Lesson Learned from building the Azure Let's Encrypt  Site Extension


Global Azure Bootcamp 2019 - Copenhagen

Simon J.K. Pedersen

@simped / mail@sjkp.dk

Quick Intro

  • Azure Web Apps
  • Site Extensions
  • SSL Certificates
  • Let's Encrypt

How many uses Azure Web Apps - with a custom domain?

are you paying for your SSL certificate?

Why did I build it

personal challenge/learning oppotunity

Learnings

  • Azure Web Apps behind the scenes
  • Moving on from the site-extension approach (Functions and ACI)
  • Using Key Vault and ARM templates

Azure Web Apps

  • So many application frameworks are used
  • Some people have massive deployments
  • Web Jobs in site-extensions.....
  • Server farms/app service plans and their location
  • Not all scale units are created equal
  • Deploy from ZIP/read-only disk
  • KUDU API
  • Traffic manager

Moving on

  • Avoid support when people mess up the web job
  • Avoid support when working with Service Principals
  • Support other azure services
    • Azure CDN
    • Azure API Management
    • Azure Functions
  • Better security (KeyVault)Az

Attempt #1

  • Make an API
  • Host the API in the site-extension
  • Let people call the API from Azure Functions/Logic Apps
  • More trouble for the user
  • Why even use site-extension

Attempt #2

  • make a nuget 
  • let people do it themselves
  • and some did ...

Attempt #3

  • Wait for Microsoft to do it...

Attempt #4

  • Found certes (https://github.com/fszlin/certes)
  • Rewrite to .net core (so we can use Azure Function v2 and docker)
  • Support wildcard
  • Realize a lot of DNS providers are VERY slow at propagating DNS changes
  • Use Managed Service Identity 
  • Use KeyVault 

Demo Time

Architecture

KeyVault and ARM Templates

  • Existing Resources (different resource groups)
    • Azure DNS
    • Azure Web App
  • What we want to deploy
    • KeyVault
    • Azure Function (Storage Account & App Service Plan)
      • Managed Service Identity
      • App Settings
    • Application Insights
    • Role Assignments to Managed Service Identity

Managed Service Identity

Key Vault Access to MSI

Save secrets in Vault 

Reference Secrets

Role Assignments 

Link

Made with Slides.com