Where to centralise SSL certificates in Azure? - azure

We have our own certificate (.pfx) issued by an authority before using Azure. We are now using Azure and would like to be able to use this certificate for all our app services.
I know we can upload them in the "SSL settings" section of the app service. But the problem is that we have to upload it in every single app service that we have. If we renew our certificates we need to go through all the apps and upload the new certificate again one by one.
What I am looking for is a place (like "App Service Certificates") where we can upload our certificate once and let the apps use it. It's ideal for us not to change apps if we renew our certificate and upload it again in that centralised place, wherever it is.
In the "App Service Certificates" blade, I see that we can only order a certificate and can't upload our own certificate. Is it even possible to do it there or should I be looking at some custom solutions?
BTW, we are using ARM templates to deploy our infrastructure and app services; any hints in ARM templates regarding SSL would be appreciated.

You can use Key Vault and pull certificates from it using ARM templates (they have to be in the same subscription though). You can use this snippet:
{
    "type": "Microsoft.Web/certificates",
    "name": "[parameters('certificateName')]",
    "apiVersion": "2016-03-01",
    "location": "[parameters('location')]",
    "properties": {
        "keyVaultId": "[parameters('existingKeyVaultId')]",
        "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]"
    }
},
https://github.com/Azure/azure-quickstart-templates/blob/master/webapp-keyvault-ssl/azuredeploy.json
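The answer above shows only the certificate resource. The template below is an added example (not the answer's code and not the linked quickstart) that carries the idea through: one certificate held in Key Vault, imported once into the App Service resource provider, and bound to a site's custom hostname so TLS is served with it. Parameter names (`siteName`, `hostName`, `certificateName`, `existingKeyVaultId`, `existingKeyVaultSecretName`, `serverFarmId`) are assumptions for this example; the site and the App Service plan are assumed to exist already in the same resource group. Two prerequisites that the template cannot express: the vault must be in the same subscription, and the App Service resource provider's service principal (Microsoft's documented appId `abfa0a7c-a6b6-4736-8310-5855508787cd`) needs `get` permission on secrets and certificates in that vault, otherwise the certificate import fails.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "siteName": {
            "type": "string",
            "metadata": { "description": "Existing App Service (assumption: same resource group as this deployment)" }
        },
        "hostName": {
            "type": "string",
            "metadata": { "description": "Custom domain already added to the site, e.g. www.contoso.example (placeholder)" }
        },
        "certificateName": {
            "type": "string",
            "metadata": { "description": "Name of the Microsoft.Web/certificates resource; must be unique in the resource group" }
        },
        "existingKeyVaultId": {
            "type": "string",
            "metadata": { "description": "Resource ID of the Key Vault holding the imported .pfx; must be in the same subscription" }
        },
        "existingKeyVaultSecretName": {
            "type": "string",
            "metadata": { "description": "Name of the certificate object in Key Vault (App Service reads it through the secret endpoint)" }
        },
        "serverFarmId": {
            "type": "string",
            "metadata": { "description": "Resource ID of the App Service plan the certificate is deployed into" }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Web/certificates",
            "apiVersion": "2016-03-01",
            "name": "[parameters('certificateName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "keyVaultId": "[parameters('existingKeyVaultId')]",
                "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]",
                "serverFarmId": "[parameters('serverFarmId')]"
            }
        },
        {
            "type": "Microsoft.Web/sites/hostNameBindings",
            "apiVersion": "2018-11-01",
            "name": "[concat(parameters('siteName'), '/', parameters('hostName'))]",
            "dependsOn": [
                "[resourceId('Microsoft.Web/certificates', parameters('certificateName'))]"
            ],
            "properties": {
                "sslState": "SniEnabled",
                "thumbprint": "[reference(resourceId('Microsoft.Web/certificates', parameters('certificateName'))).Thumbprint]"
            }
        }
    ]
}
```

The thumbprint is taken from the deployed certificate resource with `reference()` rather than typed in, so the binding cannot drift from the certificate it is supposed to use. Every other site that should share the certificate gets the same two resources with its own `siteName` and `hostName`; when the certificate in Key Vault is renewed, App Service's periodic sync (described further down this page) picks up the new version without editing the template, and the `Microsoft.Web/certificates` resource itself holds no private key material in the deployment parameters, unlike the `pfxBlob` variant.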

Related

Problem deploying pfx certificate with ARM to Azure, InternalServerError

So, I'm trying to deploy a certificate to Azure using an ARM template (currently using Bicep).
I have received my .cer files from Sectigo, generating a pfx file using openssl seems to work fine since the generated pfx is possible to add using the Azure portal on my FunctionApp.
But when I try to deploy it using the ARM template I get this error:
{
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
    "details": [
        {
            "code": "InternalServerError",
            "message": "There was an unexpected InternalServerError. Please try again later. x-ms-correlation-request-id: f25b9b70-e931-4e19-b010-cc1907cdcbcc"
        }
    ]
}
The deployment looks like this:
{
    "type": "Microsoft.Web/certificates",
    "apiVersion": "2016-03-01",
    "name": "xxx20220609",
    "location": "[resourceGroup().location]",
    "properties": {
        "pfxBlob": "[parameters('certificatePfx')]",
        "password": "[parameters('certificatePassword')]"
    }
}
The certificatePassword is provided as a parameter and is the same as when I import it manually.
The certificatePfx is produced by just reading the bytes from the pfx file and base64 encoding them, which I've done using C#:
Convert.ToBase64String(File.ReadAllBytes(@"[pfx-file-path]"))
Any idea on what the InternalServerError could be about?
Please check the points below, as I was making these mistakes in my test application:
• In my environment I discovered that the certificate binding to the host's name must be done via two templates instead of one, because we cannot have two operations against the same type within an ARM template.
• I was also getting a subsequent validation error, which was occurring due to the domain name containing upper case letters. Once I altered that, I was successfully able to issue an app service with a managed certificate via an ARM template.
Funny thing. Tried exporting the certificate again, with another password. This time it worked.

How to Create Web Site ARM Template with Managed Identity?

I am attempting to create Azure Resource Manager templates for several web sites that read secrets from a key vault. In reading How to use managed identities for App Service and Azure Functions, the documentation states that the web site ARM template should contain the following upon creation for authenticating with a key vault:
"identity": {
    "type": "SystemAssigned"
}
Once the web site is created, the identity section changes to the following:
"identity": {
    "type": "SystemAssigned",
    "tenantId": "<TENANTID>",
    "principalId": "<PRINCIPALID>"
}
Does this mean that after running the ARM templates to create the web sites that I have to go back into the ARM template(s) and update the identity section for every site so that I can run the ARM templates to update the sites if need be?
No, you don't have to do that. That is expected. It will not delete that. Just rerun it and nothing will change.

How do I renew an SSL certificate using ARM templates?

I have an application in its own resource group in Azure that was provisioned using Azure Resource Management templates.
When I try to replace the SSL certificate by changing the pfxBlob to the base64 string of the renewed certificate .PFX file and then deploy the template, everything appears to work correctly.
{
    "type": "Microsoft.Web/certificates",
    "name": "[variables('appService_name')]",
    "apiVersion": "2016-03-01",
    "location": "[parameters('resourceLocation')]",
    "properties": {
        "pfxBlob": "[parameters('sslCertificateData')]",
        "password": "[parameters('sslCertificatePassword')]"
    }
}
There are no errors, but when I check in the Azure portal, the certificate has not been updated and continues to show the details of the old certificate.
I can manually upload the certificate through the Azure portal (although it appears as a second certificate), so I'm certain there is no issue with the certificate.
Is it possible to overwrite an existing certificate using ARM templates?

Azure webapp not updating certificate on keyvault

I have a webapp running on Azure and it gets its SSL certificate from Keyvault.
I've updated the certificate on keyvault a week ago and the web app is still using the old one.
According to the Azure docs, the web app checks for new certificates regularly.
Here is what I see on Azure KeyVault -> Certificates:
Here is the certificate on my webapp:
The certificate was attached with an Azure ARM template:
{
    "type": "Microsoft.Web/certificates",
    "name": "[parameters('environmentConfiguration').Certificate]",
    "apiVersion": "2016-03-01",
    "location": "[resourceGroup().location]",
    "properties": {
        "keyVaultId": "[variables('keyVaultId')]",
        "keyVaultSecretName": "[parameters('environmentConfiguration').Certificate]",
        "serverFarmId": "[resourceId(variables('serverFarmResourceGroup'), 'Microsoft.Web/serverfarms', variables('serverFarmName'))]"
    }
}
How do I troubleshoot this kind of problem?
The web app is still using the old one after you updated it a week ago. The possible cause is as below:
The Web Apps feature of Azure App Service runs a background job every eight hours and syncs the certificate resource if there are any changes. When you rotate or update a certificate, sometimes the application is still retrieving the old certificate and not the newly updated certificate. The reason is that the job to sync the certificate resource hasn't run yet.
Solution:
You can force a sync of the certificate. Select the certificate from App Service Certificates. Select Rekey and Sync, and then select Sync. The sync takes some time to finish. When the sync is completed, you see the following notification: "Successfully updated all the resources with the latest certificate."
Update
Please verify if the configuration of the new certificate is correct referring to this.
Please check the Prerequisites, Deploying Key Vault Certificate into Web App, and Rotating Certificate sections, referring to this blog: deploying Azure Web App Certificate through Key Vault.

Create SubscriptionCloudCredentials for WebSiteManagementClient without Azure AD Application

I'm looking for a simple solution to Authenticate and use the WebSiteManagementClient. The examples I've seen utilize an Azure AD Application to create the SubscriptionCloudCredentials required. I would prefer to create the SubscriptionCloudCredentials without the use of an AD Application.
If at all possible, I would prefer to just use the Web Deploy un/pw credentials found in the Publish Profile Settings XML (as I already have code that uses these to interact with the kudu api with basic auth)
I found this potential solution that instead uses a management certificate (more info). But again, if at all possible, I would prefer to just use the Web Deploy un/pw.
(I understand the management cert is at a subscription level, and the Web Deploy un/pw are at a App Service/WebSite instance level. I'm just stating what my desired solution would look like.)
Management certificates allow you to authenticate only with the classic deployment (Azure Service Management) model and not the Azure Resource Management deployment model.
If your web app is not created using the classic deployment model, you'll need a TokenCloudCredential instead of the CertificateCloudCredential.
Technically, you can still create Certificate-based SubscriptionCloudCredentials but it will only work with Azure web app created with the classic deployment model.
I would prefer to just use the Web Deploy un/pw.
If you want to upload a certificate to an Azure Web App during Web Deploy, then we can use an ARM template; for more details please refer to the document.
{
    "name": "[parameters('certificateName')]",
    "apiVersion": "2014-04-01",
    "type": "Microsoft.Web/certificates",
    "location": "[resourceGroup().location]",
    "properties": {
        "pfxBlob": "pfx base64 blob",
        "password": "some pass"
    }
}
About how to create SubscriptionCloudCredentials with a certificate and how to create a customized cert, I did a demo for it. For more details please refer to another SO thread.
If we try to run the project on Azure, please refer to the document Using Certificates in Azure Websites Applications. Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application.
So we also need to add the AppSetting in the ARM template; for more detailed info please refer to the document.
{
    "name": "appsettings",
    "type": "config",
    "apiVersion": "2015-08-01",
    "dependsOn": [
        "[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
    ],
    "tags": {
        "displayName": "WebAppSettings"
    },
    "properties": {
        "WEBSITE_LOAD_CERTIFICATES": "thumbprint"
    }
}
  
{
"name": "appsettings",
    "type": "config",
    "apiVersion": "2015-08-01",
    "dependsOn": [
        "[concat('Microsoft.Web/sites/', variables('webSiteName'))]"
    ],
    "tags": {
        "displayName": "WebAppSettings"
    },
    "properties": {
        " WEBSITE_LOAD_CERTIFICATES ": "thumbprint "
    }
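The two fragments in the answer above leave the thumbprint to be typed by hand and the PFX password as a plain string. The template below is an added example (not the answer's code and not from the linked document) that joins them: the certificate is uploaded from a `securestring` parameter, and `WEBSITE_LOAD_CERTIFICATES` is filled from the deployed certificate's thumbprint via `reference()`, so the app loads exactly the certificate that was deployed. `siteName`, `certificateName`, `certificatePfx` and `certificatePassword` are assumed parameter names, and the site is assumed to exist already in the same resource group.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "siteName": {
            "type": "string",
            "metadata": { "description": "Existing web app whose code will read the certificate from its store" }
        },
        "certificateName": {
            "type": "string",
            "metadata": { "description": "Name for the Microsoft.Web/certificates resource" }
        },
        "certificatePfx": {
            "type": "securestring",
            "metadata": { "description": "Base64 of the .pfx bytes; securestring keeps it out of the deployment history" }
        },
        "certificatePassword": {
            "type": "securestring",
            "metadata": { "description": "Password the .pfx was exported with" }
        }
    },
    "resources": [
        {
            "type": "Microsoft.Web/certificates",
            "apiVersion": "2016-03-01",
            "name": "[parameters('certificateName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "pfxBlob": "[parameters('certificatePfx')]",
                "password": "[parameters('certificatePassword')]"
            }
        },
        {
            "type": "Microsoft.Web/sites/config",
            "apiVersion": "2018-11-01",
            "name": "[concat(parameters('siteName'), '/appsettings')]",
            "dependsOn": [
                "[resourceId('Microsoft.Web/certificates', parameters('certificateName'))]"
            ],
            "properties": {
                "WEBSITE_LOAD_CERTIFICATES": "[reference(resourceId('Microsoft.Web/certificates', parameters('certificateName'))).Thumbprint]"
            }
        }
    ]
}
```

One caveat when copying this into a real template: deploying `Microsoft.Web/sites/config` with the name `appsettings` replaces the site's entire app-settings collection, so every other setting the app needs has to be listed in the same `properties` object or it will be removed on deployment.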
