Include Letsencrypt Root certificate in Azure Application Gateway - azure

I'm trying to follow Azure Tutorial on how to get Api Management under a vnet and accessible through an application gateway (WAF). I'm stuck trying to upload the root cert into application gateway. It says that the "Data for certificate is invalid"; apparently Azure Application gateway doesn't like Letsencrypt certs.
My certs are:
mydomain.com.br
api.mydomain.com.br
developer.mydomain.com.br
management.mydomain.com.br
I have used acmesh to generate all certs:
./acme.sh --issue -d mydomain.com.br --dns dns_gd --server letsencrypt
./acme.sh --issue -d api.mydomain.com.br --dns dns_gd --server letsencrypt
./acme.sh --issue -d developer.mydomain.com.br --dns dns_gd --server letsencrypt
./acme.sh --issue -d management.mydomain.com.br --dns dns_gd --server letsencrypt
Vnet, Subnets, Security Groups and Api Management are all created successfully, all good except for the part I need to create the application gateway:
$appgwName = "apim-app-gw"
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location `
-BackendAddressPools $apimGatewayBackendPool,$apimPortalBackendPool,$apimManagementBackendPool `
-BackendHttpSettingsCollection $apimPoolGatewaySetting, $apimPoolPortalSetting, $apimPoolManagementSetting `
-FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 `
-HttpListeners $gatewayListener,$portalListener,$managementListener `
-RequestRoutingRules $gatewayRule,$portalRule,$managementRule `
-Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $certGateway,$certPortal,$certManagement `
-TrustedRootCertificate $trustedRootCert -Probes $apimGatewayProbe,$apimPortalProbe,$apimManagementProbe
The last line is where I need to inform the path to my .cer file. I have tried to add the mydomain.com.br.cer and fullchain.cer, no luck. Tried to use openssl to create a Base64 file, also no luck:
sudo openssl x509 -inform PEM -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -outform DER -out trustedrootDER.cer
openssl x509 -inform der -in trustedrootDER.cer -out trustedroot.cer
I even created a VM running Windows to try this approach, no joy.
The solution from the Architecture point of view is pretty simple, but the certs problem makes it troublesome:
Any direction here is much appreciated!
Thanks

Why do you want to add the Let's Encrypt Root CA cert on your application gateway?
From my understanding the Root CA from Let's Encrypt is ISRG Root X1 and this one should already be trusted by clients (browsers). You only want to add the Root CA if you have self-signed certificates.
Here is a workflow with storing the certs in Azure Key Vault: https://techblog.buzyka.de/2021/02/make-lets-encrypt-certificates-love.html
Another Workflow here describes adding certs with ACME challenges: https://intelequia.com/blog/post/1012/automating-azure-application-gateway-ssl-certificate-renewals-with-let-s-encrypt-and-azure-automation

Related

Certificate Chain Failing and getting 502 Bad Gateway

I have been given a certificate.crt, intermediate.crt, root.crt and a private key. I created a new certificate file by merging the intermediate and root together and I have run the following command to convert them into a PFX which seems to have worked.
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile rootca.crt
I have then uploaded the PFX to an Azure application gateway. When I attempt to go to the URL, I get the following error 502 Bad Gateway.
When checking the health of the gateway I get the following error:
The root certificate of the server certificated used by the backend does not match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to whitelist the backend.
The issue I'm having is that I do not have access to the Linux backend server and I'm not confident with Linux either, so I am not sure whether the certificate has been created correctly on the backend. My question is, have I created the certificate correctly using the OPENSSL command mentioned above?
I tried to reproduce the same issue in my environment and got the expected results.
Created the certificates using PowerShell commands given below
Step-1
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Step-2
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
After Running the commands the certificate will be created as below
Click Windows + r and run the below command → Click Ok
certmgr.msc
Go to → Personal → Certificates → Right click on the certificate you want to export and go to All Tasks as below
We need both CER & PFX certificates to be exported
For CER certificate after clicking on Export→Next→ Select No→Select Base-64 encoded x.509(CER) click on Next→Select folder location and folder name → Click on finish.
For PFX certificate after clicking on Export→Next→Select Yes→ Select Export all extended properties with other options by default click on Next→Click on Password Checkbox and enter the password Click on Next→Select folder location and folder name → Click on finish
I have created the application gateway and I have imported the certificate
I am able to access the URL.
Reference taken from MS-Doc

Azure App Service and App gateway SSL certificates informations

In my company I have an Azure environment in which SSL certificates need to be renewed. But I was given no info about them.
So I have app services that run in an ASE, with an app Gateway.
The certificate for the ASE is handled, I'm trying to gather all the information I can on the app services certificate and the app gateway certificate.
With Azure CLI, running this command on the app gateway gives me a lot of data including the serial number but not the thumbprint:
$publiccertprod1= az network application-gateway ssl-cert show -g RessourceGroupName --gateway-name AppGatewayName --name CertName --query publicCertData -o tsv
echo "-----BEGIN PKCS7-----" >> publicprod1.cert; echo "${publiccertprod1}" >> publicprod1.cert; echo "-----END PKCS7-----" >> publicprod1.cert
cat publicprod1.cert | fold -w 64 | openssl pkcs7 -print_certs | openssl x509 -noout -text
On the other hand, running this command on app service gives me the thumbprint but not the serial number
az webapp config ssl list --resource-group AppServiceRessourceGroup
So, how can I be sure it's the same certificate or not (from the internal intel I have it's a different one), and how can I get the missing serial number and thumbprint?
The internal process for certificate renewal asks me for serial numbers so getting this one would be huge.
Thanks
Edit: as Ked Mardemootoo suggested, using AzAppGWCert module gave me all necessary details. You can find it here : https://github.com/Welasco/AzureRMAppGWCert
Thanks @Ked Mardemootoo, your insights helped a lot.
Use the PowerShell script below to get both the Thumbprint and the SerialNumber
Before the script you can install the required module AzureRMAppGWCert
Install-Module -Name AzureRMAppGWCert
Use the Below code to get the certificate values
Connect-AzureRmAccount
Import-Module AzureRMAppGWCert
Get-AzureRMAppGWCert -RG <RGName> -AppGWName <AppGatewayName>
Refer SO thread for more info
As @Ked Mardemootoo suggested, using AzAppGWCert module gave me all necessary details. You can find it here: https://github.com/Welasco/AzureRMAppGWCert
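Added example, not part of the original thread: a bash version that reads both the serial number and the SHA-1 thumbprint from the base64 PKCS#7 value that `publicCertData` returns, so it can be matched against the thumbprint App Service lists. The function names are hypothetical, and the sample input is a throwaway self-signed certificate constructed on the spot.

```bash
#!/usr/bin/env bash
# Added example: serial number and SHA-1 thumbprint from a base64 PKCS#7
# blob such as the publicCertData value queried in the question.

# Print "<SERIAL> <THUMBPRINT>" (uppercase hex, no colons) for the first
# certificate openssl prints from the bundle passed as $1.
cert_ids_from_pkcs7() {
  local body cert serial thumb
  body=$(printf '%s' "$1" | tr -d '[:space:]' | fold -w 64)
  cert=$(printf '%s\n' '-----BEGIN PKCS7-----' "$body" '-----END PKCS7-----' \
         | openssl pkcs7 -print_certs 2>/dev/null | openssl x509 2>/dev/null) \
         || return 1
  serial=$(printf '%s\n' "$cert" | openssl x509 -noout -serial | cut -d= -f2)
  thumb=$(printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha1 \
          | cut -d= -f2 | tr -d ':')
  printf '%s %s\n' "$serial" "$thumb" | tr 'a-f' 'A-F'
}

# Return 0 when the bundle in $1 holds the certificate whose thumbprint is $2
# (as listed by App Service); case and colons in $2 are ignored.
same_cert() {
  local ids want
  ids=$(cert_ids_from_pkcs7 "$1") || return 2
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  [ "${ids#* }" = "$want" ]
}

# Constructed sample input: write a throwaway self-signed certificate to $1.
make_constructed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
    -subj "/CN=constructed.example" -out "$1" 2>/dev/null
}

# Encode a PEM certificate file as base64 PKCS#7, the shape of publicCertData.
pkcs7_b64() {
  openssl crl2pkcs7 -nocrl -certfile "$1" -outform DER | openssl base64 -A
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && make_constructed_cert "$tmp/cert.pem"
  cert_ids_from_pkcs7 "$(pkcs7_b64 "$tmp/cert.pem")"
  rm -rf "$tmp"
fi
```

When the gateway bundle carries a chain, the first certificate printed may not be the leaf, so compare against every certificate in that case.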

Easiest way to create and upload a self-signed certificate to Azure App Service

I'm looking for some CLI commands or a script of some sort that I can execute to do the following in one step
create a self-signed certificate
upload it to my Azure App Service
create an app setting param with the certificate thumbprint as value
Has anyone done this before?
1. Create a self-signed certificate
If you want to create a self-signed certificate, we can use OpenSSL to implement it. For more details, please refer to here and here
a. Create the certificate key and the signing (csr).
openssl req -new -x509 \
-newkey rsa:2048 \
-sha256 \
-days 3650 \
-nodes \
-out example.crt \
-keyout example.key \
-subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"
The fields, specified in -subj line are listed below:
C= - Country name. The two-letter ISO abbreviation.
ST= - State or Province name.
L= - Locality Name. The name of the city where you are located.
O= - The full name of your organization.
OU= - Organizational Unit.
CN= - The fully qualified domain name
b. Generate the certificate
openssl pkcs12 \
-inkey example.key \
-in example.crt \
-export -out example.pfx \
-password pass:<your password>
2. Upload it to my Azure App Service and save the certificate thumbprint in Azure App service app settings
Regarding the issue, please refer to the following code
az login
# Placeholders: set these to your own values.
pfxPath=example.pfx
pfxPassword='<your password>'
webappname='<your app name>'
resourceGroup='<your resource group>'
# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file "$pfxPath" \
--certificate-password "$pfxPassword" --name "$webappname" --resource-group "$resourceGroup" \
--query thumbprint --output tsv)
# Save the thumbprint as an app setting.
az webapp config appsettings set --name "$webappname" --resource-group "$resourceGroup" \
--settings "Certificate_Thumbprint=$thumbprint"

SSL Cert Not Trusted By All Browsers

We have a wildcard certificate from DigiCert that is installed on our aks instance, and it works fine for IE and Chrome, but firefox has huge issues with it, not trusting the site. When I run the site through an SSL Checker, it indicates that
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.
These are the instructions followed to install the certs originally:
Install the SSL Certificate into Each Namespace
Export the certificate from the pfx file
You will need openssl for this. This is the best resource I could find for installing and using it in Windows 10.
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.txt
Open .txt file and remove the header (i.e. keep from -----BEGIN CERTIFICATE----- through to the bottom)
Export the private key from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.txt
Open .txt file and remove the header (i.e. keep from -----BEGIN ENCRYPTED PRIVATE KEY----- through to the bottom)
Remove the passphrase from the private key
openssl rsa -in key.txt -out server.txt
Create the secrets
Connect to the kube through azure's cli, then run the command:
az aks get-credentials -g aks-rg -n clustername
to merge the kube to your kubectl cli.
If you need to remove previously installed certs, you should run the following commands:
kubectl delete secret clustername-tls --namespace dev
kubectl delete secret clustername-tls --namespace test
kubectl delete secret clustername-tls --namespace uat
kubectl delete secret clustername-tls --namespace prod
To create the new certs:
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace dev
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace test
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace uat
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace prod
What was missed to correctly install the intermediate cert?
Are you using this secret as the tls-secret in the ingress?
You have to implement ingress with an ingress controller and you have to use your secret there inside the path.
You can follow this guide to set up the ingress-nginx controller with cert-manager.
Ingress nginx will work as the load balancer and expose the application to the internet. cert-manager will manage the SSL and TLS certificates.
cert-manager automatically generates the SSL certificate and manages it.
please follow this : https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
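Added example, not part of the original thread: `openssl pkcs12 -clcerts` writes only the leaf certificate, so a `cert.txt` produced that way holds no intermediate, which is what the SSL checker message describes. The bash function below (hypothetical names; the sample chain is constructed with throwaway keys) reports how many certificates a PEM file holds, whether each issuer matches the next subject, and whether the file ends in a self-issued root. The same check applies to the `fullchain.pem` conversion in the first question, because `openssl x509` reads only the first certificate of its input.

```bash
#!/usr/bin/env bash
# Added example: summarise which certificates a PEM file really contains.

# Print "certs=N linked=yes|no root=yes|no" for the PEM bundle in $1.
#   linked: every certificate's issuer name equals the next one's subject
#   root:   the last certificate is self-issued (subject == issuer)
# Names only are compared; signatures are not verified.
chain_status() {
  local dir n=0 linked=yes root=no subj="" iss="" prev_iss=""
  dir=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate, keeping file order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
       on { print > (d "/" n ".pem") }
       /-----END CERTIFICATE-----/ { on = 0 }' "$1"
  while [ -f "$dir/$((n + 1)).pem" ]; do
    n=$((n + 1))
    subj=$(openssl x509 -in "$dir/$n.pem" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$dir/$n.pem" -noout -issuer | sed 's/^issuer= *//')
    if [ "$n" -gt 1 ] && [ "$prev_iss" != "$subj" ]; then linked=no; fi
    prev_iss=$iss
  done
  if [ "$n" -gt 0 ] && [ "$subj" = "$iss" ]; then root=yes; fi
  rm -rf "$dir"
  echo "certs=$n linked=$linked root=$root"
}

# Constructed sample input: throwaway root -> intermediate -> leaf under $1.
make_constructed_chain() {
  local d=$1 new="-newkey rsa:2048 -nodes"
  openssl req -x509 $new -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req $new -subj "/CN=Constructed Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.pem" 2>/dev/null
  openssl req $new -subj "/CN=www.constructed.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && make_constructed_chain "$tmp"
  chain_status "$tmp/leaf.pem"   # leaf only, as -clcerts would export it
  cat "$tmp/leaf.pem" "$tmp/int.pem" > "$tmp/full.pem"
  chain_status "$tmp/full.pem"   # leaf followed by its intermediate
  rm -rf "$tmp"
fi
```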

Setup SSL in azure application gateway

I setup an application gateway at Azure with two VMs. Now, I'm trying to install a SSL certificate into one domain name.
I upload the .cer file and I received a message that this certificate has been installed. But when I try to access the website with https, nothing happens.
Is there a step by step to install a certificate at Azure Application Gateway? Could you help me?
Thanks.
If I am understanding correctly, you should upload a .pfx file certificate. Click HTTPS for the protocol of the listener and make sure that the port is defined as 443.
Use the command to export a .pfx certificate.
$pwd = ConvertTo-SecureString -String "Azure123456!" -Force -AsPlainText
Export-PfxCertificate `
-cert cert:\localMachine\my\E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630 `
-FilePath c:\appgwcert.pfx `
-Password $pwd
You can get more details from this guide: Configure an application gateway with SSL termination using the Azure portal
Hope this helps.
