Wednesday, 24 May 2017

Let's Encrypt on Azure Web Apps - Key Expiration Issue

I run a side-project website on Azure PaaS, for a music library business called The Perfect Music Library. For a year or so this has had an SSL certificate provided by Let's Encrypt.

The certificates provided for this service expire relatively quickly, so in order to keep the certificate updated I've set up and deployed a site extension and web job using the excellent instructions provided by Nik Molnar.

Recently, though, I noticed that the most recent update had failed, which meant that visitors attempting to access the site were seeing browser warnings about an outdated certificate. It turns out the issue was that a key created as part of setting up a "service principal" (step 5 of the instructions linked above) had expired after a year or so.

To diagnose this I opened up the Azure portal, located the web application in question and navigated to the list of web jobs. Within that, right-clicking on the letsencrypt.siteextension.job lets you view the associated logs. Looking at a failed job named Functions.RenewCertificate revealed this error:

Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.RenewCertificate ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.

Some googling of that error took me here, which revealed the problem. To fix it I searched for "App registrations" in the portal, selected the AD application created as part of the initial setup instructions and navigated to the Keys blade. Sure enough, the single key had expired a couple of months ago.

I created a new key and set it to Never expire (only recently an option, I understand) and took a copy of the value generated.

With that I went back to the web app in the portal, located Application settings and updated the value of letsencrypt:ClientSecret with the new value.

When the job next ran, it did so successfully, so I am back with a secure certificate on the website.
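
The expiry that caused this failure can be caught before the renewal job breaks. The following is an added example, not part of the original post or of the site extension: it reads the app registration's secrets as JSON (for example as listed by `az ad app credential list`) and flags any that are expired or close to expiry. The field names (keyId, displayName, endDateTime, with endDate as a fallback), the UTC timestamps and the sample data are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: secrets on one app registration, shaped like
# Microsoft Graph passwordCredential objects (assumed field names).
SAMPLE_CREDENTIALS = """
[
  {"keyId": "00000000-0000-0000-0000-000000000002",
   "displayName": "letsencrypt-rotated",
   "endDateTime": "2017-06-10T09:00:00.1234567Z"},
  {"keyId": "00000000-0000-0000-0000-000000000001",
   "displayName": "letsencrypt-original",
   "endDateTime": "2017-03-20T10:15:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000003",
   "displayName": "no-end-date"}
]
"""


def parse_utc(value):
    """Parse an ISO 8601 timestamp assumed to be UTC; fractional seconds are dropped."""
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def check_secrets(credentials, now, warn_days=30):
    """Return (keyId, status, days_left) per secret, soonest expiry first."""
    results = []
    for cred in credentials:
        end = cred.get("endDateTime") or cred.get("endDate")
        if not end:
            # No end date in the record: report it rather than guess.
            results.append((cred.get("keyId"), "unknown", None))
            continue
        remaining = parse_utc(end) - now
        if remaining <= timedelta(0):
            status = "expired"      # the job would fail with AADSTS50012
        elif remaining < timedelta(days=warn_days):
            status = "expiring"     # rotate and update letsencrypt:ClientSecret
        else:
            status = "ok"
        results.append((cred.get("keyId"), status, remaining.days))
    # Secrets without an end date sort last.
    return sorted(results, key=lambda r: (r[2] is None, r[2] or 0))


if __name__ == "__main__":
    report = check_secrets(json.loads(SAMPLE_CREDENTIALS), datetime.now(timezone.utc))
    for key_id, status, days_left in report:
        print(f"{status:9} {key_id} days_left={days_left}")
```

Run on a schedule, a check like this gives warning while the old secret still works, so the new value can be placed in letsencrypt:ClientSecret before the next renewal.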

1 comment:

  1. Just ran across this today. Thanks for the tip! Saved me some time digging around to figure out how to resolve.
