Setting Up Let’s Encrypt on an Azure App Service

Once I had my blog ported over to WordPress running as an Azure App Service, I knew I needed to figure out how to secure my site, both because I wouldn’t want to be logging into it, randomized unique password or not, and because I wanted to be a good web citizen and secure all the things.

I saw that my pal Jeramiah had used Let’s Encrypt to secure his site, so I did some Googling, and asked him if he’d used the Azure extension I’d seen mentioned in a few blog posts, and he confirmed he had.

I read a few guides on getting it done, and while I had a few issues along the way, I finally got everything working. In an effort to save people from the starting and stopping and Googling that I had to go through while working through it, I decided to document the entire process from start to finish on a fresh blog.

You’re going to need an Azure Storage Account

Once you’re logged into the Azure portal, look for Storage accounts on the left-hand menu.

Azure Storage Account 1

As you can see here, I have no storage accounts. Click Create storage account.

Azure Storage Account 2

You’ll need to fill out and select some options here. I like to name every account or aspect of an App Service based on the overall name of the App Service, so I went with geekfoodblog.

I left Resource Manager as the default, selected general purpose v1, located in East US, and selected Geo-redundant storage (GRS). That may be overkill for my needs, but based on the storage costs for this blog last month and the amount of MSDN credit I have, it’s moot.

I believe Secure transfer required was Disabled by default, and I left it that way. If you have more than one subscription, you can select that here.

I did choose to drop it into the existing geekfoodblog Resource Group, since I had already deployed WordPress as an App Service before setting up Let’s Encrypt.

I did not choose to configure virtual networks, nor did I pin this account to my dashboard, and with that, I clicked Create.

Azure Storage Account 3

Click on Access keys and copy your primary Connection String into a secure note somewhere for later use.

Azure Storage Account 4

Now you need a Service Account (or App Registration)

You may see this referred to elsewhere as a Service Principal. Azure calls it an App Registration. So click on Azure Active Directory, then App registrations, and then New application registration.

Azure Service Principal 1

You can see how I named mine. You’ll make use of auto-complete later, so using a few memorable letters as a prefix helps.

Also, as noted below, the Sign-on URL doesn’t matter in the sense that it doesn’t have to be something you own or are working with, but it does have to be something that is recognized as a legitimate URL.

Azure Service Principal 2

Now you’ll need to create a client secret or key. Click Settings, then Keys.

Azure Service Principal 3

Give your key a description – I used letsencrypt, and I selected Never expires as the duration. That’s probably terrible, but it’s a huge key, so sue me.

When you click Save, you will be warned to copy the key value, as you won’t be able to retrieve it later. Stick that in the same secure note with your Storage Account connection string from above.

Azure Service Principal 4

You’ll also want to copy and paste the Client ID of your Service Account / App Registration.

As you can see below, and as you’ll notice in the screenshot I saved with the Client ID error I left in, the Client ID is not what you named the App Registration, but rather the Application ID.

You can copy and paste this into your secure note, or you can go grab it later as I did.

App Registration App-Client ID

Time to assign permissions for your Resource Group to your Service Account

Now you need to make sure your Service Account has permissions to your Resource Group, in particular so it can access the Storage Account you created above.

Click on Resource groups, then on the Resource Group of which your Storage Account is a member.

Azure Service Principal 5

Click on Access control (IAM), then click Add. For Role, select Contributor.

Start entering the name of your Service Account in the Select field, and select it, then click Save.

Azure Service Principal 6

Azure Service Principal 7

Now let’s install the Let’s Encrypt Extension

But first, so you can avoid an issue I noticed when I first set this up, let’s ensure your App Service is configured to always be on.

Click on App Services, then click on your App Service.

Azure Extension 1

Now click on Application Settings, and scroll down to Always On and make sure it is set to On.

Mine was not for some reason, and I noticed an error at one point.

Azure Extension 2

Now click on Extensions, then Add.

Azure Extension 3

Look for Azure Let’s Encrypt by SJKP. Click on it, then OK to accept legal terms, then OK again.

Azure Extension 4

Before proceeding, to help you avoid an issue I’ll show with a screenshot later, go ahead and restart your App Service.

Scroll up to click Overview, then click Restart. Then scroll back to and click Extensions.

Restart Service

Click on Azure Let’s Encrypt, then click Browse.

Azure Extension 5

Azure Extension 6

If you didn’t restart your App Service, you might get this error below.

Azure Extension 7

Now fill out the Let’s Encrypt Authentication Settings

First you’ll enter your Tenant URL, which will be unique to your Azure tenant.

You’ll then add your Azure SubscriptionID – also unique to you.

Next, for ClientID, you’ll enter the Application ID of the Service Account / App Registration you created above. Did you copy and paste that into your secure note? If not, you can find it under Azure Active Directory > App Registrations > Name of your Service Account.

For ClientSecret, enter the Secret / Key from your Service Account / App Registration.

Enter your ResourceGroupName and ServicePlanResourceGroupName – which for me are the same thing.

Be sure to check Update Application Settings, as this is required for the web job that will renew the certificate later.

Azure Extension 8

At this point, assuming you already have your hostnames configured, you should see something similar to what I did below. So click Next.

Azure Extension 9

Azure Extension 10

Select the hostname, enter your email address, and click Request and Install certificate. 

I’d already done this once before, so I was fairly sure it would work, so I didn’t bother checking the UseStaging box.

Azure Extension 11

Now you’ll need to add the SSL binding to your Azure-hosted domain. So go to App Services > Your App Service > Custom Domains.

While you’re here, if you haven’t already done it, switch HTTPS Only to On.

Scroll down and click Add binding next to your domain.

Azure Extension 12

Select your custom domain under Hostname. Select the new SSL certificate under Certificate. Click Add Binding.

Azure Extension 13

Time for some Azure WebJobs goodness

If you stopped right now, your site would be secured until the Let’s Encrypt SSL certificate expired in 3 months. Let’s ensure that doesn’t happen by connecting your Let’s Encrypt WebJob to the Azure Storage Account you created above.

Go to App Services > Your App Service > Application Settings.

Scroll down to Connection Strings and create AzureWebJobsDashboard and AzureWebJobsStorage.

Both of these should have a value of, you guessed it, the Connection String you copied from your Azure Storage Account above.

Azure Extension 14

You can confirm your WebJob is running by going to App Services > Your App Service > WebJobs.

Azure Extension 15

And once you’ve done all this, fire up your web browser, go to your custom domain, and check out your shiny new Let’s Encrypt SSL certificate.

Azure Extension 16
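Once the binding is in place, the check the browser does can be scripted and run on a schedule, so a stalled renewal WebJob is noticed well before the 3-month certificate lapses. The following Python script is an added example, not part of the original post or of the SJKP extension: it opens a verified TLS connection to the custom domain, reads the peer certificate, and reports whether the hostname is covered by the certificate, whether the issuer is Let’s Encrypt, and how many days remain. The host name blog.example.com, the 30-day warning threshold, the sample certificate dictionary and the reference timestamps are all constructed for the demo; the dictionary mirrors the shape Python’s ssl.SSLSocket.getpeercert() returns.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed warning threshold: Let's Encrypt certificates last about 90 days,
# so fewer than 30 days remaining means the renewal job has not done its work.
WARN_DAYS = 30


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Connect with full chain and hostname verification and return the
    peer certificate as the dict ssl.SSLSocket.getpeercert() produces."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _flatten(rdn_sequence):
    """subject/issuer arrive as a tuple of RDNs, each a tuple of
    (attribute, value) pairs; collapse them into one dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def summarize_cert(cert):
    """Pull out the fields the check needs; notAfter is parsed as UTC."""
    return {
        "subject_cn": _flatten(cert.get("subject", ())).get("commonName"),
        "issuer_org": _flatten(cert.get("issuer", ())).get("organizationName"),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z"),
    }


def days_until_expiry(cert, now):
    """Whole days left on the certificate relative to `now` (naive UTC)."""
    return (summarize_cert(cert)["not_after"] - now).days


def check_cert(cert, hostname, now, warn_days=WARN_DAYS):
    """Return (ok, findings): ok is True only when every check passes."""
    info = summarize_cert(cert)
    findings = []
    if hostname not in info["sans"]:
        findings.append(f"{hostname} is not in the SANs {info['sans']}")
    if info["issuer_org"] != "Let's Encrypt":
        findings.append(f"issuer is {info['issuer_org']!r}, not Let's Encrypt")
    remaining = (info["not_after"] - now).days
    if remaining < 0:
        findings.append(f"certificate expired {-remaining} days ago")
    elif remaining < warn_days:
        findings.append(
            f"certificate expires in {remaining} days; check the renewal WebJob")
    return (not findings, findings)


# Constructed sample mirroring getpeercert() output for a Let's Encrypt cert
SAMPLE_HOST = "blog.example.com"
SAMPLE_CERT = {
    "subject": ((("commonName", SAMPLE_HOST),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "notBefore": "Sep  1 12:00:00 2018 GMT",
    "notAfter": "Nov 30 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", SAMPLE_HOST),),
}
# Constructed reference instants: 60 days left, 15 days left, 5 days past
NOW_HEALTHY = datetime(2018, 10, 1, 12, 0, 0)
NOW_RENEW_DUE = datetime(2018, 11, 15, 12, 0, 0)
NOW_EXPIRED = datetime(2018, 12, 5, 12, 0, 0)


def main(argv):
    if len(argv) > 1:  # live check: python check_cert.py blog.example.com
        host = argv[1]
        cert = fetch_peer_cert(host)
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    else:              # offline demo against the constructed sample
        host, cert, now = SAMPLE_HOST, SAMPLE_CERT, NOW_RENEW_DUE
    ok, findings = check_cert(cert, host, now)
    print(f"{host}: {'OK' if ok else 'ATTENTION'}")
    for line in findings:
        print("  -", line)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the offline demo flag a certificate 15 days from expiry; pass your custom domain as the only argument to check the live site. Because ssl.create_default_context() verifies the chain and the hostname, a broken binding or a self-signed fallback certificate fails the connection outright rather than slipping through as a green result.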

WordPress as an App Service on Azure

I’ve blogged on the WordPress platform for years, starting way, way back when I had what I thought of at the time as a shell account at Pair Networks. Since then I’ve installed and run WordPress on other web-hosting accounts, as well as on virtual private servers and, for a short period of time, even on a spare Linux box under the desk in my office. I’ve spent most of my career doing Windows system administration and a goodly bit of it using a Mac as my primary desktop/laptop computer, but I learned just enough Linux to install and keep Apache, PHP, MySQL, and WordPress running. At some point I grew tired of caring and feeding for WordPress itself, so I just imported my blogs into WordPress.com, paid for domain mapping and their “no ads” service, and let the folks at Automattic worry about it.

Will This Be Hard? No.

My first thought about running WordPress on Azure was that I would rather not go back to managing WordPress the old fashioned way involving managing the entire stack from the OS (Linux or Windows) on up. Turns out, as Jeramiah alluded to in his recent post, I don’t have to. There’s certainly more opportunity (and need, especially since I wanted to make my Azure-hosted blog secure) to fiddle with nerd knobs running an Azure App Service, but when it comes to getting WordPress up and running, it took about the same amount of time on Azure as it did at WordPress.com. Want to see how easy it was? Let’s build another one together.

1. Log into the Azure Portal and click on App Services, then click Add.

0718 Azure Add App Service

2. You may be tempted to select one of the WordPress options you see right away. Resist that urge, unless of course you want to run WordPress on Linux or something else.

0718 Azure App Service Search

3. Instead, type WordPress into the search and hit enter. Select just plain WordPress as shown below, then click Create.

0718 Azure Just Plain WordPress

4. This next step is important for a few reasons. First, whatever App name you choose here will become your hostname in the domain azurewebsites.net. Second, you will choose whether to create a new resource group or (if you have one), use an existing one. Most importantly, and it may not be obvious at this step (it wasn’t to me), you’re choosing whether you want to run and pay for a separate database service to run MySQL. I went that route at first, but after conferring with Jeramiah, I decided I’d rather save the money/credit and just run MySQL inside the App Service plan. I’ve included the disclaimer Azure shows you below as well.

Azure App Service Options

0718 Azure DB Disclaimer

5. Click Create. I chose to pin my new App Service to my dashboard.

So five steps (maybe a couple more total clicks) to deploy. It takes Azure a minute or two to deploy the new App Service, and once it’s finished, it is fully live, as shown here:

Azure WordPress Setup

And just a minute or two after filling out the basic info for the WordPress Setup, I had a working install up and running, and even prompting me to update to the latest version.

Azure New WordPress

Back in the Azure Portal, I was presented with a nice data-rich view of my new App Service, along with lots of options, some of which I’ll go into when I detail how I used Let’s Encrypt to secure my new Azure blog.

Azure App Service Dashboard


And once I finished taking the screenshots I needed for this post, deleting the App Service was just as easy as creating it. Just click Delete, confirm by typing the App Service name, and click Delete again.


Azure Delete App Service

So Why Do This?

That’s a fair question. As I mentioned in my previous post, this blog was being neglected over at WordPress.com, but I could have simply fired up MarsEdit and kept posting to it there. But I want to learn more about Microsoft Azure, maybe get outside my comfort zone a little bit, and I figure one way to encourage me to do that is to port this blog over and set myself a challenge to document the experience. So that’s what I’m doing.

If I didn’t have an MSDN subscription with a monthly Azure credit, would I pay to host my blog here full time? I don’t know – maybe, maybe not. But I do, so I am. I figure hosting my blog is the least interesting thing I can do in Azure, but it’s a start.

If you have suggestions for other stuff I can try in Azure, let me know via Twitter, where I’m @mikestanley.


Climbing Back into the Saddle

I love to write. Heck, my email address at work is poet@nospamplz.edu. And yet, somehow, I haven’t written a single blog post for more than a year and a half. The reasons why don’t matter. What does matter is that I’m tired of not writing, and I recently received what was almost certainly an unintentional kick in the behind from my buddy Jeramiah Dooley. Jeramiah published a post entitled “Who Needs Some Lab Gear” on his blog. I was intrigued that Jeramiah, a guy I met when my former employer was considering the vBlock, had started a new job at Microsoft in the Azure engineering group, and was divesting himself of a ton of “home” lab gear and moving his blog over to Azure.

That got me to thinking. I don’t really have a ton of lab gear… in fact, what little I do have, shown here, hasn’t been powered on since we bought our current house 13 months ago, so I should probably get rid of it as well.

Home Lab

What I do have, however, is an MSDN subscription with a healthy monthly Azure credit. I’d played with Azure a bit over the years, spinning up a virtual machine for a few hours until I did the math and realized I couldn’t keep it running all month, but that’s about it. I’ve been using it to test Microsoft Intune for a project at work recently, but when Jeramiah mentioned he “moved everything over to an Azure App Service, so no need for servers at all,” my curiosity was piqued, and I figured I could at least try to do the same thing.

Azure’s Pretty Cool, and Easy to Work With

I’ll detail this in another post, but it turns out, getting something up and running in Azure is crazy easy. I even messed up a few times, selected the wrong option without considering the consequences, but that wasn’t a big deal – I just deleted the App Service and started over. Once I decided what I wanted, it took me far less time to get the basic service up and running than it did for me to decide which photo I wanted to use as the header image for this blog. Here’s my current Azure dashboard:

Azure Dashboard

Since this was a learning experience for me, my next post will detail the process of getting a blog (on WordPress, in my case) up and running in Azure. For now, here’s a meme:

Blogging Azure Style

An Unplanned Break from Blogging

So this will be even shorter than the one I’d spent a painful half hour typing before Squarespace decided to eat the post.

I completely failed in my commitment to keep up with and successfully complete the #vDM30in30 blog challenge. 

I did that for two primary reasons:

  1. We decided we needed a new, larger vehicle in November. As is normal for me, I obsessively researched the purchase. We settled on a Kia Sorento and bought it the Saturday after Thanksgiving. Most of the spare time I had in November was spent doing car research, and nearly all of that on my iPhone 6S Plus because of reason 2.
  2. In late October I developed carpal tunnel syndrome. I’m still dealing with it now, having seen my primary doctor and am currently waiting to see a specialist. 

I typed up a good bit of info about my experience so far in the post Squarespace ate (and that I, admittedly failed to save – won’t make that mistake again) so I’ll just post a pic and a few links to what I’m trying right now.

This is me with the 2 trackballs I’m using with my right hand these days. Not pictured is the one I also use with my left hand.

I’m using the Kensington Orbit with my left hand when I feel like I need to give my right hand a break. It’s cheap and not the best feel/quality, but I had it in a box at home and it’s good enough, for now anyway, for my off hand.

For my left hand, I am alternating between the Logitech M570 for precision work and the Kensington SlimBlade for general use. I bought the Logitech right away when I started hurting because I didn’t want to wait on the purchase process at work, and I figured I would need one at home anyway. I’m currently borrowing the Kensington Slimblade from my boss for a few days because, as the most expensive of the three, I want to make sure it will do well by me before asking him to drop nearly $100 on it.

I’m also going to borrow an Evoluent vertical mouse from a colleague this week. I’ve heard good things about vertical mice. I have tried and will be returning an Anker vertical mouse. It’s too small for my hand and gets fairly crummy wireless reception.

More to come as I figure all this out

I’m planning to post more about this as the pain allows and as my experience with it grows. I’m going to try to experiment with blogging via dictation either via my Mac or iPhone. While I anticipate needing to do some layout and image adding by hand, just being able to save typing most of these words would have been very nice.

iPad Pro – Not For Me

I may end up regretting this, since some folks in my life revel in reminding me when I declare I’m not going to buy [name of Apple product] that I often later do purchase it, but I just don’t see the iPad Pro in my near future, and maybe ever.

That’s a screenshot of our university Apple Store pricing for the iPad Pro and accessories. As an aside, I think it’s hilarious that Apple knocks $50 off the price of a MacBook Air, but only $20 off the price of an iPad Pro, even though they basically cost the same amount of money.

There’s no way I would buy an iPad without AppleCare+, especially having endured the pain of dealing with a shattered screen on an iPad 4 without accidental damage coverage. So the least I could spend on an iPad Pro would be $1028 plus tax. Since I can’t see the point of going with something as large as the iPad without getting the accessories to make full use of it, at a minimum I’d need to add the Smart Keyboard for an extra $169, bringing the minimum to $1197. 

I can’t draw, but I do like to write notes and sometimes doodle, so that’s another $99, bringing the pre-tax total to $1296. And since the state of TN isn’t going to give it to me tax free (outside of tax-free weekend, but that was back in August), my real out-the-door total price would be $1,415.88.

If that makes sense to you for your use case, I am very happy for you. For me, if I’m going to spend $1400+ on a device, I’m going to need it to do more than an iPad currently can do for me. I own a 13″ MacBook Pro with Retina Display and love it, and I didn’t pay too much more for it than I would this iPad Pro.

I’m not sure who the iPad Pro is really for – artists maybe, or maybe folks who can live fully on an iPad but would like a bigger screen than the iPad Air 2 offers. Even though it isn’t for me, I’m sure it will appeal to a lot of people, and I wish them well.

New Blog, New Platform, New Challenge

I’ve wanted to reboot my blog for a while now and the timing for the #vDM30in30 challenge couldn’t be better. I participated last year and had a great, if somewhat stressful time completing the challenge, so why not add some spice to the holiday season this year, right?

Just like last year, I’ll be distributing my writing across (at least) two blogs – this one and my food blog, Geek Food Critic. I’ll keep the food stuff there and everything else here.

Topics I have in mind right now for either blog:

  1. My review of the new Apple TV
  2. My experience as a new Giganto Phone User (iPhone 6S Plus)
  3. A truly terrible experience at the Apple Store
  4. Thoughts on Dell World 2015
  5. Upgrading SCCM 2012R2 to the latest Cumulative Update
  6. A review of The Salt Lick, a BBQ restaurant
  7. A look back at our first year using Zoom video conferencing service

I’m sure there will be more, especially once I look at the backlog of food and tech posts I’ve meant to write for a while.

So why the blog reboot?

Good question. I started Single Malt Cloud in June of 2011 because I wanted to document a large VDI project I was spearheading and also (I thought) our university’s “journey to the cloud” – whatever the heck I thought that really meant at the time. I enjoyed writing about VDI and related technologies for quite a while, but I’m not working directly in that arena anymore. Over time I branched out and wrote about other topics, including consumer technology, IT conferences, my favorite podcasts – you name it. But it always seemed a little odd to be writing about that stuff on that blog.

The other reason is I was recently asked by a colleague what my blog name meant, and why it was named “Single Malt Cloud” and I realized two very important things:

  1. There was no reason for him or anyone else to “get” the little play on words I thought was so clever when I registered that domain name late one night, and explaining it stopped being fun a long time ago.
  2. I’m a father now, and while I am far from a prude, if I’m still blogging when my 3 year old son is old enough to read something his dad writes on the web … well, I’d rather it be under my name (or as close as possible given domain-squatting jerks), not a blog with a type of whiskey in the name.

I’m not sure what I’m going to do with the content over at SMC. I’m paid up through WordPress.com for a year, and it all lives at a free blog underneath the domain redirect anyway. I may leave all or most of the content there, or I may selectively pull some posts over here for continuity’s sake.

I’m trying out Squarespace for real this time. I’ve done a 30 day trial before and wasn’t pleased with the way mass imports from WordPress worked and I also didn’t like the idea of having to pay for an account for every domain on which I might want to host a blog, instead of just directing a domain to a subfolder on one account. That doesn’t bother me so much anymore, because as the father of a 3 year old I don’t have enough time to actively write for more than 1 or 2 blogs anyway. I’ve also played with podcasting a bit over the last year, and I like what my Twitter pal Keith Townsend has done with his CTO Chat podcast at Squarespace.

So that’s why I’m rebooting the blog, why I’m building it here, and what I’m doing for the first 30 (now 28) days. Wish me luck!


This is post #1 in the 2015 #vDM30in30 Blog Challenge