Azure LetsEncrypt cannot access .well-known/acme-challenge for my function

1
votes

I am trying to enable SSL for my azure function using the letsencrypt site-extension for azure as described here. I was following the instructions in that wiki and on this website.

However, I get an error when it tries to verify the website.

The error indicates that the acme-challenge page cannot be accessed (404).

This is my web.config under .well-known/:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="ACMEStaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
    </handlers>
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>

Does anyone have any ideas on what could be going wrong?

2
azuressl-certificateazure-functionslets-encrypt

2 Answers

3
votes

Here's how you can do that.

In your function app, create a new proxy for the challenge directory (this is required as the challenge will be a http get to /.well-known/acme-challenge/, and per default a function in a function app will only answer on /api/.

You can setup the proxy in the following way. enter image description here

proxies.json

{
  "$schema": "http://json.schemastore.org/proxies",
  "proxies": {
    "LetsEncryptProxy": {
      "matchCondition": {
        "route": "/.well-known/acme-challenge/{code}"
      },
      "backendUri": "http://%WEBSITE_HOSTNAME%/api/letsencrypt/.well-known/acme-challenge/{code}"
    }
  }
}

The important setting here is the Route Template: /.well-known/acme-challenge/{*rest} this will match all request that goes to the challenge directory.

Please note that proxies are a preview feature and you have to enable it, for it to work.

Reference: https://github.com/sjkp/letsencrypt-siteextension/wiki/Azure-Functions-Support https://blog.bitscry.com/2018/07/06/using-lets-encrypt-ssl-certificates-with-azure-functions/

0
votes

I figured it out:

Similar to KetanChawda-MSFT's answer, except the proxy needs to hit the api endpoint function that you create.

So here's the function:

// https://YOURWEBSITE.azurewebsites.net/api/letsencrypt/{code}

#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, string code, TraceWriter log)
{    
    log.Info($"C# HTTP trigger function processed a request. {code}");

    var content = File.ReadAllText(@"D:\home\site\wwwroot\.well-known\acme-challenge\"+code);
    var resp = new HttpResponseMessage(HttpStatusCode.OK);
    resp.Content =  new StringContent(content, System.Text.Encoding.UTF8, "text/plain");
    return resp;
}

And here's the proxy that hits that function when letsEncrypt tries to verify the acme challenge:

{
  "$schema": "http://json.schemastore.org/proxies",
  "proxies": {
    "LetsEncryptProxy": {
      "matchCondition": {
        "route": "/.well-known/acme-challenge/{code}"
      },
      "backendUri": "http://%WEBSITE_HOSTNAME%/api/letsencrypt/{code}"
    }
  }
}