I am trying to add an SSL certificate secret to my Linux virtual machine in Azure. I am following this guide: https://learn.microsoft.com/en-us/powershell/module/az.compute/add-azvmsecret?view=azps-3.6.1
Now, according to the documentation, I need to perform this command from PowerShell:
Add-AzVMSecret -VM $VirtualMachine -SourceVaultId $SourceVaultId -CertificateStore $CertificateStore01 -CertificateUrl $CertificateUrl01
I have the following information:
$VirtualMachine
$SourceVaultId
$CertificateUrl01
However, I don't know the $CertificateStore01, which according to the documentation is the 'name of a certificate store on the virtual machine.' I haven't been able to find this from my virtual machine. Does anyone know how to get it?
I tried doing this as well:
$certURL=(Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $key).id
$vm=Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName
$vaultId=(Get-AzureRmKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "/etc/ssl/certs" -CertificateUrl $certURL
Update-AzureRmVM -ResourceGroupName $resourceGroup -VM $vm
but ended up with this error:
Update-AzVM: Parameter 'certificateStore' is not allowed.
ErrorCode: InvalidParameter
ErrorMessage: Parameter 'certificateStore' is not allowed.
ErrorTarget: certificateStore
StatusCode: 400
ReasonPhrase: Bad Request
EDIT: According to the official doc, Certificate Store parameter is only required for Windows VMs:
Specifies the name of a certificate store on the virtual machine that
runs the Windows operating system. This cmdlet adds the certificate to
the store that this parameter specifies. You can only specify this
parameter for virtual machines that run the Windows operating system.
https://learn.microsoft.com/en-us/powershell/module/az.compute/add-azvmsecret?view=azps-3.6.1#parameters
Related
I am trying to add an SSL certificate for my website hosted in a Linux Virtual Machine. I added the certificate successfully doing this:
$certURL=(Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $key).id
$vm=Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName
$vaultId=(Get-AzureRmKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateUrl $certURL
Update-AzureRmVM -ResourceGroupName $resourceGroup -VM $vm
Then, I checked that the certificate was added successfully:
az vm secret list --name $vmName --resource-group $resourceGroup
[
{
"sourceVault": {
"id": "/subscriptions/...."
},
"vaultCertificates": [
{
"certificateStore": null,
"certificateUrl": "https://name.vault.azure.net:443/secrets/ssl/123456ABCDFG (example)"
}
]
}
]
However, when I check in /var/lib/waagent/, I can't find the certificate 123456ABCDFG. I don't know where it is?
I just followed the Tutorial: Secure a web server on a Linux virtual machine in Azure with SSL certificates stored in Key Vault. When you create a VM, certificates and keys are stored in the protected /var/lib/waagent/ directory.
In fact, the SSL certificate is referenced by the version ID in certificateUrl; 123456ABCDFG is the CURRENT VERSION of your certificate in your key vault.
Check the Version
Check the certificate Thumbprint, the certificate is indeed there.
In addition, I validated your PowerShell commands with the Az module, and they also work on my side.
$certURL=(Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $key).id
$vm=Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$vaultId=(Get-AzKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
$vm = Add-AzVMSecret -VM $vm -SourceVaultId $vaultId -CertificateUrl $certURL
Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
Edit
If you would like to run scripts developed for the AzureRM module using the Az module, use the Enable/Disable-AzureRmAlias cmdlets to add or remove aliases from AzureRM cmdlets to Az cmdlets. Refer to more details here. The AzureRM module will be retired; it's recommended to use the new Az module.
I tested your old PowerShell commands as below:
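Added example, not part of the question or answer above and not Microsoft's code: a helper that passes -CertificateStore only for Windows VMs (the cause of the 400 error in the first question) and reports the thumbprint-named files to look for under /var/lib/waagent/ on a Linux VM, since the agent names them after the thumbprint and not after the secret version in certificateUrl. The function name is hypothetical, and it assumes the certificate is stored as a Key Vault certificate object so that Get-AzKeyVaultCertificate can return its SecretId and Thumbprint.

```powershell
# Added example. Add-KeyVaultCertificateToVM is a hypothetical helper name.
# Assumes the Az.Compute and Az.KeyVault modules, a signed-in session, and that
# the certificate is stored as a Key Vault *certificate* object.
function Add-KeyVaultCertificateToVM {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$VmName,
        [Parameter(Mandatory)][string]$KeyVaultName,
        [Parameter(Mandatory)][string]$CertificateName,
        # Only used for Windows VMs; 'My' is the personal store.
        [string]$WindowsCertificateStore = 'My'
    )

    $vm    = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
    $vault = Get-AzKeyVault -ResourceGroupName $ResourceGroup -VaultName $KeyVaultName
    $cert  = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertificateName
    $thumb = $cert.Thumbprint.ToUpper()

    # SecretId is the versioned secret URL (.../secrets/<name>/<version>).
    $secretArgs = @{
        VM             = $vm
        SourceVaultId  = $vault.ResourceId
        CertificateUrl = $cert.SecretId
    }

    # -CertificateStore is rejected for Linux VMs ("Parameter 'certificateStore'
    # is not allowed"), so pass it only when the OS disk is Windows.
    $vmIsWindows = $vm.StorageProfile.OsDisk.OsType -eq 'Windows'
    if ($vmIsWindows) {
        $secretArgs.CertificateStore = $WindowsCertificateStore
        $expected = "Cert:\LocalMachine\$WindowsCertificateStore\$thumb"
    } else {
        # On Linux the agent writes PEM files named after the thumbprint.
        $expected = "/var/lib/waagent/$thumb.crt", "/var/lib/waagent/$thumb.prv"
    }

    $vm = Add-AzVMSecret @secretArgs
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm | Out-Null

    [pscustomobject]@{
        OsType           = $vm.StorageProfile.OsDisk.OsType
        CertificateUrl   = $cert.SecretId
        Thumbprint       = $thumb
        ExpectedLocation = $expected
    }
}
```

On the Linux VM, the SHA-1 fingerprint that openssl x509 -noout -fingerprint prints for the .crt file should equal the reported thumbprint once the colons are removed.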
I am trying to create a URL in my $osDiskUri variable which will be used in the PowerShell command below. But I get the error "This operation is not supported for a relative URI"
$SourceMachineName = 'NewSource'
$DestinationBlobStorageURL = 'https://myblobstorage.blob.core.windows.net/vhds/'
$osDiskUri = '{0}{1}Fix.vhd' -f $DestinationBlobStorageURL, $SourceMachineName
Set-AzureRmVMOSDisk -VM $vmConfig -Name "myOsDisk" -VhdUri $osDiskUri -CreateOption Attach -Windows
But if I try to pass the hardcoded path in $osDiskUri, e.g. https://myblobstorage.blob.core.windows.net/vhds/OM-SourceFix.vhd, it works fine.
I did the test without getting the error and it works well. The result below:
So, you can check your storage account and script again.
I am trying to create a new VM in Azure RM based on the sysprepped capture of an existing VM installation. That is:
$urlOfCapturedImage = <I cannot find this>
...
$vm = Set-AzureRmVMOSDisk -VM $vm -Name $osDiskName -VhdUri $newOsDiskUri `
-CreateOption fromImage -SourceImageUri $urlOfCapturedImage -Windows
New-AzureRmVM -ResourceGroupName $resourceGroupName -Location $location -VM $vm
My current problem is finding the correct URL for the stored VM image, since it doesn't appear to be stored as a VHD blob in my storage account. Instead, I find it in the Images category, with the following, limited information:
I have tried using the following URL/URIs, but none of them work:
https://<storage-account-name>.blob.core.windows.net/system/Microsoft.Compute/Images/jira-7-sysprep-20170724133831.vhd
/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/images/jira-7-sysprep-20170724133831
Does anyone know how to get the proper URL for my VM image? Or could it simply be that I am using the wrong method altogether?
Does anyone know how to get the proper URL for my VM image?
For an Azure VM image, the VHD is managed by Azure; you cannot get the URL.
Your command is used to create a VM from a storage account. If you want to create a VM from an image, you could use the following command to create a VM from a custom image.
$image = Get-AzureRmImage `
-ImageName myImage `
-ResourceGroupName myResourceGroupImages
# Here is where we specify that we want to create the VM from an image and provide the image ID
$vmConfig = Set-AzureRmVMSourceImage -VM $vmConfig -Id $image.Id
$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $nic.Id
New-AzureRmVM `
-ResourceGroupName myResourceGroupFromImage `
-Location EastUS `
-VM $vmConfig
For more information about this, please refer to this link.
Lightly related to How to add an SSL certificate to an azure website using powershell?
I am trying to add a certificate to an Azure RM website via Powershell.
I don't think there is a direct Azure Powershell command, and it will need to be done via New-AzureRmResource
In the latest release of Azure PowerShell v 1.1.0, there are a number of new commands to handle SSL certificates in Azure Web Apps
You can upload the certificate and bind it to hostname using
New-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -CertificateFilePath PathToPfxFile -CertificatePassword PlainTextPwd -Name www.contoso.com
And then remove the binding but without removing the certificate. The app should be able to use it after you add an app setting referencing that cert (this should be done using the portal - the PowerShell command to do so will come soon - No ETA for now)
Remove-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -Name www.contoso.com -DeleteCertificate $false
Looking through the ARM Template the "Microsoft.Web/certificates" template takes a pfxblob and a password.
It seems the easiest way of obtaining a pfxblob is via New-AzureRmApplicationGatewaySslCertificate (thanks to @vigneshaj for the pointer). Reading the source, it seems that this is simply a local conversion cmdlet. So it doesn't matter that it is for an application gateway; all we need is the data it passes back.
$pfx = New-AzureRmApplicationGatewaySslCertificate -Name example `
-CertificateFile E:\PS\example.pfx `
-Password "bananas"
Once we have that data, we can simply plug it into New-AzureRmResource and it will create our certificate on Azure.
The small problem with this, is that if you're a cheapskate (like me) and you've obtained a free cert from that Chinese CA that gives sha256 certs, this process will strip off the certificate that signs pages with sha256, and so it falls back to TLS 1.2, which gives errors (on Chrome at least)
$ResourceLocation = "West Europe"
$ResourceName = "Newcertificate"
$PropertiesObject = @{
pfxBlob = $pfx.Data
password = $pfx.Password
}
New-AzureRmResource -Name $ResourceName -Location $ResourceLocation `
-PropertyObject $PropertiesObject `
-ResourceGroupName examplecomRG `
-ResourceType Microsoft.Web/certificates `
-ApiVersion 2015-08-01 -Force
The next job from there is configuring your Web App to use that cert. Because these properties are child objects of the hostNameSslStates array I created an inner hash table, and then attached that. I'm sure there's a more elegant way, but this worked!
$ResourceName = "ConfuseioWebapp"
$InnerPropertiesObject = @{
name = "www.example.com"
sslState = 1
thumbprint = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
}
$PropertiesObject = @{
"hostNameSslStates" = [Object[]]$InnerPropertiesObject
}
New-AzureRmResource -Name $ResourceName `
-Location $ResourceLocation `
-PropertyObject $PropertiesObject `
-ResourceGroupName examplecomRG `
-ResourceType Microsoft.Web/sites `
-ApiVersion 2015-08-01 -Force
And that is pretty much it.
I came across the below article, which configures SSL through powershell, by creating Azure Application Gateway
https://azure.microsoft.com/en-us/documentation/articles/application-gateway-ssl/
The most recent information I could find while scouring the net was a post 6 months old (back toward the original deployment of D-Series servers). How can you seamlessly upgrade an A-Series Azure VM to a D-Series Azure VM without a huge headache?
To find out what sizes are available in your Region (and see the InstanceSize naming scheme to use in PowerShell) use this PowerShell Cmdlet:
Get-AzureLocation | Where-Object {$_.DisplayName.Contains("<your-region>")}
View the VirtualMachineRoleSizes property to see what sizes you have access to.
To update a VM you can use the following set of commands:
Get-AzureVM -ServiceName <cloudservice> -Name <vmname> | Set-AzureVMSize -InstanceSize <sizevalue> | Update-AzureVM
If you run the above command on a running VM it will be restarted in order to provision it on the right host infrastructure to support your desired Series.
# To Upgrade or downgrade your Azure VM Plan you can use the following script
$ResourceGroupName = "CMLAB"
$VMName = "2007CMCEN"
$NewVMSize = "Standard_A5"
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
$vm.HardwareProfile.vmSize = $NewVMSize
Update-AzureRmVM -ResourceGroupName $ResourceGroupName -VM $vm