Geek Answers Handbook

Azure Website - Configure SSL bindings using PowerShell or the middleware CLI

Our situation is that we often expect to add new user subdomains to several Azure websites, and we should be able to automate the process so that we can minimize any need for manual intervention and the risk of screwing something up.

The Azure Cross-Platform command line tools and PowerShell cmdlets provide me with all the functionality for a script, with the obvious exception of SSL bindings ... All websites have only HTTPS, and every domain that we add requires an SSL SNI binding.

Azure management portals allow you to manually configure SSL bindings for website domains. How can I achieve the same using PowerShell cmdlets or cross-platform CLI tools? If this is not possible using any of these tools, is there any other way that I can execute the script when we add / remove domains to sites?

+8
ssl powershell azure azure-web-sites
source share
2 answers

I finally managed to do this using the Azure Site Management REST API.

The source documentation that I based on my code example below in 2014 is no longer available, but the Azure Resource Explorer mentioned by Zain and related to the blog post in the comments is, in my opinion, an excellent resource. Direct link: https://resources.azure.com/

The link to the REST API for service management seems to be closest to the source documentation I used, but currently has nothing to do with Azure Web Apps (formerly known as Azure Websites): https://msdn.microsoft.com /library/azure/ee460799.aspx

eg:.

using System; using System.Linq; using System.Net.Http; using System.Net.Http.Formatting; using System.Net.Http.Headers; using System.Security.Cryptography.X509Certificates; using System.Threading.Tasks; private const string managementThumbprint = "0000000000000000000000000000000000000000"; private const string subscriptionId = "00000000-0000-0000-0000-000000000000"; private const string sslThumbprint = "0000000000000000000000000000000000000000"; private const string webspace = "eastasiawebspace"; private const string websiteName = "myWebsite"; private const string websiteDomain = "myDomain"; private const SslState sslState = SslState.SniEnabled; public async Task SetSslState() { //Retrieve management certificate var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); var certificate = store.Certificates.Cast<X509Certificate2>().First(xc => xc.Thumbprint.Equals(managementThumbprint, StringComparison.OrdinalIgnoreCase)); //Setup http client var handler = new WebRequestHandler(); handler.ClientCertificates.Add(certificate); var client = new HttpClient(handler) { BaseAddress = new Uri("https://management.core.windows.net/" + subscriptionId + "/services/WebSpaces/") }; client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); client.DefaultRequestHeaders.Add("x-ms-version", "2014-06-01"); var requestData = new { HostNameSslStates = new[] { new { Name = websiteDomain, SslState = (long)sslState, Thumbprint = sslThumbprint, ToUpdate = true } } }; var response = await client.PutAsJsonAsync(webspace + "/sites/" + websiteName, requestData); } public enum SslState { Disabled = 0, SniEnabled = 1, IpBasedEnabled = 2 }
+7
source share

You can now use this action in Azure Resource Manager mode of the Azure Powershell library. This also assumes that the selected certficate is already available in Azure, I already had the certificate used on other sites, so I did not need to upload it before adding it to the new site.

Install the library first to use Azure Resource Manager mode. This article provides a good idea of ​​what this mode provides.

 Switch-AzureMode -Name AzureResourceManager Add-AzureAccount Select-AzureSubscription -SubscriptionId $subscriptionId

The following variables are used in the code below:

 $apiVersion = "2015-08-01" $subscriptionId = "" #The ID of your Azure subscription $siteName = "myWebApp" $resGroup = "myResourceGroup" $appServicePlan = "myAppServicePlan" $location = "East US" #Select the appropriate Azure data centre. $hostName = "mywebapp.mydomain.com" $sslThumbprint = "" # Thumbprint of SSL certificate uploaded for use in Azure.

Once the correct mode is selected, the following code will retrieve the current site information. The new SSL information can then be added to the new object, which can be added to the end of the current HostNameSslStates array.

Finally, you can drop it back into Azure using the Set-AzureResource cmdlet.

 # Add SSL binding to custom domain $r = Get-AzureResource -Name $siteName -ResourceGroupName $resGroup -ResourceType Microsoft.Web/sites -ApiVersion $apiVersion -OutputObjectFormat New # Create an object containing the desired new SSL configuration $newSSL = @( @{ "Name" = $hostName; "SslState" = 1; "Thumbprint" = $sslThumbprint; "ToUpdate" = $true; } ) # Create an object which concatenates the existing SSL config with the new config object. $ssl = @{ "HostNameSslStates" = $r.Properties.HostNameSslStates + $newSSL } # Upload the new configuration into the web app. Set-AzureResource -ApiVersion $apiVersion -Name $siteName -ResourceGroupName $resGroup -ResourceType Microsoft.Web/sites -PropertyObject $ssl -OutputObjectFormat New
+4
source share

More articles:


All Articles