Add Wildcard SSL Certificate to Azure Gateway for free with LetsEncrypt

Posted by phnogues on August 14, 2024

In this article, we are going to setup a free let’s encrypt wildcard certificate, attached to an Azure Gateway v2.

For this example we are going to use the best domain name ever: *.toto.com (replace it with your own domain everywhere below).

Prerequisites

Certbot is primarily a Linux tool. If you are using a Windows machine, like me :), it's not a problem: you can run it from WSL. I will explain at the end how to move your certificate from WSL to your Windows file system.

1 — Setup Certbot

sudo apt update
sudo apt-get install certbot

(On Debian and Ubuntu the old package name letsencrypt still works, but it is only a transitional package that pulls in certbot.)

2 — Generate the certificate

sudo certbot certonly --manual \
  --preferred-challenges=dns --email contact@toto.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos -d toto.com -d '*.toto.com'

Details of the command options:

certonly: obtain the certificate and save it to disk, without installing it into a local web server.
--manual: you publish the validation records yourself instead of letting a plugin do it.
--preferred-challenges=dns: use the DNS-01 challenge. A wildcard name can only be validated this way; HTTP-01 is not accepted for wildcards.
--email: the contact address Let's Encrypt uses for expiry and revocation notices.
--server: the ACME v2 endpoint. Wildcards are only issued through ACME v2.
--agree-tos: accept the Let's Encrypt subscriber agreement without being prompted.
-d: the names to include. The apex toto.com is listed separately because *.toto.com does not cover it, and the wildcard is quoted so the shell does not expand the asterisk.

📄 Full documentation of the options can be found in the Certbot user guide (eff-certbot.readthedocs.io).

Certbot asks whether you want to share your email address with the Electronic Frontier Foundation. This is optional and has no effect on issuance; answer as you like.

Because you are using --manual, older Certbot versions then ask you to accept that the public IP address of the machine requesting the certificate is logged by Let's Encrypt. You have to say Yes to continue.

3 — Deploy DNS TXT record

Now Certbot asks you to deploy a DNS TXT record and waits for you to press Enter.

Go to your domain name provider's portal and create a new record:

Type: TXT
Name: _acme-challenge.toto.com (some providers want just _acme-challenge, with the zone implied)
Value: the validation string Certbot displays

Because the command requests two names (toto.com and *.toto.com), Certbot presents two challenges, one after the other. Both go to the same name, _acme-challenge.toto.com, so when it asks for the second record, add it alongside the first one; do not delete or replace the first, Certbot tells you so itself. Only press Enter once the record is actually published.

Depending on your provider, it may take time for the change to propagate. It's time for a coffee ☕ ! For me, with OVH, changes were immediate.

You can use the Google Admin Toolbox Dig tool to check that the record is visible from a public resolver: https://toolbox.googleapps.com/apps/dig/#TXT/ (query _acme-challenge.toto.com).
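Before pressing Enter in Certbot, it is worth confirming from a public resolver that the TXT record is really there. The script below is an added example written for this article, not part of the original post or of Certbot: it derives the _acme-challenge name for either the apex or the wildcard (both land on the same name), checks dig's output for the exact token, and polls until it appears. It assumes dig (from the dnsutils/bind-utils package) is installed and that 1.1.1.1 is reachable; the domain and token on the usage line are placeholders.

```shell
#!/bin/sh
# Check from a public resolver that the _acme-challenge TXT record Certbot asked
# for is published, before pressing Enter in the Certbot prompt.
# Added example for this article, not part of the original post or of Certbot.
# Assumes dig (dnsutils / bind-utils) is installed; toto.com is a placeholder.
set -eu

# DNS-01 validation for "toto.com" and for "*.toto.com" uses the SAME record
# name: drop a leading "*." if present, then prepend "_acme-challenge.".
acme_challenge_name() {
    domain="${1#"*."}"
    printf '_acme-challenge.%s\n' "$domain"
}

# Read `dig +short TXT <name>` output on stdin and succeed when one record is
# exactly the expected token ($1). dig prints TXT data in double quotes, so
# strip them before comparing. Several records at the same name are normal
# here (one per challenge), which is why every line is checked.
txt_contains() {
    expected="$1"
    while IFS= read -r line; do
        line="${line#\"}"
        line="${line%\"}"
        if [ "$line" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Poll a public resolver (1.1.1.1, not your provider's own servers) so you see
# what Let's Encrypt will see. Gives up after $3 attempts, 10 seconds apart.
wait_for_txt() {
    domain="$1"; expected="$2"; tries="${3:-30}"
    name=$(acme_challenge_name "$domain")
    i=1
    while [ "$i" -le "$tries" ]; do
        if dig +short TXT "$name" @1.1.1.1 | txt_contains "$expected"; then
            echo "ok: $name publishes the expected token"
            return 0
        fi
        echo "waiting for $name ... ($i/$tries)"
        i=$((i + 1))
        sleep 10
    done
    echo "gave up: $name never showed the expected token" >&2
    return 1
}

# Usage: ./check_txt.sh '*.toto.com' 'validation-token-shown-by-certbot'
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2" "${3:-30}"
fi
```

Run it once per challenge with the token Certbot prints; when it reports ok, go back to the Certbot prompt and press Enter. Querying 1.1.1.1 rather than your registrar's own name servers matters, because a record that is visible only on the authoritative server's web panel has not necessarily propagated yet.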

4 — Congratulations

Once it's done, you will see a message telling you that the certificate has been saved under /etc/letsencrypt/live/toto.com/. That directory holds privkey.pem (the private key, keep it secret), cert.pem (the leaf certificate), chain.pem (the Let's Encrypt intermediate) and fullchain.pem (cert.pem followed by chain.pem). The files there are symlinks to the latest version stored in /etc/letsencrypt/archive/.

You can check your certificate details (names, expiry date) with the following command:

sudo certbot certificates

Let's Encrypt certificates are valid for only 90 days.

Certbot provides a command that renews every certificate it manages that is within 30 days of expiry:

sudo certbot renew

If you have multiple certificates on your machine, you can restrict the renewal to one of them by its lineage name:

sudo certbot renew --cert-name toto.com

Avoid --force-renew: it reissues a certificate that is not due yet, and every issuance counts against the Let's Encrypt rate limits.

ℹ️ There is a catch with the --manual method used here: certbot renew runs non-interactively, so it cannot stop and ask you to update the TXT records, and renewing a manual certificate that has no --manual-auth-hook fails with an error asking for an authentication script. To renew this certificate, re-run the certbot certonly command from step 2 (same -d names) and publish the new TXT values it shows. If you want renewal fully automated, issue the certificate with a DNS plugin instead, for example the Certbot dns-ovh plugin (python3-certbot-dns-ovh), which creates the TXT records through the provider's API using a credentials file, or write --manual-auth-hook and --manual-cleanup-hook scripts that do the same. Either way, the renewed certificate still has to be exported and uploaded to Azure again (step 5).

5 — Add your certificate to Azure

Your certificate is now generated on your machine, it's time to upload it to your Azure Application Gateway! Application Gateway expects the certificate and its private key in a single PKCS#12 (.pfx) file, which is why OpenSSL is needed for the conversion.

Setup OpenSSL:

sudo apt-get update
sudo apt-get install openssl

Export the certificate and key to a PFX (use absolute paths; the live directory is readable by root only, hence sudo):

sudo openssl pkcs12 -export -out /etc/letsencrypt/live/toto.com/cert.pfx -inkey /etc/letsencrypt/live/toto.com/privkey.pem -in /etc/letsencrypt/live/toto.com/fullchain.pem

Two details matter here. Use fullchain.pem rather than cert.pem, so the PFX also carries the Let's Encrypt intermediate: a PFX built from cert.pem alone makes the gateway serve only the leaf certificate, and clients that do not already have the intermediate will fail to validate the chain. And OpenSSL prompts for an export password: set one, you will be asked for it when uploading the PFX to the listener or to Key Vault.
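To make sure the PFX you are about to upload is complete, here is an added example (not from the original post) that wraps the export in a small script and verifies the result with OpenSSL: it counts the certificates inside the PFX (at least two, leaf plus intermediate, when fullchain.pem was used) and checks that the bundled private key really belongs to the leaf certificate. It assumes openssl is installed and that the first argument is a directory laid out like /etc/letsencrypt/live/toto.com; run it with sudo when pointing it at the real live directory.

```shell
#!/bin/sh
# Build the Application Gateway PFX from Certbot's output and verify it before
# uploading. Added example for this article, not code from the original post.
# Assumes openssl is installed and $live_dir is laid out like
# /etc/letsencrypt/live/toto.com (privkey.pem, cert.pem, chain.pem, fullchain.pem).
set -eu

# Pack the private key together with the FULL chain (leaf + intermediate) so the
# gateway can hand the intermediate to clients. Packing cert.pem alone produces a
# PFX that many clients cannot chain to a trusted root.
build_pfx() {
    live_dir="$1"; out="$2"; password="$3"
    openssl pkcs12 -export \
        -inkey "$live_dir/privkey.pem" \
        -in "$live_dir/fullchain.pem" \
        -out "$out" \
        -passout "pass:$password"
    chmod 600 "$out"    # the PFX holds the private key: owner-only access
}

# Number of certificates inside the PFX. Expect at least 2 (leaf + intermediate).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# True when the private key in the PFX belongs to the leaf certificate in it:
# -clcerts selects the certificate that was paired with the key at export time,
# and the SHA-256 of the public key extracted from each half must be identical.
pfx_key_matches() {
    pfx="$1"; password="$2"
    cert_pub=$(openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$password" \
               | openssl x509 -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$password" \
              | openssl pkey -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sudo ./make_pfx.sh /etc/letsencrypt/live/toto.com cert.pfx 'export-password'
if [ "$#" -eq 3 ]; then
    build_pfx "$1" "$2" "$3"
    count=$(pfx_cert_count "$2" "$3")
    [ "$count" -ge 2 ] || { echo "only $count certificate(s) in $2: did you use fullchain.pem?" >&2; exit 1; }
    pfx_key_matches "$2" "$3" || { echo "private key does not match the certificate in $2" >&2; exit 1; }
    echo "$2 is ready to upload ($count certificates, key matches)"
fi
```

The password is passed with -passout so the script can run unattended from a renewal hook; when typing it interactively, prefer leaving -passout out and letting OpenSSL prompt, so the password does not end up in your shell history.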

If you are using a Windows machine, you cannot simply grab the files from Explorer through \\wsl$: the Let's Encrypt directory is readable by root only.

My tip is to archive the folder, make the archive readable by your own user (chown it to your account), and move the archive to a Windows folder. Follow symlinks (-h), since live/ only points to the real files in archive/:

sudo tar -chvzf certificates.tar.gz /etc/letsencrypt/live/toto.com

Keep in mind that the archive, like the PFX itself, contains your private key: treat it like a password, store it somewhere only your Windows account can read, and delete the copies once the upload is done. Strictly speaking only cert.pfx needs to leave WSL.

That's all! You can now upload cert.pfx to your Key Vault, or directly to your Azure Application Gateway listener. Key Vault is the better home for it: the listener references the Key Vault certificate through the gateway's managed identity, the private key does not have to linger on your workstation, and when you upload a renewed certificate as a new version the gateway picks it up on its own (it polls Key Vault for new versions). A PFX uploaded directly to the listener has to be replaced by hand at every renewal.
