Sometimes we might need to host a website in Azure. And there are so many options, like storage account, app service. But none of those supports wildcard HTTPS and auto-renew. An ideal configuration shall be static which means that it will never crash even when no one maintains it. Auto-renew is a must-have feature for HTTPS.
Luckily, I got a solution based on win-acme
: https://github.com/win-acme/win-acme/. And also based on Azure DNS
.
The certificate is issued by let's encrypt. https://letsencrypt.org/ It's a nonprofit Certificate Authority providing TLS certificates to 225 million websites. So we can always use if for free.
The brief steps of the setup:
- Migrate your DNS to Azure DNS
- Create your Azure virtual machine with Windows Server 2016+ and IIS 10.0
- Install win-acme and Azure DNS verification plugin.
- Set up your app registration and get configuration details
- Apply for a wildcard HTTPS certificate with the auto-renew feature.
Migrate your DNS to Azure DNS
Migrating your DNS to Azure DNS so you can edit your records within Azure, no matter in the portal, or via API so the steps can be automatically done.
You MUST complete this step because, without Azure DNS, you can't modify DNS records based on your Azure identification and can not get a wildcard HTTPS certificate.
Before starting, I strongly suggest you create a new clean resource group just for you Azure DNS resources.
Before migrating, you need to first create your Azure DNS service at https://portal.azure.com.
And type your domain name here like this:
After creating it, you gonna find the DNS server address. Copy the server names to a notebook.
And for your domain name provider, edit the name server to the values you copied. For example, I registered my domain at https://godaddy.com. And you can edit it like this:
And change it to Azure DNS like this:
After saving it, it may cost about 2-48 hours to take effect. So changing this is pretty dangerous for your online services that may break up during the migrating process. After migrating, set your previous DNS values to Azure immediately to keep your business.
Create your Azure virtual machine with Windows Server 2016+ and IIS 10.0
Creating a new Azure virtual machine is pretty simple and is basic knowledge. Make sure that you created a clean Windows Server 2016+ is ok.
After creating your new Windows Server, install IIS on it.
And select Web Server to install.
After installing IIS, your server is ready to host a website, but HTTP only.
Install win-acme and Azure DNS verification plugin
To get a certificate, win-acme is a great automatic tool that automatics the apply, verify, and install steps. To download it, go to the GitHub release downloads: https://github.com/win-acme/win-acme/releases.
Select x64 pluggable win-acme and the azure plugin. Make sure you download the same version of the main program and the plugin or there may cause some loading issues. After downloading, there gonna be the following files:
And unzip both of it to the same folder:
And copy the entire folder to your server. Run the wacs.exe
as admin.
Set up your app registration and get configuration details
And to verify your ownership for your domain for win-acme, you need to give it permission to modify your Azure DNS settings.
To do this, we gonna create a new app registration in your Azure portal.
Copy your application ID.
And create a new secret.
And copy the resource group name which contains your Azure DNS.
Copy your AAD tenant Id.
And copy your subscription ID.
And after copying all those required identity ID, we gonna make sure that the created app have the privilege to modify DNS. Add it as a contributor to your resource group or subscription.
That's done. Save the copied properties to a safe note file and it will be required in the next step.
Apply for a wildcard HTTPS certificate with the auto-renew feature
Now we gonna do the final config: apply for the wild card certificate. Before starting, we need to set the wild card DNS record to our server.
Copy the public IP address of your virtual machine first like this:
And now back to Azure DNS settings. Add a new A record to point * to that IP. So any subdomain goes to your server.
And that's for the DNS config. Back to your server with remote desktop, run the wacs.exe
.
Press M to apply for a new certificate with full options. Read site configuration from IIS, and select your wildcard site.
Loading bindings from IIS. And in my example, there is only one binding as the wildcard binding. Just select it. And select DNS verification with Azure DNS (6).
Now enter the properties you copied in the previous step.
During the setup of the validation, the program will ask several questions. Here is to answer them with information from the Azure Portal.
DNS Subscription ID
: DNS Zones >sub.example.com
>Subscription ID
DNS Resource Group Name
: DNS zones >sub.example.com
>Resource Group
)Directory/tenant id
: Azure Active Directory > Properties >Directory ID
.Application client id
: Azure Active Directory > App registrations > [Service Principal] >Application ID
.Application client secret
: The password that was generated when you created the Service Principal Account.
And win-acme will start to verify, apply and install your certificate automatically. If everything works fine, there gonna be no warning.
And now your site is encrypted with HTTPS. That's it!
(In my screenshot, I applied a certificate for all my sites and all my bindings. So the output might be different. But the steps are the same.)
这篇文章提供了一步步的指导来在 Azure 环境中实现网站的 HTTPS 配置,特别是使用泛域名证书和自动续签功能。作者从配置虚拟机、设置 DNS 记录到申请和验证证书的过程描述得非常详细,适合有一定技术基础但需要明确步骤的读者。
在实际操作过程中,可能会遇到一些挑战,例如确保所有 Azure 服务的身份验证权限正确设置,或者处理 DNS 配置中的潜在延迟。此外,虽然文章提到使用 win-ACME 工具自动申请和安装证书,但对于初次接触该工具的用户来说,可能需要更多的解释或示例来理解每一步的作用。
总体而言,这篇文章是一个很好的起点,它帮助读者通过 Azure 和 win-ACME 实现网站的安全配置。对于希望深入了解 HTTPS 配置细节的技术人员,这篇文章提供了清晰且实用的信息。
In this blog post, the author provides a detailed guide on setting up auto-renew wildcard HTTPS certificates on Azure virtual machines. The core idea is to enhance the security of websites hosted on Azure virtual machines by using wildcard HTTPS certificates, which are automatically renewed.
The author does an excellent job of explaining each step in the process, which includes migrating the domain to Azure DNS, creating a virtual machine with Windows Server 2016+ and IIS 10.0, installing win-acme and the Azure DNS verification plugin, setting up app registration and obtaining configuration details, and finally, applying for a wildcard HTTPS certificate with the auto-renew feature. The use of screenshots throughout the article helps to visualize each step, making it easier for readers to follow along.
One of the main highlights of this blog post is the detailed explanation of each step, which ensures that even readers with limited knowledge of Azure and HTTPS certificates can follow the guide successfully. The author also provides valuable tips and warnings throughout the article, ensuring that readers are aware of potential issues and how to avoid them.
In terms of improvement, the author could consider providing more context on the importance of HTTPS certificates and their benefits, especially for readers who may not be familiar with the concept. Additionally, it would be helpful to include links to relevant documentation or resources for readers who may want to explore certain topics in more depth.
Overall, this blog post is a valuable resource for anyone looking to set up auto-renew wildcard HTTPS certificates on Azure virtual machines. The author's detailed explanations and helpful tips make it an accessible guide for readers of all skill levels.
日你牙
不清真的我用Caddy2反代automatic_https
太清真了!