Skip to content
Automated Let's Encrypt issuer for Azure App Service (Web Apps / Functions / Containers)
Branch: master
Clone or download

App Service Acmebot

Build Status Release License

This function provide easy automation of Let's Encrypt for Azure App Service. This project started to solve some problems.

  • Support multiple app services
  • Simple deployment and configuration
  • Robustness of implementation
  • Easy monitoring (Application Insights, Webhook)

They can manage multiple App Service certificates with single Function App.


If you need fine-grained certificate management, I strongly recommend using Key Vault version.

The Key Vault version is available for services that support Key Vault certificates such as App Service / App Gateway / CDN / Front Door.

Table Of Contents

Feature Support

  • Azure Web Apps and Azure Functions (Windows)
  • Azure Web Apps (Linux) / Web App for Containers (required Azure DNS)
  • Azure App Service Environment (Windows / Linux)
  • Certificate issued to any deployment slot
  • Subject Alternative Names certificates (multi-domains support)
  • Wildcard certificates (required Azure DNS)
  • Multiple App Services support with single Function App


  • Azure Subscription
  • App Service with added hostnames
  • Email address (for Let's Encrypt account)

Getting Started

1. Deploy to Azure Functions

2. Add application settings key

  • LetsEncrypt:SubscriptionId
    • Azure Subscription Id
  • LetsEncrypt:Contacts
    • Email address for Let's Encrypt account
  • LetsEncrypt:Webhook
    • Webhook destination URL (optional, Slack recommend)

3. Enable App Service Authentication (EasyAuth) with AAD

Open Authentication / Authorization from Azure Portal and turn on App Service Authentication. Then select Log in with Azure Active Directory as an action when not logging in.

Enable App Service Authentication with AAD

Set up Azure Active Directory provider by selecting Express.

Create New Azure AD App

4. Assign roles to target resource group

Using Access control (IAM), assign a role to Function App. Require Website Contributor and Web Plan Contributor roles.

Assign a role

IAM settings


If the Web App refers to a Service Plan in a different resource group, Please assign Website Contributor role for Resource Group with Web App and Web Plan Contributor role for Resource Group with Service Plan.


Adding new certificate

Go to Since the Web UI is displayed, if you select the target App Service and domain and execute it, a certificate will be issued.

Add certificate

If nothing is displayed in the dropdown, the IAM setting is incorrect.

Adding wildcard certificate or Linux Container support

If they need a Wildcard certificate, additional assign DNS Zone Contributor role to Azure DNS or Resource group.

IAM settings

Certificates for "App Service on Linux" and "Web App for Container" is required Azure DNS.

Renew certificates

This function will check the expiration date once a day for the certificate issuer is Let's Encrypt Authority X3 or Let's Encrypt Authority X4.

The default time is UTC 00:00, so if necessary they can set any time zone with WEBSITE_TIME_ZONE.

Deploy new version

This function use Run From Package. To deploy the latest version, just restart Azure Functions.


Causes Azure REST API error at GetSite or Dns01Precondition

Make sure that the required role is assign for the resource group. Azure IAM may take up to 30 minutes to be reflected.



This project is licensed under the Apache License 2.0

You can’t perform that action at this time.