Generating and Configuring Free SSL Certs for Azure Windows IaaS Virtual Machines

Infrastructure-as-a-Service has provided the ability to quickly deploy hosts in Cloud environments such as Azure. However, the certificate that comes with the host isn’t ready for Web Services. I hadn’t had to do this for quite some time, and it came to my realisation again that whilst there are a few guides available, they cover different scenarios from the one I require. In my development environments I’m looking for an SSL Certificate that:

  • is free
  • can be verified through HTTP verification methods (not DNS as we obviously don’t own the *.cloudapp.azure.com namespace)
  • can be used on Windows Server IIS Websites
  • is trusted by the major browsers
  • is trusted by Azure PaaS Services (e.g Azure API Management)

This blog post details the process to generate free SSL Web Server Certificates using ZeroSSL and Let’s Encrypt, along with the process to implement them on IIS on Windows. Specifically:

  • Generating the Certificate using ZeroSSL
  • Converting the certificate to PFX format for IIS
  • Installing the Certificate on IIS
  • Testing a website configured with the SSL Cert

Generating the Certificate

Start by navigating to ZeroSSL and select Start SSL Certificate Wizard

Enter the address of the host you are generating the certificate for. This can be found from the Overview section of your Virtual Machine in the Azure Portal under DNS Name. Select Accept ZeroSSL TOS and Accept Let’s Encrypt SA (pdf) and select Next.

[Screenshot: Generate Azure IaaS Windows SSL Certificate Start]

The Certificate Signing Request will be generated. Select Next.

[Screenshot: Generate Azure IaaS Windows SSL Certificate 1]

The Account Key will be generated. You can save the CSR and Account Keys from this page. Select Next.

[Screenshot: Generate Azure IaaS Windows SSL Certificate 2]

Create the folder structure in IIS as described in the ZeroSSL Verification page under your Windows Server IIS webroot. This by default will be c:\inetpub\wwwroot.

[Screenshot: Generate Azure IaaS Windows SSL Certificate 3]

You will need to create the .well-known folder using a Windows command prompt.

[Screenshot: Generate Azure IaaS Windows SSL Certificate 4]

Create a web.config file in the acme-challenge directory so that IIS will serve the extension-less challenge file that ZeroSSL asks you to create.

<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>

Ensure the permissions for the new directory and file will also allow access.

[Screenshot: Generate Azure IaaS Windows SSL Certificate 4a]

Click on the file link to make sure that ZeroSSL can access your IIS Website with the file in the path required. Depending on your Azure Networking, you may require an inbound NSG Rule for port 80 as shown below.

[Screenshot: Generate Azure IaaS Windows SSL Certificate NSG 80 Incoming]

Once you have validated the file is accessible, select Next to allow ZeroSSL to verify you have created the file with the appropriate content to validate you own the host. You will then be provided with your certificate.

[Screenshot: Generate Azure IaaS Windows SSL Certificate 6]

The top certificate file contains both your domain certificate and the issuer’s certificate.

  • Save it to your local Windows 10 workstation with the .txt extension. e.g. ServerCerts.txt

The second file contains your domain key.

  • Save the domain key to another file with the .txt extension e.g. ServerDomainKey.txt

Converting the Certificate

In order to be able to import the certificate in IIS we need it in PFX format. OpenSSL allows us to convert the .txt files into PFX format, and it is available in Windows Subsystem for Linux by default. Jumping into a WSL window, run OpenSSL with the following syntax, referencing the two files you created above.

openssl pkcs12 -export -out ServerCert.pfx -inkey ServerDomainKey.txt -in ServerCerts.txt

Provide a secure password for the PFX file. You will need this when importing the certificate on your IIS webserver.

[Screenshot: Convert Cert Format]

Checking out the certificate, we can see that the certificate generated is a Let’s Encrypt cert for our Azure IaaS host.

[Screenshot: Cert Details 1]

and the certificate path all looks good.

[Screenshot: Cert Details 2]

Installing the Certificate

On our IIS Server, under our IIS host in Internet Information Services (IIS) Manager, select Server Certificates and then Import to import the new certificate as shown below.

[Screenshot: Import Cert]

Then select the IIS website we want the certificate for, select Bindings, and edit the HTTPS binding to use the new certificate.

[Screenshot: IIS Server Bindings]
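The IIS-side steps above (challenge folder, web.config, reachability check over port 80, PFX import, HTTPS binding) scripted together, as an added example that is not part of the original post. It assumes an elevated Windows PowerShell 5 session on the Windows Server with the WebAdministration and PKI modules present; the HostName, PfxPath, SiteName and WebRoot parameters are placeholders for your own values, and the function names are mine.

```powershell
# Added example, not code from the original post. Scripts the IIS-side steps
# described above. Assumes an elevated Windows PowerShell 5 session on the
# Windows Server with the WebAdministration and PKI modules present. All
# parameter values (host name, PFX path, site name) are placeholders.
param(
    [Parameter(Mandatory=$true)][string]$HostName,   # DNS Name from the VM Overview blade
    [string]$PfxPath,                                 # PFX produced by the openssl command above
    [string]$SiteName = 'Default Web Site',
    [string]$WebRoot  = 'C:\inetpub\wwwroot'
)

Import-Module WebAdministration

# Creates .well-known\acme-challenge under the webroot and writes the web.config
# that tells IIS to serve the extension-less challenge file as text/plain.
function New-AcmeChallengeFolder([string]$Root) {
    $dir = Join-Path $Root '.well-known\acme-challenge'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    @'
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $dir 'web.config') -Encoding ASCII
    return $dir
}

# Writes a throw-away file into the challenge folder and fetches it over plain
# HTTP, the way ZeroSSL will. A timeout here usually means the inbound NSG rule
# for port 80 is missing; a 404 usually means the web.config was not picked up.
function Test-AcmeChallengePath([string]$Dns, [string]$Dir) {
    $name = 'probe-' + [guid]::NewGuid().ToString('N')
    $file = Join-Path $Dir $name
    Set-Content -Path $file -Value 'ok' -Encoding ASCII -NoNewline
    try {
        $resp = Invoke-WebRequest -Uri "http://$Dns/.well-known/acme-challenge/$name" -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq 'ok')
    } catch {
        Write-Warning "Challenge path not reachable: $($_.Exception.Message)"
        return $false
    } finally {
        Remove-Item $file -ErrorAction SilentlyContinue
    }
}

# Imports the PFX into the machine store (where IIS looks for it) and points the
# site's HTTPS binding at it, creating the binding on 443 if it does not exist.
function Install-SiteCertificate([string]$Pfx, [string]$Site) {
    $pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
    $cert = Import-PfxCertificate -FilePath $Pfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPwd
    if (-not (Get-WebBinding -Name $Site -Protocol https)) {
        New-WebBinding -Name $Site -Protocol https -Port 443
    }
    (Get-WebBinding -Name $Site -Protocol https).AddSslCertificate($cert.Thumbprint, 'my')
    return $cert
}

$challengeDir = New-AcmeChallengeFolder -Root $WebRoot
if (-not (Test-AcmeChallengePath -Dns $HostName -Dir $challengeDir)) {
    throw 'Fix HTTP access to the challenge folder before continuing with ZeroSSL.'
}
Write-Host 'Challenge path reachable; finish the ZeroSSL wizard, convert to PFX, then re-run with -PfxPath.'

if ($PfxPath -and (Test-Path $PfxPath)) {
    $cert = Install-SiteCertificate -Pfx $PfxPath -Site $SiteName
    Write-Host "Bound $($cert.Subject) (expires $($cert.NotAfter.ToShortDateString())) to $SiteName; run iisreset to apply."
}
```

Run it once without -PfxPath to prepare and verify the challenge folder, then again with -PfxPath once the PFX exists. The reachability probe only exercises the same path ZeroSSL uses when the request leaves the VM; if it succeeds from the server but the ZeroSSL verification fails, check the NSG rule for port 80 from outside.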

Testing the Certificate

After an IIS Reset you should then be able to access the IIS-based website using HTTPS. In my case, the Lithnet FIM/MIM Service REST API.

[Screenshot: Lithnet MIM Service REST API]

Summary

Now that I have documented the end-to-end process it will be much quicker next time generating a certificate for the next host. With the certificate details saved I can also easily update the certificate when it expires in three months’ time.

I also have Azure API Management integration with the MIM Service using the Lithnet FIM/MIM Service REST API up and running in another environment.

[Screenshot: MIM Service via API Management]


Simultaneously Start|Stop all Azure Resource Manager Virtual Machines in a Resource Group

Problem

How many times have you wanted to Start or Stop all Virtual Machines in an Azure Resource Group? For me it seems to be quite often, especially for development environment resource groups. It’s not that difficult though. You can just enumerate the VMs, then cycle through them and call ‘Start-AzureRMVM’ or ‘Stop-AzureRMVM’. However, the more VMs you have, that approach, running serially as PowerShell does, means it can take quite some time to complete. Go to the Portal and right-click on each VM and start|stop?

There has to be a way of starting/shutting down all VMs in a Resource Group in parallel via PowerShell, right?

Some searching and it seems common to use Azure Automation and Workflows to accomplish it. But I don’t want to run this on a schedule or necessarily mess around with Azure Automation for development environments, or have to connect to the portal and kick off the workflow.

What I wanted was a script that was portable. That led me to messing around with ‘ScriptBlocks’ and ‘Start-Job’ functions in PowerShell. Passing variables in for locally hosted jobs running against Azure, though, was painful. So I found a quick, clean way of doing it, which I detail in this post.

Solution

I’m using the brilliant Invoke-Parallel PowerShell script from Cookie.Monster to, in essence, multi-thread and run in parallel the Virtual Machine ‘start’ and ‘stop’ requests.

In my script at the bottom of this post I haven’t included the ‘invoke-parallel.ps1’. The link for it is in the paragraph above. You’ll need to either reference it at the start of your script, or include it in your script. If you want to keep it all together in a single script include it like I have in the screenshot below.

My rudimentary PowerShell script takes two parameters:

  1. Power state. Either ‘Start’ or ‘Stop’
  2. Resource Group. The name of the Azure Resource Group containing the Virtual Machines you are wanting to start/stop. e.g. ‘RG01’

Example: .\AzureRGVMPowerGo.ps1 -power 'Start' -azureResourceGroup 'RG01' or PowerShell .\AzureRGVMPowerGo.ps1 -power 'Start' -azureResourceGroup 'RG01'

Note: If you don’t have a session to Azure in your current environment, you’ll be prompted to authenticate.

Your VMs will simultaneously start/stop.

What’s it actually doing?

It’s pretty simple. The script enumerates the VMs in the Resource Group you’ve specified. It looks for the VMs whose status (Running or Deallocated) is the inverse of the ‘Power’ state you’ve specified when running the script. It’ll start stopped VMs in the Resource Group when you run it with ‘Start’, or it will stop all started VMs in the Resource Group when you run it with ‘Stop’. Simples.

This script could also easily be updated to do other similar tasks, like deleting all VMs in a Resource Group.
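The approach just described, written out as an added example that is not the post’s own AzureRGVMPowerGo.ps1 (which is not reproduced on this page): enumerate the VMs in the Resource Group, keep only those whose power state is the inverse of the requested action, and start or stop them in parallel through Invoke-Parallel. It assumes the AzureRM module is installed, that Invoke-Parallel.ps1 from the link above sits in the same folder as the script, and, as the post relies on, that the Azure login made in this process is visible to Invoke-Parallel’s runspaces; the -throttle parameter and the Get-VMPowerTargets function are my additions.

```powershell
# Added example, not the post's own script. Starts or stops every VM in a
# Resource Group in parallel using Invoke-Parallel (RamblingCookieMonster).
# Assumes: AzureRM module installed; Invoke-Parallel.ps1 next to this script;
# the Azure context signed in here is visible to the runspaces (as the post relies on).
param(
    [Parameter(Mandatory=$true)][ValidateSet('Start','Stop')][string]$power,
    [Parameter(Mandatory=$true)][string]$azureResourceGroup,
    [int]$throttle = 10   # my addition: how many VMs to act on at once
)

. (Join-Path $PSScriptRoot 'Invoke-Parallel.ps1')

# Prompt for authentication if there is no Azure session in this process.
$ctx = Get-AzureRmContext -ErrorAction SilentlyContinue
if (-not $ctx -or -not $ctx.Account) { Login-AzureRmAccount | Out-Null }

# Returns the VMs whose current power state is the inverse of the requested action:
# deallocated VMs for 'Start', running VMs for 'Stop'. -Status adds the
# PowerState property ("VM running", "VM deallocated", ...) to each VM.
function Get-VMPowerTargets([string]$ResourceGroup, [string]$Action) {
    $wanted = if ($Action -eq 'Start') { 'VM deallocated' } else { 'VM running' }
    Get-AzureRmVM -ResourceGroupName $ResourceGroup -Status |
        Where-Object { $_.PowerState -eq $wanted }
}

$targets = @(Get-VMPowerTargets -ResourceGroup $azureResourceGroup -Action $power)
if ($targets.Count -eq 0) {
    Write-Host "No VMs in $azureResourceGroup need to $power."
    return
}
Write-Host "$power requested for $($targets.Count) VM(s): $($targets.Name -join ', ')"

# Each VM gets its own runspace (same process, so the Azure login is shared, which is
# why this works where Start-Job, a new process, does not). -Parameter passes the
# requested action in as $parameter; $_ is the current VM.
$results = $targets | Invoke-Parallel -Throttle $throttle -Parameter $power -ScriptBlock {
    if ($parameter -eq 'Start') {
        $op = Start-AzureRmVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name
    } else {
        $op = Stop-AzureRmVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name -Force
    }
    [pscustomobject]@{ VM = $_.Name; Status = $op.Status }
}

$results | Format-Table -AutoSize
```

Stop-AzureRmVM is called with -Force so no runspace blocks on a confirmation prompt, and without -StayProvisioned so the VMs end up deallocated, which is the state the filter looks for on the next ‘Start’ run.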

Here it is

Enjoy.

Follow Darren Robinson on Twitter