The provided client secret keys are expired
This error happens because the secret created with the app identity that Let’s Encrypt uses to access the web app in Azure has expired.
- Find the app in app registrations. Log in to the Azure portal and navigate to Azure AD > App Registrations.
- Search for the app by name or ID (Let’s Encrypt ClientId).
- Select the app registration and navigate to Certificates & Secrets.
- Create a new client secret and set the expiration to never expire. Leave the description blank.
- Copy the secret that is generated. Don’t lose this secret because you can’t see it again.
Now you need to replace the existing letsencrypt:ClientSecret in your app service config with the new one. You can do this manually or use this PowerShell script.
```powershell
# Prompt for the resource group and the new client secret (input is masked)
$rg  = Read-Host "Resource group name"
$sec = Read-Host -AsSecureString "New secret"

# App settings are stored as plain strings, so unwrap the SecureString
$secret = [System.Net.NetworkCredential]::new("", $sec).Password

# Every web app in the resource group gets the new secret
$apps = Get-AzWebApp -ResourceGroupName $rg
$appnames = $apps.Name
ForEach ($appname in $appnames) {
    $app = Get-AzWebApp -ResourceGroupName $rg -Name $appname -ErrorAction Stop

    $newAppSettings = @{}
    $app.SiteConfig.AppSettings | ForEach-Object { $newAppSettings[$_.Name] = $_.Value } # Preserve existing app settings
    $newAppSettings["letsencrypt:ClientSecret"] = $secret # Update the new secret

    $app = Set-AzWebApp -AppSettings $newAppSettings -ResourceGroupName $rg -Name $app.Name -ErrorAction Stop
}
```
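To confirm which secret on the app registration has expired, the following added example (not part of the original page) lists the registration's credentials with their expiry status. It assumes the Az.Resources module and a signed-in `Connect-AzAccount` session; `$warnDays` is a hypothetical threshold, and the `EndDateTime`/`EndDate` fallback is an assumption to cover different module versions.

```powershell
# Added example: list the credentials on the app registration and flag expired ones.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.
$clientId = Read-Host "Let's Encrypt ClientId (application ID)"
$warnDays = 30   # hypothetical threshold for "expiring soon"
$now = (Get-Date).ToUniversalTime()

$creds = @(Get-AzADAppCredential -ApplicationId $clientId -ErrorAction Stop)
if ($creds.Count -eq 0) {
    Write-Warning "No credentials found on app registration $clientId"
}

$report = foreach ($c in $creds) {
    # Assumption: newer Az.Resources releases expose EndDateTime, older ones EndDate
    $end = if ($c.EndDateTime) { $c.EndDateTime } else { $c.EndDate }
    if (-not $end) { continue }

    $end = ([datetime]$end).ToUniversalTime()
    $daysLeft = [math]::Floor(($end - $now).TotalDays)

    $status = "OK"
    if ($daysLeft -lt 0) { $status = "EXPIRED" }
    elseif ($daysLeft -le $warnDays) { $status = "EXPIRING" }

    [pscustomobject]@{
        KeyId    = $c.KeyId
        Expires  = $end
        DaysLeft = $daysLeft
        Status   = $status
    }
}

# Oldest expiry first, so the secret behind the error is at the top
$report | Sort-Object Expires | Format-Table -AutoSize
```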