediate is included in the PFX; the paths are absolute because Certbot’s files live under /etc/letsencrypt):

sudo openssl pkcs12 -export -out /etc/letsencrypt/live/toto.com/cert.pfx -inkey /etc/letsencrypt/live/toto.com/privkey.pem -in /etc/letsencrypt/live/toto.com/fullchain.pem

OpenSSL prompts for an export password; choose one and keep it, the Azure portal asks for it when you upload the PFX.

If you are working from WSL on a Windows machine, you cannot browse the Let’s Encrypt folder from Explorer: it is readable by root only.

My tip is to tar the folder, give yourself rights on the archive, and then move the archive to a Windows folder. The -h flag matters: the files in live/ are symlinks into /etc/letsencrypt/archive/, and without it the archive would only contain dangling links.

sudo tar -chvzf certificates.tar.gz /etc/letsencrypt/live

Remember that the archive and the PFX both contain your private key: keep them out of shared folders and delete the copies once the upload is done.

That’s all! You can now upload the PFX to your Key Vault, or directly to your Application Gateway listener.
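The export and upload steps of this section, together with the renewal note in step 4, can be chained into a Certbot deploy hook so that each renewal lands in Azure without a manual PFX round trip. The script below is an added example for this article, not the author’s code. It assumes a Key Vault named toto-kv, a root-only password file at /etc/letsencrypt/pfx-password, and an `az login` valid for the user Certbot runs as; those names are assumptions. It differs from the one-off command above in two deliberate ways: it exports fullchain.pem instead of cert.pem, so the intermediate certificate travels with the leaf, and it writes the PFX under a 077 umask because the file holds the private key.

```shell
#!/bin/sh
# Added example for this article (not the author's script): a certbot deploy hook that rebuilds
# the PFX from the renewed lineage and imports it into Azure Key Vault. An Application Gateway
# listener whose certificate references the versionless Key Vault secret id then picks up each
# new version on its own. Assumed names (not from the article): vault "toto-kv", PFX export
# password stored root-only in /etc/letsencrypt/pfx-password.
set -eu

VAULT_NAME="${VAULT_NAME:-toto-kv}"
PFX_PASSWORD_FILE="${PFX_PASSWORD_FILE:-/etc/letsencrypt/pfx-password}"

# Key Vault object names may only contain letters, digits and hyphens:
# /etc/letsencrypt/live/toto.com -> toto-com
kv_name_from_lineage() {
  basename "$1" | tr -c 'A-Za-z0-9\n' '-'
}

# Build the PFX from fullchain.pem (leaf + Let's Encrypt intermediate), not cert.pem (leaf only):
# a PFX without the chain leaves clients that do not already hold the intermediate unable to
# build a trust path. $1 = lineage dir, $2 = output file, $3 = password file.
export_pfx() {
  umask 077   # the PFX contains the private key
  openssl pkcs12 -export \
      -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
      -out "$2" -passout "file:$3"
}

deploy() {
  lineage="$RENEWED_LINEAGE"   # set by certbot, e.g. /etc/letsencrypt/live/toto.com
  name="$(kv_name_from_lineage "$lineage")"
  pfx="$(mktemp)"
  export_pfx "$lineage" "$pfx" "$PFX_PASSWORD_FILE"
  # Importing under an existing name creates a new version of that certificate.
  # az has no file option for the password, so it is visible in `ps` for the duration
  # of the call; acceptable on a single-admin box, not on a shared host.
  az keyvault certificate import --vault-name "$VAULT_NAME" --name "$name" \
      --file "$pfx" --password "$(cat "$PFX_PASSWORD_FILE")" >/dev/null
  rm -f "$pfx"
}

# One-time binding of the listener certificate to the versionless secret id (the gateway needs
# a user-assigned managed identity with get permission on the vault's secrets):
#   az network application-gateway ssl-cert create -g my-rg --gateway-name my-gw -n toto-cert \
#     --key-vault-secret-id "https://toto-kv.vault.azure.net/secrets/toto-com"
# Usage: sudo certbot renew --deploy-hook /usr/local/bin/kv-deploy-hook.sh
# certbot sets RENEWED_LINEAGE; without it the script only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy
fi
```

Because the listener points at the secret without a version, Application Gateway fetches the renewed certificate on its periodic poll of Key Vault and nothing on the gateway has to change at renewal time. Importing under the same name only adds a version, so the previous certificate stays available in Key Vault for rollback.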

© 2025 Pierre-Henri

All rights reserved.