53 Comments

• Looks great, very thorough!
  
  Some comments:
  1. I highly recommend against running the renewal WebJob on the same web app to be renewed, as there are various scenarios that will get your WebJob (silently) deleted. For example, turning on "Delete Existing Files" when publishing (which I personally do all the time). I basically created this WebJob for the express purpose of NOT installing it on the same web app - otherwise I would have just used the original https://github.com/sjkp/letsencrypt-siteextension. For example see: https://github.com/sjkp/letsencrypt-siteextension/issues/34 (there are several others),
  2. You should have "Always On" enabled, otherwise your CRON expression won't be reliable and you could miss the renewal window. Note that in order to have "Always On" you'll need a plan where you own the VM (Basic and up), in which case you won't be paying for extra web apps anyway (as they will all share your dedicated VM).
  3. Note that my WebJob is mostly a wrapper for the logic performed by https://github.com/sjkp/letsencrypt-siteextension which deserves most of the credit :)
  

• Ohad, thanks for pointing out these. I agree with you the WebJob should be running on a separate Web App. I run it on the same Web App because I only have one Web App on Azure, and I do not want to pay for another Web App ($384 per year for another B1 Web App, which support “Always on” for WebJob). I have updated the contents for these 3 issues. Thank you!
  

• Hi Dixin, thank you for updating the content with my comments.
  There is still one point though that one of us might be missing.
  Your tutorial shows that you have "Always on" enabled, meaning you are on the Basic App Service Plan or above (BTW, you don't have to have it on for WebJobs to fire per se as the article suggests, it just won't be reliable as your app could be unloaded at the time the CRON job should be triggered, see: https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings)
  This mean you have your own VM and you can open an *unlimited* number of Web Apps on that App Service Plan, for free. Of course you are only constrained by the resources of your VM, but I think I read that light it can hosts hundreds if not thousands of sites (depending on the load, VM SKU and instance count, whether Always On is enabled, etc).
  Anywa, creating a new dedicated cert renewal Web App on the same App Service Plan will not cost you 384$ - it will cost you 0$
  For more information see: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
  

• Hi Ohad, Thanks for the discussion. For years I mistakenly thought App Service plan defines the resources for EACH app, and Azure charges customer for each app. Now I realized App Service plan defines resources for ALL apps, and Azure charges customer for each App Service plan. Thank you for the correction! I always had the wrong impression of charging per app, because I worked for Azure SQL Database, and we charge customers per database. I have updated the contents to use a separate Web App for automation. Thank you. -Dixin
  

• Glad I could help!
  I'll add your guide to the letsencrypt-webapp-renewer README soon.
  

• does this software can run on Linux based azure web app?
  

• I'm trying to do this but I get this error when running the script:
  **************************************************************************************
  C:\users\rayna\desktop\Set-LetsEncryptConfiguration.ps1 : The term 'Login-AzureRmAccount' is not recognized as the
  name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was
  included, verify that the path is correct and try again.
  At line:1 char:1
  + .\Set-LetsEncryptConfiguration.ps1 -LetsEncryptSubscriptionId e0a11e6 ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo : ObjectNotFound: (Login-AzureRmAccount:String) [Set-LetsEncryptConfiguration.ps1], Comman
  dNotFoundException
  + FullyQualifiedErrorId : CommandNotFoundException,Set-LetsEncryptConfiguration.ps1
  ********************************************************************************************************************
  I've searched everything I could find but no help. I've setup my certificates so far using “letsencrypt-siteextension” and would love to put them all under yours.
  
  Any ideas?
  
  Thanks, Ray
  

• This is a really useful and thorough walkthrough, and by far the best means I've found of accomplishing this goal anywhere to date. Thank you for simplifying what should be a much smoother process.
  
  I'm working on a Blazor app with ASP.NET Core 3.0, and I'm wondering, based on the contents of the rest of your blog, if you might know what would be necessary to enable this on the preview of the new version of ASP..NET core.. In particular, it looks like it handles the Configure() and ConfigureServices() methods in the Startup class differently. I'm trying to dig through the differences now, but was hoping you might be able to provide some insight.
  
  Thanks!
  
  Ryan
  

• My query was about free and i have found my answer. Get SSL certification in one hour. https://www.fiverr.com/share/0z7zr
  

• do i have to create the .wellknown folder and how do i generate the {longid} do i just make one up?
  

• great idea
  

• Thanks for sharing this information with us.
  The web app is an application program that is stored on a remote server and delivered over the Internet through a browser interface. Web services are Web apps by definition and many, although not all, websites contain Web apps.
  

• Thanks - great instructions, very helpful!
  Just a note - SSL doesn't seem active on this site :-p
  

• This is so chock full of useful information I can't wait to dig deep and start utilize the resource you have given me. Your exuberance is refreshing.
  

• Thanks for writing this article.
  
  I had some issues deploying this to a .NET Core 3 app via Azure DevOps - I believe it was to do with the "WEBSITE_RUN_FROM_PACKAGE" being set as on which essentially makes the wwwroot folder readonly, meaning the acme-challenge files can't be written and served to Let's Encrypt.
  
  I managed to resolve this by changing the configured webRootPath to "./site/letsencrypt" and then In App Service > Settings > Configuration > Path mappings created a virtual application "/.well-known" to "site\letsencrypt\.well-known".
  

• tanx for this EDU
  

• Many Thanks for your emais.
  

• Aw, this was a very nice post. Taking the time and actual effort to create a good article… but what can I say… I put things off a whole lot and never manage to get anything done.
  

• Thank you so much for this post -- it is a huge help! I did have some questions as I was attempting this though. According to the webapp-renewer documentation, the letsencrypt:webAppName-clientSecret is supposed to be a connection string. In this walkthrough, you created a client secret in the App Registration - is that what is supposed to go here? Are we filling in the actual secret or the key to the secret? (unfortunately, the script doesn't work for me as it doesn't like one of my existing connection strings)
  

• I am very thankful that you are my teacher.
  

• Thanks for the instructions! The link to `Set-LetsEncryptConfiguration.ps1` powershell script is broken. It looks like it's been moved to:
  
  https://github.com/ohadschn/letsencrypt-webapp-renewer/blob/master/src/Scripts/Set-LetsEncryptConfiguration.ps1
  

• For those running into the "The term 'Login-AzureRmAccount' is not recognized as the
  name of a cmdlet" problem, here's what I discovered.
  
  The script here uses AzureRM, but that's been replaced by Az. You can't have them both installed at the same time. So I did the following:
  
  1. Install Azure Az (you might need to uninstall AzureRM first).
  
  if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
  Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
  'Az modules installed at the same time is not supported.')
  } else {
  Install-Module -Name Az -AllowClobber -Scope CurrentUser
  }
  
  2. Set up the compatibility aliases
  
  Enable-AzureRmAlias -Scope CurrentUser
  
  And then run the script. Hope that helps.
  

• Thank you for this write up it has saved me some $.
  The only thing I'm having an issue with is generating multiple certs.
  
  For example I need:
  acme.com
  and
  www.acme.com
  
  I have tried changing the hosts configuration parameter to a comma separated list of the FQDNs but that does not seem to work.
  
  Any help much appreciated.
  

• Update: I read the documentation at: https://github.com/sjkp/letsencrypt-siteextension
  
  ;)
  
  And I see that the config parameter letsencrypt:Hostnames should have a _semi-colon_ list of domains.
  
  Does anyone know which parameters to change in Set-LetsEncryptConfiguration.ps1.
  
  Snipped the parameter list.
  
  This works:
  .\Set-LetsEncryptConfiguration.ps1 -WebApp acme-com-web-site -Hosts acme.com
  
  This does not work:
  .\Set-LetsEncryptConfiguration.ps1 -WebApp acme-com-web-site -Hosts acme.com;www.acme.com
  
  The error is:
  The term 'www.acme.com' is not recognized as the name of a cmdlet...
  

• good article , enjoyed reading
  

• Kullanmış olduğunuz mekanların daha kullanışlı ve ferah bir hale getirilmesi için <a href="https://www.vamimarlik.com">beylikdüzü mimarlık ofisleri</a> olarak tasarım projeleri hazırlanmaktadır.
  
  Ofis, mağaza, kafe, iç mekan ya da showroom tasarımı konusunda dekorasyoncu farklı fikirler oluşturarak kullandığınız alanın daha etkileyici görünmesini sağlamaktadır. Yıllardır bu alanda çalışmalarını sürdürmekte olan firma 2016 yılından itibaren aralıksız şekilde çalışmalarına devam etmektedir. Elde edilen deneyimler doğrultusunda tamamen profesyonel şekilde hizmet sunulmaktadır. Bu sayede mimarlık firmaları arasında özellikle adını duyurmayı başararak kalitesi ile farkını ortaya koymaktadır. Hazırlanacak olan projeler son sistem teknolojiye sahip cihazlar üzerinden gerçekleştirilmektedir. Detaylı şekilde gerçekleştirilen çalışmalar sayesinde tamamen müşteri beklentilerini karşılayacak şekilde hizmet sunulmaktadır.
  
  

• Thanks for the good content you wrote, I always read your blog
  

• I followed all steps, but failed to create the certificate. Not sure what went wrong.
  
  [04/27/2021 06:00:48 > c45fb1: INFO] Authorization Result: Invalid, more info at https://acme-v02.api.letsencrypt.org/acme/chall-v3/12653933375/0cdRYQ
  [04/27/2021 06:00:48 > c45fb1: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Auth Result Invalid, more info at https://acme-v02.api.letsencrypt.org/acme/chall-v3/12653933375/0cdRYQ
  [04/27/2021 06:00:48 > c45fb1: INFO] Error during Request or install certificate System.Exception: Unable to complete challenge with Lets Encrypt servers error was: {"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/12653933375/0cdRYQ","status":"Invalid","validated":"2021-04-27T06:00:42+00:00","error":{"Type":"urn:ietf:params:acme:error:unauthorized","Detail":"Invalid response from https://abaitc.org/.well-known/acme-challenge/ZfAWYDYBkO4tOCfhq28FaFmTwiZ6M_6oQZa9O3SK8wk [104.43.140.101]: \"<!doctype html><html lang=\\\"en\\\"><head><meta charset=\\\"utf-8\\\"/><link rel=\\\"icon\\\" href=\\\"/favicon.ico\\\"/><meta name=\\\"viewport\\\" content=\"","Identifier":null,"Subproblems":null,"Status":403},"errors":null,"token":"ZfAWYDYBkO4tOCfhq28FaFmTwiZ6M_6oQZa9O3SK8wk","keyAuthorization":null}
  

• درآموزش تعمیرات برد های الکترونیکی به شما نحوه تعمیرات انواع بردهای لوازم خانگی، تعمیرات بردهای صنعتی، تعمیرات برد پکیج، تعمیرات برد کولر گازی، تعمیرات برد اینورتر و ... آموزش داده خواهد شد.
  https://fannipuyan.com/electronic-boards-repair-training/
  

• کلینیک لیزر شفا به عنوان بهترین مرکز درمان بیماری های گوارشی و نشیمن گاهی با مدیریت دکتر داود تاج بخش در رابطه با بیماریهای ناحیه مقعد خدماتی از جمله درمان بیماری هایی مثل هموروئید، فیستول، شقاق ارائه می دهد. کلینیک لیزر شفا فقط و فقط بر روی بیماری های مقعدی تمرکز داشته و تمامی متخصصین در این رابطه دور هم گرد آورده است.
  https://laser-doc.com/
  

• در آموزش تعمیرات موبایل به شما نحوه تعمیر انواع موبایل اندرویدی و آیوس آموزش داده خواهد شد.
  

• آموزش نصب کولر گازی تماما بصورت عملی بوده و مخصوص ورود کارآموزان به بازار کار است.
  

• در این آموزش نحوه نصب و تعمیر انواع مختلف پکیج از قبیل بوتان و ... را آموزش خواهید دید.
  

• https://ma-study.blogspot.com/
  

• Your article has answered the question I was wondering about! I would like to write a thesis on this subject, but I would like you to give your opinion once :D Keo nha cai
  

• Of course, your article is good enough, but I thought it would be much better to see professional photos and videos together. There are articles and photos on these topics on my homepage, so please visit and share your opinions.
  

• I have been looking for articles on these topics for a long time. I don't know how grateful you are for posting on this topic. Thank you for the numerous articles on this site, I will subscribe to those links in my bookmarks and visit them often. Have a nice day
  

• Good article, I really like the content of this article.I have received your news. i will follow you And hope to continue to receive interesting stories like this.
  

• I really appreciate this wonderful post that you have provided for us. I assure this would be beneficial for most of the people.
  

• I’ve been using this site for a long time, thanks for everything.
  

• Please visit my web site too and let me know what you think.
  

• You have a good point here! I totally agree with what you have said!!
  

• Thanks for sharing your views. hope more people will read this article!!
  

• فلاور باکس مدل مربعی و فلاور باکس مدل مستطیلی و فلاور باکس مدل استند ایستاده تیک هوم کالا از بهترین ها در تهران
  

• I want you to see my message I really like your article, everything. I really like your article, everything, from start to finish, I read them all.
  

• Securit: The platform employs advanced security technologies to safeguard user funds and data. Registration and Logi: The initial step is to create an account on Cryptorobotics and log in to the platform: <a href="http://cryptorobotics.co/how-to-trade-long/">http://cryptorobotics.co/how-to-trade-long/</a>
  

• I came to this site with the introduction of a friend around me and I was very impressed when I found your writing. I'll come back often after bookmarking! <a href="https://images.google.co.ug/url?sa=t&url=https%3A%2F%2Fwww.mtclean.blog/">baccarat online</a>
  

• It's really great. Thank you for providing a quality article. There is something you might be interested in. Do you know <a href="https://images.google.co.tz/url?sa=t&url=https%3A%2F%2Fwww.mtclean.blog/">casinosite</a> ? If you have more questions, please come to my site and check it out!
  

• From some point on, I am preparing to build my site while browsing various sites. It is now somewhat completed. If you are interested, please come to play with <a href="https://images.google.co.th/url?sa=t&url=https%3A%2F%2Fwww.mtclean.blog/">baccaratsite</a> !!
  

• I saw your article well. You seem to enjoy <a href="https://images.google.co.nz/url?sa=t&url=https%3A%2F%2Fwww.mtclean.blog/">slotsite</a> for some reason. We can help you enjoy more fun. Welcome anytime :-)
  

• no matter what Topics in all your articles. I'm always interested and reading. Keep supporting you, keep writing.
  

• I liked your article and I hope you will have many entries or more.
  

• Today we get the best article where i get free ssl certificate how to create.. You did a lot of work. Now you can also get seriale turcesti freely on my blog. thanks