I have my own certificate that I want to use with azure static website(not web app, we use the one based on blob storage), but looks uploading my own certificate is not supported, is there any workaround or solution for this ?
Note : the static website is private with privatelink and the dns name is private (only used in internal network with our own dns server on premise)
In Azure Static web app We cannot bind our own certificates like as in Basic App Service. It provides it's own free certificate.
But we have a workaround here, through which You can bring your own certificate (I haven't tested it yet):-
First you need to set up Azure Front Door: https://learn.microsoft.com/en-us/azure/static-web-apps/front-door-manual
Then you need to configure SSL with your own certificate
Hope this helps!
Related
I am using Azure App Service to access a webservice hosted elsewhere. The webservice requires mutual TLS Authentication.
I have been given the public certificate from the provider of the webservice but where do I install this public certificate in Azure? In a traditional server environment, I would install in the certificate store. But in Azure, do I install it on the application gateway? or the Vault? How does Azure app service know where the certificate is installed and present it?
Private and Public certificates can be uploaded to Azure Web App: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal
Code running in Azure Web App can access those certificates in different ways, it depends on what language and runtime your application is using: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
In regards to your other questions:
"do I install it on the application gateway"?
From what I understand, your application is going to make outgoing calls to a webservice hosted elsewhere. Azure Web App outgoing traffic does not go through Application Gateway - so no, in your case storing certificate in Azure Web App and accessing it from the code is a good solution.
"or the Vault"? Azure Web App can also store certificates in Azure Key Vault. Your code could also connect to Azure Key Vault directly, bypassing Azure Web App key store altogether.
Finally, "How does Azure app service know where the certificate is installed and present it?" Please see the first two links I provided.
In the future, Azure has an excellent documentation on all of their products, a simple search engine search typically helps to narrow down many primitive answers.
Welcome to StackOverflow!
I am trying to follow this tutorial to create certificates in Azure for a custom domain. I have the same issue as Marc:
However, I have set access to DNS Zone already:
Could the problem be that is it a custom Domain? If so any workaround, if not anything else to check?
As the tutorial you followed mentioned that "there is a plugin for Azure Web Apps, but this only works for Windows web applications", so you may not follow that steps.
To create a certificate for the static website in a storage account, you can follow this blog1---Enable HTTPS with Lets Encrypt on Azure static site and read this blog2 for more details.
An Azure static site hosted on a storage container allows you to have a free certificate provided by DigiCert but only for subdomains (such as www). If you want to use the root domain, it's available for using the Bring your own certificate feature. You need to configure HTTPS on an Azure CDN custom domain.
There is an amazing project lets-encrypt-azure on GitHub that allows you can run as an Azure Function that will provide this endpoint, download the certificate to an Azure Key vault to be used by your CDN.
Given I have a HTTP (non-secure) web server up and running with the public address 111.111.111.11:80.
Are there any / what Microsoft Azure products, where I can setup my own custom domain (mydomain.com) as a HTTPS front/reverse proxy to my web server without buying my own certificate?
(Currently, I am using Cloudflare Crypto to achieve this, so I am investigating if Microsoft Azure can achieve this as well in an easy way)
As far as I know, the recommended Azure way to do this would be to use Application Gateway and a CNAME for the custom domain. This question also has some information on using a custom domain for Application Gateway.
However, if you want to use a custom domain, you will need to buy a certificate. You can do this through Azure as well. You can then use the certificate for the Application Gateway.
Edit: Sorry, Application Gateway does not seem to support the static public IP in your scenario. You would need to work around that. It might be easier to go a different route then...
I have an web app on Azure with a myapp.azurewebsites.net address and have been following the guide here:
https://learn.microsoft.com/en-USazure/app-service-web/app-service-web-tutorial-custom-domain
Based on this, I have added the hostname in the app settings and it has been verified. I have also added the A Record and TXT record in my domain hosting provider based on the instructions (A Record points to the Azure website IP address) along with installing the SSL certificate for the external domain on the external host.
However when I type in the custom domain name, it goes to the page on the external host instead of the Azure website
What I would like to happen is: https://custom.domain will show the same as https://myapp.azurewebsites.net
Is this even possible ?
As far as I know, the certificate is used to tell the user(client browser) this website is secure.
Normally, there are two reasons why the browser window showed the non-secure page.
You're probably using a self-signed certificate.
You may have left out intermediate certificates when you export your certificate to the PFX file.
So if you want your custom domain doesn't show the non-secure page, you need buy a certificate from the azure or some other company.
After verifying domain ownership, then you could bind this certificate to your azure web app.
After this operation, it will work well.
More details about how to buy certificate with custom domain in the azure, you could refer to this article.
After buying the azure certificate, you could find the certificate as below image shows:
After binding the certificate well, it will not show the no-secure page in the browser.
Image 1:
Image 2:
I saw that creating the fully hosted domain also created A Records pointing to their IP address instead of Azure. Do I need to override these somehow, or how should it work? The tutorial did not show if "contoso.com" was https.
In my opinion, fully hosted domain is the hosting company creates its own web app server to hosting your web app and change the A records point to its own web app server IP address.
So you will find the custom domain show that company pages.
If you want to set the custom domain still points to the azure web app, you need change the A record's IP address as azure web app's address.
If you could find the hosting company has already create a certificate and verified your domain.
Then you could download it and upload it in the azure web app's portal.
After binding the SSL, it will work well.
If the fully hosted domain doesn't contain the certificate, you need buy the certificate by yourself again, upload it in the azure web app portal, change the A record points to your azure web app's IP address.
The problem it seems is that when using a fully hosted site, I can add an A Record but the hosting company keeps using their own A Record which I cannot change, it is part of their "uneditable settings."
Since I don't know how your hosting company's fully hosted site works.
Now, the most easily way is you connect to its support team to change the domain setting firstly, then you follow this article to buy a azure certificate and bind it.
For second option, did you mean to download the SSL from the hosting company and use it as 3rd party SSL in Azure? The A Record would still point to the hosting company right ? Also it seems I do not have an option to download the SSL either in PFX format, I can only view the certificate configuration (CSR, key, etc).
Yes, if you have permission to download the PFX format(if you don't know how to do it, please connect to your hosting company support), you could use it as third party SSL.
Currently my application url coresponds to HTTP only. How can I make it compatible with HTTPS also.. Can I do that specifically to single service only.
For first you should upload your SSL certificate through Azure Management panel (.pfx with private key) and attach it to your cloud service or web site.
Then setup HTTPS endpoint for your WEB API web role within your Azure cloud project, there you should also define SSL certificate thumbprint.
Regards.