Creating A WordPress Blog Site on Azure – Part 3

So far I have created a WordPress site on Azure and set up my custom domain to work with it.  The only thing left is to add an SSL certificate.  I thought this might be a great time to see if I could use an SSL certificate from Let’s Encrypt to secure my blog.  You definitely can, and while it does take quite a bit of time, it’s not terribly difficult.

I was able to figure out how to do this primarily using the two resources below.  Quite a few things have changed in Azure since Troy Hunt wrote his blog about this process, but it still came in extremely handy.  The other link is the GitHub wiki page of the individual who wrote the Azure Web Site Extension that makes this all work.

  • https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/
  • https://github.com/sjkp/letsencrypt-siteextension/wiki/How-to-install

The first thing we need to do is create an Azure Service Principal.  The Service Principal is the identity that the Let’s Encrypt site extension will use to access the website.  Select Azure Active Directory from the left pane.  If you don’t see it, you will need to click on More Services and search for it.

If you have multiple Azure Active Directories make sure that you select the right directory.  I only have one directory so I won’t need to do this.

Click App Registrations and then New Application Registration.

Normally the Sign-on URL is what your application would need to sign in with, but because of the way the site extension works we won’t actually use it so we can use whatever we want.

When it finishes creating the App Registration, click the name of the application in the list.  This takes you to the All Settings page for the application; from there click on Keys.

Give the new key a description, select a duration and hit Save.  After saving, the client secret will show up in the Value column.  Copy it now and save it for later: you will not be able to retrieve the key again.

Your application is now ready and the service principal has been created on the tenant.  When signing in as the Service Principal, the Application ID/Client ID is the username and the key value you copied and saved above is the password.  The next thing we need to do is grant permissions to the Service Principal.

Open the resource group that contains your App Service/App Service Plan, click Access Control (IAM) and then click Add.

Fill out the information using the name of the Service Principal you created earlier.

The next thing we need to do is add some Web Jobs that will do most of the work of SSL generation and re-keying.  Get the primary connection string from your storage account.  If you don’t already have a storage account, you will need to create one.

Next we need to create the Application Connection Strings.  Click on your App Service, then Application Settings, and scroll down until you find the Connection Strings section.  The two connection strings need to be named AzureWebJobsDashboard and AzureWebJobsStorage.  Both should be set to the Azure Storage Account connection string we copied above.  If it appended core.windows.net as the suffix on the string (the EndpointSuffix=core.windows.net segment; HINT:  IT DID), make sure to remove it.  Click Save at the top of the screen.

Now we are going to install and configure the Let’s Encrypt Site Extension.  Browse to https://{yourwebsitename}.scm.azurewebsites.net.  In my case this is https://jacobbenson.scm.azurewebsites.net/.  Click Site Extensions in the top right corner, then click the Gallery tab.  You can browse or search for the Let’s Encrypt site extension.  Click the + button.

When it’s done installing, the + will change to a play button.  If you click that right now you are going to see a blank page that only says “No route registered for ‘/letsencrypt/’”.  To fix this we need to stop the website and start it again; a restart isn’t good enough.  Click the stop button and wait.  Click the start button and wait.

Now when you hit the play button you will be taken to an Application Settings page.  You can either fill the values in from the site extension or set them as app settings; if you want to set them as app settings, reference Troy Hunt’s blog.  I just filled them out.  The tenant and subscription ID can be found in the Subscriptions section of the Azure portal.  ClientID is the Application ID of the service principal we created earlier.  Client secret is the secret we copied out earlier because we were going to need it later.  Resource group names are straightforward; if you have everything in one group, they are the same.  Check the box for Update Application settings.  Click Next in the lower right.

When it finishes updating, we can go back to the Application Settings (where we added the connection strings earlier) and see all the information there.

If you don’t have a custom domain set up already, you will need to take care of that now.  This article walks through how to do so; you can also reference post #2 in this series.  Once your custom domain is registered, click Next on this page.

Pick your custom domain and put in an email address that you check.  This is where Let’s Encrypt will send its notifications.

If everything goes the way that it should (and it did for me, on the first try, which is completely amazing) you will see this:

We can verify by going into our App Service and clicking SSL Certificates.

One other thing to do while you are in this area of the portal is to go into the Custom Domains section and change HTTPS only to ON.
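The Service Principal, role assignment, connection-string, app-setting, stop/start and HTTPS-only steps above, scripted with the Azure CLI (an added example, not code from the original post or from the site extension's author). It assumes the az CLI is installed and signed in, that the extension reads the letsencrypt:* app settings named in its wiki linked above, and constructed resource names; the site extension install and the Add Binding step stay in the portal as described.

```shell
# Added example (not from the original post): the portal steps as Azure CLI calls.
# Assumes az is installed and signed in; letsencrypt:* names are from the
# extension's wiki. Extension install and Add Binding remain portal steps.
set -euf
# The portal appends an EndpointSuffix segment the extension's web jobs cannot
# use; drop it and insist that AccountName and AccountKey are actually present.
strip_endpoint_suffix() {
    cs="$1"; out=""; have_name=0; have_key=0
    old_ifs="$IFS"; IFS=';'
    for part in $cs; do
        case "$part" in
            EndpointSuffix=*) continue ;;
            AccountName=*)    have_name=1 ;;
            AccountKey=*)     have_key=1 ;;
        esac
        out="${out:+$out;}$part"
    done
    IFS="$old_ifs"
    [ "$have_name" = 1 ] && [ "$have_key" = 1 ] || return 1
    printf '%s' "$out"
}
configure_letsencrypt_prereqs() {
    sub="$1"; rg="$2"; app="$3"; storage="$4"; email="$5"; host="$6"
    # Service principal scoped to the one resource group (least privilege). The
    # secret stays in a shell variable and is never echoed or written to disk.
    sp=$(az ad sp create-for-rbac --name "letsencrypt-$app" --role Contributor \
        --scopes "/subscriptions/$sub/resourceGroups/$rg" \
        --query '[appId,password,tenant]' -o tsv)
    set -- $sp
    client_id="$1"; client_secret="$2"; tenant="$3"
    cs=$(strip_endpoint_suffix "$(az storage account show-connection-string \
        --name "$storage" --resource-group "$rg" --query connectionString -o tsv)")
    # Both web-job connection strings point at the same storage account.
    az webapp config connection-string set -g "$rg" -n "$app" \
        --connection-string-type Custom \
        --settings "AzureWebJobsStorage=$cs" "AzureWebJobsDashboard=$cs" >/dev/null
    az webapp config appsettings set -g "$rg" -n "$app" --settings \
        "letsencrypt:Tenant=$tenant" "letsencrypt:SubscriptionId=$sub" \
        "letsencrypt:ClientId=$client_id" "letsencrypt:ClientSecret=$client_secret" \
        "letsencrypt:ResourceGroupName=$rg" "letsencrypt:Hostnames=$host" \
        "letsencrypt:Email=$email" >/dev/null
    # Stop, then start: a plain restart does not register the extension's route.
    az webapp stop -g "$rg" -n "$app" >/dev/null && az webapp start -g "$rg" -n "$app" >/dev/null
    az webapp update -g "$rg" -n "$app" --https-only true >/dev/null
}
# Usage: sh letsencrypt-prereqs.sh --apply SUB_ID RG APP STORAGE EMAIL HOSTNAME
if [ "${1:-}" = "--apply" ]; then
    configure_letsencrypt_prereqs "$2" "$3" "$4" "$5" "$6" "$7"
fi
```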

On your custom domain you will now see an Add Binding link. Click on that.

Configure the settings.  There are two types to pick from; you can find more information here.  I stuck with the default.

Your custom domain will now look like this:

And if I refresh my blog page, I have HTTPS and everything looks great!