Microsoft Azure

Azure App Service Let’s Encrypt Renewal Failures and Resolution

Paying for certificates isn’t the done thing when you can get free certificates from Let’s Encrypt. Free certificates from Let’s Encrypt come at a different price, and that price is lifetime: the certificates are only ever valid for 90 days. If you’re still manually buying and installing certificates annually, you won’t want to do that four times a year, so we automate the process end-to-end. This has been working perfectly for us since about 2018; however, a recent alert about a certificate expiring made us sit up and look at this case of Azure App Service Let’s Encrypt renewal failures and the resolution.

How is it automated?

The automation happens using an Extension installed within Azure App Service, where we host our website. The extension, Azure Let’s Encrypt, can be found at https://github.com/sjkp/letsencrypt-siteextension.

After a bit of tinkering to get it correctly installed, a WebJob that runs against the App Service website will, at the interval you set, automatically retrieve a new certificate from Let’s Encrypt and apply it to your site. During the set-up process you have the option to define an email address to alert when things go wrong, which in today’s case proved important.

What was the problem?

What alerted us to a problem was an email notification to one of our monitoring mailboxes reporting that the certificate was soon going to expire. We’ve never had this alert before because, for 3 years, this has worked without issue and never once failed to renew the certificate in time.

Looking at the logs for the WebJob in the App Service, we saw the error “Unable to complete challenge with Lets Encrypt servers”.

We took a look at the Issues log on the GitHub repository for the project behind the extension and it transpires that we were running version 1.0.4 of the extension and that other users reported that version 1.0.6, released just days ago, had no such issues.

Resolving the problem

Resolving the problem was a trivial task. First, we head into the Azure Portal at https://portal.azure.com and we navigate to our App Service instance where the extension is installed.

The Azure Let’s Encrypt extension showing version 1.0.4 installed and that an update is available

From the Extensions page, we can see that we have version 1.0.4 installed and that it is reporting that there is an update available. Drilling into the extension itself, we can simply hit the Update button to update to the latest version of the Extension. Doing so took a matter of seconds, and the extension then reported back 1.0.6 as its version.

From here, you can go to the WebJobs page to view the status of the Let’s Encrypt WebJob. This shows as a Continuous job with a current status of Running, both of which are correct.

Verifying the type and status of the WebJob for the Let’s Encrypt Extension

If you dig into the Extension, you have the option to view the log files. Here, we can see the previous failures that have occurred. On our test site, the log now correctly showed the job completing successfully, and in the TLS/SSL Settings page for the App Service we can see that a new certificate has been issued and applied to the site.

We’ve now applied the same change to our production site and when the next instance of the WebJob runs, it will successfully issue and apply the new certificate as it has done for our test site already.
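An independent check that a renewal actually reached the live site, added here as an example (it is not part of the extension or of our set-up): it reads the expiry date of the certificate the site serves and flags it well before the 90-day lifetime runs out. The 30-day and 14-day thresholds, the status names and the host name are assumptions.

```python
import socket
import ssl
import time

# Assumed thresholds, not taken from the article: with a 90-day certificate
# lifetime, a healthy renewal job should never let the live certificate get
# this close to expiry.
WARN_DAYS = 30
CRIT_DAYS = 14


def days_remaining(not_after, now=None):
    """Days until expiry; not_after uses the getpeercert() 'notAfter' format."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None):
    """Map the remaining lifetime onto a monitoring status."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "EXPIRED"
    if left < CRIT_DAYS:
        return "CRITICAL"
    if left < WARN_DAYS:
        return "WARNING"
    return "OK"


def check_site(host, port=443, timeout=10):
    """Fetch the certificate the site actually serves and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or otherwise invalid certificate fails the handshake,
        # so there is no notAfter to read; report the verification error.
        return "INVALID", exc.verify_message
    return classify(not_after), not_after


if __name__ == "__main__":
    # www.example.com is a placeholder; use the App Service custom domain.
    print(check_site("www.example.com"))
```

Run on a schedule from somewhere other than the App Service itself, this gives a second signal if both the WebJob and its alert email fail.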

Do you want to get away from paying for certificates or automate any of your processes?

As this article hopefully illustrates, you can have nice things for free. The power of automation has saved us many hours over the 3 years that we’ve been using it and the solution turned out to be a simple one.

Simple isn’t always the name of the game though and your savings through automation could be many times more than ours.

Contact us at Arcible to find out how we could help you save time and money through automating routine business processes to streamline your business and give you and your staff more time to focus on what’s important.

If you are interested in learning more about our services, such as modernising existing services, or maybe you want to explore moving to Microsoft Azure for your website or other applications, take a look at what we can offer.

Running a Static Website for Less than a Latte

Yes, you read that right. If all you need is a way to show a couple of static web pages you could run a static website for less than the cost of a coffee for the entire year. Although the focus here is a small, simple, and static website, you can apply the same logic to larger sites or even if you need a way to serve up static content over HTTP, not just a website.

What do we mean by a static website?

In web terms, there are primarily two types of website: those which are static based on traditional Hypertext Markup Language (HTML) files and those which are dynamic, calculating different content server-side or retrieving information from a database.

Here, we’re talking about the former. Using the Static Website feature in Azure Storage, we can serve up HTML, JavaScript, and Cascading Stylesheets (CSS).

A website being static doesn’t mean that it can’t look good: by using JavaScript and CSS stylesheets, you can still have a great looking site; it just doesn’t need the extra moving parts like a database backend or a fancy interface to edit and add new pages.


Replace Your File Server with Azure Files

We’ve previously talked about migrating files to SharePoint Online and OneDrive for Business. Even if you’ve done this, you will no doubt have a reason for a file server still. If cloud is your goal, why not replace your file server with Azure Files?

You get all the same capabilities as you do with an on-premises file server but the benefits of a Platform-as-a-Service solution that doesn’t require servers.


Using Azure AD Application Proxy to Publish Internal Web Apps

With users working remotely, how are they accessing the internal line of business systems such as web applications that you have running? Chances are they may be having to use a VPN but Azure AD Application Proxy could provide you with a better solution.

Oftentimes, we work with customers to help them to move workloads to Microsoft Azure but what if you want or need to keep something on-premises?


Security Key Login with Hybrid Windows 10 Devices

Technically speaking, this feature has been available for some time if you were prepared to use machines joined to the Windows Insider Programme, as it required a minimum build of Windows 10. Because that build, Build 18945, was exclusive to the Insider Programme, it meant that this feature wasn’t viable for production users because who wants to use preview builds with real users?

With the release of the May 2020 update for Windows 10, however, all the parts are now there in production form to enable the use of a security key for Windows 10 login on hybrid devices.


Securing Passwords with Azure AD Password Protection

Organisations define password policies to ensure that their users are not setting weak passwords that can be easily compromised. In this article, we explore securing passwords with Azure AD Password Protection and whether it can help make you more secure while also being easier on your users.

Traditional password policies in Active Directory rely on basic filters to determine the number of characters and type of characters including numbers, letters, and symbols. On face value these policies may seem secure, however, are these policies actually causing the problem and much weaker than you think?


Manage Software Updates with Azure Update Management

The answer is Azure Update Management, so what is the problem we are trying to solve? At Arcible, we have some on-premises servers. To keep safe, secure, and compliant, these servers need patching just like any other server does. Our environment is small and not big enough to justify a Microsoft Endpoint Manager (formerly Configuration Manager) deployment, and Windows Server Update Services (WSUS) is too painful and manual to manage.

So if we aren’t using Microsoft Endpoint Manager or WSUS, what do we do? We want a solution that’s automated to reduce the admin overhead while being lightweight and not costing much.


Azure Cost Management for CSP

One of the primary routes for Azure consumption has been the Cloud Seller Programme (CSP) model, however, a problem has been that there has been no visible Cost Management for CSP. As of October 2019 though, this is now available giving you access to the same cost management for CSP as Enterprise Agreement and Pay-as-you-Go customers have had.
