In this blog I will show how to renew a SSL certificate for an Azure WordPress blog site. When obtaining or renewing a certificate it is necessary to prove ownership of the DNS domain the certificate will be issued for. In my case the domain is blog.ictnsure.nl.
The website I use to get free SSL Certificates is SSLforFree. They offers several ways you can proof domain ownership. One of these is adding a DNS TXT-record with a specific value and I describe this procedure in a previous blog. I found this DNS-record method a little challenging because my DNS provider does not let me adjust the TTL of DNS records; the TTL is hardcoded to 60 minutes. Furthermore, their DNS replication is slow.
Therefore, when a renewal of the certificate was due I decided to take another route namely Manual Verification. With this verification method you must place a specific text-file in the root folder of your blog web site so as to proof ownership of the domain.
renewing the certificate
An SSLforFree certificate has a validity of three months. One week before expiration an email is sent stating that the certificate is about to expire.
After logging on to SSLforFree I can see an overview of my certificates.
Click on Renew.
Choose for Manual Verification.
Click Manually Verify Domain and download the verification file to disk. You need to place this specific file in a folder named /.well-known/acme-challenge in the root of your website. To upload this file we will be using FTP and I will explain the details in the next section.
Uploading the verification file
First look up the Azure website FTP settings and credentials in your Microsoft Azure administrative portal: navigate to App Services | <select your WordPress app service> | Deployment Center | FTP/Credentials.
For FTP I personally like to use the FileZilla client. The Azure FTP settings translate in FileZilla as:
Once connected successfully navigate to folder /site/wwwroot. From there create folder .well-known/acme-challenge and upload the SSLforFree domain verification file to this folder.
The website needs to be listening on port 80 (possibly forwarding to 443). This presents no problem for my Azure blog website. I set it to forward all http traffic to https as per the Azure setting below.
In the next section I will explain the additional configuration required for the SSLforFree website to be able to verify my domain ownership.
Next we need to make sure the website uses mimeType=”text/plain” for documents without a file extension. This is necessary because the SSLforFree domain verification file does not have an extension but should be processed as a text-file. You can verify whether SSLforFree can read the file successfully by browsing to the verification file (SSLforFree provides a link). If the website return a page showing the characters of the filename the website is correctly configured.
If you get a message saying that the page cannot be shown than either the verification file is not in the correct folder or the web server does not correctly indicate that the file should be processed as a text-file. To solve the latter please add the following section under the <server.webServer>-section in the web.config file (located in folder /site/wwwroot ).
<staticContent> <mimeMap fileExtension="." mimeType="text/plain" /> </staticContent>
My web.config then looks like this (the <rewrite>-section is collapsed in this picture).
The changes are in effect immediately and there is no need to restart the website. Refreshing the browser will do the trick.
Now that SSLforFree is able to verify your ownership of the domain the certificate can be generated, downloaded and installed.
Installing the certificate
After downloading the files they must be converted to PFX-format (for a more detailed explanation please have a look at my blog How to Convert PEM Certificates to PFX Format. This conversion can be done using the decoder.link website.
Letting a third party convert your certificate files for you is potentially dangerous. If you want to be very secure you can convert the certificate files on your own laptop. See my blog How to Convert PEM Certificates to PFX Format on how to do this.
On the decoder.link website navigate to the SSL Converter page, choose PEM To PKCS#12 and upload the SSLforFree files as shown below.
Rename the downloaded file to a more usefull name. Than log in to your Azure admin portal and navigate to your App Service | TLS/SSL Settings | tab Private Key Certificates (.pfx).
Now bind the new certificate to the domain.
After binding navigate to the website and check the new certificate. I had to close my browser and start it again to refresh.
I hope the information has been useful to you.