I am trying to follow this tutorial to create certificates in Azure for a custom domain. I have the same issue as Marc:
However, I have set access to DNS Zone already:
Could the problem be that is it a custom Domain? If so any workaround, if not anything else to check?
As the tutorial you followed mentioned that "there is a plugin for Azure Web Apps, but this only works for Windows web applications", so you may not follow that steps.
To create a certificate for the static website in a storage account, you can follow this blog1---Enable HTTPS with Lets Encrypt on Azure static site and read this blog2 for more details.
An Azure static site hosted on a storage container allows you to have a free certificate provided by DigiCert but only for subdomains (such as www). If you want to use the root domain, it's available for using the Bring your own certificate feature. You need to configure HTTPS on an Azure CDN custom domain.
There is an amazing project lets-encrypt-azure on GitHub that allows you can run as an Azure Function that will provide this endpoint, download the certificate to an Azure Key vault to be used by your CDN.
Related
I have an Azure storage account with a static website on the blob service enabled. I also have configured custom domain for my blob service. To be able to serve my website over HTTPS on the custom domain I need to somehow apply my certificate. How can I do it?
p.s.
I don't want no CDN
To be able to serve my website over HTTPS on the custom domain I need
to somehow apply my certificate. How can I do it?
Unfortunately it is not possible as of writing this answer because Azure Storage still doesn't have the ability to allow you to bring your own certificates. You will need to use CDN if you want HTTPS enabled custom domain mapped to your static website hosted in Azure Blob Storage.
From this link:
It's easier to enable HTTP access for your custom domain, because
Azure Storage natively supports it. To enable HTTPS, you'll have to
use Azure CDN because Azure Storage does not yet natively support
HTTPS with custom domains. see Map a custom domain to an Azure Blob
Storage endpoint for step-by-step guidance.
You can use an application gateway instead of CDN, here is a recipe:
https://github.com/easkerov/azure-sa-custom-domain-ssl-sample
My website and my domain are hosted on a different service provider from azure. I created a CNAME record and I have added my custom domain to the azure. So right now I can go to http://images.mysite.com/images/myimage.png. The image that loads comes from the blob storage from azure. However, if I try to do this via https, I get NET::ERR_CERT_COMMON_NAME_INVALID error.
I've been through many guides, and seen just about every setting in azure portal and I can't figure out how to import my ssl into azure so that this will work. I have a feeling it has to do something with Azure CDN option, which I don't have configured and don't want to pay extra just for this one feature. Can I do this without it somehow?
I've been through many guides, and seen just about every setting in
azure portal and I can't figure out how to import my ssl into azure so
that this will work.
Simple answer to your question is that it is not possible as of today. Azure Storage still doesn't support HTTPS with custom domain. You'll need to use CDN if you wish to use your SSL certificates to facilitate secure connection.
From https://learn.microsoft.com/en-us/azure/storage/blobs/storage-custom-domain-name:
Azure Storage does not yet natively support HTTPS with custom domains.
You can currently Use Azure CDN to access blobs by using custom
domains over HTTPS.
I am using Clickonce for deploying my WPF application and this is being done in Azure Blob storage. Since this is a custom URL it won't be white listed in many of the client machines and hence I mapped a custom domain for the same. I was able to access the HTML page and download the setup file but download of .application file is not being done as connection could not establish a trust relationship for the SSL/TLS secure channel.
Is there a way to overcome this? Can I map SSL certificates to my custom domain.
Taken from the documentation page:
Azure Storage does not yet natively support HTTPS with custom domains.
You can currently Use Azure CDN to access blobs by using custom
domains over HTTPS.
I have an web app on Azure with a myapp.azurewebsites.net address and have been following the guide here:
https://learn.microsoft.com/en-USazure/app-service-web/app-service-web-tutorial-custom-domain
Based on this, I have added the hostname in the app settings and it has been verified. I have also added the A Record and TXT record in my domain hosting provider based on the instructions (A Record points to the Azure website IP address) along with installing the SSL certificate for the external domain on the external host.
However when I type in the custom domain name, it goes to the page on the external host instead of the Azure website
What I would like to happen is: https://custom.domain will show the same as https://myapp.azurewebsites.net
Is this even possible ?
As far as I know, the certificate is used to tell the user(client browser) this website is secure.
Normally, there are two reasons why the browser window showed the non-secure page.
You're probably using a self-signed certificate.
You may have left out intermediate certificates when you export your certificate to the PFX file.
So if you want your custom domain doesn't show the non-secure page, you need buy a certificate from the azure or some other company.
After verifying domain ownership, then you could bind this certificate to your azure web app.
After this operation, it will work well.
More details about how to buy certificate with custom domain in the azure, you could refer to this article.
After buying the azure certificate, you could find the certificate as below image shows:
After binding the certificate well, it will not show the no-secure page in the browser.
Image 1:
Image 2:
I saw that creating the fully hosted domain also created A Records pointing to their IP address instead of Azure. Do I need to override these somehow, or how should it work? The tutorial did not show if "contoso.com" was https.
In my opinion, fully hosted domain is the hosting company creates its own web app server to hosting your web app and change the A records point to its own web app server IP address.
So you will find the custom domain show that company pages.
If you want to set the custom domain still points to the azure web app, you need change the A record's IP address as azure web app's address.
If you could find the hosting company has already create a certificate and verified your domain.
Then you could download it and upload it in the azure web app's portal.
After binding the SSL, it will work well.
If the fully hosted domain doesn't contain the certificate, you need buy the certificate by yourself again, upload it in the azure web app portal, change the A record points to your azure web app's IP address.
The problem it seems is that when using a fully hosted site, I can add an A Record but the hosting company keeps using their own A Record which I cannot change, it is part of their "uneditable settings."
Since I don't know how your hosting company's fully hosted site works.
Now, the most easily way is you connect to its support team to change the domain setting firstly, then you follow this article to buy a azure certificate and bind it.
For second option, did you mean to download the SSL from the hosting company and use it as 3rd party SSL in Azure? The A Record would still point to the hosting company right ? Also it seems I do not have an option to download the SSL either in PFX format, I can only view the certificate configuration (CSR, key, etc).
Yes, if you have permission to download the PFX format(if you don't know how to do it, please connect to your hosting company support), you could use it as third party SSL.
Anyone can find a workaround for having custom domain pointing to azure blob? Can application gateway pointed to there? how?
Facts :
- Azure blob does not support custom domain for SSL
- Using custom domain with SSL will prompt security concern due to the assets is from different SSL cert.
No. Currently there is no support for custom domains with SSL on Azure Storage services.
Give your vote here to help get this prioritised!
I have been using Application Gateway with my custom SSL to access BLOB.
Create a Application Gateway instance.
Add your custom SSL inside the SSL Settings in the App Gateway.
Configure backend pool and listener in App gateway.
Create a container and upload an image into it, copy the image URL. Replace the image domain BLOB URL with the Application Gateway IP. Request the image.
For retrieving sensitive files: Once you get the image, remember to turn off the Allow Blob public access toggle in your Storage Account settings.