HTTPS is a must on the web today. Address bars showing your domain alongside lock icons and green nuances grant security for your visitors and respect for you. Well, not necessarily the "respect" of your visitors, but for sure the respect of the browser they're using.
Chrome, picking one randomly, has been consistently - and constantly - discontinuing features under non-secure connections: access to device low-level capabilities (e.g. Webcam) isn't allowed if no https is around.
New awesome techy opportunities like PWA cannot be dreamed of without https.
SEO ranking gets boosted by https. And so on, and so forth...

But.

SSL certificates aren't cheap at all, everybody knows that!

That's not true anymore. Thanks to Let's Encrypt and their automated certificate issuing system (they just rely on 10 employees, as of 2017) it is even free!
People weren't satisfied at all, smart and demanding guys like sjkp insisted on having them installed and rolled over while sleeping or tossing a coffee!
Here we are now, cozy SSL/TLS for everyone. At least for those who have an Azure account. I want to share my experience on that.

Let's Encrypt as a Site Extension

The above sjkp provided a nice site extension named "Azure Let's Encrypt" (here is the repository) that automates the issuing and association of a certificate with your Azure Web Apps.
Step-by-step:

0. Web App with Custom Domain associated

I assume you already have a Web App configured (with a custom domain) in your Basic+ App Service Plan.

1. Sign up on Let's Encrypt

Go to Let's Encrypt and follow the instructions in order to register your account. Classic sign up process.

2. Give Access to your Storage Account

If you have a running app it is likely you also have a storage account associated with its resource group. Use its credentials to define a couple of new App Settings:

• Go to your <myapp> blade and click Application settings.
• Insert 2 new settings AzureWebJobsStorage and AzureWebJobsDashboard, both with value your storage connectionstring (something like DefaultEndpointsProtocol=https;AccountName=<your-account-name>;AccontKey=<your-account-key>)

• This will grant the site extension access to your storage.

3a. Create a Service Principal

You need a slave doing the unpleasant work for you, right? That's a principal. Sounds counter-intuitive? Then you'll remember it easier. To setup your service principal, just exploit the portal:

• Navigate the Azure Active Directory "blade" then pick App registrations.
• Click on New application registration .
• In the Create form: name your slave (something like myapp-svc-principal) , pick Web app / API as application type and type a foo Sign-on URL like https://myapp.com/signon. Yes, you can reuse this slav... - pardon - service principal even for other Apps different from "myapp". Hit the Create button.

• You should see the new service principal listed now (with its application id):

• Click it, then on Settings then enter the Keys blade and get prepared to save the service principal password. You'll have only one chance. Give a name to your keys, make 'em immortal, click Save.

• Note the generated password!

3b. Give your Service Principal a Role

You now need to give the service principal access to your resource group:

• Get into the subscription blade ultimately associated with your Web App.

• Click on Access control (IAM) then + Add permissions. Fill the form as in the following pic (while typing in the Select box, suggestions come, pick the right one...).

• Hit Save. Your service principal should now appear in the contributor list.

4. Install Azure Let's Encrypt

• Go to https://<myapp>.scm.azurewebsites.net/SiteExtensions/#gallery and search for "let's encrypt" or similar...

• Click on the "Install" (+) button and confirm you aim to install it. Once finished restart the site as suggested.
• Hit the play-like button on the just-installed extension.
• Now fill the form following the hints above in the page and the image below (I've highlighted the service principal password field, the one that you noted at the end of step 3a, right above is the ClientId aka the service principal application id).

• Hit Next and wait.
• Now you should be able to see your hostnames and certificates. Hit Next again.
• Pick one or more custom domains associated with your Web App from the combobox and enter the Email of your Let's Encrypt user account. Hit the Request and Install certificate button.
• Certificate successfully installed. Now sit and relax. You're done. Enjoy.

Kudos to...

...Nik Molnar who wrote this excellent post and pointed me in the right direction. In addition to that very thorough article of his, I've only added a more "visual" approach to the creation of the service principal.