App Service Acmebot
This function provides easy automation of Let's Encrypt for Azure App Service. This project was started to solve the following problems:
- Support multiple app services
- Simple deployment and configuration
- Robustness of implementation
- Easy monitoring (Application Insights, Webhook)
You can manage multiple App Service certificates with a single Function App.
If you need fine-grained certificate management, I strongly recommend using the Key Vault version.
The Key Vault version is available for services that support Key Vault certificates, such as App Service / App Gateway / CDN / Front Door.
- Azure Web Apps and Azure Functions (Windows)
- Azure Web Apps (Linux) / Web App for Containers (requires Azure DNS)
- Azure App Service Environment (Windows / Linux)
- Certificates issued to any deployment slot
- Subject Alternative Names certificates (multi-domain support)
- Wildcard certificates (requires Azure DNS)
- Multiple App Services support with a single Function App
- Azure Subscription
- App Service with added hostnames
- Email address (for Let's Encrypt account)
1. Deploy to Azure Functions
2. Add application settings keys
- Azure Subscription Id
- Email address for Let's Encrypt account
- Webhook destination URL (optional, Slack recommended)
3. Enable App Service Authentication (EasyAuth) with AAD
Open Authentication / Authorization from the Azure Portal and turn on App Service Authentication. Then select Log in with Azure Active Directory as the action to take when a request is not authenticated.
Set up Azure Active Directory provider by selecting
4. Assign roles to target resource group
In Access control (IAM), assign roles to the Function App. The Website Contributor and Web Plan Contributor roles are required.
If the Web App refers to a Service Plan in a different resource group, assign the Website Contributor role on the resource group containing the Web App and the Web Plan Contributor role on the resource group containing the Service Plan.
Adding new certificate
Open https://YOUR-FUNCTIONS.azurewebsites.net/add-certificate. A web UI is displayed; select the target App Service and domain, then execute to issue a certificate.
If nothing is displayed in the dropdown, the IAM setting is incorrect.
Adding wildcard certificate or Linux Container support
If you need a wildcard certificate, additionally assign the DNS Zone Contributor role on the Azure DNS zone or its resource group.
Certificates for "App Service on Linux" and "Web App for Container" require Azure DNS.
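The role assignments from step 4 and from the wildcard / Linux section above can also be scripted with the Azure CLI. This is an added example, not part of the Acmebot project: the subscription ID and resource group names are placeholders, and it assumes the Function App runs under a managed identity.

```shell
#!/bin/sh
# Added example, not Acmebot's own code. All names and IDs are placeholders.

# Print one "role|scope" line per assignment the README calls for.
#   $1 subscription ID
#   $2 resource group of the Web App
#   $3 resource group of the Service Plan (may be the same as $2)
#   $4 optional: resource group of the Azure DNS zone (wildcard / Linux)
plan_assignments() {
  base="/subscriptions/$1/resourceGroups"
  echo "Website Contributor|$base/$2"
  echo "Web Plan Contributor|$base/$3"
  if [ -n "${4:-}" ]; then
    echo "DNS Zone Contributor|$base/$4"
  fi
}

# Create the assignments, each scoped to one resource group rather than
# to the whole subscription.
#   $1 object ID of the Function App's identity; the remaining arguments
#      are the same as for plan_assignments.
# Assumption: the identity is a managed identity, whose object ID can be read with
#   az functionapp identity show --name NAME --resource-group RG \
#     --query principalId --output tsv
apply_assignments() {
  principal_id=$1
  shift
  plan_assignments "$@" | while IFS='|' read -r role scope; do
    az role assignment create \
      --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" \
      --scope "$scope" || exit 1
  done
}

# Dry run with constructed placeholder values: print the plan only.
plan_assignments "00000000-0000-0000-0000-000000000000" rg-webapp rg-plan rg-dns
```

Review the printed plan first, then call `apply_assignments` with the identity's object ID followed by the same arguments.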
This function checks the expiration date once a day for certificates whose issuer is Let's Encrypt Authority X3 or Let's Encrypt Authority X4.
The default time is UTC 00:00, so if necessary you can set any time zone with
Deploy new version
This function uses Run From Package. To deploy the latest version, just restart Azure Functions.
Causes Azure REST API error at GetSite or Dns01Precondition
Make sure that the required role is assigned for the resource group. Azure IAM changes may take up to 30 minutes to be reflected.
This project is licensed under the Apache License 2.0