DEV Community

Tatsuro Shibamura

How to quickly setup a Let's Encrypt certificate in Azure Container Apps

Azure Container Apps supports custom domain assignment as of the latest update, so you can now publish a web application under your own domain without using Front Door.

However, it does not currently support free managed certificates, so you must upload your own certificate.

Free certificates are issued by Let's Encrypt, so I developed an application to use them. This is based on code written by @jeffhollan of the Azure Apps team.

shibayan / containerapps-acmebot

Automated ACME SSL/TLS certificates issuer for Azure Container Apps

Container Apps Acmebot

This is an application that automates the issuance and renewal of ACME SSL/TLS certificates for Azure Container Apps.

  • Support for multiple Container Apps and Container Apps Environments
  • Easy to deploy and configure
  • Highly reliable implementation
  • Ease of Monitoring (Application Insights, Webhook)

You can add multiple certificates to a single Container App.

Feature Support

  • Issuing certificates for Zone Apex / Multi-domain / Wildcard
  • Automatic binding of custom domains and certificates to Container App
  • Support for multiple Container Apps in a single application
  • ACME-compliant Certification Authorities

Requirements

  • Azure Subscription
  • Azure Container Apps
  • Azure DNS
  • Email address (required to register with Let's Encrypt)

Getting Started

1. Deploy Acmebot

Azure (Public) Azure China Azure Government

2. Add application settings

Update the following configuration settings of the Function App:

  • Acmebot:Webhook
    • Webhook destination…

It has the same functionality as other Acmebot products, but supports Container Apps specific features. Azure DNS is currently required for use.

From here, I will actually use Acmebot to add a custom domain and certificate to the Container App.

Deploy Acmebot

Deploy Acmebot using the "Deploy to Azure" button in the README on GitHub.

Created resources

After deployment is complete, add Azure AD authentication using App Service Authentication. Detailed instructions are provided in the README.

Setup RBAC (IAM) for Acmebot

Assign the Contributor RBAC role to the deployed Acmebot, scoped to the resource group where the Container Apps and Container Apps Environment are deployed.

Adding RBAC setting

Currently there is no RBAC role for Container Apps, so the Contributor RBAC role must be assigned.

Since Acmebot requires Azure DNS for certificate issuance, also assign the DNS Zone Contributor role to Acmebot for Azure DNS.

Issue certificate

If the setup was successful, accessing the application will show a list of DNS zones and Container Apps Environments.

The following simple screen allows you to select a DNS zone and issue a certificate for the required domain name.

Add certificate view

Container Apps certificates are associated with the Container App Environment, so the Container Apps Environment must be explicitly specified when the certificate is issued.

If the certificate is successfully issued, it can be found in the list of certificates in the Container Apps Environment.

Issued certificates

Acmebot is designed to attempt to automatically renew certificates associated with the Container Apps Environment.

Bind to Container App

An additional option is to add custom domain settings to any Container App at the same time the certificate is issued.

Bind custom domain to Container App

A custom domain is added to the Container App, but the actual A or CNAME DNS record is not automatically added and must be added manually. This is by design for safety.

After you manually add the A record, the browser can reach the Container App hosted on the HTTPS-protected zone apex domain, as shown below.

Custom domain and certificate

In this way, Acmebot greatly reduces the effort of issuing certificates for Container Apps and automates their management.

Renew certificates

The default setting is to automatically renew certificates 30 days before they expire.

Upon successful renewal of the certificate by Acmebot, Container Apps will automatically use the new certificate.
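To confirm from outside that the 30-day renewal described above is actually taking place, a scheduled check like the following can flag a certificate that has slipped past the renewal window. It is an added example, not part of Acmebot or the original post; the function names, the two-day grace margin and the sample certificate are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

RENEW_BEFORE_DAYS = 30  # default renewal window stated in the post
GRACE_DAYS = 2          # assumed slack before a late renewal is reported


def fetch_cert(host, port=443, timeout=5.0):
    """Return the served leaf certificate as a dict (chain and name verified)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Extract the issuer organizationName from a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def renewal_status(cert, now=None, renew_before=RENEW_BEFORE_DAYS, grace=GRACE_DAYS):
    """Classify a certificate as ok, renewal-overdue or expired."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining < timedelta(days=renew_before - grace):
        state = "renewal-overdue"  # renewal should already have replaced it
    else:
        state = "ok"
    return {"state": state, "days_left": remaining.days, "issuer": issuer_org(cert)}


# Constructed sample in the shape ssl.getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Jun 30 12:00:00 2024 GMT",
}

if __name__ == "__main__":
    # Pass a host name to check a live endpoint; otherwise use the sample.
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(renewal_status(cert))
```

The issuer is reported rather than enforced, because Acmebot supports any ACME-compliant certification authority.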

Related post

If you are interested in the App Service and Key Vault version of Acmebot, please refer to the following post.

Enjoy Azure Container Apps and Let's Encrypt!
