With the latest update, Azure Container Apps supports custom domain assignment, so you can easily publish your own web application under your own domain without using Front Door.
However, it does not currently support free managed certificates, and you must upload your own certificates.
Free certificates are issued by Let's Encrypt, so I developed an application to use them. This is based on code written by @jeffhollan of the Azure Apps team.
Automated ACME SSL/TLS certificates issuer for Azure Container Apps
Container Apps Acmebot
This is an application that automates the issuance and renewal of ACME SSL/TLS certificates for Azure Container Apps.
- Support for multiple Container Apps and Container Apps Environment
- Easy to deploy and configure
- Highly reliable implementation
- Ease of Monitoring (Application Insights, Webhook)
You can add multiple certificates to a single Container App.
Table Of Contents
- Issuing certificates for Zone Apex / Multi-domain / Wildcard
- Automatic binding of custom domains and certificates to Container App
- Support for multiple Container Apps in a single application
- ACME-compliant Certification Authorities
- Azure Subscription
- Azure Container Apps
- Azure DNS
- Email address (required to register with Let's Encrypt)
1. Deploy Acmebot
2. Add application settings
Update the following configuration settings of the Function App:
- Webhook destination…
It has the same functionality as other Acmebot products, but supports Container Apps specific features. Azure DNS is currently required for use.
From here, I will actually use Acmebot to add a custom domain and certificate to the Container App.
Deploy Acmebot using the "Deploy to Azure" button in the README on GitHub.
After deployment is complete, add Azure AD authentication using App Service Authentication. Detailed instructions are provided in the README.
Assign the Contributor RBAC role to the deployed Acmebot for the resource group where the Container Apps and Container Apps Environment are deployed. Currently there is no RBAC role specific to Container Apps, so the Contributor RBAC role must be assigned.
Since Acmebot requires Azure DNS for certificate issuance, assign the DNS Zone Contributor role to Acmebot for Azure DNS as well.
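The two role assignments described above can also be scripted with the Azure CLI. The following is an added example, not code from this post or from the Acmebot project. It assumes the object ID of the deployed Acmebot's identity is passed in by the operator, and every subscription, resource group and zone name is a placeholder. It keeps Contributor at resource-group scope and DNS Zone Contributor at single-zone scope, and it only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: narrowly scoped role assignments for Acmebot's identity.
# All IDs and names are operator-supplied placeholders (assumptions).

# Resource-group scope for the Contributor role (never the whole subscription).
rg_scope() {  # $1=subscription id, $2=resource group
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Single-zone scope for the DNS Zone Contributor role.
dns_zone_scope() {  # $1=subscription id, $2=DNS resource group, $3=zone name
  printf '%s/providers/Microsoft.Network/dnszones/%s' "$(rg_scope "$1" "$2")" "$3"
}

# Succeeds only for scopes at resource-group level or narrower.
scope_is_narrow() {
  case "$1" in
    /subscriptions/*/resourceGroups/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the az command (DRY_RUN=1, the default) or run it (DRY_RUN=0).
assign_role() {  # $1=principal object id, $2=role name, $3=scope
  scope_is_narrow "$3" || { echo "refusing broad scope: $3" >&2; return 1; }
  set -- az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --role "$2" --scope "$3"
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Grant both roles the post describes.
grant_acmebot_roles() {  # $1=principal id $2=sub $3=apps RG $4=DNS RG $5=zone
  assign_role "$1" "Contributor" "$(rg_scope "$2" "$3")" &&
  assign_role "$1" "DNS Zone Contributor" "$(dns_zone_scope "$2" "$4" "$5")"
}
```

Review the dry-run output first, then rerun `grant_acmebot_roles` with `DRY_RUN=0` from a shell that is already signed in with `az login`.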
If the setup was successful, accessing the application will show a list of DNS Zones and Container Apps Environment.
The following simple screen allows you to select a DNS zone and issue a certificate for the required domain name.
Container Apps certificates are associated with the Container App Environment, so the Container Apps Environment must be explicitly specified when the certificate is issued.
If the certificate is successfully issued, it can be found in the list of certificates in the Container Apps Environment.
Acmebot is designed to attempt to automatically renew certificates associated with the Container Apps Environment.
An additional option is to add custom domain settings to any Container App at the same time the certificate is issued.
A custom domain is added to the Container App, but the actual A or CNAME DNS record is not automatically added and must be added manually. This is by design for safety.
After manually adding the A record, the browser will be able to view the Container App hosted in the HTTPS-protected Zone apex domain, as shown below.
In this way, Acmebot greatly reduces the effort of issuing certificates for Container Apps and automates their management.
The default setting is to automatically renew certificates 30 days before they expire.
Upon successful renewal of the certificate by Acmebot, Container Apps will automatically use the new certificate.
If you are interested in the App Service and Key Vault version of Acmebot, please refer to the following post.
Enjoy Azure Container Apps and Let's Encrypt!