I was running my own website on Azure App Service, but to use a custom domain with an SSL binding I had to pick a plan costing **about 7,000 yen a month**, which I could not expect to recoup. I had felt the setup was a bit expensive, then learned that Linux would be somewhat cheaper, so I decided to switch.
| Component | Technology |
|---|---|
| Front end | Vue.js |
| Back end | .NET Core 3.1 (C#) |
| Database | SQL Server |
| CI/CD | Azure DevOps Pipelines |
| SSL certificate | Let's Encrypt |
| Other services used | Blob Storage, SendGrid |
I didn't know whether it would work, but I decided to just try it, so I created an App Service (Linux). Looking through it, the following functions cannot be used on Linux.
No extensions... So do I have to install "Let's Encrypt" manually? I sense trouble ahead. (On the Windows version it could be applied easily with the "Azure Let's Encrypt" extension.)
Since the service was created anyway, I was able to deploy the source, set the configuration, and start it without any problems. The custom domain setup is the same as on Windows, so that too goes through without trouble.
That leaves the last hurdle: obtaining an SSL certificate from Let's Encrypt manually.
Open an SSH session to the App Service (possible from the Azure portal) and run the following commands:

```sh
$ apt-get update
$ apt-get install certbot
```
You should now have Certbot installed.
Use Certbot to issue the certificate. Run the following command in the same SSH session:

```sh
certbot certonly -d <domain> --manual --preferred-challenges dns
```

The `--preferred-challenges dns` part selects the validation method.
This time I chose the **DNS challenge**, which validates by adding a TXT record to the domain for which the certificate is requested. (There are other methods, such as the **HTTP challenge**, which places a file at a specific path on the web server for Let's Encrypt to fetch.)
As the command proceeds you are told to "create a TXT record with this value in DNS", so follow the instructions. The TXT record takes around 5 minutes to propagate after you create it, so confirm it is visible with the following command before continuing:

```sh
# certbot's manual DNS challenge puts the token at _acme-challenge.<domain>, not at the bare domain
nslookup -q=TXT _acme-challenge.[domain]
```

When certbot finishes, the following message is displayed; this means the certificate was issued successfully.
```text
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[domain]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[domain]/privkey.pem
Your cert will expire on <some-date>. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
Bundle the certificate, its private key and the intermediate chain obtained from Let's Encrypt into a PFX (PKCS#12) file, which is the format App Service accepts for uploads.

```sh
$ mkdir /tmp/sandbox -p
$ cd /tmp/sandbox
$ SOURCE=/etc/letsencrypt/live/[domain]
$ sudo cp $SOURCE/{cert.pem,privkey.pem,chain.pem} .
$ sudo chown ope *.pem   # "ope" is the author's shell user; use your own (not needed when already root)
$ openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
```
When you run the final **openssl** command you are asked to set a password; enter one and remember it, because it is required when you register the certificate with App Service.
Download the created PFX file and add an SSL binding for the target domain from the App Service custom domain page. This completes the work! (The PFX and the copied privkey.pem both contain the private key, so delete them from /tmp once the upload is done.)
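The two manual steps above (waiting for the `_acme-challenge` TXT record to propagate, then building and verifying the PFX) as a POSIX shell script. This is an added example, not code from the original post; it assumes certbot's `/etc/letsencrypt/live/<domain>` layout shown above, that the PFX password is supplied through a `PFX_PASSWORD` environment variable (my naming), and that `openssl` and `nslookup` are on the path.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the two manual steps
# (wait for the _acme-challenge TXT record, then build the PFX).
set -eu

# Query the TXT record certbot asked for. The manual DNS-01 challenge puts
# the token at _acme-challenge.<domain>, not at the bare domain.
lookup_txt() {                 # $1 = record name; prints nslookup output
  nslookup -q=TXT "$1" 2>/dev/null || true
}

# Poll until the token certbot printed is visible in DNS (propagation takes
# minutes). $1 = domain, $2 = token, $3 = lookup function (default lookup_txt;
# a stub can be passed for testing), $4 = max attempts, $5 = seconds between tries.
wait_for_txt() {
  local name="_acme-challenge.$1" token="$2" lookup="${3:-lookup_txt}"
  local attempts="${4:-30}" delay="${5:-10}" i=1
  while [ "$i" -le "$attempts" ]; do
    if "$lookup" "$name" | grep -Fq "\"$token\""; then
      return 0
    fi
    i=$((i + 1)); sleep "$delay"
  done
  return 1                     # record never appeared: do not let certbot continue
}

# Bundle cert + key + chain into the PFX App Service accepts. The password is
# read from $PFX_PASSWORD (assumed name) instead of the keyboard, the file is
# created readable only by the current user, and the bundle is opened once to
# verify it. $1 = directory with cert.pem/privkey.pem/chain.pem, $2 = output path.
make_pfx() {
  local src="$1" out="$2"
  : "${PFX_PASSWORD:?set PFX_PASSWORD before calling make_pfx}"
  # Refuse to bundle a private key that does not belong to the certificate.
  [ "$(openssl x509 -in "$src/cert.pem" -pubkey -noout)" = \
    "$(openssl pkey -in "$src/privkey.pem" -pubout)" ] || return 1
  (umask 077 && openssl pkcs12 -export -out "$out" \
     -inkey "$src/privkey.pem" -in "$src/cert.pem" -certfile "$src/chain.pem" \
     -passout env:PFX_PASSWORD)
  openssl pkcs12 -in "$out" -info -noout -passin env:PFX_PASSWORD
}

# Typical use (assumed values), run after certbot prints the token:
#   wait_for_txt example.com "<token>" \
#     && make_pfx /etc/letsencrypt/live/example.com /tmp/sandbox/certificate.pfx
```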
When operating in a company you would want **Application Insights** or analysis tools, but for a small site run by an individual I thought Linux would be fine. I had wondered how .NET Core would fare on a Linux server, but I'm glad it worked normally. (It even felt a little lighter than Windows. Is that just my imagination?)
It was **about 7,000 yen a month** on a Windows server but **about 2,000 yen a month** on a Linux server!! At this rate I think it's fine to spin up a few more servers and build a web service.