Let’s Encrypt Certificates on the Azure Application Gateway

The Security Principles

Quoting from the World Wide Web Consortium (W3C):

  1. The Web’s trustworthiness has become critical to its success
  2. Furthermore, confidentiality — while arguably not always strictly necessary — is often needed
  3. The Web platform should be designed to actively prefer secure communication
  4. Barriers to adopting “https://” should be removed where feasible
  5. The end-to-end nature of TLS encryption must not be compromised on the Web
  6. Educating and interacting with users regarding security is notoriously difficult. 🙄 (Emoticon mine)
  7. Cryptography will not solve all security problems in the Web platform

Source: https://www.w3.org/2001/tag/doc/web-https

There’s a massive push in the industry to make all websites on the public Web secure. The latest Chrome version flags websites as not secure if they are served over HTTP, see below:

None other than the UN delivers content over HTTP. It also supports HTTPS, but still serves plain HTTP.

Let’s Encrypt to the Rescue

The service aims to provide certificates for FREE to anyone. It delivers close to 600,000 certificates per day.

Lots of certs issued, daily

Fantastic, my setup is as follows:

  • An IaaS scale set of 2 VMs running a website on IIS. These boxes are not publicly accessible
  • A Web Application Firewall tier (WAF) using the Azure Application Gateway

First, the good news: it is possible to get a Let’s Encrypt TLS certificate and install it in the Azure WAF.

The not-so-good news: it’s tricky, because Let’s Encrypt only issues domain-validated certificates, since those can be fully automated. This means that the host requesting the certificate must be publicly accessible. Organization Validation and Extended Validation certificates are not available.

How-To

I did not set this up in the most seamless way for a production environment. The intention was to prove the point: having free certificates in this configuration.

The elements I used for this lab:

  • 1 Windows ScaleSet in Azure with 2 VMs
    • I installed the public certificate here on IIS. Do not map the host name on the IIS binding; this can cause connection issues.
  • A public DNS service. Any service does the job
  • 1 Linux Box
    • I ran the Let’s Encrypt bot from this box, and the DNS A record was pointing to it.
    • Once the certificate was issued, I exported the .cer and the .pfx.
  • 1 Azure Application Gateway
    • Firewall Enabled
    • Firewall mode set to Prevention
    • Configured as WAF
    • Listener configured over HTTPS
    • Rule Set OWASP 3.0
    • The public certificate (.cer) for the back-end and the private key bundle (.pfx) for the front-end listener
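The export step above, as an added example rather than the author’s own scripts: a POSIX shell helper that turns the PEM files the Let’s Encrypt client leaves behind into the two artefacts this lab installs (the .pfx for the Application Gateway HTTPS listener and the public .cer for the back-end setting), checks them before upload, and shows the Azure CLI upload calls. The domain, paths, password and Azure resource names are assumptions, and the demo uses a constructed self-signed certificate in place of a real Let’s Encrypt one.

```shell
#!/bin/sh
# Added example (not the author's scripts): turn the PEM files the Let's Encrypt
# client leaves under /etc/letsencrypt/live/<domain>/ into the two artefacts the
# lab installs: a .pfx (cert + key + chain) for the Application Gateway HTTPS
# listener and a .cer (public cert only, DER) for the back-end setting.
# Needs only openssl; all paths, names and the password are assumptions.
set -e

# Front-end listener: bundle cert, private key and chain into a password-protected PKCS#12.
make_pfx() {  # make_pfx <cert.pem> <privkey.pem> <chain.pem> <out.pfx> <password>
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Back-end setting: export the public certificate only, in DER (.cer) form.
make_cer() {  # make_cer <cert.pem> <out.cer>
  openssl x509 -in "$1" -outform DER -out "$2"
}

# Pre-upload checks: the .pfx must open with the password and hold exactly one
# private key; the .cer must parse as a certificate (it carries no key).
check_pfx() {  # check_pfx <file.pfx> <password>
  n=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN .*PRIVATE KEY')
  [ "$n" -eq 1 ]
}
check_cer() {  # check_cer <file.cer>
  openssl x509 -inform DER -in "$1" -noout -subject >/dev/null
}

# Upload with the Azure CLI (resource names are placeholders; not called by the demo).
upload_to_appgw() {  # upload_to_appgw <resource-group> <gateway> <file.pfx> <password> <file.cer>
  az network application-gateway ssl-cert create -g "$1" --gateway-name "$2" \
    -n letsencrypt-frontend --cert-file "$3" --cert-password "$4"
  az network application-gateway auth-cert create -g "$1" --gateway-name "$2" \
    -n iis-backend --cert-file "$5"
}

# Demo: a constructed self-signed cert and a stand-in chain play the role of the
# files the Let's Encrypt client would have issued for the lab's host name.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.com" \
    -keyout "$d/privkey.pem" -out "$d/cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Stand-in chain" \
    -keyout "$d/chain.key" -out "$d/chain.pem" 2>/dev/null
  make_pfx "$d/cert.pem" "$d/privkey.pem" "$d/chain.pem" "$d/frontend.pfx" 'Pfx-Pass-1'
  make_cer "$d/cert.pem" "$d/backend.cer"
  check_pfx "$d/frontend.pfx" 'Pfx-Pass-1' && check_cer "$d/backend.cer" && echo "$d"
}
```

Running `demo` prints the directory holding frontend.pfx and backend.cer; with real certbot output, point make_pfx at cert.pem, privkey.pem and chain.pem from the live directory instead.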

How does it look


Conclusion

The Published website:

It is possible and works perfectly.

Doing some googling, there seems to be a less complicated way, which I haven’t tried:

LeSslCertToAzure, a PowerShell module that creates a TLS cert and applies it to the Azure App Gateway. I will test it, eventually.

Roberto