Although there isn’t much on the site, I thought it was time to configure the WebApp to use SSL certificates, and keeping to my Northern roots decided to try and do it as cheaply as possible. Therefore I decided to try and implement a WebJob to install a LetsEncrypt certificate.

letsencrypt-siteextension

Initially, I looked into using letsencrypt-siteextension as mentioned in Scott Hanselman’s blog, this would be more than adequate for the job if my WebApp was running on using a Windows App Service Plan. My WebApp is deployed on a Linux WebApp, which means I am unable to deploy site extensions directly to the blog. An additional consideration with using the Site Extension it requires to be deployed to each individual WebApp, so could add additional overhead when running multiple sites.

letsencrypt-webapp-renewer

Some of the issues I faced have been seen by other people too, and have been solved by Ohad Schneider. He has developed a console application that can be run as a WebJob and is capable of running for multiple sites. Although the WebJob needs a Windows WebApp to run, it can be used to create SSL certificates for Linux hosted WebApps.

So for an initial test, I have created a separate Windows WebApp using the Free tier and configured the WebJob using the blog post from Dixin. I deployed the OhadSoft.AzureLetsEncrypt.Renewal.WebJob.1.0.5.zip file downloaded from the release page and configured using the Set-LetsEncryptConfiguration.ps1.

For a WebJob with a CRON scheduled trigger, using a free tier is not suitable, due to the WebApp hosting the job needing to run in “Always On” mode. Therefore, I wanted to look into triggering the WebJob via a GitHub action whilst still utilising the free tier, as the App Service Plan is used for nothing else so if I can keep it on the free tier then all the better.

Terraform & GitHub Actions

I decided to deploy the infrastructure via Terraform. It was easy to deploy the Resource Group, App Service Plan and WebApp. The Configuration Settings for the WebJob were easy to add to the WebApp deployment, but I had issues deploying the actual WebJob to the WebApp. WebJobs seems to have some restrictions within Terraform, PowerShell and AzureCLI.

With me unable to deploy the WebJob via Terraform, I looked into other avenues. I ended up finding some GitHub Actions that can fetch the publish profile for the WebApp and then deploy the WebJob from a zip file.

Azure CLI & GitHub Actions

Whilst no Azure CLI command exists to deploy a WebJob there is a command to run one. So I created a second workflow in GitHub Actions that logs into my Azure Subscription and triggers the WebJob via AzureCLI, this workflow can then be triggered on a monthly schedule 0 0 1 * * . I also included the manual workflow_dispatch trigger to allow ad hoc runs of the command as needed.

Now I just to monitor the GitHub Actions workflows and my Website to ensure the certificate stays valid. I believe additional logging and alerting is available if you configure Zapier and SendGrid as well. Something I have not done, but another project for the backlog.

Further Reading

• letsencrypt-siteextension
• Scott Hanselman’s Blog Post
• letsencrypt-webapp-renewer Repo
• Dixin’s Blog Post about webapp-renewer