How can we improve Azure Web Apps (formerly Websites)?

Add support for Let's Encrypt in the Azure Portal

Please make it one-button easy to add a "Let's Encrypt" SSL cert to a WebApp.

The request was previously opened here: https://feedback.azure.com/forums/169385-web-apps-formerly-websites/suggestions/6737285-add-support-for-free-ssl-certs-like-those-from-let but was closed with a community solution. The solution works, but isn't as seamless or easy as direct integration to the Azure portal.

The ideal solution was presented by Troy Hunt in a blog post: https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TroyHunt+%28Troy+Hunt%29

Thanks!

1,948 votes
    Shane Castle shared this idea
    declined  ·  Azure App Service Team (Admin, Microsoft Azure) responded

    Azure App Service provides an ability to use certificates that are being held in Azure Key Vault. We do not want the individual resource providers to separately integrate with CA systems. We are instead trying to build around Azure Key Vault and that is where this integration request should go.
    Instead of moving this item to being under Key Vault, it is instead being closed and left here as a reference. If you do wish to vote up the request to add integration with Let’s Encrypt, please do so with the Key Vault related item: https://feedback.azure.com/forums/170024-additional-services/suggestions/16957756-add-integration-with-let-s-encrypt

    Christina

    18 comments

      • MikeB commented

        This is an awful decision. I think most of us were feeling optimistic about the future of Microsoft, but this is a huge step backwards.

      • zmorris commented

        Really, really, really bad idea. Goes against the fundamental principle of the entire Azure tool suite: "Use what you want how you want, we're not the old MS, forcing people into a specific tool stack."

        We've been using KeyVault in other areas for a couple years. It mostly blows.

        Has Scott Hanselman heard about this?

      • Steffen Gammelgård commented

        I actually bought one of those insanely overpriced App Service Certificates...

        It doesn't work, I get a "Guest User Error" when I go to import it to a KeyVault. - their support person wasted my time (3 remote sessions where he just wanted me to run the same PowerShell commands and email him the output.. 3 times... I didn't bother to keep entertaining that idiot.)

        Just make them obsolete already and support a great service that will eventually make the internet a more secure place!

      • Fabrizio commented

        One of the worst decisions by Microsoft I ever saw. Let's Encrypt is a free service able to push up the security level of the whole Internet and Microsoft don't understand the value and importance of being part of it.
        Dear Microsoft, take a look at the sponsors page https://letsencrypt.org/sponsors/ and you'll understand that you're making the wrong decision.

      • james commented

        Terrible decision Microsoft. You make enough money, stop trying to push your certs and give us this feature. How is this even going to work on Key Vault? I'll be quite happy if it does, but I don't see this happening.

        Seems as if this was closed without understanding both the necessity, and the reasons why it would be incredibly difficult to implement it on Key Vault, since you need access directly to the web server or the traffic router that sits in front of it.

      • Christian Weiss commented

        Is it even possible to integrate Let's Encrypt with Key Vault, if it doesn't have access to the DNS or the Webserver? How will the validation take place?

        With Let's Encrypt integrated into App Service AND Application Gateway (see related issue https://feedback.azure.com/forums/217313-networking/suggestions/15728205-let-s-encrypt-integration-for-https-certificates ) you would have the "epic" opportunity to make almost every public endpoint of Azure secure by default - this would be a huuuge selling point for Azure.

        It feels like you're clearly missing out on a great opportunity here. :-(

      • Nicolas Cadilhac commented

        This kind of decision makes me seriously think about 1. moving my sites out of Azure, 2. creating new sites out of Azure.

      • Mike Cousins commented

        They're obviously just trying to push their own super expensive SSL certs....

        Horrible decision Microsoft. This would be so much better if it was built into App Service instead of Key Vault.

      • Patrick commented

        This got closed twice now, both times with a huge amount of votes.

        We need to vote again on a third User Voice to have this feature considered?

      • Anonymous commented

        This is becoming more important all the time. I am reluctant to move a lot of sites over to Azure because of the lack of support for Let's Encrypt.

      • zmorris commented

        I would give all ten of my votes for this if I could. My whole team would pool all of our votes and put them toward this if we could.

      • Mark Allan commented

        NB for clarity - the "ideal solution" referred to is the request for a button in the Azure Portal, not all the manual fiddling around that takes up the rest of the post ;)

      • Phil commented

        The other question would have to be why free SSL certs like Let's Encrypt would only be made available to the more costly Basic plans and higher instead of offering for Shared pricing tiers. But that's probably a separate request.

      • Elias Probst commented

        Take a look at Caddy (https://caddyserver.com) as a perfect example of how absolutely painless ACME/TLS support can be done…
        Also make sure to implement generic ACME support, not only ACME tied to Let's Encrypt.

      • Nick Randell commented

        I followed Troy's post, it worked, seemed to be quite a few steps to do, but only took 10 minutes which for a first time through is good. Making it easy to use will be really important.

        How about an Azure version of Let's Encrypt so that it is built into Azure automatically. Maybe throw in HTTP/2 at the same time - i.e. roll on Server 2016!

      • Patrick commented

        The steps don't look solid. It took me 1 hour, was successful, but I do not trust it (not sure the job will renew...). The number of votes in 2 weeks is +467 votes. I think it's clear that this would be a very favorable solution. Please, do not close it as Community Solution. A lot of people are coming to the cloud to have a part of the setup handled as a service. This would be a great feature and something that everyone doing web will embrace to use.

      • Shane Castle commented

        To be clear, I'm requesting the implementation of a new icon in the portal, like the one in the screenshot at the end of Troy's post.

        The body of the post shows all the steps currently required, including setting up the community extension, a webjob and service principal.

        At the end of the post, Troy shows what an ideal state would look like. I'd like to see that implemented.

      • Muhammad Rehan Saeed commented

        The solution highlighted by Troy and others only has 1800 downloads in total and is a mess of several bits put together. Not to be trusted for anything serious.
