Recently I created lots of SharePoint provider-hosted apps for several customers. Most of them were very simple apps that register a remote event receiver or send emails, but a few were complex business apps that used the integration options for SharePoint yet stood almost separately as websites running on Azure. The first apps we created had the name <app>.azurewebsites.net, and to some customers that looked so odd that they opened tickets and asked for confirmation that the apps were legit. That makes perfect sense, because anybody could create a website and call it superlegitcustomerapp.azurewebsites.net, right? So in this blog post I will show you how to run an app on a custom domain with a free SSL certificate.
For this article I assume that you have your SharePoint app up and running on Azure and that you have a domain to use.

Register the custom domain on Azure
3 easy steps to register a new hostname
First things first: tell the Azure website that it will have a new hostname to respond to. To do so, go to the Azure portal, open your website and click on “custom domain”. Then add the domain or subdomain that should be the new entry point of your app. Once you have done that, you need to validate the website by adding a TXT record to your nameserver with the value * mapped to <app>.azurewebsites.net; the full guide is here.
domain validation via nameserver entry. The @ symbol was not allowed, but with * it worked.
After the validation was successful, it should look like this:
new entry was added successfully
For the custom domain you need at least a shared instance tier for your Azure website.

New name new problems
OK, now we have set up the new hostname and can open the site with it, but that creates some problems:
1. The app registration (/_layouts/15/appregnew.aspx) needs to be updated
2. The app manifest and the app point to the old site
3. There is no SSL certificate for the new name
1 & 2 are easily solvable: open the app in Visual Studio, change the app domain, upload it to the app store, trust it and re-add it to your sites. But if you open the new app, you will either be redirected to http:// and have all your traffic sent over an unencrypted connection, or be sent to https:// and greeted by a security warning in your browser, because there is no SSL certificate present for your new domain.

Free SSL certificate
In the past I heavily used free SSL certificates from StartCom because they were trusted in all browsers and were free for 1 year, but they recently lost trust in Google Chrome and Firefox, so that is no longer an option. Not using an SSL certificate is no option at all: business apps need security and trust. Therefore I needed another option, preferably free, so there are no long discussions with customers, CSRs and all that to request a certificate for your needs. I want easy.

Let’s Encrypt to the rescue
There is a really great organization that provides free SSL certificates, Let’s Encrypt, and I use them for this blog with ease, too. So why not use them for my Azure websites? Let’s Encrypt certificates only last 3 months and should be renewed automatically (way better than certificates that last 1 year and have to be renewed manually …), so there should be some sort of integration right into Azure websites for that, and there is! Thanks to the awesome work of Simon J.K. Pedersen there is an Azure Website Extension for Let’s Encrypt.
The installation was really straightforward for me and is well documented here. I added the extension (choose the correct version for 32 or 64 bit!), registered a new service principal and gave it contribute permissions, opened the extension site https://<app>.scm.azurewebsites.net/letsencrypt/ and entered all the required values:
Once you save it, the magic happens: two webjobs will be registered that request a new certificate, register it and, two weeks before expiry, renew it automatically for you. Awesomesauce!
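A check one could schedule to confirm that the automatic renewal described above is actually happening. This is an added example, not part of the original post or of the extension; the 14-day window comes from the post, while the hostname app.example.com and the sample certificate are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 14  # the post says the webjobs renew two weeks before expiry


def fetch_cert(hostname, port=443, timeout=10):
    """TLS handshake with chain and hostname verification; returns the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def renewal_status(cert, hostname, now=None):
    """Classify a certificate dict in the shape returned by getpeercert()."""
    now = now or datetime.now(timezone.utc)
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    host = hostname.lower()
    wildcard = "*." + host.split(".", 1)[-1]
    if host not in names and wildcard not in names:
        return "name-mismatch"  # certificate was issued for a different hostname
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return "expired"
    if days_left < RENEWAL_WINDOW_DAYS:
        return "renewal-overdue"  # the renewal job should already have replaced it
    return "ok"


# Constructed sample certificate (not taken from a real site).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "app.example.com"),),
    "notAfter": "Jun 23 12:00:00 2017 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python check_cert.py <your custom domain>
        print(sys.argv[1], renewal_status(fetch_cert(sys.argv[1]), sys.argv[1]))
    else:                  # offline check against the constructed sample
        sample_now = datetime(2017, 6, 15, tzinfo=timezone.utc)
        print(renewal_status(SAMPLE_CERT, "app.example.com", sample_now))
```

A result of renewal-overdue means the certificate is still valid but inside the two-week window, so the webjobs and the service principal's permissions are the first things to look at.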
For the custom SSL certificate you need at least a basic app service plan.

Summary
So once you have done all that, you will have a nice domain for your app, giving your users trust and an easy-to-recall entry point to your business application, and all that is free with zero maintenance. And all your browsers love it, too:
trusted in Google Chrome
trusted in IE11
So if you create a new app, register the domain first, follow the guide above and you are good to go the secure way: customer happy, developer happy, security guy happy!
Max Melcher
Maximilian Melcher (MCSE, MCPD) is a Principal Consultant working at Alegri International Services in Munich, Germany. Max is a specialist in SharePoint technologies focused on search, social computing, web content management and collaboration. Max has led SharePoint implementations for Dax 30 companies since 2009.
SharePoint App, Custom Domain and free SSL certificate - March 25, 2017