Add HTTPS with Let's Encrypt to an Azure App Service

HTTPS is a basic requirement for running a website now, and I’ve been using an App Service Certificate which I purchased right inside the Azure portal. It’s issued by GoDaddy and expires every 12 months; for $70 a year it covers my root and www subdomain. But one thing to be aware of is that the certificate renews 30 days before expiration, with no email reminder that it’s about to happen. So if you have an MSDN sub and you have your Spending Limit on, just be careful: it may exceed that. And when that happens, your site goes down!

This leads me to Let’s Encrypt. It is another CA (Certificate Authority) like GoDaddy, but it’s free. It’s used by companies like Stack Overflow and Shopify. Its certificates expire every 3 months, so to renew the certificate I need to install an open source Let's Encrypt Site Extension running as a WebJob. It takes a few steps, hence I recorded a video to show you how I did it.

Here is the basic flow:

Let's Encrypt Azure Site Extension Flow

The “letsencrypt” site extension is installed on my web app as a WebJob. The extension communicates with Let’s Encrypt, gets back my certificate, and stores a bunch of stuff in my Storage Account. For it to do all that on my behalf, I need to register my application in Active Directory and assign my app a “Contributor” role in my Resource Group’s Access Control.

The prerequisite is that my web app needs the right Service Plan. At a minimum a B1 plan is required. It gives me the ability to configure SSL bindings; it also gives me the “Always On” option, which is required by the WebJob, so you have to turn it on in your App Service > Configuration settings. These two options are not in the cheaper Shared plan.

Gotchas I've encountered

1. If you publish your project from Visual Studio to Azure with the "Delete Existing files" option, you will remove the web jobs your site extension uses. This has caused my letsencrypt site extension to fail to renew the cert on its own.

2. The Let's Encrypt extension needs an update once in a while without notice, though Let's Encrypt will email you weeks in advance of certificate expiration, so it's good to check on it. To update the extension, go to Kudu > Site Extensions and click on the extension's Update button (up arrow) and then click on Restart Site.
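
Both gotchas end the same way: the WebJob quietly stops renewing and the 3-month certificate runs out. The Python sketch below is an added example, not part of the original post or the site extension, showing an independent expiry check you could schedule outside the web app. The 21-day threshold, the function names and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 21  # assumption: alert threshold, not a value from the post

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun 15 12:00:00 2024 GMT",
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}

def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def issuer_org(cert):
    """Return the issuer's organizationName from the nested RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def renewal_status(cert, now=None, warn_days=WARN_DAYS):
    """Classify a certificate as OK, RENEWAL_OVERDUE or EXPIRED."""
    left = days_left(cert, now)
    if left < 0:
        return "EXPIRED"
    return "RENEWAL_OVERDUE" if left < warn_days else "OK"

def check_host(host, port=443, timeout=10):
    """Fetch the live certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return renewal_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # An already expired or mismatched certificate fails the handshake.
        return f"INVALID ({exc.verify_message})"

if __name__ == "__main__":
    at = ssl.cert_time_to_seconds("Jun 05 12:00:00 2024 GMT")
    print(issuer_org(SAMPLE_CERT), days_left(SAMPLE_CERT, at),
          renewal_status(SAMPLE_CERT, at))
```

Run `check_host` with your own domain from a scheduler that does not live in the web app, so that a deleted WebJob cannot also delete the monitor.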