Automatic certificate renewal
The problem
Security is a major concern at Enable and as such we utilise the HTTPS communication protocol to encrypt our website traffic between the server and our users to protect our websites against attacks from malicious third parties.
In order to use HTTPS communication, an SSL/TLS certificate must be provisioned from a certificate authority. Historically this has required certificates to be manually purchased and installed for each domain owned by Enable, which had a high financial cost and increased the workload of our team.
Wild card certificates
To reduce the management overhead and costs Enable has utilised wild card certificates (such as *.deal-track.com), these allow HTTPS communication across multiple domains, which reduces the number of certificates that need to be purchased and managed.
Unfortunately, wild card certificates can lead to security problems, as while wildcard certificates are cryptographically no weaker than dedicated certificates, the effective security level is reduced to that of the weakest application or component.
In the unlikely event that a security breach compromised one of Enable's wild card certificates, any application running across that certificate's domains would be vulnerable to eavesdropping and man in the middle attacks.
What is Let's Encrypt?
Let's Encrypt is a free and automated certificate authority provided by the Internet Security Research Group (ISRG), which is a non-profit organization with a mission to create a more secure web by reducing the costs associated with HTTPS communications.
They allow the creation of SSL/TLS certificates at no cost for anyone and provide documentation on how to obtain certificates and automatically renew them once they expire. Enable has utilised several open source NuGet packages to create a solution which monitors the SSL/TLS certificates currently in use in our Microsoft Azure environments and allows us to provision, renew and install SSL/TLS certificates from Let's Encrypt.
Solution overview
What we built
To reduce our usage of wild card certificates while minimizing our running costs and management overhead, Enable has recently developed an automated solution that provisions, installs and renews SSL/TLS certificates using Let's Encrypt. This solution is easy to use with the only input being a toggle indicating whether the URL's certificates should be automatically managed.
Web Applications hosted in Microsoft Azure are contained within Resource Groups and each Web Application can have multiple Fully Qualified Domain Names or FDQN's associated with it, each FDQN has an SSL/TLS certificate that is configured within Microsoft Azure. This structure is replicated within a SQL database that is utilised by several Azure WebJobs that are responsible for the management of SSL/TLS certificates.
How it's structured
Each WebJob consists of a .NET Core console application that is hosted as a triggered Azure WebJob.
- The first WebJob is responsible for resource synchronisation, it ensures that the current state of our Microsoft Azure FDQN's is stored within our database.
- The second WebJob is responsible for monitoring our SSL/TLS certificates, tracking certificate providers and expiry dates.
- The third WebJob is responsible for installing and renewing SSL/TLS certificates as required.
These WebJobs utilise several open source NuGet packages that make working with Let's Encrypt and Microsoft Azure simple and easy.
Data synchronisation from Microsoft Azure
Our resource synchronisation WebJob replicates the structure and models used by Microsoft Azure within a SQL database. It is configured to trigger every day and collect information of the current state of Enables Microsoft Azure environments using the Microsoft.Azure.Management.ResourceManager NuGet package. The WebJob will collect information on any Resource Group, Web Application or Fully Qualified Domain Name that it is permitted to access within Microsoft Azure.
Custom comparison functions are then used to compare this information with the current state of the SQL database and any additions, edits or deletions are replicated on the database. This allows our automated Let's Encrypt solution to work with an up to date picture of our Microsoft Azure resources without requiring any manual effort from the Enable team.
Certificate checking
A certificate checker WebJob is triggered to run periodically, it iterates through a list of FDQN's stored in the database and checks each SSL/TLS certificate. It does this by making a HTTPS Header request to the production website being checked. It then grabs the SSL/TLS certificate from the websites response and stores information about it in the database such as the certificate provider and expiry date.
Let's Encrypt certificates are designed to expire every 90 days but it is recommended that they are renewed every 60 days. This is to increase security by limiting the damage of a compromised key and to encourage automated renewal systems. As the certificates expire frequently it is essential that our automated solution keeps up to date information about the expiry date of each SSL/TLS certificate in use by Enable.
Certificate renewal
Certificate renewal is handled by a final WebJob which collects a list of FDQN's that have been flagged as being managed by our automated solution. This management flag is toggled from an Angular single page application that lists all our resources currently hosted on Microsoft Azure and allows us to enable our automated SSL/TLS certificate solution for any FDQN at any time.
The WebJob then iterates through each managed FDQN and determines whether it's SSL/TLS certificate needs installing or renewing. If the certificate provider is anyone other than Let's Encrypt then the certificate is flagged for installation, if the provider is Let's Encrypt and the certificate is found to be expiring shortly then it is flagged for renewal.
To ensure fair usage of its free platform, Let's Encrypt rate limits certificate installations to 50 installations a week. However, there is no limit on certificate renewals, which means that determining when a certificate needs to be installed and when it can just be renewed is very valuable.
The actual renewal and installation of the certificates is handled by the LetsEncrypt.Azure.Core open source NuGet package. With minimal configuration this package will provision an appropriate certificate or renew an existing certificate from Let's Encrypt and will then handle the installation into Microsoft Azure.
Conclusion
Enable has developed an automated solution for SSL/TLS certificate management that utilises Let's Encrypt and Microsoft Azure WebJobs to monitor our Microsoft Azure Resources and install and renew SSL/TLS certificates as needed with no manual effort required from the Enable team and with no running costs.