shibayan / appservice-acmebot


Automated ACME SSL/TLS certificates issuer for Azure App Service (Web Apps / Functions / Containers)

License: Apache License 2.0

C# 87.17% HTML 8.78% Bicep 4.05%
azure azure-app-service azure-functions azure-webapp letsencrypt acme-v2 certificate

appservice-acmebot's People

Contributors

brianholley, dependabot[bot], jeanrobertjs, odegroot, shibayan


appservice-acmebot's Issues

Function breaks IdentityServer discovery endpoint

I discovered an issue when using this extension on a website which uses IdentityServer4.

IdentityServer has a discovery endpoint which can be used to retrieve metadata about your IdentityServer - it returns information like the issuer name, key material, supported scopes etc. The discovery endpoint is available via /.well-known/openid-configuration relative to the base address.

This conflicts when using this plugin, because the .well-known folder is mapped to a folder under the site root, and not the wwwroot folder in the web app folder.

I know that IdentityServer is capable of working if a .well-known folder exists in its base directory, so I was wondering if the function will still work if I move the folder and remove the virtual path mapping? Will it still be able to automatically renew the certificate, or are there any absolute or relative paths used within the function which expect the files to be exactly where they are?

Error creating wildcard certificate

Hello Shibayan, How are you?
Application Insights is displaying the error message below; how do I solve this problem?
Exception while executing function: CheckDnsChallenge <--- _acme-challenge.infraestruturameioambiente.sp.gov.br did not resolve.

Regards

Remove Azure DNS Zone requirement for App Services on Linux

Hi there,

So, I am trying to make use of this LetsEncrypt with Azure App Services on Linux. However, we do not wish to move our DNS zone / names to Azure DNS. Is there a way to use this function without being stuck to using DNS zone?

Orchestrator function 'AddCertificate' failed: The activity function 'Dns01Precondition' failed: "Azure DNS zone "<my_app_name>.trafficmanager.net" is not found". See the function execution logs for additional details.

I have a traffic manager located in front of my apps as well because I'm playing with geo-redundancy and for some odd reason this makes the function pick up the trafficmanager.net URL which is fine but I can't verify that either.

Elliptic Curve Cryptography (ECC) certificates and TLS 1.0 / 1.1

The certificate uses Elliptic Curve Cryptography (ECC):

var ec = ECDsa.Create(ECCurve.NamedCurves.nistP256); in SharedFunctions.cs

Unfortunately in Azure App Service Elliptic Curve Cryptography (ECC) certificates are supported only with TLS 1.2.

So if we need to support TLS 1.0 and TLS 1.1 only clients we have to stick with RSA certificates.

Could you make the cipher method configurable?
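An added example (not code from appservice-acmebot) of what a configurable key algorithm could look like: the ECC branch uses the same ECDsa.Create(ECCurve.NamedCurves.nistP256) call quoted above, RSA 2048 is the alternative for TLS 1.0/1.1-only clients, and RequiresTls12 is an audit check for certificates already bound; the KeyAlgorithm enum and the CsrFactory class are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical setting; the project itself hard-codes the ECDSA branch.
public enum KeyAlgorithm { EcdsaP256, Rsa2048 }

public static class CsrFactory
{
    // Builds a PKCS#10 CSR for the given DNS names with a freshly generated key of the
    // configured type. The caller keeps the returned key to pair it with the issued certificate.
    public static (AsymmetricAlgorithm Key, byte[] Csr) Create(string[] dnsNames, KeyAlgorithm algorithm)
    {
        if (dnsNames == null || dnsNames.Length == 0)
            throw new ArgumentException("At least one DNS name is required", nameof(dnsNames));

        var subject = new X500DistinguishedName($"CN={dnsNames[0]}");
        var san = new SubjectAlternativeNameBuilder();
        foreach (var name in dnsNames) san.AddDnsName(name);

        AsymmetricAlgorithm key;
        CertificateRequest request;
        if (algorithm == KeyAlgorithm.Rsa2048)
        {
            // RSA keeps TLS 1.0/1.1-only clients working; 2048 bits is the floor, not a recommendation.
            var rsa = RSA.Create(2048);
            key = rsa;
            request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        else
        {
            // Same curve the issue quotes from SharedFunctions.cs; App Service serves it only over TLS 1.2.
            var ec = ECDsa.Create(ECCurve.NamedCurves.nistP256);
            key = ec;
            request = new CertificateRequest(subject, ec, HashAlgorithmName.SHA256);
        }

        request.CertificateExtensions.Add(san.Build());
        return (key, request.CreateSigningRequest());
    }

    // Audit helper: an ECDSA certificate bound to a site whose minimum TLS version is below 1.2
    // is unusable for clients that cannot negotiate TLS 1.2, so the binding and the TLS floor
    // have to be chosen together.
    public static bool RequiresTls12(X509Certificate2 certificate)
    {
        using (var ec = certificate.GetECDsaPublicKey())
        {
            return ec != null;
        }
    }

    // Pairs the issued certificate with its private key and exports a password-protected PFX,
    // the form the App Service certificate upload (pfxBlob + password) expects.
    public static byte[] ToPfx(X509Certificate2 issued, AsymmetricAlgorithm key, string password)
    {
        X509Certificate2 withKey = key is RSA rsa
            ? issued.CopyWithPrivateKey(rsa)
            : issued.CopyWithPrivateKey((ECDsa)key);
        using (withKey)
        {
            return withKey.Export(X509ContentType.Pfx, password);
        }
    }
}
```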

dropdowns are empty

I read your instructions and it says if the drop down is empty, it's likely an IAM issue. I followed your doc. I added permissions for Website Contributor and Web Plan Contributor to the resource group and the function app. I logged out and in and still can't get anything to show in the pull downs.

After "The certificate was successfully issued" message, nothing happens

I followed the walkthrough to set up everything and I was able to select any of my Azure Apps with custom domains using the url https://.azurewebsites.net/add-certificate

When I submit the form I always get the "The certificate was successfully issued" message but (it seems) no certificate is created or bound to the custom domain.

What can be wrong at this point, is there a place where I can see the exact log/error of the operation?

Display all certificates that are not from Let's Encrypt

It would be nice if the Web UI could display certificates from CAs other than Let's Encrypt, and add the ability to replace them.

Prior to using this extension, I had to remove all my certificates (for a short period of time, my apps had no certificate).

Documentation - Code

This looks very promising, but I haven't managed to get it working. The documentation in the readme is very sparse and I don't know what value to put into the curl command for "code". A full example would help. Even better would be step-by-step with pictures or a youtube video.

AddCertificate error

Hello shibayan,

I'm trying to set this up but getting this error. Would you be able to help?

Orchestrator function 'AddCertificate' failed: The activity function 'UpdateCertificate' failed: "Failed to deserialize exception from TaskActivity: {"$type":"Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponseException, Microsoft.Azure.Management.Websites","Request":{"$type":"Microsoft.Rest.HttpRequestMessageWrapper, Microsoft.Rest.ClientRuntime","Method":{"$type":"System.Net.Http.HttpMethod, System.Net.Http","Method":"PUT"},"RequestUri":"https://management.azure.com/subscriptions/70063eb6-ed26-4167-90be-95c2cb95034e/resourceGroups/Planner/providers/Microsoft.Web/certificates/gardenroomplanner.com-F8884E5C752F58A36B0F0E99F178C23AABACE1EB?api-version=2018-11-01","Properties":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.Object, System.Private.CoreLib]], System.Private.CoreLib"},"Content":"{\r\n "properties": {\r\n "pfxBlob":
--Edited--
",\r\n "password": "",\r\n "serverFarmId": "/subscriptions/70063eb6-ed26-4167-90be-95c2cb95034e/resourceGroups/Default/providers/Microsoft.Web/serverfarms/immu_plan"\r\n },\r\n "location": "West Europe"\r\n}","Headers":{"$type":"System.Collections.Generic.Dictionary2[[System.String, System.Private.CoreLib],[System.Collections.Generic.IEnumerable1[[System.String, System.Private.CoreLib]], System.Private.CoreLib]], System.Private.CoreLib","x-ms-client-request-id":["645f3bc6-1456-416e-8e6a-8029afbc818b"],"Accept-Language":["en-US"],"Authorization":[
--Edited--
],"User-Agent":["FxVersion/4.6.28008.02","OSName/Windows","OSVersion/Microsoft.Windows.10.0.14393.","Microsoft.Azure.Management.WebSites.WebSiteManagementClient/2.2.0"],"Request-Context":["appId=cid-v1:2c55cbc4-b765-433a-ba4e-f1421a1492f7"],"traceparent":["00-b80b1875a0a6a64f818598376c9acebb-91087dfe69759047-00"],"Request-Id":["|b80b1875a0a6a64f818598376c9acebb.91087dfe69759047."],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["4191"]}},"Response":{"$type":"Microsoft.Rest.HttpResponseMessageWrapper, Microsoft.Rest.ClientRuntime","StatusCode":403,"ReasonPhrase":"Forbidden","Content":"{"error":{"code":"LinkedAuthorizationFailed","message":"The client 'e1ee2f08-14fd-4bdc-adda-aaf51ba96256' with object id 'e1ee2f08-14fd-4bdc-adda-aaf51ba96256' has permission to perform action 'Microsoft.Web/certificates/write' on scope '/subscriptions/70063eb6-ed26-4167-90be-95c2cb95034e/resourceGroups/Planner/providers/Microsoft.Web/certificates/gardenroomplanner.com-F8884E5C752F58A36B0F0E99F178C23AABACE1EB'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/70063eb6-ed26-4167-90be-95c2cb95034e/resourceGroups/Default/providers/Microsoft.Web/serverfarms/immu_plan' or the linked scope(s) are invalid."}}","Headers":{"$type":"System.Collections.Generic.Dictionary2[[System.String, System.Private.CoreLib],[System.Collections.Generic.IEnumerable1[[System.String, System.Private.CoreLib]], System.Private.CoreLib]], System.Private.CoreLib","Cache-Control":["no-cache"],"Pragma":["no-cache"],"x-ms-failure-cause":["gateway"],"x-ms-request-id":["26df6ce4-45cd-41d8-a429-2ffad8f12eb7"],"x-ms-correlation-request-id":["26df6ce4-45cd-41d8-a429-2ffad8f12eb7"],"x-ms-routing-request-id":["WESTUS:20191101T110439Z:26df6ce4-45cd-41d8-a429-2ffad8f12eb7"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"X-Content-Type-Options":["nosniff"],"Date":["Fri, 01 Nov 2019 11:04:38 
GMT"],"Connection":["close"],"Content-Type":["application/json; charset=utf-8"],"Expires":["-1"],"Content-Length":["662"]}},"Body":{"$type":"Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponse, Microsoft.Azure.Management.Websites","error":{"$type":"Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponseError, Microsoft.Azure.Management.Websites","code":"LinkedAuthorizationFailed","message":"The client 'e1ee2f08-14fd-4bdc-adda-aaf51ba96256' with object id 'e1ee2f08-14fd-4bdc-adda-aaf51ba96256' has permission to perform action 'Microsoft.Web/certificates/write' on scope '/subscriptions/70063eb6-ed26-4167-90be-95c2cb95034e/resourceGroups/Planner/providers/Microsoft.Web/certificates/gardenroomplanner.com-F8884E5C752F58A36B0F0E99F178C23AABACE1EB'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/70063eb6-ed26-4167-90be-95c2cb95034e/resourceGroups/Default/providers/Microsoft.Web/serverfarms/immu_plan' or the linked scope(s) are invalid.","target":null,"details":null,"innererror":null}},"Message":"Operation returned an invalid status code 'Forbidden'","Data":{"$type":"System.Collections.ListDictionaryInternal, System.Private.CoreLib"},"InnerException":null,"StackTrace":" at Microsoft.Azure.Management.WebSites.CertificatesOperations.CreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String name, Certificate certificateEnvelope, Dictionary2 customHeaders, CancellationToken cancellationToken)\r\n at Microsoft.Azure.Management.WebSites.CertificatesOperationsExtensions.CreateOrUpdateAsync(ICertificatesOperations operations, String resourceGroupName, String name, Certificate certificateEnvelope, CancellationToken cancellationToken)\r\n at Microsoft.Azure.WebJobs.Host.Executors.VoidTaskMethodInvoker2.InvokeAsync(TReflected instance, Object[] arguments) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\VoidTaskMethodInvoker.cs:line 20\r\n at 
Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2.InvokeAsync(Object instance, Object[] arguments) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionInvoker.cs:line 52\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeAsync(IFunctionInvoker invoker, ParameterHelper parameterHelper, CancellationTokenSource timeoutTokenSource, CancellationTokenSource functionCancellationTokenSource, Boolean throwOnTimeout, TimeSpan timerInterval, IFunctionInstance instance) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 585\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstanceEx instance, ParameterHelper parameterHelper, ILogger logger, CancellationTokenSource functionCancellationTokenSource) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 532\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance, ParameterHelper parameterHelper, IFunctionOutputDefinition outputDefinition, ILogger logger, CancellationTokenSource functionCancellationTokenSource) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 468\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance, FunctionStartedMessage message, FunctionInstanceLogEntry instanceLogEntry, ParameterHelper parameterHelper, ILogger logger, CancellationToken cancellationToken) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 278","HelpLink":null,"Source":"Microsoft.Azure.Management.Websites","HResult":-2146233088}". See the function execution logs for additional details.

Where does one load this for Container App Services?

The documentation doesn't seem to be clear (Or I'm not reading it correctly).

How does one load this given that extensions are disabled for App Services for containers? I understand it requires DNS in that case, but I can't figure out how to a. load it, and b. get to the management page.

Thanks!

Moving App-Service to new subscription

We want to move some app-services which have Let's Encrypt certificates to a new Azure subscription and thus a new app-services(plan).
We have already installed your acmebot in the new subscription and the domain name is showing up in the addcertificate ui.
But we get an error: Exception while executing function: Order Error creating new order :: too many certificates already issued for exact set of domains: yyy.xxx.nl: see https://letsencrypt.org/docs/rate-limits/

Is this just because we tried too many times? Should the procedure just work? Or are we missing steps?

Thanks for your answer in advance.

[Error] Azure DNS zone "System.String[]" is not found

Hi @shibayan, I created the role assignments an hour before but still have failures on the 'Dns01Precondition' step.

Logs:

2018-10-12T08:29:40.133 [Information] Executed 'AddCertificate' (Succeeded, Id=8a4b608b-4fb7-4857-8d72-d6913e4a22bc)
2018-10-12T08:29:40.133 [Information] 9a7cf9a85c904fcc8cfb43e19ae90401: Function 'AddCertificate (Orchestrator)' awaited. IsReplay: False. State: Awaited. HubName: DurableFunctionsHub. AppName: letsencrypt-function. SlotName: Production. ExtensionVersion: 1.6.2. SequenceNumber: 114.
2018-10-12T08:29:40.148 [Information] 9a7cf9a85c904fcc8cfb43e19ae90401: Function 'Dns01Precondition (Activity)' started. IsReplay: False. Input: (108 bytes). State: Started. HubName: DurableFunctionsHub. AppName: letsencrypt-function. SlotName: Production. ExtensionVersion: 1.6.2. SequenceNumber: 115.
2018-10-12T08:29:40.149 [Information] Executing 'Dns01Precondition' (Reason='', Id=75359d2c-2c0d-485f-99ea-711174e40923)
2018-10-12T08:29:40.611 [Error] Azure DNS zone "System.String[]" is not found
2018-10-12T08:29:40.149 [Information] Executing 'Dns01Precondition' (Reason='', Id=75359d2c-2c0d-485f-99ea-711174e40923)
2018-10-12T08:29:40.645 [Error] Azure DNS zone "System.String[]" is not found
2018-10-12T08:29:40.678 [Error] Executed 'Dns01Precondition' (Failed, Id=75359d2c-2c0d-485f-99ea-711174e40923)Operation is not valid due to the current state of the object.
2018-10-12T08:29:40.748 [Information] Executing 'AddCertificate' (Reason='', Id=02f20b7d-07e7-408c-b8e5-bd2392a33092)

Thank you in advance for any help,
Jakub

v1.0.0 Release

  • Better error messages
  • Improved certificate renewal
  • Remove expired certificates
  • Documentation
    • Assign role
    • DNS-01 / Wildcard / Web App for Containers support

Request failed with status code 500 after clicking submit

I have followed the documentation in the README and am able to get to the UI and get appropriate options in the drop down menu, but submitting results in a 500 error. I am unsure how to troubleshoot this. Is there a traceback I can post for you and where would I find it? Thanks!

Unable to use certificate for signing purpose

Following this stackoverflow post I created here:
https://stackoverflow.com/questions/56042897/unable-to-use-lets-encrypt-certificate-into-azure-web-app

I'm wondering if there is any problem concerning the type of certificate created with Letsencrypt.
Why is it not possible to receive an RSA/DSA certificate?

I tried to use a certificate generated by Letsencrypt using another tool (https://certifytheweb.com/) and the exported certificate is working with my code.

Btw, why is there no password to secure the certificate generated by your tool?
Sorry for my questions but I'm not an expert in certificates management.

New certificate generation not working - Throwing error 500

Hello!

I installed and setup the function app, followed the documentation to enable authentication on the function app, etc., yet, when I access the /add-certificate to create my certificate, once I click the Submit button, it tries to generate the certificate, and returns an error 500.

My Web App is pretty standard: Linux Web App w/ S1 SKU. I have the standard Production deployment slot, with a secondary slot as well; trying to deploy the certificate on the Production deployment slot, using SNI-based SSL, not IP-based.

I'm not quite sure what extra information I could supply to help troubleshooting, so let me know if you need more info. I've tried looking for logs on both the function app, and my web app, and I see nothing whatsoever.

As troubleshooting measures, I've removed all existing SSL certificates and bindings, just in case there was any conflict, and that didn't help.

Thanks in advance for the help!!

DNS zone search process is wrong.

Original post by kamil-mrzyglod

Hey, so the setup is as follows:

  • front-end app (web)
  • back-end app (api)

Both have custom domains configured. Both are hosted with separate Web Apps. While requesting a certificate, custom domains are correctly discovered, however using them to obtain a cert results in "Cannot find Azure DNS Zone". In the logs I saw it searched for web.* and api.* DNS Zones, not the main domain.

#129

Template deployment failed: Requested feature is not available in resource group.

I just tried to deploy into my subscription, and I got this error. It's very sparse on details, so I've no idea what went wrong. It deployed a storage account, then the AI instance, and then stopped. Any ideas?

{
	"code": "DeploymentFailed",
	"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
	"details": [
		{
			"code": "BadRequest",
			"message": "{\r\n \"Code\": \"BadRequest\",\r\n \"Message\": \"Requested feature is not available in resource group SIT. Please try using a different resource group or create a new one.\",\r\n \"Target\": null,\r\n \"Details\": [\r\n {\r\n \"Message\": \"Requested feature is not available in resource group SIT. Please try using a different resource group or create a new one.\"\r\n },\r\n {\r\n \"Code\": \"BadRequest\"\r\n },\r\n {\r\n \"ErrorEntity\": {\r\n \"ExtendedCode\": \"59324\",\r\n \"MessageTemplate\": \"Requested feature is not available in resource group {0}. Please try using a different resource group or create a new one.\",\r\n \"Parameters\": [\r\n \"SIT\"\r\n ],\r\n \"Code\": \"BadRequest\",\r\n \"Message\": \"Requested feature is not available in resource group SIT. Please try using a different resource group or create a new one.\"\r\n }\r\n }\r\n ],\r\n \"Innererror\": null\r\n}"
		}
	]
}

Error renewing certificate

Hi Shibamura,

This is displaying an error when renewing the certificate in function Renew Certificate, I am worried because the certificate expires on June 7th. Could you help please?

Here are the logs that I collected:
Error Renewing Certificate
Error Renewing Certificate2

Every help is welcome

Error: Request failed with status code 401 I tried the add Certificate in function

I have also implemented the function and tried the AddCertificate. But it always displays an error: Error: Request failed with status code 401.
In the function's Authentication / Authorization from the Azure Portal I turned on App Service Authentication, then selected "Log in with" as Anonymous access is enabled on the App Service app. Is that right?
I have looked through your code but can't seem to find why and where this is a problem.
Can you help?

Thanks

Leonardo Almeida

No Resource Group shows up in WebUI

Nice that a WebUI is added to add certificates, but no ResourceGroup is displayed in the dropdown.
I have added the Website Contributor and Web Plan Contributor roles to the target resource group.
How to troubleshoot this?

BTW: Is there also a WebUI to view which apps are serviced by this function?

InternalServerError with AddCertificate

Hello,

I try to add a certificate, but I get an InternalServerError in the response when it tries to add the certificate to the app service. Any idea what the problem can be? Thank you.

Orchestrator function 'AddCertificate' failed: The activity function 'UpdateCertificate' failed: "Failed to deserialize exception from TaskActivity: {"$type":"Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponseException, Microsoft.Azure.Management.Websites","Request":{"$type":"Microsoft.Rest.HttpRequestMessageWrapper, Microsoft.Rest.ClientRuntime","Method":{"$type":"System.Net.Http.HttpMethod, System.Net.Http","Method":"PUT"},"RequestUri":"https://management.azure.com/subscriptions/1683198f-4c7d-4609-aaef-6ae9084e4682/resourceGroups/MSCLOUD-RG01/providers/Microsoft.Web/certificates/mijn.ubnuitzendbureau.com-1D3F7F2917DF29E03F286FC45EFEFCABF77A1FCD?api-version=2018-11-01","Properties":{"$type":"System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.Object, System.Private.CoreLib]], System.Private.CoreLib"},"Content":"{\r\n "properties": {\r\n "pfxBlob": "Mrj5S",\r\n "password": "Pd",\r\n "serverFarmId": "/subscriptions/1683198f-4c7d-4609-aaef-6ae9084e4682/resourceGroups/MSCLOUD-RG01/providers/Microsoft.Web/serverfarms/PORTALS"\r\n },\r\n "location": "West Europe"\r\n}","Headers":{"$type":"System.Collections.Generic.Dictionary2[[System.String, System.Private.CoreLib],[System.Collections.Generic.IEnumerable1[[System.String, System.Private.CoreLib]], System.Private.CoreLib]], System.Private.CoreLib","x-ms-client-request-id":["2401a0c9-9e1e-4570-9a0e-38f3c7277352"],"Accept-Language":["en-US"],"Authorization":["Bearer eyJ0e4Q"],"User-Agent":["FxVersion/4.6.28207.03","OSName/Windows","OSVersion/Microsoft.Windows.10.0.14393.","Microsoft.Azure.Management.WebSites.WebSiteManagementClient/2.2.0"],"Request-Context":["appId=cid-v1:3945ab3b-2765-48b1-bfb1-4c7c7d56c12f"],"traceparent":["00-1f89ba052cc11540a960983455b96bfb-aef7c8ac223e8d4e-00"],"Request-Id":["|1f89ba052cc11540a960983455b96bfb.aef7c8ac223e8d4e."],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["4206"]}},"Response":{"$type":"Microsoft.Rest.HttpResponseMessageWrapper, Microsoft.Rest.ClientRuntime","StatusCode":500,"ReasonPhrase":"Internal Server Error","Content":"{"Message":"An error has occurred."}","Headers":{"$type":"System.Collections.Generic.Dictionary2[[System.String, System.Private.CoreLib],[System.Collections.Generic.IEnumerable1[[System.String, System.Private.CoreLib]], System.Private.CoreLib]], System.Private.CoreLib","Cache-Control":["no-cache"],"Pragma":["no-cache"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Server":["Microsoft-IIS/10.0"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"],"x-ms-failure-cause":["service"],"x-ms-ratelimit-remaining-subscription-writes":["1199"],"x-ms-request-id":["7573bfd1-b9bd-466b-bf76-6771e8f23038"],"x-ms-correlation-request-id":["7573bfd1-b9bd-466b-bf76-6771e8f23038"],"x-ms-routing-request-id":["WESTEUROPE:20191223T153459Z:7573bfd1-b9bd-466b-bf76-6771e8f23038"],"X-Content-Type-Options":["nosniff"],"Date":["Mon, 23 Dec 2019 15:34:59 GMT"],"Connection":["close"],"Content-Length":["36"],"Content-Type":["application/json; charset=utf-8"],"Expires":["-1"]}},"Body":{"$type":"Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponse, Microsoft.Azure.Management.Websites","error":null},"Message":"Operation returned an invalid status code 'InternalServerError'","Data":{"$type":"System.Collections.ListDictionaryInternal, System.Private.CoreLib"},"InnerException":null,"StackTrace":" at Microsoft.Azure.Management.WebSites.CertificatesOperations.CreateOrUpdateWithHttpMessagesAsync(String resourceGroupName, String name, Certificate certificateEnvelope, Dictionary2 customHeaders, CancellationToken cancellationToken)\r\n at Microsoft.Azure.Management.WebSites.CertificatesOperationsExtensions.CreateOrUpdateAsync(ICertificatesOperations operations, String resourceGroupName, String name, Certificate certificateEnvelope, CancellationToken cancellationToken)\r\n at Microsoft.Azure.WebJobs.Host.Executors.VoidTaskMethodInvoker2.InvokeAsync(TReflected instance, Object[] arguments) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\VoidTaskMethodInvoker.cs:line 20\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2.InvokeAsync(Object instance, Object[] arguments) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionInvoker.cs:line 52\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeAsync(IFunctionInvoker invoker, ParameterHelper parameterHelper, CancellationTokenSource timeoutTokenSource, CancellationTokenSource functionCancellationTokenSource, Boolean throwOnTimeout, TimeSpan timerInterval, IFunctionInstance instance) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 585\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstanceEx instance, ParameterHelper parameterHelper, ILogger logger, CancellationTokenSource functionCancellationTokenSource) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 532\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance, ParameterHelper parameterHelper, IFunctionOutputDefinition outputDefinition, ILogger logger, CancellationTokenSource functionCancellationTokenSource) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 468\r\n at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstanceEx instance, FunctionStartedMessage message, FunctionInstanceLogEntry instanceLogEntry, ParameterHelper parameterHelper, ILogger logger, CancellationToken cancellationToken) in C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:line 278","HelpLink":null,"Source":"Microsoft.Azure.Management.Websites","HResult":-2146233088}". See the function execution logs for additional details.

Add Certificate - This message is too long to display here. Please visit the link to read the content.

I am trying to add a certificate but am getting the error above. I have checked the detailed logs from D:\home\LogFiles\Application\Functions\function\AddCertificate, but cannot find any clear reason why.

I thought it might be related to limits. I have removed D:\home.acme with the same results. I previously got the message that too many certs had been applied but I am no longer getting this error after leaving it for seven days.

Certificate XXX was not found

I have just deployed the Function and tried the AddCertificate. But I always get a "Certificate XX was not found" error. I have looked through your code but can't seem to find why and where this is a problem.

There are no certificates in either the App Service or the Storage account. Where should the Certificate be stored?

Documentation - Feedback

Hi,

Thank you for this application. I have just tested it and put together some comments for you which, had I known them beforehand, would have sped up my usage of this project significantly, at least for me, and hopefully for others too. They are just more explanatory wordings.

I found it quite confusing myself. While your steps might be very clear for experienced Azure users, a few more comments would help less experienced Azure users.

My reasoning in Italic.

  1. In your description you could mention also:
  • This is an alternative solution to https://github.com/sjkp/letsencrypt-siteextension
    (this is not to promote the other option but I didn't know clearly if this project solves the same problem, installing a Let's Encrypt certificate for an Azure Web App. This would make it very clear to me that I am in the right place as I think there are only 2 options for how to do it, through this project and the alternative)
  • This project creates/deploys one Azure App Service (Consumption Plan) you name in the deployment process with one Azure Service and a few Azure Functions in it.
    (this would explain clearly how your project is going to work)

This would make it very clear that this project is trying to achieve the same as the alternative solution but in a more efficient way.

  2. Deployment to Azure Functions (please elaborate more on what that means, I saw two icons there and had no idea what it is going to do.)
  • When you click "Deploy to Azure", your Azure portal will open and a few resources (listed below) will be added to your subscription once you approve it.
    (maybe put in a table what resources, description and reason. I was personally very confused and worried about what this is doing and why, as it says Purchase when you confirm this)

Also, naming the app service is quite important as my deployment failed, see below.

The first mistake I made was to name my App Service letsencrypt. Well, all resources were created except one.

  • Maybe mention prefixing or suffixing the app name to avoid a failed deployment.
Conflict
STATUS MESSAGE { "Code": "Conflict", "Message": "Website with given name letsencrypt already exists.", "Target": null, "Details": [ { "Message": "Website with given name letsencrypt already exists." }, { "Code": "Conflict" }, { "ErrorEntity": { "ExtendedCode": "54001", "MessageTemplate": "Website with given name {0} already exists.", "Parameters": [ "letsencrypt" ], "Code": "Conflict", "Message": "Website with given name letsencrypt already exists." } } ], "Innererror": null }
PROVISIONING STATE Failed
TIMESTAMP 24/04/2019, 16:20:18
DURATION 4 seconds
TYPE Microsoft.Web/sites
RESOURCE ID /subscriptions/08819ce4-9304-443b-bba6-f72ba92f9912/resourceGroups/UkResourceGroup/providers/Microsoft.Web/sites/letsencrypt
RESOURCE letsencrypt
  3. Add application settings key.
  • These keys should be created automatically but you can double check that they are in your newly created function under "Application Settings"
  4. Enable App Service Authentication (EasyAuth) with AAD
  • In the newly created Function, open Platform Features -> Authentication / Authorization ...
  5. Assign roles to target resource group (Here I got lost, where can I get that "Add permissions" window?)
  • Select Resource Group (where your Azure Service is installed) -> Access Control (IAM) -> Add -> Add Role Assignment
  • You need to click Role Assignments to see that the roles were added

Usage - Adding new certificate - When/Why should I tick "Use IP Based SSL"?

Well, at this point all was deployed and working.

Thank you everyone :)

Issue: adding /well-known path mapping breaks web application

I'm running into a problem because whenever the SSL cert renews, a path mapping is added which then breaks my website. My application supports OpenID and so serves requests from hostname/.well-known; however, when my certificate renews a path mapping is added and breaks requests to that path.

It looks like you're configuring the path mapping here, is there any way you could clean up that path mapping once the renewal process is finished? Maybe by deleting the path mapping automatically? I saw previously that you recommended using the keyvault bot but I'm not using Azure DNS (only a single domain in azure) so that seems like overkill.

Getting 500 when deployed to non-default Directory

I've deployed your solution manually (by creating resources and reading through deployment JSON file) to my client's Subscription. When I try to access the URL, I get 500 status message with details as:

Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.

Any help on how to resolve the same?

Add new certificate to hostname does not work anymore

Today I wanted to add a new certificate to a new hostname (added as a second hostname to an existing web app). Your webapp says the certificate is added, but actually it isn't.
When I look in the logs I see in the AddCertificate function log this error:

Orchestrator function 'AddCertificate' failed: The activity function 'CheckHttpChallenge' failed: 
"Failed to deserialize exception from TaskActivity: 
{
	"Message": "The SSL connection could not be established, see innerexception.",
	"Data": {
		
	},
	"InnerException": {
		"ClassName": "System.Security.Authentication.AuthenticationException",
		"Message": "The remote certificate is invalid according to the validation procedure.",
		"Data": null,
		"InnerException": null,
		"HelpURL": null,
		"StackTraceString": "   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslState.ThrowIfExceptional()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)",
		"RemoteStackTraceString": null,
		"RemoteStackIndex": 0,
		"ExceptionMethod": null,
		"HResult": -2146233087,
		"Source": "System.Private.CoreLib",
		"WatsonBuckets": null
	},
	"StackTrace": "   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at AzureAppService.LetsEncrypt.SharedFunctions.CheckHttpChallenge(DurableActivityContext context, ILogger log) in C:\\projects\\azure-appservice-letsencrypt\\AzureAppService.LetsEncrypt\\SharedFunctions.cs:line 169
   at Microsoft.Azure.WebJobs.Host.Executors.VoidTaskMethodInvoker`2.InvokeAsync(TReflected instance, Object[] arguments) in C:\\projects\\azure-webjobs-sdk-rqm4t\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\VoidTaskMethodInvoker.cs:line 20
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2.InvokeAsync(Object instance, Object[] arguments) in C:\\projects\\azure-webjobs-sdk-rqm4t\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionInvoker.cs:line 63
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.InvokeAsync(IFunctionInvoker invoker, ParameterHelper parameterHelper, CancellationTokenSource timeoutTokenSource, CancellationTokenSource functionCancellationTokenSource, Boolean throwOnTimeout, TimeSpan timerInterval, IFunctionInstance instance) in C:\\projects\\azure-webjobs-sdk-rqm4t\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs:line 556
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithWatchersAsync(IFunctionInstance instance, ParameterHelper parameterHelper, ILogger logger, CancellationTokenSource functionCancellationTokenSource) in C:\\projects\\azure-webjobs-sdk-rqm4t\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs:line 503
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstance instance, ParameterHelper parameterHelper, IFunctionOutputDefinition outputDefinition, ILogger logger, CancellationTokenSource functionCancellationTokenSource) in C:\\projects\\azure-webjobs-sdk-rqm4t\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs:line 439
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.ExecuteWithLoggingAsync(IFunctionInstance instance, FunctionStartedMessage message, FunctionInstanceLogEntry instanceLogEntry, ParameterHelper parameterHelper, ILogger logger, CancellationToken cancellationToken) in C:\\projects\\azure-webjobs-sdk-rqm4t\\src\\Microsoft.Azure.WebJobs.Host\\Executors\\FunctionExecutor.cs:line 249",
	"HelpLink": null,
	"Source": "System.Net.Http",
	"HResult": -2146233087
}". See the function execution logs for additional details.

And the CheckHttpChallenge function shows this error:
The remote certificate is invalid according to the validation procedure.

Any idea what the problem can be?
The new hostname is just working (except that it is complaining about an invalid certificate of course.)
So I have no idea what the problem can be.

Return 202 and no errors are logged, but not SSL binding

I have just deployed the Function via the Deploy to Azure Button and tried AddCertificate_HttpStart.
I always get a 202 and "[Information] Started orchestration with ID = 'xxx'. [Information] Executed 'AddCertificate_HttpStart' (Succeeded, Id=xxx)".
But, after waiting for hours, no SSL binding is done.
I thought that the values of ResourceGroupName, SiteName, and Domain were wrong, so I rewrote them to a nonexistent value and executed it, but the result was the same.
I have looked through README.md but I can't seem to find why and where this is a problem.

How to add params to AddCertificate_HttpStart

When I click on the AddCertificate_HttpStart function it says the function is read-only. How do I solve this? How do I add the needed params?

Also to generate wildcard certificate should the domain be something like *.example.com ?

500 Error when issuing new cert

hello -

I am getting a 500 error when I try to issue a new cert.

It looks like it's failing at:

Exception while executing function: AddCertificate Orchestrator function 'AddCertificate' failed: The activity function 'Dns01Precondition' failed: "Azure DNS zone "" is not found". See the function execution logs for additional details.

I have the DNS zone for this domain in Azure, however it's in a different resource group from the webapp.

Do I need to apply more permissions to the resource group that the DNS zone is in?

Thanks!

CheckHttpChallenge failed

First, thank you for this awesome work. I added a certificate to one of my web apps and it worked well; now I'm trying to add another certificate to another web app and I'm getting this error:

{"instanceId":"e1ccfbc4e82847a08bbf4d25fc504e0c","runtimeStatus":"Failed","input":{"$type":"AzureAppService.LetsEncrypt.AddCertificateRequest, AzureAppService.LetsEncrypt","ResourceGroupName":"x","SiteName":"x-landing","SlotName":null,"Domains":["x.com"],"UseIpBasedSsl":true},"customStatus":null,"output":"Orchestrator function 'AddCertificate' failed: The activity function 'CheckHttpChallenge' failed: \"http://x.com/.well-known/acme-challenge/pacs5JZq1pUplU6YfmCQknZFF7pmhn22hCVwl0dTXRs is NotFound status code.\". See the function execution logs for additional details.","createdTime":"2019-05-11T03:16:03Z","lastUpdatedTime":"2019-05-11T03:17:28Z"
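A pre-flight check an operator can run before calling AddCertificate, covering the two failure modes reported in the issues above: the challenge URL answering NotFound in CheckHttpChallenge, and the /.well-known path mapping shadowing an application's own /.well-known/openid-configuration document. This is an added example, not code from appservice-acmebot; the hostnames, token, key-authorization string and the stub fetcher are constructed so it runs offline.

```python
# Added example (not part of appservice-acmebot). Checks, over plain HTTP, that a
# hand-placed file under /.well-known/acme-challenge/ is actually served by the
# site, and that an app's OpenID discovery document still answers after the
# /.well-known virtual-application mapping has been added.
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, str]]

ACME_PREFIX = "/.well-known/acme-challenge/"
OIDC_PATH = "/.well-known/openid-configuration"


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Plain GET returning (status, body). Deliberately uses http://: a hostname
    that has no certificate yet cannot pass TLS validation, which is the
    'remote certificate is invalid' failure seen in CheckHttpChallenge above."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def preflight(host: str, token: str, key_auth: str, expect_oidc: bool,
              fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Check one hostname. `token` names a test file the operator placed under
    .well-known/acme-challenge by hand (constructed here) and `key_auth` is the
    exact body that file should serve back."""
    problems: List[str] = []
    report: Dict[str, object] = {"host": host, "problems": problems}

    status, body = fetch(f"http://{host}{ACME_PREFIX}{token}")
    report["challenge_status"] = status
    if status == 404:
        problems.append("challenge path not served: the .well-known mapping points at "
                        "a folder the site does not serve (NotFound in CheckHttpChallenge)")
    elif status != 200:
        problems.append(f"challenge path returned HTTP {status}")
    elif body.strip() != key_auth:
        problems.append("challenge file served but with the wrong content")

    if expect_oidc:
        status, body = fetch(f"http://{host}{OIDC_PATH}")
        report["oidc_status"] = status
        issuer: Optional[str] = None
        if status == 200:
            try:
                issuer = json.loads(body).get("issuer")
            except ValueError:
                issuer = None
        if status != 200 or not issuer:
            problems.append("openid-configuration no longer served: the /.well-known "
                            "virtual application is shadowing the app's discovery endpoint")
        else:
            report["oidc_issuer"] = issuer

    report["ok"] = not problems
    return report


# Constructed responses standing in for two App Service sites, so the check runs offline.
SAMPLE_TOKEN = "constructed-token-123"
SAMPLE_KEY_AUTH = "constructed-token-123.constructed-thumbprint"
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    # healthy site: challenge file served, discovery document still answers
    "http://good.example.test" + ACME_PREFIX + SAMPLE_TOKEN: (200, SAMPLE_KEY_AUTH + "\n"),
    "http://good.example.test" + OIDC_PATH: (200, json.dumps({"issuer": "https://good.example.test"})),
    # broken site: mapping added, challenge folder not served, discovery document shadowed
    "http://bad.example.test" + ACME_PREFIX + SAMPLE_TOKEN: (404, "Not Found"),
    "http://bad.example.test" + OIDC_PATH: (404, "Not Found"),
}


def stub_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch backed by the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, "Not Found"))


def run_demo() -> Dict[str, Dict[str, object]]:
    """Run the pre-flight against both constructed hosts; returns host -> report."""
    return {h: preflight(h, SAMPLE_TOKEN, SAMPLE_KEY_AUTH, True, stub_fetch)
            for h in ("good.example.test", "bad.example.test")}


if __name__ == "__main__":
    for host, rep in run_demo().items():
        print(host, "OK" if rep["ok"] else "PROBLEMS", rep["problems"])
```

Against a real site, call `preflight(host, token, key_auth, expect_oidc)` with the default fetcher after placing the test file; a 404 on the challenge path before any ACME order is placed is the same condition the orchestrator reports as NotFound.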

Suggestion: Create wildcard certs and bind them to domains.

This app is fantastic but I'm giving a small suggestion. If I want to create a wildcard cert, for example *.dummy.com, I have to add *.dummy.com as a custom domain of my site. However I do not wish others to be able to access my site via abc.dummy.com or mail.dummy.com. The site should only be available at dummy.com and www.dummy.com.

Another case is that I have multiple web apps, e.g., a function app bound to api.dummy.com and a website bound to www.dummy.com. I wish these domains could share the same wildcard cert issued to *.dummy.com.

Would it be possible for the app to create a cert for *.dummy.com and automatically bind the cert to any sub-domains? I think I'm able to implement this feature but things will go much easier if you could help. Thanks.

Is there a way to change or make the .well-known folder location configurable?

We were using a webapp extension that did the same thing. However it's currently broken. I'm testing this out but I notice it creates the challenge file at /site/.well-known. For us this path isn't accessible via http. The path we had before and that works is /site/wwwroot/.well-known. I want to change it to use this path.

Not seeing SSL in Web App after running the AddCertificate_HttpStart function

I got this after running the AddCertificate_HttpStart Function

image

But, when I go to Web App SSL cert is not there?

image

I ran this

{ "ResourceGroupName":"Knob", "SiteName":"live-knob-dev", "Domains":["www.dev2.kidsnightonbroadway.com"], "UseIpBasedSsl":false }

In the body part of the function in Azure.

image

That ran OK, no errors so far, but not seeing the SSL cert.

Is there anything else that needs to be done?

I gave permissions for the Function on the entire Subscription.

image

When I go to the website's resource group I have the same thing.

image

Am I missing something?

Or do I just need to wait? So far it has been about 30 mins from when I ran the function.

Thanks,

Brian Keith Davis
