Setup auto-renew wildcard HTTPS certificate on Azure virtual machine

Sometimes we might need to host a website in Azure. And there are so many options, like storage account, app service. But none of those supports wildcard HTTPS and auto-renew. An ideal configuration shall be static which means that it will never crash even when no one maintains it. Auto-renew is a must-have feature for HTTPS.

Luckily, I got a solution based on win-acme: https://github.com/win-acme/win-acme/. And also based on Azure DNS.

The certificate is issued by let's encrypt. https://letsencrypt.org/ It's a nonprofit Certificate Authority providing TLS certificates to 225 million websites. So we can always use if for free.

The brief steps of the setup:

• Migrate your DNS to Azure DNS
• Create your Azure virtual machine with Windows Server 2016+ and IIS 10.0
• Install win-acme and Azure DNS verification plugin.
• Set up your app registration and get configuration details
• Apply for a wildcard HTTPS certificate with the auto-renew feature.

Migrate your DNS to Azure DNS

Migrating your DNS to Azure DNS so you can edit your records within Azure, no matter in the portal, or via API so the steps can be automatically done.

You MUST complete this step because, without Azure DNS, you can't modify DNS records based on your Azure identification and can not get a wildcard HTTPS certificate.

Before starting, I strongly suggest you create a new clean resource group just for you Azure DNS resources.

Before migrating, you need to first create your Azure DNS service at https://portal.azure.com.

And type your domain name here like this:

After creating it, you gonna find the DNS server address. Copy the server names to a notebook.

And for your domain name provider, edit the name server to the values you copied. For example, I registered my domain at https://godaddy.com. And you can edit it like this:

And change it to Azure DNS like this:

After saving it, it may cost about 2-48 hours to take effect. So changing this is pretty dangerous for your online services that may break up during the migrating process. After migrating, set your previous DNS values to Azure immediately to keep your business.

Create your Azure virtual machine with Windows Server 2016+ and IIS 10.0

Creating a new Azure virtual machine is pretty simple and is basic knowledge. Make sure that you created a clean Windows Server 2016+ is ok.

After creating your new Windows Server, install IIS on it.

And select Web Server to install.

After installing IIS, your server is ready to host a website, but HTTP only.

Install win-acme and Azure DNS verification plugin

To get a certificate, win-acme is a great automatic tool that automatics the apply, verify, and install steps. To download it, go to the GitHub release downloads: https://github.com/win-acme/win-acme/releases.

Select x64 pluggable win-acme and the azure plugin. Make sure you download the same version of the main program and the plugin or there may cause some loading issues. After downloading, there gonna be the following files:

And unzip both of it to the same folder:

And copy the entire folder to your server. Run the wacs.exe as admin.

Set up your app registration and get configuration details

And to verify your ownership for your domain for win-acme, you need to give it permission to modify your Azure DNS settings.

To do this, we gonna create a new app registration in your Azure portal.

Copy your application ID.

And create a new secret.

And copy the resource group name which contains your Azure DNS.

Copy your AAD tenant Id.

And copy your subscription ID.

And after copying all those required identity ID, we gonna make sure that the created app have the privilege to modify DNS. Add it as a contributor to your resource group or subscription.

That's done. Save the copied properties to a safe note file and it will be required in the next step.

Apply for a wildcard HTTPS certificate with the auto-renew feature

Now we gonna do the final config: apply for the wild card certificate. Before starting, we need to set the wild card DNS record to our server.

Copy the public IP address of your virtual machine first like this:

And now back to Azure DNS settings. Add a new A record to point * to that IP. So any subdomain goes to your server.

And that's for the DNS config. Back to your server with remote desktop, run the wacs.exe.

Press M to apply for a new certificate with full options. Read site configuration from IIS, and select your wildcard site.

Loading bindings from IIS. And in my example, there is only one binding as the wildcard binding. Just select it. And select DNS verification with Azure DNS (6).

Now enter the properties you copied in the previous step.

During the setup of the validation, the program will ask several questions. Here is to answer them with information from the Azure Portal.

• DNS Subscription ID: DNS Zones > sub.example.com > Subscription ID
• DNS Resource Group Name: DNS zones > sub.example.com > Resource Group)
• Directory/tenant id: Azure Active Directory > Properties > Directory ID.
• Application client id: Azure Active Directory > App registrations > [Service Principal] > Application ID.
• Application client secret: The password that was generated when you created the Service Principal Account.

And win-acme will start to verify, apply and install your certificate automatically. If everything works fine, there gonna be no warning.

And now your site is encrypted with HTTPS. That's it!

(In my screenshot, I applied a certificate for all my sites and all my bindings. So the output might be different. But the steps are the same.)