
Can't figure out permissions

Open ephraimm opened this issue 9 years ago • 10 comments

I'm getting the following exception after clicking "Request & Install Cert". What am I missing?

The client 'XXXXXXX-cb8f-4c98-aee2-XXXXXXXX' with object id 'XXXXXX-cb8f-4c98-aee2-XXXXXX' does not have authorization to perform action 'Microsoft.Web/certificates/write' over scope '/subscriptions/XXXXXXX-8eb9-44c7-8a23-XXXXXXX/resourceGroups/xxxxxxx-Resources/providers/Microsoft.Web/certificates/xxxxx.xxxxxxxxx.com'.

Microsoft.Azure.Management.WebSites.<CreateOrUpdateCertificateWithHttpMessagesAsync>d__7.MoveNext() +3426
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
Microsoft.Azure.Management.WebSites.<CreateOrUpdateCertificateAsync>d__5.MoveNext() +237
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
Microsoft.Azure.Management.WebSites.CertificatesOperationsExtensions.CreateOrUpdateCertificate(ICertificatesOperations operations, String resourceGroupName, String name, Certificate certificateEnvelope) +168
LetsEncrypt.SiteExtension.Core.CertificateManager.Install(Target target, String pfxFilename, X509Certificate2 certificate) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:466
LetsEncrypt.SiteExtension.Core.CertificateManager.Auto(Target binding) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:450
LetsEncrypt.SiteExtension.Core.CertificateManager.RequestAndInstallInternal(Target target) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:244
LetsEncrypt.SiteExtension.Controllers.HomeController.Install(RequestAndInstallModel model) +604
lambda_method(Closure , ControllerBase , Object[] ) +104

ephraimm avatar Jun 09 '16 15:06 ephraimm

Did you assign permission to the Azure AD service principal (the AD application) on the Azure resource group?

sjkp avatar Jun 10 '16 09:06 sjkp

Great, thank you, I assigned permission to the app and not the resource group. I noticed it only issues a 90-day certificate. Is it possible to get a longer expiry issued?


ephraimm avatar Jun 11 '16 16:06 ephraimm

On first load after entering permission details: 'authority' Uri should have at least one segment in the path (i.e. https:////...) Parameter name: authority

One of my sites is a nodejs app; I get the following error: The Lets Encrypt ACME server was probably unable to reach http://xxxx.xxxxxss.co.za/.well-known/acme-challenge/xxxxxxxxxxxx_E-RlrYgX4zY1HTvla4l3zo_M0 view error report from Lets Encrypt at https://acme-staging.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxx7eDhCHPnKICeMECIDgMKAA for more information


ephraimm avatar Jun 11 '16 16:06 ephraimm

The app doesn't automatically fix node.js apps to make the challenge file browsable. You have to make the path http://xxxx.xxxxxss.co.za/.well-known/acme-challenge/xxxxxxxxxxxx_E-RlrYgX4zY1HTvla4l3zo_M0 browsable, how you do so depends on the node framework you are using.

sjkp avatar Jun 12 '16 19:06 sjkp

Just in case anyone else has this issue (like I just did), after you add it to the resource group like @sjkp says, and also to the app, go have a coffee or something. It took about an hour for the permissions to update.

WreckedAvent avatar Jul 04 '16 02:07 WreckedAvent

Same issue as @WreckedAvent but it was about ~15 mins until the call auth'd successfully.

cottsak avatar Jul 18 '18 08:07 cottsak

@cottsak thanks for reporting, I don't think this should happen, will have to investigate. Can you provide info about whether you use one or multiple resource groups, then I can better reproduce.

sjkp avatar Jul 18 '18 08:07 sjkp

@sjkp I initially tried by only making the app a Contributor role on a single resource group and Read on the subscription. But when I got the auth failures I then made it Contributor on the subscription too. So prob not good data to reproduce with. Sorry

cottsak avatar Jul 18 '18 08:07 cottsak

I landed here from a google search. If you apply some roles to a principal, wait a couple of hours before using it. I went to bed, and the next day the issue had disappeared. I was able to do it. @sjkp, maybe you could add to the docs: "Wait a little bit if error X happens if you are sure you have given permission etc etc"

regisbsb avatar Oct 20 '19 09:10 regisbsb

Due to a long story... I didn't have the right role in my Azure resource group. I got to the last step to request keys and was getting errors. During troubleshooting I made the request about 4 or 5 times.

Once I fixed it, I'm now getting: Error creating new order :: too many certificates already issued for exact set of domains... UGH

I get I need to wait a week to get more certs, but is there a way now that the certificates were issued that I can manually load them into Azure? Would REALLY appreciate help with this.

mileaminute avatar Nov 12 '19 00:11 mileaminute