
Error Binding SSL Certificate to WebApp from keyvault

Open sahitya12 opened this issue 2 years ago • 4 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues


Terraform Version

">=0.13"

AzureRM Provider Version

"~>3.22.0"

Affected Resource(s)/Data Source(s)

azurerm_app_service_certificate_binding

Terraform Configuration Files

// Read the certificate from the (external) Key Vault.
data "azurerm_key_vault_certificate" "prod_certificate" {
  name         = "testing-certificate-for-cic"
  key_vault_id = data.azurerm_key_vault.production_keyvault.id
}

// Import the Key Vault certificate into App Service.
// key_vault_secret_id must be the ID (URL) of the secret that backs the
// certificate, not the resource ID of the vault itself, which is what the
// original post passed here; the data source above exports it as secret_id.
resource "azurerm_app_service_certificate" "cert" {
  name                = "testing-certificate-for-cic"
  resource_group_name = azurerm_resource_group.Terraform.name
  location            = azurerm_resource_group.Terraform.location
  key_vault_secret_id = data.azurerm_key_vault_certificate.prod_certificate.secret_id
}

// Now bind the webapp to the domain. 
resource "azurerm_app_service_custom_hostname_binding" "website_app_hostname_bind" {
  hostname            = "portal-staging-westeurope.jasoncontenttestingdomain.com"
  app_service_name    = azurerm_app_service.website_app.name
  resource_group_name = azurerm_resource_group.Terraform.name
}

// Now bind certificate to the webapp. 
resource "azurerm_app_service_certificate_binding" "bind_certificate_to_webapp" {
  hostname_binding_id = azurerm_app_service_custom_hostname_binding.website_app_hostname_bind.id
  ssl_state           = "SniEnabled"
  certificate_id      = azurerm_app_service_certificate.cert.id
}

Debug Output/Panic Output

│ Error: creating/updating Custom Hostname Certificate Binding "xxx" with certificate name "pltedevwebe201d" (App Service "xxxxxx" / Resource Group "xxxxxx"): web.AppsClient#CreateOrUpdateHostNameBinding: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="NotFound" Message="Cannot find Certificate with name xxxxxxxxxxxxx." Details=[{"Message":"Cannot find Certificate with name xxxxxxxxxxxxxxxx."},{"Code":"NotFound"},{"ErrorEntity":{"Code":"NotFound","ExtendedCode":"51004","Message":"Cannot find Certificate with name 3B67055B22278BBD37EFB016490AE1F6CCB3F0EC.","MessageTemplate":"Cannot find {0} with name {1}.","Parameters":["Certificate","3B67055B22278BBD37EFB016490AE1F6CCB3F0EC"]}}]

Expected Behaviour

No response

Actual Behaviour

No response

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

sahitya12 avatar Sep 20 '22 10:09 sahitya12

I would like to know what the use of the block below is; this doesn't add the certificate to the app service. Is there a way to specify the app service name?

resource "azurerm_app_service_certificate" "example" {
  name                = "example-cert"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  pfx_blob            = filebase64("certificate.pfx")
  password            = "terraform" # literal PFX password; in practice pass this in as a variable marked sensitive
}

sahitya12 avatar Sep 20 '22 12:09 sahitya12

"// Get Certificate from External KeyVault" works fine: azurerm_app_service_certificate runs successfully, and it is while doing azurerm_app_service_certificate_binding, using the certificate ID from azurerm_app_service_certificate, that I get the above error.

sahitya12 avatar Sep 20 '22 12:09 sahitya12

Thanks @sahitya12 for raising this issue. By saying "external keyVault", are you suggesting Azure Key Vault? Does the binding work if you upload the cert from local? As I see you are referring to Azure Key Vault: if you are referring to Azure Key Vault, please make sure your app has access to the key vault: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#granting-your-app-access-to-key-vault

xiaxyi avatar Sep 21 '22 16:09 xiaxyi

> I would like to know what the use of the block below is; this doesn't add the certificate to the app service. Is there a way to specify the app service name?
>
> resource "azurerm_app_service_certificate" "example" {
>   name                = "example-cert"
>   resource_group_name = azurerm_resource_group.example.name
>   location            = azurerm_resource_group.example.location
>   pfx_blob            = filebase64("certificate.pfx")
>   password            = "terraform"
> }

The cert will be uploaded to every function app inside the resource group.

xiaxyi avatar Sep 22 '22 03:09 xiaxyi

Hi @sahitya12, are you able to bind the cert, do you have any follow-up questions?

xiaxyi avatar Sep 28 '22 06:09 xiaxyi

Yes, able to do it now, thanks.

sahitya12 avatar Sep 30 '22 18:09 sahitya12

@sahitya12 Can you let me know how you resolved the issue? When I try to bind a cert on an app service, I get the same error as you. I assigned the required permission for the app service managed identity over the Key Vault; I assigned the Key Vault Admin RBAC role.

Error: Not found, cannot find certificate with name xxxxxxx. Error code: 51004

Thanks

bmnyc0923 avatar Dec 20 '22 22:12 bmnyc0923

Exactly the same error occurs for me

AccsoSG avatar Jan 19 '23 01:01 AccsoSG

Have you done these two actions?

  1. The Web App Resource Provider service principal "abfa0a7c-a6b6-4736-8310-5855508787cd" must have the "Key Vault Secrets User" role on the certificate within the Key Vault.

  2. The "Allow trusted Microsoft services to bypass this firewall" firewall exception should be set to "Yes" on the Key Vault (when IP restrictions are in place on the Key Vault).

rybal06 avatar Jan 20 '23 22:01 rybal06
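Expressed as Terraform, the two prerequisites rybal06 lists above look like the following. This is an added example, not configuration from the original issue or from the provider's own documentation. It assumes the azuread provider is configured next to azurerm (azuread >= 2.44, where the service principal data source takes `client_id`; older releases call the argument `application_id`), that the vault uses Azure RBAC for data-plane authorization rather than access policies, and that the resource group and certificate names match the original post; the vault is shown as a managed resource only so the `network_acls` setting is visible, and the IP range in it is a placeholder for the Terraform runner's egress address. The thread itself shows why the app's own managed identity is not enough (bmnyc0923 granted it Key Vault Admin and still got the 51004 error): the import is performed by the App Service resource provider's principal, so that is the identity that needs the role.

```hcl
# Added example (not from the issue): prerequisites for importing a Key Vault
# certificate into App Service when the vault uses RBAC and a firewall.

data "azurerm_client_config" "current" {}

# The first-party "Microsoft Azure App Service" application has a fixed
# application (client) ID in every tenant, but its service principal's object
# ID differs per tenant, so look it up instead of hard-coding it.
data "azuread_service_principal" "app_service_rp" {
  client_id = "abfa0a7c-a6b6-4736-8310-5855508787cd" # "application_id" on azuread < 2.44
}

resource "azurerm_key_vault" "production" {
  name                      = "kv-prod-certs" # assumed name
  location                  = azurerm_resource_group.Terraform.location
  resource_group_name       = azurerm_resource_group.Terraform.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true # data-plane access is decided by role assignments, not access policies

  network_acls {
    default_action = "Deny"
    # Portal wording: "Allow trusted Microsoft services to bypass this firewall" = Yes.
    # Without this the App Service RP cannot reach the vault once default_action is Deny.
    bypass = "AzureServices"
    # The Terraform runner must still be able to read the certificate data source,
    # so its egress range has to be allowed explicitly (TEST-NET-3 placeholder).
    ip_rules = ["203.0.113.0/24"]
  }
}

data "azurerm_key_vault_certificate" "prod_certificate" {
  name         = "testing-certificate-for-cic"
  key_vault_id = azurerm_key_vault.production.id
}

# Least privilege: "Key Vault Secrets User" (App Service reads the PFX as the
# secret that backs the certificate), scoped to that one secret rather than
# to the whole vault. azurerm_key_vault.production.id alone also works as the
# scope, but then the RP can read every secret in the vault.
resource "azurerm_role_assignment" "app_service_rp_reads_cert" {
  scope                = "${azurerm_key_vault.production.id}/secrets/${data.azurerm_key_vault_certificate.prod_certificate.name}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azuread_service_principal.app_service_rp.object_id
}

resource "azurerm_app_service_certificate" "cert" {
  name                = "testing-certificate-for-cic"
  resource_group_name = azurerm_resource_group.Terraform.name
  location            = azurerm_resource_group.Terraform.location
  key_vault_secret_id = data.azurerm_key_vault_certificate.prod_certificate.secret_id

  # Nothing else in the graph orders the role assignment before the import,
  # and RBAC propagation is not instantaneous, so make the dependency explicit.
  depends_on = [azurerm_role_assignment.app_service_rp_reads_cert]
}
```

To confirm the assignment landed on the expected principal before running the apply that creates the binding, `az role assignment list --assignee abfa0a7c-a6b6-4736-8310-5855508787cd --all -o table` lists every assignment held by the App Service RP in the subscription, including ones at the secret-level scope used here.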

Was able to fix it, thank you.

sahitya12 avatar Mar 13 '23 14:03 sahitya12

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Apr 13 '23 02:04 github-actions[bot]