Add SSL binding to Azure custom domain - azure-web-app-service

Trying to add SSL binding for a custom domain, but keep getting the error message "Cannot enable SNI SSL for a hostname 'xxx.com' because current site mode does not allow it."
The app service plan is in the D1 (shared infrastructure) tier, and the SSL certificate is one that I (accidentally) purchased through azure.
Does anyone have any idea what the problem could be?

From https://learn.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site#check-the-pricing-tier: "Custom SSL is not supported in the F1 or D1 tier."

Steps to use Azure App Certificate SSL w/out upgrade a shared resource account to a more expensive account that allows SSL config.
1. Download Azure App Certificate
2. Install Certificate to a local machine
3. Export the certificate from the local machine and add password protection to the export certificate
4. Open Azure -> Custom domains -> Add binding -> upload the pfx certificate and now you can type your password

Related

Azure key vault certificate renewal on web apps with hostname bindings

We are trying to set up an automatic way to update our custom certificates bound to a lot of different hostnames (custom domains) that we use on all of our web apps.
When a renewal is needed we update a new version of the certificate in our key vault on which it will automatic sync with all of the web apps that uses the certificate. This proces works fine in Azure but we still have to update the TLS/SSL bindings in the web app by hand as this will still be bound to the old certificate, even though the new certificate is synced to the web app.
Is there a workaround for this so we don't have to open every web app and change the TLS/SSL binding by hand for each hostname with the renewed certificate?

azurewebsites.net built-in certificate

I have created web apps in Azure which use the built-in certificate for *.azurewebsites.net. SSL works fine here.
I have recently created another web app and the certificate it is using is MYSITE.azurewebsites.net. This certificate has a completely different chain than the other one--the root of which is not trusted on my machine.
Can anyone explain why one site would use the wildcard and the other one wouldn't? Also, why would the certificate chain be different?
(The wildcard cert has a DigiCert root, whereas the site-specific domain (MYSITE.azurewebsites.net) has a Cisco umbrella Root CA)
I wrote Azure Support an got in contact with their Azure Web App Product Group. They gave me the following message
This Cisco Umbrella certificate is not coming from Azure. You doesn’t have any SSL binding nor uploaded any certificate into your subscription.
Most likely your client machine is in a network protected by Cisco Umbrella product. Kindly contact to Cisco Umbrella product support team.
Another option to resolve this issue is to bind a custom domain and add a SSL certificate (Free or App Service or any other certificate) so that you do not use .azurewebsites.net URL.
I am providing you relevant articles which will give you all the details about adding custom domain and binding SSL to your App Service.
You can go through them once and then feel free to reach out to me if you have any questions or concerns
https://learn.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain -> Buy a custom domain name for your Azure App Service.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain -> Add custom domain to your Azure App Service.
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-> Bind SSL certificate

Azure Web App Free SSL Stage

I'm in the process of moving our site to Azure Web App (S1). I might be over thinking this but need to create a temp domain for my team to QA the temp Azure site before I move the prod site to Azure.
I've done the following so far:
1. Create Azure Web App account and deployed site mysite.azurewebsites.net - done
2. Create subdomain stage.mycompany.com - done
3. Create cname #2 and point to #1 - done
Since stage.mycompany.com is temporary (until we move the actual site over), I don't want to purchase an SSL for this.
I thought I could just create an SSL using openssl and install that cert on Azure. I tried that but get "Not secure" in chrome for the cname.
Will this idea work (free SSL for cname azure web app) but I just didn't install the ssl correctly?
I thought I could just create an SSL using openssl and install that
cert on Azure. I tried that but get "Not secure" in chrome for the
cname.
Probably, you have not imported the certificate in your Trusted Root Certification Authorities directory on your machine. You can check configurations on your side as following steps.
If you create a certificate using OpenSSL, you should export the certificate with the private key then upload the certificate .pfx file to the Azure portal. Export certificate to PFX.
Or, you can generate a self-sign certificate with PowerShell.
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "stage.mycompany.com" -FriendlyName "MySiteCert" -NotAfter (Get-Date).AddYears(1)
Export the certificate. Then run MMC, Follow the path to locate the newly generated certificate in your machine. File--- Add\Remove Snap-In---Certificates----add---computer account. Copy the certificate from Personal directory to Trusted Root Certification Authorities directory. Also, you need to export the certificate (.pfx file) with private Key.
On the Azure side, you need to upload and bind the newly generate the self-sign certificate to your websites.
Map your subdomain stage.mycompany.com to your websites. You can select Custom domains in your web app page. Add hostname stage.mycompany.com, refer to this.
Bind your SSL certificate. Click SSL settings in the left navigation of your web app. Upload your newly .pfx certificate, and bind your SSL certificate with SNI-based SSL type.
After that, you can access the website with https://stage.mycompany.com. I test it in my lab with IE and Chrome explore as below:

How to deploy the 'nodejs-sentiment-bot-sample' on azure?

The microsoftgraph/nodejs-sentiment-bot-sample can run on your localhost with a self-signed certificate. What changes are necessary in order to deploy it on Azure regarding this certificate?
The Bot Framework works with bots deployed on any cloud hosting service, as long as you have an internet-accessible endpoint and a valid SSL certificate. If you are deploying to Azure App Service, your projectname.azurewebsites.net is covered by the existing *.azurewebsites.net SSL cert, so you should not need any additional configuration.
On the other hand, if you want to host on another cloud provider, the only requirements is that you have a current and valid SSL certificate registered to your domain name.
What is meant by "current and valid"? -- Most of the checks for "current and valid" are standard checks for server SSL certificates: the Certificate Name must match the hostname, it must not be expired, it must not be listed in a CRL, it must have the correct set of EKUs, etc.
Most importantly, your SSL certificate must chain to a root certificate authority trusted by Microsoft. The latest list of these CAs is available here: http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx
For more information on deploying your bot, see: https://learn.microsoft.com/en-us/bot-framework/deploy-bot-overview

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
 
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.

Resources