Microsoft has finally created an option for free HTTPS certificates in Azure App Service, that is fully managed by them. Recently announced at Ignite 2019, we can now enable HTTPS for our own domains for free on Azure App Service!
How is this different from other options
This offering differs from existing options for HTTPS in that it is missing some of the features. You can also buy App Service Certificates from Azure, which have more features than the free offering but do cost money of course.
Then there is, of course, Let’s Encrypt, which my personal blog uses. But Let’s Encrypt’s integration in Azure is not very good. It’s a bit of a mess where you kinda just hope all the components work every time to renew your certificates. I have had multiple times within the couple years that I have used it when the renewal didn’t work for one reason or another. So having a managed certificate is certainly a nice thing.
So what are those missing features of this new free offering?
- No wildcards
- No apex domains
- Cannot export the certificate
- Can only enable if the custom domain is already added with an A / CNAME record (not TXT, so no live migrations to this)
The capability is in preview, so some of these limitations may be removed. In particular, I’d like to see support for apex domains. I cannot use this feature on my blog since it is on an apex domain (joonasw.net instead of a sub-domain). A lot of applications we build for clients could use this though as those are often on sub-domains.
Enabling a free certificate
To test this capability, I first tried to enable it on one of my existing App Services. It already had a custom domain and an expired Let’s Encrypt certificate. The renewal had gotten broken because I moved the app to another subscription.
I removed the Let’s Encrypt extension, removed the existing TLS/SSL binding from the domain and went to add a certificate through the Create App Service Managed Certificate button (found under TLS/SSL settings -> Private Key Certificates).
But it did not work 🙁
I also tried it with a new App Service, but got the same errors:
504 Gateway Timeout errors for some reason from the API. I sent a support ticket, but got notified on Twitter that the issue should be fixed the same day 🙂
So, let’s see the successful steps to adding one of these certificates:
It’s pretty easy right? Just select the domain and click Create:
And done, the certificate is valid for 6 months:
Well, almost done. Still have to add the TLS/SSL binding:
And now we are done! The certificate will be automatically renewed by Microsoft behind the scenes. Here’s the certificate chain as shown by Chrome:
So the certificates come from DigiCert behind the scenes.
This is definitely a capability that will get used in projects later. A great step to securing the Web as well!