I'm looking for some CLI commands or a script of some sort that I can execute to do the following in one step
create a self-signed certificate
upload it to my Azure App Service
create an app setting param with the certificate thumbprint as value
Has anyone done this before?
1. Create a self-signed certificate
If you want to create a self-signed certificate, we can use OpenSSL to implement it. For more details, please refer to here and here
a. Create the certificate key and the signing (csr).
openssl req -new -x509 \
-newkey rsa:2048 \
-sha256 \
-days 3650 \
-nodes \
-out example.crt \
-keyout example.key \
-subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=Security/OU=IT Department/CN=www.example.com"
The fields, specified in -subj line are listed below:
C= - Country name. The two-letter ISO abbreviation.
ST= - State or Province name.
L= - Locality Name. The name of the city where you are located.
O= - The full name of your organization.
OU= - Organizational Unit.
CN= - The fully qualified domain name
b. Generate the certificate
openssl pkcs12 \
-inkey example.key \
-in example.crt \
-export -out example.pfx \
-password pass:<your password>
2. Upload it to my Azure App Service and save the certificate thumbprint in Azure App service app settings
Regarding the issue, please refer to the following code
az login
# Upload the SSL certificate and get the thumbprint.
thumbprint=$(az webapp config ssl upload --certificate-file $pfxPath \
--certificate-password $pfxPassword --name $webappname --resource-group $resourceGroup \
--query thumbprint --output tsv)
# save thumbprint
az webapp config appsettings set --name $appName --resource-group myResourceGroup \
--settings "Certificate _Thumbprint=$thumbprint"
Related
I am trying to create the kubernetes secret using PFX certificate that are stored in the keyvalut
I have download the secrets and the certificates to store the secrets
I have followed the below steps to store the secrets but i am getting the below error
#To get the password of the certificate
az keyvault secret show --name $secret_name --vault-name $keyvault_name -o tsv --query value)
#download the certificate
az keyvault certificate download --file $cert_pfx --name $cert_name --vault-name $keyvault_name
#convert pfx to key
Error:
0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1239:
#140546015532944:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:405:Type=PKCS12
Any idea? Thanks for the help :)
I tried to reproduce the same in my work environment and got the expected results as shown in below
I have the keyvault with newly created secrets and set the polices to access the secrets
az keyvault set-policy -n "keyvault-name" --spn "service-principal-id" --secret-permissions get
I have created the certificate with the name "policycert"
az keyvault certificate create --vault-name newcertkv --name policycert -p "$(az keyvault certificate get-default-policy -o json)"
Added the polices to access the certificate
az keyvault set-policy -n newcertkv --spn "spn-id" --certificate-permissions get
Generated the private keyvault and certificate
openssl genrsa 2048 > pkeys123.key
openssl req -new -x509 -nodes -sha256 -days 365 -key pkeys123.key -out newcert123.cert
After enter the command it will ask the name and cert related documents
I generated the password using below command
openssl pkcs12 -export -out certificate.pfx -inkey pkeys123.key -in newcert123.cert
I have conerted this into pfx
$fileContentBytes = get-content ‘newcert123.pfx' -AsByteStream
[System.Convert]::ToBase64String($fileContentBytes) | Out-File ‘pfx-encoded-bytes.pem
The secrets need to be set to PKCS file format
az keyvault secret set --vault-name newcertkv --name newcertsecret --file pfx-encoded-bytes.pem --description "application/x-pkcs12"
I have downloaded the certificate and converted the pfx to pem and then PFX to key
az keyvault certificate download --file newcert123.pem --name my-certificate --vault-name newcertkv
openssl pkcs12 -in newcert123.pfx -clcerts -nokeys -out newcert123.pem -password pass:0000
openssl pkcs12 -in newcert123.pfx -nocerts -out newcert123.key -password pass:XXXX
I have created a socketcluster nodejs app. I followed their official docs to deploy the service to Google K8s Engine. However the ingress service is not running up and complains about :
Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge
I tried following certificates:
4048 Key size certificate from Let'sEncrypt
2048 Key size using cert created using Open SSL.
Both of them result the the same error.
Do any one know how do I resolve this? And where do I get proper certificate for enabling TLS?
IIRC, only RSA-2048 and ECDSA P256 keys are supported:
openssl genrsa -out PRIVATE_KEY_FILE 2048
openssl ecparam -name prime256v1 -genkey -noout -out PRIVATE_KEY_FILE
I also struggled due to this error on using Letsencrypt certs with 4096bit private key to a GKE ingress - even creating the secret worked fine for [1].
Finally overcame with editing "/etc/letsencrypt/cli.ini"
rsa-key-size = 2048
issued new certificate, keyfile and put those into secret.
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
On Cloud Shell, GCP with "openssl" and "gcloud", I tried to create a self-managed SSL certificate first running this command below to create "myCert.crt" and "myKey.key":
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran this command below to create the self-managed SSL certificate "mycert" using "myCert.crt" and "myKey.key":
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
But I got a similar error to yours:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch
resource:
The SSL key is too large.
So I changed "rsa:4096" to "rsa:2048" then ran the first command again:
// "4096" is changed to "2048"
openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran the second command again:
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
Finally, I could create the self-managed SSL certificate "mycert":
Created
[https://www.googleapis.com/compute/v1/projects/myproject-923743/global/sslCertificates/mycert].
NAME: mycert TYPE: SELF_MANAGED CREATION_TIMESTAMP:
2022-01-22T07:22:26.058-08:00 EXPIRE_TIME:
2023-01-22T07:22:08.000-08:00 MANAGED_STATUS:
I'm trying to folllow Azure Tutorial on how to get Api Management under a vnet and accessible through an application gateway (WAF). I'm stuck trying to upload the root cert into application gateway. It says that the "Data for certificate is invalid", apparently Azure Application gateway doesn’t like Letsencrypt certs.
My certs are:
mydomain.com.br
api.mydomain.com.br
developer.mydomain.com.br
managemnet.mydomain.com.br
I have used acmesh to generate all certs:
./acme.sh --issue -d mydomain.com.br --dns dns_gd --server letsencrypt
./acme.sh --issue -d api.mydomain.com.br --dns dns_gd --server letsencrypt
./acme.sh --issue -d developer.mydomain.com.br ---dns dns_gd --server letsencrypt
./acme.sh --issue -d management.mydomain.com.br --dns dns_gd --server letsencrypt
Vnet, Subnets, Security Groups and Api Management are all created successfully, all good except for the part I need to create the application gateway:
$appgwName = "apim-app-gw"
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $resGroupName -Location $location `
-BackendAddressPools $apimGatewayBackendPool,$apimPortalBackendPool,$apimManagementBackendPool `
-BackendHttpSettingsCollection $apimPoolGatewaySetting, $apimPoolPortalSetting, $apimPoolManagementSetting `
-FrontendIpConfigurations $fipconfig01 -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 `
-HttpListeners $gatewayListener,$portalListener,$managementListener `
-RequestRoutingRules $gatewayRule,$portalRule,$managementRule `
-Sku $sku -WebApplicationFirewallConfig $config -SslCertificates $certGateway,$certPortal,$certManagement `
-TrustedRootCertificate $trustedRootCert -Probes $apimGatewayProbe,$apimPortalProbe,$apimManagementProbe
The last line is where I need to inform the path to my .cer file. I have tried to add the mydomain.com.br.cer and fullchain.cer, no luck. Tried to use openssl to create a Base64 file, also no luck:
sudo openssl x509 -inform PEM -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -outform DER -out trustedrootDER.cer
openssl x509 -inform der -in trustedrootDER.cer -out trustedroot.cer
I even created a VM running Windows to try this approach, no joy.
The solution from the Architecture point of view is pretty simple, but the certs problem makes it troublesome:
Any direction here is much appreciated!
Thanks
Why you want to add the Lets Encrypt Root CA cert on your application gateway?
From my understanding the Root CA from Lets Encrypt is ISRG Root X1 and this one should be already trusted by Clients (Browsers).You only want to add the Root CA if you have self signed certificates.
Here is a workflow with storing the certs in Azure Key Vault: https://techblog.buzyka.de/2021/02/make-lets-encrypt-certificates-love.html
Another Workflow here describes adding certs with ACME challenges: https://intelequia.com/blog/post/1012/automating-azure-application-gateway-ssl-certificate-renewals-with-let-s-encrypt-and-azure-automation
We have a wildcard certificate from DigiCert that is installed on our aks instance, and it works fine for IE and Chrome, but firefox has huge issues with it, not trusting the site. When I run the site through an SSL Checker, it indicates that
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.
These are the instructions followed to install the certs originally:
Install the SSL Certificate into Each Namespace
Export the certificate from the pfx file
You will need openssl for this. This is the best resource I could find for installing and using it in Windows 10.
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.txt
Open .txt file and remove the header (i.e. keep from -----BEGIN CERTIFICATE----- through to the bottom)
Export the private key from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.txt
Open .txt file and remove the header (i.e. keep from -----BEGIN ENCRYPTED PRIVATE KEY----- through to the bottom)
Remove the passphrase from the private key
openssl rsa -in key.txt -out server.txt
Create the secrets
Connect to the kube through azure's cli, then run the command:
az aks get-credentials -g aks-rg -n clustername
to merge the kube to your kubectl cli.
If you need to remove previously installed certs, you should run the following commands:
kubectl delete secret clustername-tls --namespace dev
kubectl delete secret clustername-tls --namespace test
kubectl delete secret clustername-tls --namespace uat
kubectl delete secret clustername-tls --namespace prod
To create the new certs:
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace dev
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace test
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace uat
kubectl create secret tls clustername-tls --key server.txt --cert cert.txt --namespace prod
What was missed to correctly install the intermediate cert?
are you using this secret as tls-secret in ingress.
you have to implement ingress with ingress controller and you have to use your secret there inside the path.
you can follow this guide to set up the ingress-nginx controller with cert-manager.
ingress nginx will work as the load balancer and expose the application to internet. certmanager will work as managing the ssl and tls certificate.
cert-manager automatically generate the ssl certifiacate and manage it.
please follow this : https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
I'm trying to automate my infrastructure using puppet with Azure.
I've created my puppet master using puppet enterprise VM from gallery on Azure. After that, I've generated a certificate running the following commands:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout cert.pem -out cert.pem
sudo openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer
Then, I've uploaded my cert file to Azure Management Portal and finally, I've create a VM with the following command:
puppet azure_vm create --management-certificate /tmp/cert.pem --azure-subscription-id=xxxxxx --image 0b11de9248dd4d87b18621318e037d37__RightImage-Ubuntu-12.04-x64-v13.4 --location 'west us' --vm-name puppetslave --vm-user xxxx --password xxxxx --puppet-master-ip 23.102.xxx.xxx
Finally, I've exported my private key using PuttyGen and I'm using it to connect to my new linux vm. Unfortunately, I'm getting the following error:
server refused out key
And I don't know why. I'm stuck at this point and don't know how to proceed.