Manual Let's Encrypt setup for Azure App Service

I’m currently running this blog on top of an Azure App Service and recently needed to create a new certificate to run SSL on it. As I don’t want to have any unnecessary dependencies, I decided to get this done manually through Certbot from my Windows PC.


Before we start, let’s make sure we are all on the same page: you already have an App Service running on Azure, and I assume that you have a TLD registered and know how to manage DNS records. As Certbot is only available on Linux, I ran all the setup through WSL2. If you don’t have a running WSL2 setup yet, please refer to the official documentation: Install Windows Subsystem for Linux (WSL) on Windows 10 | Microsoft Docs

Now that we are ready to get started, I start a new shell in WSL2 and install Certbot. Even though the official documentation recommends using “snap”, you can still use apt-get under Ubuntu. Running snap in WSL2 might lead to some issues, so I would recommend apt-get: sudo apt-get install certbot

Now we can run Certbot. We want to use the manual mode and the DNS challenge, as we are not running this request directly from our App Service.

sudo certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): multiplayer.cloud www.multiplayer.cloud
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for multiplayer.cloud
dns-01 challenge for www.multiplayer.cloud

Now Certbot will ask you to create a DNS TXT record for every domain you want to verify. Simply add the requested values to your DNS zone and make sure that your nameservers are serving the new records before you let Certbot continue.

Please deploy a DNS TXT record under the name
_acme-challenge.multiplayer.cloud with the following value:

After a successful validation you should have the complete certificate chain and the private key located in “/etc/letsencrypt/live/DOMAIN”. Now we need to generate a .PFX certificate, as this is the format that App Service expects. To get access to the folder and run the appropriate command, we elevate our access to root.

sudo -i
cd /etc/letsencrypt/live/multiplayer.cloud/
openssl pkcs12 -export -out multiplayer.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

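Now we want to copy the .PFX file somewhere we can find it from Windows. The destination in the command below is a relative path, so run it from the directory where the copy should end up.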

sudo cp /etc/letsencrypt/live/multiplayer.cloud/multiplayer.pfx multiplayer.pfx
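
The export step above as one function, as an added example that is not from the original post: it checks that privkey.pem belongs to cert.pem, writes the PFX readable by its owner only, protects it with a password read from a file, and reads the bundle back. The function name pfx_export, its arguments and the password file are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: build a password-protected PFX from Certbot's PEM files.
# pfx_export LIVE_DIR OUT_FILE PASS_FILE  (hypothetical name and arguments)
# Return codes: 2 missing input, 3 key/cert mismatch, 4 export failed,
# 5 the finished bundle could not be read back.
pfx_export() {
    local live="$1" out="$2" passfile="$3" f cert_pub key_pub
    for f in "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" "$passfile"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # Refuse to bundle a private key that does not belong to the certificate:
    # both commands print the same PEM public key when the pair matches.
    cert_pub=$(openssl x509 -in "$live/cert.pem" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 3
    [ "$cert_pub" = "$key_pub" ] || {
        echo "privkey.pem does not match cert.pem" >&2; return 3; }

    # The PFX contains the private key, so create it with owner-only
    # permissions and take the export password from a file instead of
    # the command line (first line of PASS_FILE is the password).
    ( umask 077
      rm -f -- "$out"
      openssl pkcs12 -export -out "$out" \
          -inkey "$live/privkey.pem" -in "$live/cert.pem" \
          -certfile "$live/chain.pem" -passout "file:$passfile"
    ) || return 4

    # Read the bundle back with the same password to confirm it is usable
    # before uploading it.
    openssl pkcs12 -in "$out" -passin "file:$passfile" -nokeys -noout \
        2>/dev/null || return 5
}

# Usage, as root, with the live directory from this post
# (output and password paths are placeholders):
#   pfx_export /etc/letsencrypt/live/multiplayer.cloud /root/multiplayer.pfx /root/pfx-pass.txt
```

App Service asks for the same password when the PFX is uploaded. Delete the copied PFX and the password file once the upload has succeeded.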

Now we can easily upload the certificate in our App Service under SSL/TLS Settings and add it as an SNI binding to our domain.

And this is all you need to do to get this running manually.