Secure a Web Server on an Azure Virtual Machine with SSL Certificates
To secure web servers, an SSL certificate can be used to encrypt web traffic. It’s easy to create self-signed certificates as I’ve mentioned in the “Creating an HTTPS Server with Node.js using a Self-Signed Certificate” post, but browsers and most client libraries don’t trust them. So in this post, we’re going to talk about:
- Problems with self-signed certificates
- How to obtain an SSL certificate signed by public certificate authorities (CAs) for an Azure Virtual Machine (VM)
Problems with self-signed certificates
Let’s have a look at the following examples to understand why GlobalSign has warned us about the dangers of self-signed certificates.
Example 1: You’re hosting a website and your users use Chrome to access it. They’ll encounter the warning below:
You can ignore the warning and proceed further but it’s not a good user experience. On public sites this type of security warning may drive away potential clients for fear that the website does not secure their credentials.
Example 2: You’re hosting a web service and your Node.js app needs to access it. As soon as it hits the web service’s endpoint, the following error occurs:
That’s because Node.js rejects certificates it cannot verify against a trusted CA by default, and a self-signed certificate never chains to one. If you do a quick search for the error, many suggestions tell you to set process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0".
This should never be done in a production environment: it turns off certificate verification for every TLS connection in the process, so any certificate, including one presented by an attacker sitting between your app and the service, is accepted and your system becomes insecure.
In the next section, you will learn about how to obtain an SSL certificate from trusted certificate authorities (CAs).
Obtain an SSL certificate from CAs
When purchasing an SSL certificate, you must own a domain name so that the CA can verify that you control it. For example, GoDaddy uses an HTML page or a DNS record to verify that you control the domain for which you’re requesting the certificate.
Since your web server runs on a virtual machine with a static public IP address, you need to purchase a domain name and point it at that address. In Azure this can be done using App Service Domain and App Service Certificate.
Purchasing a domain name
This step assumes that you don’t have any domain name.
In the Azure portal, search for App Service Domain and click the Create App Service domain button:
Choose an available domain name, fill in the Contact information and click the Create button:
Note: Azure App Service Domains resell domains via GoDaddy.
Assigning App Service Domain to Azure VM
First, go to your VM and note its Public IP address:
Then go back to your domain and open the DNS zone setting:
Click Add a record set, add an A record and enter your VM’s IP address:
Purchasing an SSL certificate
In the Azure portal, search for App Service Certificate and click the Create button:
Fill in all required info. In the Naked Domain Host Name text box, enter exactly the domain name that you purchased in the previous step:
After the certificate is created, the certificate needs to be configured in 3 steps.
Step 1 (Store): in this step, you need to have a Key Vault so that you can store certificates securely.
Step 2 (Verify): you need to verify that you own the domain name. To do this, select the Manual validation method, which uses a DNS TXT record.
Step 3 (Assign): this will tell you when your certificate has been issued successfully and is ready to use.
If you’re curious about how to read that certificate from Key Vault using Azure SDK for NodeJS, check my other blog post about “Creating an HTTPS Server with Node.js using a Self-Signed Certificate”.
Exporting an App Service Certificate (optional)
Open your App Service Certificate in the Azure portal, select Export Certificate and then Open Key Vault Secret:
Select the current version of the certificate, set the content type to application/x-pem-file, click Save and then Download as a certificate:
The exported PEM file can be used to create an HTTPS server in Node.js as shown below:
Conclusion
Overall, it may seem complicated to obtain an SSL certificate from a trusted certificate authority, but it’s the right way to do it and will benefit you in the long term. I hope you’ve found this blog post helpful, and feel free to leave any comment.