Free TLS/SSL certificates for Azure App Service
Last month, it was announced at MS Ignite that users of Azure App Service would have free, managed TLS/SSL certificates:
Julien Dubois (@juliendubois)
Free SSL certificates on Azure App Services! It's one of my most-awaited announcements at MS Ignite!!
azure.microsoft.com/en-us/updates/…
07:35 AM - 05 Nov 2019
Azure App Service is a very popular Platform-as-a-Service, which supports Docker images as well as many different languages and frameworks. For example, if you are using Java and Spring Boot, I believe it's the easiest way to go to production on Azure. And using TLS/SSL is of course mandatory when going to production!
Configuring those certificates isn't very obvious, as you probably don't use Azure to manage your DNS: this short guide is here to help!
Configure your DNS records
Configuring your DNS records is probably the trickiest part, as this will depend on your DNS provider.
Here we will set up a very generic configuration, which should work on most DNS providers. But as a concrete example, we are going to use Gandi, which is a French DNS provider, and which is the one I use for my julien-dubois.com personal website as well as the different JHipster websites.
What you need to do is add a "CNAME" record, which will point from your production DNS name to your Azure App Service instance.
For example, here:
- My production website will be https://petclinic.julien-dubois.com.
- My App Service instance is called jdubois-petclinic, so by default it is hosted at https://jdubois-petclinic.azurewebsites.net.
Warning: the host name entry usually ends with a dot (.), unless you specifically want it to be suffixed by the current domain. This is what most DNS providers will require, and this is why in the screenshot we have jdubois-petclinic.azurewebsites.net. (please note the . at the end).
Your DNS provider might also allow you to configure those DNS records directly, without using a web control panel. In that case, your DNS entry would look like this:
petclinic 1800 IN CNAME jdubois-petclinic.azurewebsites.net.
Once this configuration is saved, remember that DNS records can take up to 48 hours to propagate, but it's usually much faster.
In order to check the propagation of your record, you can use a tool like https://dnschecker.org/. In our example, you can see on https://dnschecker.org/#CNAME/petclinic.julien-dubois.com that our CNAME record was correctly propagated.
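The trailing-dot warning above, as an added example that is not part of the original post: a small Python linter that expands zone-file names the way a DNS server does and flags a CNAME target that ends up suffixed by the current domain. The function names, the `ORIGIN` and `EXPECTED_SUFFIX` constants and the second sample line are assumptions constructed for illustration.

```python
# Added example: lint zone-file CNAME lines for the missing trailing dot.
ORIGIN = "julien-dubois.com."            # zone holding the record (assumed)
EXPECTED_SUFFIX = ".azurewebsites.net."  # default App Service host names


def absolute(name: str, origin: str = ORIGIN) -> str:
    """Expand a zone-file name to a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                      # already fully qualified
    return f"{name}.{origin}"            # relative: the origin is appended


def parse_cname(line: str):
    """Parse '<name> [ttl] [IN] CNAME <target>' into (owner, ttl, target)."""
    fields = line.split(";", 1)[0].split()        # drop a trailing comment
    upper = [f.upper() for f in fields]
    if "CNAME" not in upper:
        raise ValueError(f"not a CNAME record: {line!r}")
    idx = upper.index("CNAME")
    if idx == 0 or idx + 1 >= len(fields):
        raise ValueError(f"malformed CNAME record: {line!r}")
    ttl = next((int(f) for f in fields[1:idx] if f.isdigit()), None)
    return absolute(fields[0]), ttl, absolute(fields[idx + 1])


def check(line: str):
    """Return (owner, effective_target, ok) for one record line."""
    owner, _ttl, target = parse_cname(line)
    return owner, target, target.lower().endswith(EXPECTED_SUFFIX)


# The record from this post, and a constructed variant without the final dot.
GOOD = "petclinic 1800 IN CNAME jdubois-petclinic.azurewebsites.net."
BAD = "petclinic 1800 IN CNAME jdubois-petclinic.azurewebsites.net"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        owner, target, ok = check(record)
        print(f"{'OK ' if ok else 'BAD'} {owner} -> {target}")
```
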
Configure your Azure App Service instance
You can now go to the Azure portal, and select your Azure App Service instance.
"Custom domains" configuration
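In the "Custom domains" menu on the left:
- Check the "HTTPS Only" box, as there is no need to keep an insecure HTTP option.
- Click on "Add custom domain" and add the domain name that you configured with your DNS provider.
The "Validate" button here will check that your DNS record is correct: if you configured the wrong record, or if your record has not propagated yet, you will get an error here.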
"TLS/SSL settings" configuration
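In the "TLS/SSL settings" menu on the left, go to the "Private Key Certificates (.pfx)" tab.
Click on "Create App Service Managed Certificate", which will show a specific screen where you can select the domain name you configured previously:
Click on "Create", and wait a few seconds for the certificate to be created:
Now, still on the "TLS/SSL settings" page, click on the "Bindings" tab:
Click on "Add TLS/SSL Binding" and select the certificate you generated previously. You should use "SNI SSL", as it will work on all modern browsers:
Click on "Add Binding", and the setup is complete!
You can now access your website using TLS/SSL: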