Wildcard SSL certs in azure with cloudflare

Wildcard SSL certs in azure with cloudflare

Wildcard SSL Certificates in Azure with Cloudflare: A Complete Guide

Setting up wildcard SSL certificates for your Azure applications can seem daunting, but with Cloudflare’s free services, it becomes surprisingly straightforward. This guide will walk you through the entire process of configuring wildcard SSL certificates for your Azure App Service using Cloudflare.

Why Wildcard SSL + Cloudflare?

Wildcard SSL certificates allow you to secure unlimited subdomains with a single certificate. Combined with Cloudflare’s free tier, you get:

  • Free wildcard SSL for public-facing traffic
  • Free origin certificates for Azure backend
  • Global CDN and DDoS protection
  • Easy certificate management with automatic renewals

Prerequisites

  • An Azure subscription
  • A custom domain name
  • A Cloudflare account (free tier works)
  • An Azure App Service or similar Azure resource

Step 1: Setting Up Your Domain in Cloudflare

1.1 Add Your Domain to Cloudflare

  1. Log into your Cloudflare dashboard
  2. Click “Add a Site”
  3. Enter your domain (e.g., yourdomain.com)
  4. Choose the Free plan
  5. Cloudflare will scan your existing DNS records

1.2 Update Your Domain’s Nameservers

Cloudflare will provide you with two nameservers. Update these at your domain registrar:

example.ns.cloudflare.com
another.ns.cloudflare.com

Wait for DNS propagation (usually 15-30 minutes).

Step 2: Configure DNS Records in Cloudflare

2.1 Create the Wildcard CNAME Record

In your Cloudflare DNS settings:

  1. Type: CNAME
  2. Name: * (this creates the wildcard)
  3. Target: Your Azure App Service URL (e.g., yourapp.azurewebsites.net)
  4. Proxy status: Orange cloud (Proxied) for free SSL

2.2 Add Root Domain Record

Also add a record for your root domain:

  1. Type: CNAME
  2. Name: @ (or your domain name)
  3. Target: Your Azure App Service URL
  4. Proxy status: Orange cloud (Proxied)

Your DNS should look like this:

TypeNameContentProxy Status
CNAME*yourapp.azurewebsites.netProxied
CNAME@yourapp.azurewebsites.netProxied

Step 3: Configure Azure App Service

3.1 Add Custom Domains

In the Azure Portal:

  1. Navigate to your App Service
  2. Go to SettingsCustom domains
  3. Click “Add custom domain”
  4. Add your root domain: yourdomain.com
  5. Add wildcard domain: *.yourdomain.com

Azure will verify domain ownership through the DNS records you created.

3.2 Validate Domain Ownership

For each domain, Azure may require validation:

  • Domain validation: Azure checks your DNS records
  • TXT record method: Add a TXT record if prompted
  • CNAME validation: Your CNAME records should be sufficient

Step 4: Set Up SSL Certificates

4.1 Cloudflare Universal SSL (Front-end)

Cloudflare automatically provides SSL for traffic between users and Cloudflare:

  1. Go to SSL/TLSOverview
  2. Set encryption mode to “Full (strict)”
  3. Cloudflare will automatically issue a wildcard certificate for public traffic

4.2 Cloudflare Origin Certificate (Back-end)

For the connection between Cloudflare and Azure:

  1. Go to SSL/TLSOrigin Server
  2. Click “Create Certificate”
  3. Choose these settings:
    • Key type: RSA (2048-bit)
    • Hostnames: Add yourdomain.com and *.yourdomain.com
    • Certificate validity: 15 years
  4. Click “Create”
  5. Download both the certificate and private key

4.3 Install Origin Certificate in Azure

Method 1: Through Azure Portal

  1. Convert the certificate to PFX format:
    openssl pkcs12 -export -out certificate.pfx \ -inkey private.key -in certificate.pem
  2. In Azure Portal:
    • Go to App ServiceTLS/SSL settings
    • Click Private Key Certificates (.pfx)
    • Upload your PFX file
    • Bind to your custom domains

Method 2: For Container Apps or Custom Deployments

Store certificates in your application and reference them in your web server configuration:

# Nginx configuration example
server {
    listen 443 ssl;
    server_name yourdomain.com *.yourdomain.com;
    
    ssl_certificate /path/to/cloudflare.pem;
    ssl_certificate_key /path/to/cloudflare.key;
    
    # Your application configuration
    location / {
        # Your app configuration
    }
}

Step 5: Configure SSL/TLS Settings

5.1 Cloudflare SSL Settings

In Cloudflare dashboard:

  1. SSL/TLSOverview: Set to “Full (strict)”
  2. SSL/TLSEdge Certificates:
    • Enable “Always Use HTTPS”
    • Set Minimum TLS Version to 1.2
    • Enable “Automatic HTTPS Rewrites”

5.2 Azure App Service SSL Settings

In Azure Portal:

  1. Go to TLS/SSL settings
  2. Set HTTPS Only to “On”
  3. Set Minimum TLS Version to 1.2
  4. Bind your certificates to the custom domains

Step 6: Testing Your Setup

6.1 Test Wildcard Functionality

Test various subdomains to ensure they work:

# These should all work with SSL
curl -I https://yourdomain.com
curl -I https://api.yourdomain.com
curl -I https://app.yourdomain.com
curl -I https://staging.yourdomain.com

6.2 Verify SSL Configuration

Use SSL testing tools:

  • SSL Labs: https://www.ssllabs.com/ssltest/
  • Cloudflare SSL checker: Built into the dashboard
  • Browser inspection: Check certificate details in browser

Troubleshooting Common Issues

Issue 1: “Flexible SSL” Redirect Loops

Problem: Infinite redirects between HTTP and HTTPS Solution: Change Cloudflare SSL mode from “Flexible” to “Full (strict)”

Issue 2: Certificate Mismatch

Problem: Browser shows certificate warnings Solution: Ensure origin certificate includes both root and wildcard domains

Issue 3: Azure Domain Validation Fails

Problem: Azure can’t validate custom domain Solution:

  • Wait for DNS propagation (up to 48 hours)
  • Temporarily set Cloudflare DNS to “DNS only” (gray cloud)
  • Add TXT record if required by Azure

Issue 4: Mixed Content Warnings

Problem: Some resources load over HTTP Solution: Enable “Automatic HTTPS Rewrites” in Cloudflare

Environment-Specific Configuration

Production vs Staging

For multiple environments, you can use different subdomains:

# Production
app.yourdomain.com → production-app.azurewebsites.net

# Staging  
staging.yourdomain.com → staging-app.azurewebsites.net

Create separate CNAME records for each environment while still using the same wildcard SSL certificate.

Security Best Practices

  1. Use Full (strict) SSL mode in Cloudflare
  2. Enable HSTS in both Cloudflare and Azure
  3. Set minimum TLS version to 1.2 or higher
  4. Regularly rotate origin certificates (though they’re valid for 15 years)
  5. Monitor certificate expiration in Azure

Cost Analysis

This setup is remarkably cost-effective:

  • Cloudflare Free Plan: $0/month
  • SSL certificates: Free from Cloudflare
  • Azure App Service: Standard pricing (no additional SSL costs)
  • Custom domains: Free with Azure App Service

Conclusion

Setting up wildcard SSL certificates with Cloudflare and Azure provides a robust, cost-effective solution for securing all your subdomains. The combination of Cloudflare’s free Universal SSL and Origin Certificates with Azure’s custom domain support creates a professional, scalable infrastructure.

This setup gives you:

  • ✅ Free wildcard SSL for unlimited subdomains
  • ✅ Global CDN and DDoS protection from Cloudflare
  • ✅ End-to-end encryption
  • ✅ Easy certificate management
  • ✅ High availability and performance

The initial setup might seem complex, but once configured, it requires minimal maintenance and provides enterprise-grade SSL security for a fraction of the traditional cost.

Next Steps

  • Consider enabling Cloudflare Pro for additional features like image optimization
  • Set up Azure Application Insights for monitoring
  • Configure custom error pages in Cloudflare
  • Implement WAF rules for additional security
  • Set up automated deployments with proper SSL binding

Happy deploying! 🚀

Leave a Reply