in my company I have an Azure environment in which SSL certificates need to be renewed. But I was given no info about them.
So I have app services that run in an ASE, with an app Gateway.
The certificate for the ASE is handled, I'm trying to gather all the information I can on the app services certificate and the app gateway certificate.
with Azure CLI, running this command on the app gateway gives me lot of data including the serial number but not the thumbprint :
$publiccertprod1= az network application-gateway ssl-cert show -g RessourceGroupName --gateway-name AppGatewayName --name CertName --query publicCertData -o tsv
echo "-----BEGIN PKCS7-----" >> publicprod1.cert; echo "${publiccertprod1}" >> publicprod1.cert; echo "-----END PKCS7-----" >> publicprod1.cert
cat publicprod1.cert | fold -w 64 | openssl pkcs7 -print_certs | openssl x509 -noout -text
On the other hand, running this command on app service gives me the thumbprint but not the serial number
az webapp config ssl list --resource-group AppServiceRessourceGroup
So, how can I be sure it's the same certificate or not (from the internal intel I have it's a different one), and how can I get the missing serial number and thumbprint?
the internal process for certificate renewal asks me for serial numbers so getting this one would be huge.
Thanks
Edit: as Ked Mardemootoo suggested, using AzAppGWCert module gave me all necessary details. You can find it here : https://github.com/Welasco/AzureRMAppGWCert
Thanks #Ked Mardemootoo your insights helped lot.
Use below PoweShell script to get the both Thumbprint & SerialNumber
Before the script you can install the Required Module AzureRMAPPGWCert
Install-Module -Name AzureRMAppGWCert
Use the Below code to get the certificate values
Connect-AzureRmAccount
Import-Module AzureRMAppGWCert
Get-AzureRMAppGWCert -RG <RGName> -AppGWName <AppGatewayName>
Refer SO thread for more info
as #Ked Mardemootoo suggested, using AzAppGWCert module gave me all necessary details. You can find it here : https://github.com/Welasco/AzureRMAppGWCert
Related
Planning to import an SSL certificate to a web app from Key Vault.
Found that Import-AzWebAppKeyVaultCertificate in Az.websites which performs the above task but the above fails in the azure pipeline and I'm looking into any alternative in AzureRm As for my research I can't find anything in documents.
Az docs - https://learn.microsoft.com/en-us/powershell/module/az.websites/import-azwebappkeyvaultcertificate?view=azps-6.0.0&viewFallbackFrom=azps-4.8.0
I want to know anything specific command to import ssl certificate to a web app from keyvault using AzureRm commands
Did you try with Azure CLI command ?
az login
# upload certificate to Azure key vault
az keyvault certificate import --file "E:\Cert\P2SChildCert.pfx" --password "" --name "test1234" --vault-name "testkey08"
# download certificate as pfx file
az keyvault secret download --file "test2.pfx" --vault-name "testkey08" --name "test1234" --encoding base64
# upload the pfx file to Azue web app
az webapp config ssl upload --certificate-file "test2.pfx" --name "andywebsite" --resource-group "andywebbot" --certificate-password "" --query thumbprint --output tsv
You could use Invoke-RestMethod to call the REST API Certificates - Create Or Update manually.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/certificates/{name}?api-version=2019-08-01
To get the access token, refer to https://learn.microsoft.com/en-us/rest/api/azure/#client-credentials-grant-non-interactive-clients
In my Azure Linux web app, I'm trying to perform an API call to an external provider, with a certificate. That call fails, while it's working fine when deploying the same code on a Windows app service plan. The equivalent cURL command line is:
curl --cert-type p12 --cert /var/ssl/private/THUMBPRINT.p12 -X POST https://www.example.com
The call fails with the following error:
curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
The issue is caused by OpenSSL 1.1.1d, which by defaults requires a security level of 2, and my certificate is signed with SHA1 with RSA encryption:
openssl pkcs12 -in THUMBPRINT.p12 -nodes | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
On a normal Linux VM, I could edit /etc/ssl/openssl/cnf to change
CipherString = DEFAULT#SECLEVEL=2
to security level 1, but on an Azure Linux web app, the changes I make to that file are not persisted..
So my question is: how do I change the OpenSSL security level on an Azure web app? Or is there a better way to allow the use of my weak certificate?
Note: I'm not the issuer of the certificate, so I can't regenerate it myself. I'll check with the issuer if they can regenerate it, but in the meantime I'd like to proceed if possible :)
A call with Microsoft support led me to a solution. It's possible to run a script whenever the web app container starts, which means it's possible to edit the openssl.cnf file before the dotnet app in launched.
To do this, navigate to the Configuration blade of your Linux web app, then General settings, then Startup command:
The Startup command is a command that's ran when the container starts. You can do what you want, but it HAS to launch your app, because it's no longer done automatically.
You can SSH to your Linux web app, and edit that custom_startup.sh file:
#!/usr/sh
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
# run the dotnet website
cd /home/site/wwwroot
dotnet APPLICATION_DLL_NAME.dll
The relevant doc can be found here: https://learn.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images
Note however that the Startup command is not working for Azure Functions (at the time of writing May 19th, 2020). I've opened an issue on Github.
To work around this, I ended up creating custom Docker images:
Dockerfile for a webapp:
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20200502.1
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Dockerfile for an Azure function:
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.13614-appservice
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
I'm trying to use Azure CLI to configure an Azure app service SSL certificates that are stored in an Azure KeyVault. I'm new to Azure CLI and am having trouble finding a complete set of sample code that does this. I've found documentation / examples of the individual commands, but am having trouble chaining them together. Definitely would appreciate some assitance/guidance as I feel like this is a common scenario.
At first, I thought this was would be a simple 'linking' type command. Certs are already uploaded in keyvault, so Azure App Service, go get 'em, here's the $pfxPassword.
It doesn't look like that is possible. I found some documentation that it looks like you need to download the Cert from the keyvault and then upload it.
It took me a little bit to realize that you don't use az keyvault certificate for this... you need to use az secret download.
I then found some other commands on how to upload the cert, get the thumbprint, and bind the cert to the app Service.
I chained these three commands together, but am not able to get it to work.
#download the cert
az keyvault secret download --file $fileName --vault-name $vaultName --name $certName;
#upload the cert and get the thumbprint
$thumbprint=az webapp config ssl upload --certificate-file $fileName --certificate-password $pfxPassword --name $site_name --resource-group $ResourceGroupName --query thumbprint --output tsv
#bind the uploaded cert to the app service.
az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI --name $site_name --resource-group $ResourceGroupName
I can confirm the first command is downloading the cert. (After a while I was able to figure things out import into my win10 development machine -- even though the certs were uploaded into keyvault with a password, downloading them stripped the password out.).
Unfortunately, it looks like the second command (upload and get the thumbprint) REQUIRES a password.
What is the 'correct' way to do this?
Thanks for your guidance/advice.
According to my test, when we use the Azure CLI to download the certificate as pfx file from Azure key vault, it has a blank password. So when we use CLI to upload the pfx file to Azure web app, we can use the following command
az webapp config ssl upload --certificate-file "<pfx file name>" --name "<web name>" --resource-group "<group name>" --certificate-password "" --query thumbprint --output tsv
az login
# upload certificate to Azure key vault
az keyvault certificate import --file "E:\Cert\P2SChildCert.pfx" --password "" --name "test1234" --vault-name "testkey08"
# download certificate as pfx file
az keyvault secret download --file "test2.pfx" --vault-name "testkey08" --name "test1234" --encoding base64
# upload the pfx file to Azue web app
az webapp config ssl upload --certificate-file "test2.pfx" --name "andywebsite" --resource-group "andywebbot" --certificate-password "" --query thumbprint --output tsv
Besides, if your certificate has been stored in Azure key vault, we can directly import it to Azure web app via Azure Portal.
I setup an application gateway at Azure with two VMs. Now, I'm trying to install a SSL certificate into one domain name.
I upload the .cer file and I received a message that this certificate has been installed. But when I try to access the website with https, nothing happens.
Is there a step by step to install a certificate at Azure Application Gateway? Could you help me?
Thanks.
If I am understanding correctly, you should upload a .pfx file certificate. Click HTTPS for the protocol of the listener and make sure that the port is defined as 443.
Use the command to export a .pfx certificate.
$pwd = ConvertTo-SecureString -String "Azure123456!" -Force -AsPlainText
Export-PfxCertificate \
-cert cert:\localMachine\my\E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630 \
-FilePath c:\appgwcert.pfx \
-Password $pwd
You can get more details from this guide: Configure an application gateway with SSL termination using the Azure portal
Hope this helps.
How you add SSL Cert to an existing azure Linux VM from Azure Key vault. for windows we use the following command
$vaultId=(Get-AzureRmKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "My" -CertificateUrl $certURL
Is there a similar one like this for linux vm? Is there a link similar to this for linux Secure IIS web server with SSL certificates on a Windows virtual machine in Azure
You could use Azure Cli to do this. Using following command.
secret=$(az keyvault secret list-versions \
--vault-name $keyvault_name \
--name mycert \
--query "[?attributes.enabled].id" --output tsv)
vm_secret=$(az vm format-secret --secret "$secret")
az vm update -n shui -g shuikeyvault --set osProfile.secrets="$vm_secret"
Then the certificate stores on /var/lib/waagent, you could use Azure Custom Script to use it.
Note: You should use "$vm_secret", I test in my lab, only $vm_secret does not work for me.
ssh-copy-id -i ~/.ssh/id_rsa.pub aht#myserver. But if you have rights to the VM but not the original key, you want to use azure vm reset-access to do so. It is in fact documented as a standalone ability:
help: -M, --ssh-key-file path to public key PEM file or SSH Public key file for SSH authentication (valid only when os-type is "Linux")
of course, it doesn't say what ELSE should happen here in order to ADD the key I provide to the currently running VM I'm targeting. But the result needs to be that if I specify a user that already exists, and there's a key already there, this one needs to be added to the directory.
You'll note that in Azure/azure-linux-extensions#295, https://github.com/Azure/azure-linux-extensions/issues/295 believes that using azure vm set-extensions ,then reset-access is broken.
Update a Key Vault for use with VMs
Set the deployment policy on an existing key vault with az keyvault update. The following updates the key vault named myKeyVault in the myResourceGroup resource group:
Azure CLI
Copy
az keyvault update -n myKeyVault -g myResourceGroup --set properties.enabledForDeployment=true