
Add support for Let's Encrypt in the Azure Portal

Please make it one-button easy to add a "Let's Encrypt" SSL cert to a WebApp.

The request was previously opened here: https://feedback.azure.com/forums/169385-web-apps-formerly-websites/suggestions/6737285-add-support-for-free-ssl-certs-like-those-from-let#{toggle_previous_statuses} but was closed with a community solution. The solution works, but isn't as seamless or easy as direct integration to the Azure portal.

The ideal solution was presented by Troy Hunt in a blog post: https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TroyHunt+%28Troy+Hunt%29


1,947 votes
    Shane Castle shared this idea

    Azure App Service provides an ability to use certificates that are being held in Azure Key Vault. We do not want the individual resource providers to separately integrate with CA systems. We are instead trying to build around Azure Key Vault and that is where this integration request should go.
    Instead of moving this item to being under Key Vault, it is instead being closed and left here as a reference. If you do wish to vote up the request to add integration with Let’s Encrypt, please do so with the Key Vault related item: https://feedback.azure.com/forums/170024-additional-services/suggestions/16957756-add-integration-with-let-s-encrypt



      • John commented

        Let's be blunt. Microsoft, you ARE losing business because Azure doesn't support letsencrypt.org.

        It removes the renewal, and the cost of SSL certificates. So it is easier and costs less, developers and end users both are going to always want this. Unless you come up with your own flavor of free auto renewing SSL certs, this request isn't going away.

        I just finished an email for a current Azure client that needs to move their website to SSL, describing the official option, and workaround using the community "solution", and porting the website to a LAMP stack and using something that does support letsencrypt.

        Who knows what they will pick, but if I'm sending that email you know tons of other web development companies are as well.

        I'm not sure if you are contractually prevented this from happening, but you need to fix it somehow.

        I'm a Microsoft Fanboy and always have been, but if we don't get something implemented, people are going to be looking elsewhere for cloud website hosting.

      • Rajasekharan Vengalil commented

        Azure App Service is a high-level PaaS solution for hosting sites (among other things). The whole point is that one is able to get things done without having to fret about low level details. Let's Encrypt integration fits perfectly into this idea. The request here I believe is to make the integration easy to use (perhaps the way Troy proposes in his blog). Whether it is accomplished with Key Vault or not appears to be implementation detail that your customers should not have to worry about. Do please re-consider. Thanks.

      • MikeB commented

        This is an awful decision. I think most of us were feeling optimistic about the future of Microsoft, but this is a huge step backwards.

      • zmorris commented

        Really, really, really bad idea. Goes against the fundamental principle of the entire Azure tool suite: "Use what you want how you want, we're not the old MS, forcing people into a specific tool stack."

        We've been using KeyVault in other areas for a couple years. It mostly blows.

        Has Scott Hanselman heard about this?

      • Steffen Gammelgård commented

        I actually bought one of those insanely overpriced App Service Certificates...

        It doesn't work, I get a "Guest User Error" when I go to import it to a KeyVault. - their support person wasted my time (3 remote sessions where he just wanted me to run the same PowerShell commands and email him the output... 3 times... I didn't bother to keep entertaining that idiot.)

        Just make them obsolete already and support a great service that will eventually make the internet a more secure place!

      • Fabrizio commented

        One of the worst decisions by Microsoft I ever saw. Let's Encrypt is a free service able to push up the security level of the whole Internet and Microsoft doesn't understand the value and importance of being part of it.
        Dear Microsoft, take a look at the sponsors page https://letsencrypt.org/sponsors/ and you'll understand that you're making the wrong decision.

      • james commented

        Terrible decision Microsoft. You make enough money, stop trying to push your certs and give us this feature. How is this even going to work on Key Vault? I'll be quite happy if it does, but I don't see this happening.

        Seems as if this was closed without understanding both the necessity, and the reasons why it would be incredibly difficult to implement it on Key Vault, since you need access directly to the web server or the traffic router that sits in front of it.

      • Christian Weiss commented

        Is it even possible to integrate Let's Encrypt with Key Vault, if it doesn't have access to the DNS or the Webserver? How will the validation take place?

        With Let's Encrypt integrated into App Service AND Application Gateway (see related issue https://feedback.azure.com/forums/217313-networking/suggestions/15728205-let-s-encrypt-integration-for-https-certificates ) you would have the "epic" opportunity to make almost every public endpoint of Azure secure by default - this would be a huuuge selling point for Azure.

        It feels like you're clearly missing out on a great opportunity here. :-(

      • Nicolas Cadilhac commented

        This kind of decision makes me seriously think about 1. moving my sites out of azure, 2. creating new sites out of azure.

      • Mike Cousins commented

        They're obviously just trying to push their own super expensive SSL certs....

        Horrible decision Microsoft. This would be so much better if it was built into App Service instead of Key Vault.

      • Patrick commented

        This got closed twice now, both times with a huge amount of votes.

        We need to vote again on a third User Voice to have this feature considered?

      • Anonymous commented

        This is becoming more important all the time. I am reluctant to move a lot of sites over to Azure because of the lack of support for Let's Encrypt.

      • zmorris commented

        I would give all ten of my votes for this if I could. My whole team would pool all of our votes and put them toward this if we could.

      • Mark Allan commented

        NB for clarity - the "ideal solution" referred to is the request for a button in the Azure Portal, not all the manual fiddling around that takes up the rest of the post ;)

      • Phil commented

        The other question would have to be why free SSL certs like Let's Encrypt would only be made available to the more costly Basic plans and higher instead of offering for Shared pricing tiers. But that's probably a separate request.

      • Elias Probst commented

        Take a look at Caddy (https://caddyserver.com) as a perfect example how absolutely painless ACME/TLS support can be done…
        Also make sure to implement generic ACME support, not only ACME tied to Let's Encrypt.
