Add Wildcard SSL Certificate to Azure Gateway for free with LetsEncrypt
In this article, we are going to set up a free Let's Encrypt wildcard certificate and attach it to an Azure Application Gateway v2.
For this example we are going to use the best domain name ever: *.toto.com
Prerequisites
Certbot only runs on Unix systems. If you are using a Windows machine, like me :), it's not a problem: you can use WSL from Windows. I will explain at the end how to move your certificate from WSL to your Windows file system.
An Azure Gateway V2
An email address to receive communication and notifications from Let's Encrypt
Be the owner of the domain name and have access to the DNS configuration during setup
1 — Set up Certbot
sudo apt update
sudo apt-get install letsencrypt
2 — Generate the certificate
sudo certbot certonly --manual \
  --preferred-challenges=dns --email contact@toto.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos -d toto.com -d '*.toto.com'
Details of the command options:
certonly : Obtain or renew a certificate, but do not install it
--manual : Obtain certificates interactively, or using shell script hooks
--preferred-challenges=dns : give preference to DNS validation
--email : Email used for registration and recovery contact
--server : ACME Directory Resource URI (default: https://acme-v02.api.letsencrypt.org/directory)
--agree-tos : Agree to the ACME server’s Subscriber Agreement
-d : Domain names to include. For multiple domains you can use multiple -d flags or pass a comma-separated list of domains. The wildcard name is quoted so the shell does not expand it as a file glob.
📄 Full documentation can be found here.
The script asks you to share your email address with the Electronic Frontier Foundation; say Yes.
The script then asks whether you are OK with your IP address being logged; say Yes.
3 — Deploy DNS TXT record
Now, the script asks you to deploy a DNS record.
Go to your domain name provider's portal and set up a new record:
DNS name: should be like _acme-challenge.toto.com
Record type: TXT
TXT data (or content): the key given by the script
Because the command requests both toto.com and *.toto.com, certbot prompts twice for the same name _acme-challenge.toto.com with two different values. Create both TXT records; do not overwrite the first one with the second.
Depending on your provider, it may take time for the change to propagate. It's time for a coffee ☕ ! For me, with OVH, changes were immediate.
You can use Google's Dig tool to check that your key is visible in public DNS: https://toolbox.googleapps.com/apps/dig/#TXT/
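As an added example (not part of the original article), here is a small POSIX shell script that does the same check from the WSL shell instead of the web tool: it queries a public resolver with dig for _acme-challenge.<domain> and reports which of the values certbot displayed are not yet visible. It assumes dig (bind9-dnsutils) is installed; the token values in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example: confirm every TXT value certbot asked for is visible at
# _acme-challenge.<domain> before pressing Enter in the manual prompt.
# Assumes dig is installed; domain and tokens are placeholders, not real data.

# acme_txt_missing DIG_OUTPUT VALUE...
# Prints the expected values that do not appear in the dig output, one per
# line. Exit status 0 when nothing is missing. `dig +short TXT` prints one
# quoted string per record, e.g.:
#   "gfj9Xq_constructed_token_Rg85nM"
acme_txt_missing() {
    dig_output=$1
    shift
    missing=0
    for want in "$@"; do
        # Strip the surrounding quotes from each record, then compare exactly.
        if ! printf '%s\n' "$dig_output" | sed 's/^"\(.*\)"$/\1/' | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# acme_txt_check DOMAIN VALUE...
# Asks a public resolver (8.8.8.8, like the Google Dig tool) for the
# _acme-challenge record and reports which expected values are still missing.
acme_txt_check() {
    domain=$1
    shift
    answer=$(dig +short TXT "_acme-challenge.$domain" @8.8.8.8)
    if acme_txt_missing "$answer" "$@" >/dev/null; then
        echo "all $# TXT value(s) visible for _acme-challenge.$domain"
    else
        echo "still missing at _acme-challenge.$domain:"
        acme_txt_missing "$answer" "$@"
        return 1
    fi
}

# Usage: sh check_acme_txt.sh toto.com TOKEN_FOR_TOTO_COM TOKEN_FOR_WILDCARD
if [ "$#" -ge 2 ]; then
    acme_txt_check "$@"
fi
```

Rerun it until it reports all values visible; only then continue in certbot.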
4 — Congratulations
Once it's done, you will receive a message telling you that the certificate has been saved at the path /etc/letsencrypt/live/toto.com/
You can check your certificate details with the following command:
sudo certbot certificates
Let's Encrypt certificates are valid only for three months.
Certbot provides a nice command to renew your certificates:
sudo certbot renew
If you have multiple domains registered on your machine, you can specify the domain name to renew:
sudo certbot certonly --force-renewal -d toto.com
Note that a certificate obtained with --manual and no --manual-auth-hook cannot be renewed unattended: each renewal requires fresh TXT records, because the challenge values change. Either rerun the certonly command from step 2 interactively, or provide --manual-auth-hook / --manual-cleanup-hook scripts that update your DNS zone.
ℹ️ You are free to develop an automatic renewal script that runs every 3 months
5 — Add your certificate to Azure
Your certificate is now generated on your machine; it's time to upload it to your Azure Gateway!
- Convert your certificate to a PFX file
Set up OpenSSL:
sudo apt-get update
sudo apt-get install openssl
Export the certificate (run from /etc/letsencrypt, since the paths are relative). Use fullchain.pem rather than cert.pem alone, so the PFX carries the Let's Encrypt intermediate and the gateway serves the complete chain; openssl prompts for an export password, which Azure asks for when you upload the file:
sudo openssl pkcs12 -export -out live/toto.com/cert.pfx -inkey live/toto.com/privkey.pem -in live/toto.com/fullchain.pem
If you are using a Windows machine, you can't open the Let's Encrypt folder from Explorer: it is owned by root and protected.
My tip is to archive the folder (the -h flag follows the symlinks in live/ to the real files in archive/), give yourself rights on the archive, and then move it to a Windows folder:
sudo tar -chvzf certificates.tar.gz /etc/letsencrypt/live
sudo chown "$USER" certificates.tar.gz
The archive contains privkey.pem, so keep it as restricted as the original folder and delete the copies once the upload is done.
That's all! You can now upload your certificate to your Key Vault, or directly to your Azure Gateway listener.