Azure Container Apps (ACA) with Cloudflare Origin Server Certificates

I recently deployed a containerised application to Azure Container Apps and decided that I was going to use Cloudflare as a proxy for the application (as I do for most of my services).

As I wanted the connection between Azure Container Apps and the Cloudflare edge to be over HTTPS, I decided to use a Cloudflare Origin Server certificate to facilitate this. In this post I will cover the steps needed to make the Cloudflare Origin Server certificate available in Azure Container Apps and the issues I encountered.

I originally followed a blog post describing how to use Azure Container Apps with Cloudflare, but I encountered the following error message when trying to add the certificate in Azure Container Apps.

“Failed to add new private key certificate: [certificate name]. The certificate [certificate name] is invalid or password is incorrect.”

After a while of searching, I eventually came across this GitHub issue which provided potential solutions. To use a Cloudflare Origin Server certificate with an Azure Container App you can follow the steps below.

Prerequisites

For the purposes of this blog post, I will assume that you have:

  • A Cloudflare account with your website set up.
  • A deployed Azure Container App.
  • A domain/subdomain you can amend DNS records for.

I will use the Azure Container Apps quick start image and make it available on custom domain test.example.com.

Generate a Cloudflare Origin Server Certificate

The first step is to generate the certificate that we will use to secure the communication between the Azure Container App and the Cloudflare edge network. We can do this with the following steps in the Cloudflare account.

  1. Select the SSL/TLS menu.
  2. Select Origin Server menu item.
  3. Select the Create Certificate button.
  4. You can use the default settings, so select the Create button.
  5. Create a new file named cloudflare-cert.pem.
  6. Leave the PEM key format selected and copy your Origin Certificate and paste it into the cloudflare-cert.pem file.
  7. Copy your Private Key and paste this directly below your Origin Certificate.
  8. Save the cloudflare-cert.pem file.

Your cloudflare-cert.pem file should look similar to the example below.

-----BEGIN CERTIFICATE-----
MIIEpjCCA46gAwIBAgIUVCU/0LiDqdEfAlIEpj2g++31pSkwDQYJKoZIhvcNAQEL
...[REDACTED FOR BREVITY]...
7r1Qqe5MLvlaWqM+0f+LIXuvrSrWEgUvexGrZ2hQ2SD+cR/dxDbnu3eCkOdUzOwX
BH8hmYpo2qzG+LvxeSZ2orL4U7uVghTzWd4z69sxOJ7GWG+Dn0fy28zC
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4mHoRwLhvCKuh
...[REDACTED FOR BREVITY]...
RC9hQYCGMAnD00vxwtWkvbWO4tq+ly7dhwx/XubTv34hIk3OnZ7AuDz+oNbhvNWP
kd04izyyAjcDgWRCK3506MQwDw==
-----END PRIVATE KEY-----
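As an added check that is not part of the original post: the Python script below parses a cloudflare-cert.pem bundle and reports whether it has the layout the steps above produce (a certificate block on top, an unencrypted private key block below it, valid base64 in both). The sample bundle is constructed with dummy base64 bodies rather than a real certificate or key, and the function names and the encrypted-key check are my own assumptions, not anything Azure or Cloudflare document.

```python
import base64
import binascii
import re

# One regex for every "-----BEGIN X----- ... -----END X-----" block in the file.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")

# Constructed sample bundle: the base64 bodies are dummy bytes, not a real certificate or key.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
CgsMDQ4P
-----END PRIVATE KEY-----
"""


def parse_pem_blocks(pem_text):
    """Return [(label, der_bytes), ...] for each block; raise ValueError on bad base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        blocks.append((label, der))
    return blocks


def check_origin_bundle(pem_text):
    """Return a list of problems with the bundle layout; an empty list means it
    matches what the post describes (certificate first, unencrypted key below)."""
    try:
        labels = [label for label, _ in parse_pem_blocks(pem_text)]
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block: paste the Origin Certificate first")
    elif labels[0] != "CERTIFICATE":
        problems.append(f"first block is {labels[0]}, expected the certificate on top")
    if "ENCRYPTED PRIVATE KEY" in labels:
        # Assumption: a password-protected key is one plausible trigger for the
        # "password is incorrect" error, so flag it instead of uploading it.
        problems.append("private key is encrypted: use the unencrypted PEM key from Cloudflare")
    elif not any(label in KEY_LABELS for label in labels):
        problems.append("no PRIVATE KEY block: paste the key directly below the certificate")
    return problems
```

Run check_origin_bundle(open("cloudflare-cert.pem").read()) before uploading; an empty list means the file is laid out as the steps describe.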

Now that we have the Cloudflare Origin Server certificate ready, the next step is to set up the Azure Container App.

Add the custom domain to the Azure Container App

Now we need to add the desired custom domain to the Azure Container App. I will use the placeholder domain test.example.com which you will need to replace with your domain.

  1. Go to your Azure Container App in Azure Portal.
  2. Select the Custom domains menu item.
  3. Select the Add custom domain button.
  4. Enter your desired custom domain and select the CNAME host record type.
  5. Copy the CNAME record value and add the appropriate DNS entry in Cloudflare, ensuring it has the Cloudflare proxy enabled.
  6. Copy the TXT record value and add the appropriate DNS entry in Cloudflare.
  7. Select the Validate button. The CNAME check will produce an error as it is using Cloudflare as a proxy, but it is safe to proceed.
  8. Select the Next button.
  9. Select the Create new link next to the Certificate label.
  10. Enter a name for your Certificate which you will recognise and select the cloudflare-cert.pem file created earlier. Select the Validate button.
  11. Select the Add button.
  12. You should now be shown the new custom domain with the new certificate pre-selected. Select the Add button.

After following the steps above, you should receive a confirmation that the custom domain has been successfully added.

Summary

You can add a Cloudflare Origin Server certificate to an Azure Container Apps Environment and use it to secure communication between the Cloudflare edge network and an Azure Container App. The certificate should be in the PEM format and include the private key.

After the certificate has been added to the Container Apps Environment, it is available for use by all Container Apps within that environment. The certificate is only valid for the Cloudflare edge network, so the domain for the Container App must be proxied through Cloudflare.