Is it possible to run Azure Function app with SSL locally? - azure

I have an Azure function app. It works well with HTTP locally. Also it works well on production. I am trying to run it with HTTPS locally. I created a certificate but it's still showing a certificate error on the browser. I tried to add my certificate to KeyChain Access as well but the result is the same.
How can I run my function with an SSL certificate locally?
I'm trying to access my service from my mobile app but Android is not allowing me to call an HTTP endpoint.
Thanks.

The command line arguments need to be set correctly, and then the Azure Functions can be started in Visual Studio with HTTPS and take advantage of the break point debugging without having to attach the func process in Visual Studio.
Install the tools for local Azure Function development:
Microsoft Azure Storage Explorer
Microsoft Azure Storage Emulator
Install the Azure Functions Core Tools
Or
npm install -g azure-functions-core-tools
Install the Azure Functions Visual Studio Extensions
Azure Functions and Web Jobs Tools need to be installed as an extension in Visual Studio.
Configure the Azure Functions project to use HTTPS
Create a certificate and add this to the operating system.
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
or
New-SelfSignedCertificate -DnsName "server.com", "server.com" -CertStoreLocation "cert:\LocalMachine\My"
Get the thumbprint for later use
$mypwd = ConvertTo-SecureString -String "1111" -Force -AsPlainText
Get-ChildItem -Path cert:\localMachine\my\"thumbprint from above" | Export-PfxCertificate -FilePath C:\server.pfx -Password $mypwd
Copy the pfx file to the Function project and then configure the properties to copy this to the output.
Configure the command line arguments for Debug.
The application arguments start with host in Visual Studio and not func! This would be func in the command line.
Or just set this in the launchSettings.json
{
  "profiles": {
    "FunctionApp1": {
      "commandName": "Project",
      "commandLineArgs": "host start --useHttps --cert \"server.pfx\" --password \"1111\""
    }
  }
}
When you start the Azure Function project with Visual Studio, the HTTPS URL will be used. This can be checked in the command line window which opens up after starting. Break point debugging is now possible as we started from Visual Studio.
If you start this from the console using func start --useHttps --cert "server.pfx" --password "1111", you need to attach the func process in Visual Studio for break point debugging.

Related

Creating client certificate with certificate uploaded in Azure key vault

I have created a pfx file using openssl commands as below
openssl genrsa -out private_key.pem 4096
openssl req -new -x509 -key private_key.pem -out public_key.cer -days 100 -sha512 -subj "/CN=self-signed"
openssl pkcs12 -export -out samplepkcs12.pfx -inkey private_key.pem -in public_key.cer
Then I have imported my pfx file to my Azure Key vault.
Now in my azure function, I need to download this certificate and create a client certificate.
I tried the code below
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
    .managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
    .build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
    .credential(defaultCredential)
    .buildClient();
KeyVaultSecret certificateSecret = client.getSecret(<certificateName>);
IClientCertificate clientCertificate =
    ClientCredentialFactory.createFromCertificate(
        new ByteArrayInputStream(certificateSecret.getBytes()), "<password>");
But I am getting the exception below
java.IO.Exception to DerInputStream rejects type 77
at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:873)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCSKeyStore.java:1994)
Any suggestions on the right way of uploading (if my approach is wrong) or retrieving the certificate and creating a clientCertificate?
You are using the Secret library. Instead you should use the Certificate library described here:
https://azuresdkdocs.blob.core.windows.net/$web/java/azure-security-keyvault-certificates/4.3.2/index.html
CertificateClient certificateClient = new CertificateClientBuilder()
.vaultUrl("<your-key-vault-url>")
.credential(new DefaultAzureCredentialBuilder().build())
.buildClient();
KeyVaultCertificate certificate = certificateClient.getCertificate("<certificate-name>");
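The 77 in "rejects type 77" is the ASCII code of "M", and the base64 form of a DER-encoded file begins with "MI", so the exception is consistent with a PKCS#12 parser being handed base64 text instead of decoded bytes. The block below is an added example in PowerShell, not code from the post: the helper names are hypothetical, the sample bytes are constructed, and it assumes the stored secret value is the base64 text of the PFX.

```powershell
# Added example; Get-CertBlobEncoding and ConvertTo-DerBytes are hypothetical names.
function Get-CertBlobEncoding {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 2) { return 'Unknown' }
    $head = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, [Math]::Min(10, $Bytes.Length))
    if ($Bytes[0] -eq 0x30)             { return 'Der' }   # ASN.1 SEQUENCE tag (48)
    if ($head.StartsWith('-----BEGIN')) { return 'Pem' }   # armoured text, '-' is 45
    # base64 of 0x30 0x8x (SEQUENCE with a long-form length) is "MI"; 'M' is 77
    if ($Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x49) { return 'Base64Der' }
    return 'Unknown'
}

function ConvertTo-DerBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
    switch (Get-CertBlobEncoding -Bytes $Bytes) {
        'Der'       { return ,$Bytes }
        'Base64Der' { return ,[Convert]::FromBase64String($text.Trim()) }
        'Pem'       {
            # Drop the BEGIN/END lines and whitespace, then decode the body
            $body = ($text -replace '-----[^-]+-----', '') -replace '\s', ''
            return ,[Convert]::FromBase64String($body)
        }
        default     { throw 'Not DER, PEM or base64-encoded DER' }
    }
}

# Constructed sample: a DER SEQUENCE header plus filler standing in for a
# PKCS#12 file. It is not a real certificate.
$der    = [byte[]](0x30, 0x82, 0x00, 0x04, 0x02, 0x01, 0x03, 0x00)
$asText = [System.Text.Encoding]::ASCII.GetBytes([Convert]::ToBase64String($der))

[pscustomobject]@{
    EncodingOfText   = Get-CertBlobEncoding -Bytes $asText    # what the parser was given
    FirstByteOfText  = $asText[0]                             # the "type" it rejected
    FirstByteDecoded = (ConvertTo-DerBytes -Bytes $asText)[0] # the tag it expected
}
```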

X.509 certificate in trusted store for ubuntu - Powershell Microsoft graph

Main goal
I am trying to find a way to add licenses to a user using Ubuntu Linux, either by PowerShell or any other programmable method. My last resort is to use Selenium with Python.
Actual problem
I am trying to use Connect-MgGraph cmdlet with a certificate for unattended scripts. The information on this is here: https://learn.microsoft.com/en-us/graph/powershell/app-only?tabs=azure-portal
I already have an app registered with Exchange and admin access. I also already have a cert. I used it before when connecting to Exchange Online PowerShell.
When I try to run: Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateName $Certificate
It gives me an error: certificate was not found or has expired.
Here is what I tried:
I first tried using the certpath as a variable and then passing that - failed
$CertificateFilePath = "/home/tech/scripts/powershell_scripts/exchangecert/msexchange.pfx"
##other stuff
Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateName $CertificateFilePath
### FAILED RESULT
Connect-MgGraph: /home/tech/scripts/powershell_scripts/exchangecert/msexchange.cer certificate was not found or has expired.
I tried using these commands that I found here: https://github.com/Azure/azure-powershell/issues/8675
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("/home/tech/scripts/powershell_scripts/exchangecert/msexchange.cer","apassword",$Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
### FAILED RESULT
Connect-MgGraph: [Subject]
CN=adomain.com
[Issuer]
CN=adomain.com
[Serial Number]
aserialnumber
[Not Before]
5/30/2021 2:51:16 PM
[Not After]
5/30/2022 3:01:17 PM
[Thumbprint]
athumbprint
certificate was not found or has expired.
Everything I have tried so far is failing. I know this would work on Windows but I would really like to authenticate unattended on Ubuntu.
Thanks everyone.
-CertificateName should be the subject name of the cert, not the path to the cert. But, you should probably try using the thumbprint instead. I think you're missing some more code for installing the cert. Try something like this, substituting your details in the beginning to generate the correct PFX. (i.e. Make sure key.pem and cert.pem exist in /etc/ssl/private/)
$CertPath = '/etc/ssl/private/'
$CertKey = $CertPath + 'key.pem'
$CertPublic = $CertPath + 'cert.pem'
$CertMerge = $CertPath + 'merged.pfx'
$CertPass = 'somepassword'
$CertExpire = 365
$CertName = 'somecertname'
# Generate new certificate and convert it to pfx format
openssl req -newkey rsa:2048 -new -nodes -x509 -days $CertExpire -keyout $CertKey -out $CertPublic -subj "/C=LV/ST=Some-State/L=LV/O=$CertName/OU=IT"
openssl pkcs12 -in $CertPublic -inkey $CertKey -export -out $CertMerge -passout pass:$CertPass
At this point, you should check to make sure merged.pfx got created. Then continue:
# Store certificate in certificate store
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertMerge, $CertPass, $Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
# Get cert thumbprint
$CertValue = [Convert]::ToBase64String($Certificate.GetRawCertData())
$Thumbprint = $Certificate.Thumbprint
Then use $Thumbprint to log in:
Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateThumbprint "YOUR_CERT_THUMBPRINT"

Azure Portal Application in AD says certificate is expired even after I have updated it

My AD application certificate expired and I have put a new one in and deleted all the old expired ones, however when I go to the application it still shows it as expired
You could follow the steps below to create a new certificate credential for your AD App.
1. Run the PowerShell command locally, changing the -FilePath to what you want.
$cert=New-SelfSignedCertificate -Subject "CN=TodoListDaemonWithCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
Export-Certificate -Cert $cert -FilePath C:\Users\joyw\Desktop\user1234.cer
2. Navigate to the Azure Active Directory in the portal -> your AD App -> Certificates & secrets -> Upload certificate.
Or, if you don't want to upload the certificate manually, you could use the PowerShell script below. After running the script, refresh the portal and you will find it works fine. Make sure you install the Az module.
Connect-AzAccount
$cert=New-SelfSignedCertificate -Subject "CN=TodoListDaemonWithCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
$binCert = $cert.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-AzADAppCredential -ApplicationId <application-id of the AD App> -CertValue $credValue -StartDate $cert.NotBefore -EndDate $cert.NotAfter

Cannot connect to ServiceFabricCluster using "Connect-ServiceFabricCluster"

I am trying to connect to ServiceFabricCluster using "Connect-ServiceFabricCluster" but keep getting
Connect-ServiceFabricCluster : An error occurred during this operation. Please check the trace logs for more details
The command I am using is:
Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
-X509Credential `
-ServerCertThumbprint $serverThumbprint `
-FindType FindByThumbprint -FindValue $serverThumbprint `
-StoreLocation CurrentUser -StoreName My
for the value $serverThumbprint I am using the thumbprint on the Azure portal for the cert in question (see below)
I have also downloaded the .cer from Azure and installed it on my machine.
For the endpoint, I am using the "Client connection endpoint" supplied in the overview blade of the cluster.
"I have also downloaded the .cer from Azure and installed it on my machine."
That's the point, instead of .cer you had to download .PFX containing both private and public key, and then install it to both Personal and Trusted Root directories of the Current User.
Then, in the publish profile of your app you need to specify the following section:
<ClusterConnectionParameters
ConnectionEndpoint="XXX.westeurope.cloudapp.azure.com:19000"
X509Credential="true"
FindType="FindByThumbprint"
FindValue="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
ServerCertThumbprint="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
StoreLocation="CurrentUser"
StoreName="My" />
FindValue and ServerCertThumbprint are the same.
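Both the Connect-MgGraph thread and this Service Fabric thread come down to the same three questions about the CurrentUser\My store: is the certificate there under that thumbprint, does it carry a private key (a .cer import does not), and is it inside its validity period. The block below is an added example, not code from either answer, that checks all three through the same .NET store classes used above. Test-ClientCertificate is a hypothetical helper name and the thumbprint in the final call is a constructed placeholder.

```powershell
# Added example; Test-ClientCertificate is a hypothetical helper name.
function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [datetime]$Now = (Get-Date)
    )
    # Thumbprints copied from a portal or certificate dialog can carry spaces
    # or invisible characters, so keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
        [System.Security.Cryptography.X509Certificates.StoreName]::My,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false: self-signed and expired certificates are still returned
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $clean, $false)
    } finally {
        $store.Close()
    }
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Thumbprint = $clean; Status = 'NotInStore' }
    }

    $cert = $found[0]
    # Private key first: a public-only certificate cannot authenticate a client
    # no matter how valid its dates are.
    $status = if (-not $cert.HasPrivateKey) {
        'NoPrivateKey'
    } elseif ($Now -gt $cert.NotAfter) {
        'Expired'
    } elseif ($Now -lt $cert.NotBefore) {
        'NotYetValid'
    } else {
        'Ok'
    }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Status        = $status
    }
}

# Constructed placeholder thumbprint (40 zeros); replace with the real one.
Test-ClientCertificate -Thumbprint ('0' * 40)
```

Run it as the same user that will run the unattended script, since CurrentUser stores are per account.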

403 error when authenticating with Azure Management API - nodejs

I'm using the following npm to try and create a cloud service using NodeJS.
https://www.npmjs.com/package/azure-mgmt-compute
This is the code I'm using:
var file = __dirname + '/azure-cert.pem';
var computeManagementClient = computeManagement.createComputeManagementClient(computeManagement.createCertificateCloudCredentials({
subscriptionId: userCredentials.subscriptionId,
pem: fs.readFileSync(file, 'utf-8')
}));
I'm getting the error: "The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription".
Status code 403.
I've done what's written here:
https://msdn.microsoft.com/en-us/library/azure/gg551722.aspx
And converted to PEM using OpenSSL.
I also tried the following:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout azure-cert.pem -out azure-cert.pem
openssl pkcs12 -export -out azure-cert.pfx -in azure-cert.pem -name "My Self Signed Cert"
openssl x509 -outform der -in azure-cert.pem -out azure-cert.cer
Everything fails.
Any ideas?
I tried to follow the section "How to Use -> Authentication " of the page https://www.npmjs.com/package/azure-mgmt-compute to get the .pem file via Azure Xplat-CLI and run the sample code. It works fine.
Firstly you need to install the Azure Xplat-CLI via command npm install -g azure-cli, please refer to https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/.
Secondly you need to connect to your Azure subscription via command azure login -u <username>, please refer to https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-connect/.
Then you can run the command azure account cert export to get the .pem file. The code works with the subscription id & pem file.
Best Regards!
