Website

Azure App Service Let’s Encrypt Renewal Failures and Resolution

Paying for certificates isn’t the done thing when you can get free certificates from Let’s Encrypt. Free certificates come at a different price, though, and that price is lifetime: the certificates are only ever valid for 90 days. If you’re still manually buying and installing certificates annually, you won’t want to do that four times a year, so we automate the process end-to-end. This has been working perfectly for us since about 2018; however, a recent alert about a certificate expiring made us sit up and look at this case of Azure App Service Let’s Encrypt renewal failures and the resolution.

How is it automated?

The automation happens using an extension installed within the Azure App Service where we host our website. The extension, Azure Let’s Encrypt, can be found at https://github.com/sjkp/letsencrypt-siteextension.

After a bit of tinkering to get it correctly installed, a WebJob that runs against the App Service website will, at the interval you set, automatically retrieve a new certificate from Let’s Encrypt and apply it to your site. During set-up you have the option to define an email address to be alerted when things go wrong, which in today’s case proved important.

What was the problem?

What alerted us to a problem was an email notification to one of our monitoring mailboxes reporting that the certificate was soon going to expire. We’ve never had this alert before because, for 3 years, this has worked without issue and never once failed to renew the certificate in time.

Looking at the logs for the WebJob in the App Service, we saw an error: Unable to complete challenge with Lets Encrypt servers.

We took a look at the Issues log on the GitHub repository for the project behind the extension and it transpires that we were running version 1.0.4 of the extension and that other users reported that version 1.0.6, released just days ago, had no such issues.

Resolving the problem

Resolving the problem was a trivial task. First, we head into the Azure Portal at https://portal.azure.com and we navigate to our App Service instance where the extension is installed.

The Azure Let’s Encrypt extension showing version 1.0.4 installed and that an update is available

From the Extensions page, we can see that we have version 1.0.4 installed and that it is reporting that there is an update available. Drilling in to the extension itself, we can simply hit the Update button to update to the latest version of the extension. Doing so took a matter of seconds, after which 1.0.6 was reported as the installed version.

From here, you can go to the WebJobs page to view the status of the Let’s Encrypt WebJob. This correctly shows as a Continuous job with a current status of Running.

Verifying the type and status of the WebJob for the Let’s Encrypt Extension

If you dig into the extension, you have the option to view the log files. Here, we can see the previous failures that have occurred. In our test site, the job now correctly showed as completing successfully and, in the TLS/SSL Settings page for the App Service, we can see that a new certificate has been issued and applied to the site.

We’ve now applied the same change to our production site and when the next instance of the WebJob runs, it will successfully issue and apply the new certificate as it has done for our test site already.
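An independent check on the certificate the site actually serves catches a stalled renewal even if the extension’s own alert email is missed. The following is an added example, not part of the extension or the original article; the 30-day threshold, the function names and the sample certificate values are assumptions constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed threshold; Let's Encrypt certificates are valid for 90 days

# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2021 GMT",
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}


def fetch_peer_cert(host, port=443, timeout=10):
    """Return the validated leaf certificate served by host as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def renewal_status(cert, now=None, warn_days=WARN_DAYS):
    """Classify a getpeercert() dict as ok, renewal-overdue or expired."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days  # negative once notAfter has passed
    if days_left < 0:
        state = "expired"
    elif days_left < warn_days:
        state = "renewal-overdue"  # automated renewal should have run by now
    else:
        state = "ok"
    # Each issuer RDN is a tuple of (field, value) pairs; take the first pair
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {"state": state, "days_left": days_left,
            "issuer": issuer.get("organizationName", "unknown")}


if __name__ == "__main__":
    # Usage: python check_cert.py <hostname>; exits non-zero unless "ok"
    result = renewal_status(fetch_peer_cert(sys.argv[1]))
    print(result)
    sys.exit(0 if result["state"] == "ok" else 1)
```

Run on a schedule from somewhere other than the App Service itself, the non-zero exit code gives a second alerting path that does not depend on the WebJob being healthy.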

Do you want to get away from paying for certificates or automate any of your processes?

As this article hopefully illustrates, you can have nice things for free. The power of automation has saved us many hours over the 3 years that we’ve been using it and the solution turned out to be a simple one.

Simple isn’t always the name of the game though and your savings through automation could be many times more than ours.

Contact us at Arcible to find out how we could help you save time and money through automating routine business processes to streamline your business and give you and your staff more time to focus on what’s important.

If you are interested in learning more about our services, such as modernising existing services, or maybe you want to explore moving to Microsoft Azure for your website or other applications, take a look at what we can offer.

Running a Static Website for Less than a Latte

Yes, you read that right. If all you need is a way to show a couple of static web pages you could run a static website for less than the cost of a coffee for the entire year. Although the focus here is a small, simple, and static website, you can apply the same logic to larger sites or even if you need a way to serve up static content over HTTP, not just a website.

What do we mean by a static website?

In web terms, there are primarily two types of website: those which are static based on traditional Hypertext Markup Language (HTML) files and those which are dynamic, calculating different content server-side or retrieving information from a database.

Here, we’re talking about the former. Using the Static Website feature in Azure Storage, we can serve up HTML, JavaScript, and Cascading Stylesheets (CSS).

A website being static doesn’t mean that it can’t look good: by using JavaScript and CSS stylesheets, you can still have a great-looking site; it just doesn’t need the extra moving parts like a database backend or a fancy interface to edit and add new pages.


Using Azure AD Application Proxy to Publish Internal Web Apps

With users working remotely, how are they accessing the internal line of business systems such as web applications that you have running? Chances are they may be having to use a VPN but Azure AD Application Proxy could provide you with a better solution.

Oftentimes, we work with customers to help them to move workloads to Microsoft Azure but what if you want or need to keep something on-premises?


Introducing HTTP/2 and Support in Azure Web Apps

HTTP/2 is the latest upgrade for the internet offering us advantages in performance and reduction in wait times, server resource usage and network resource usage. In this article, we explain what HTTP/2 is and why you want to use it over and above HTTP/1.1, some of its advantages and some things you need to consider before thinking about using it.

Once we get past the introduction, we’ll talk about how we can support HTTP/2 in Azure-hosted websites.

If you run a website then performance is one of the key metrics that you must consider: how does the site perform for end-users accessing the page; how many connections the website can handle at once (concurrent connections) before things start to go a bit haywire; how does the load generated by end-users impact the performance of the server and more. For a long time now, the web has relied on HTTP/1.1 as a protocol for delivering content to end-users.


PCI DSS Changes to Supported Security Protocols

Do you run a website? Is your organisation required to meet, or have you opted to voluntarily meet, the requirements of PCI DSS, or do you just like to keep up with good security practices?

The PCI Security Standards Council (PCI SSC) has given organisations who must comply with PCI requirements until 30th June 2018 to move away from insecure web security standards. This means that if your organisation is running a website or has any web-based services which use a secure connection, they must use the TLS 1.1 or above protocols; the web service must reject connections over the SSL 3.0 and TLS 1.0 protocols. There is a handy PDF guide at https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Migrating_from_SSL_and_Early_TLS_Resource_Guide.pdf.

For most websites and web services, this is a simple change to implement, however, some platforms will not allow you to make this change and some application development languages may not even support these newer versions.

Big businesses may have teams dedicated to managing these requirements, but small organisations or start-up businesses offering online web fronts and check-out shopping services may not. Why not get in touch with us about consulting and we can help you investigate whether you can simply make this change or whether there is more work in store to get yourselves ready for the change. Now may even be a good time to take a look at modernisation such as Azure Web Apps for your website.

Moving to a Secure Web World

The internet and digital communications are evolving. In recent years, there is momentum and support for stronger internet security and adherence to best practice and industry standards. Part of this is for more websites to deliver their content over secure channels even if the website is not transacting payments and orders or accepting input of personal data. If you are transacting and taking online payments or orders; if you have people entering their details such as a contact or subscription page on your website then you definitely should be using secure connections.

According to Scott Helme, a British security researcher, in 2017, the number of websites from the Alexa Top 1 Million Websites using secure communication as standard reached 38%, which is still a remarkably low number. Google now gives preference in its rankings to websites which use secure channels, and modern web browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox all now clearly show you if the website being browsed is not secure.
