azure-cli
az network application-gateway ssl-cert create not working with KV certificates
Describe the bug
az network application-gateway ssl-cert create --gateway-name *** --name test-cert --resource-group *** --key-vault-secret-id "https://***.vault.azure.net/certificates/certificate-name"
returns the following error:
Message: SecretId 'https://***.vault.azure.net/certificates/certificate-nam' specified in '/subscriptions/***/resourceGroups/***/providers/Microsoft.Network/applicationGateways/***/sslCertificates/test-cert' is invalid. Reason: The specified Key Vault URI doesn't properly reference a secret. A valid Key Vault URI should be in the following format: https://{keyvaultname}.{keyvaultdomain}/secrets/{secretname}. A secret version may optionally be appended as well.
But as per az cli documentation:
Related command
az network application-gateway ssl-cert create
Errors
above
Issue script & Debug output
above
Expected behavior
Allow using certificates from the Key Vault certificate store
Environment Summary
azure-cli 2.59.0
core 2.59.0 telemetry 1.1.0
Dependencies: msal 1.27.0 azure-mgmt-resource 23.1.0b2
Python location '/opt/az/bin/python3' Extensions directory '/home/runner/.azure/cliextensions'
Python (Linux) 3.11.8 (main, Mar 27 2024, 04:03:04) [GCC 11.4.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
above
Thank you for opening this issue, we will look into it.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.
@svaraksin-gd
I have found a workaround for now which seems to work.
You can change the URL of the certificate to have secrets instead of certificates, and the WAF is able to use the certificate.
So if you have https://vaultname.vault.azure.net/certificates/myCertificate, putting https://vaultname.vault.azure.net/secrets/myCertificate seems to succeed.
So in your example:
az network application-gateway ssl-cert create --gateway-name *** --name test-cert --resource-group *** --key-vault-secret-id "https://***.vault.azure.net/secrets/certificate-name"
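The workaround above, wrapped in a small helper added here (this is not part of the issue or of the azure-cli project): a POSIX shell function that rewrites a Key Vault certificate URI into the /secrets/ URI that Application Gateway accepts, keeps an optional version segment, passes an already-correct secret URI through unchanged, and refuses anything that is not a certificate or secret URI so a typo does not end up in the gateway configuration. It relies on Key Vault exposing each certificate's PFX/PEM through a secret of the same name. The vault name, certificate name, gateway and resource group values and the RUN_AZ guard are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not azure-cli project code.
# Application Gateway only accepts https://<vault>/secrets/<name>[/<version>];
# a Key Vault certificate's key material is reachable as a secret of the same name.

# to_secret_id URI
#   Prints the /secrets/ form of a Key Vault certificate URI.
#   A /secrets/ URI is printed unchanged. Anything else returns 1.
to_secret_id() {
  uri=$1
  case "$uri" in
    https://*/certificates/*) ;;                      # needs rewriting
    https://*/secrets/*) printf '%s\n' "$uri"; return 0 ;;   # already the accepted form
    *) printf 'not a Key Vault certificate or secret URI: %s\n' "$uri" >&2; return 1 ;;
  esac
  rest=${uri#https://}
  host=${rest%%/*}                                    # e.g. vaultname.vault.azure.net
  case "$host" in
    *.*) ;;
    *) printf 'unexpected Key Vault host: %s\n' "$host" >&2; return 1 ;;
  esac
  path=${rest#*/certificates/}                        # <name> or <name>/<version>
  name=${path%%/*}
  [ -n "$name" ] || { printf 'empty certificate name in %s\n' "$uri" >&2; return 1; }
  printf 'https://%s/secrets/%s\n' "$host" "$path"
}

# Constructed sample values (assumed, not from the issue).
CERT_URI="https://vaultname.vault.azure.net/certificates/myCertificate"
SECRET_ID=$(to_secret_id "$CERT_URI") || exit 1

# The actual az call is only executed when RUN_AZ=1, so the script is safe to
# run offline; otherwise it just shows the command it would run.
if [ "${RUN_AZ:-0}" = 1 ]; then
  az network application-gateway ssl-cert create \
    --gateway-name myGateway --resource-group myResourceGroup \
    --name test-cert --key-vault-secret-id "$SECRET_ID"
else
  printf 'would run: az network application-gateway ssl-cert create ... --key-vault-secret-id "%s"\n' "$SECRET_ID"
fi
```

The version segment is preserved because a pinned secret version (https://vaultname.vault.azure.net/secrets/myCertificate/<version>) is also accepted by the gateway, whereas the unversioned form tracks the latest version of the certificate.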