Azure / Azure-Spring-Apps

Azure Spring Cloud
MIT License

Can't import Key Vault Certificate into Spring Apps as both a Public and Private Certificate #46

Closed bryandx closed 1 year ago

bryandx commented 1 year ago

We have our DigiCert Certificate in the Azure Key Vault. We need to utilize this certificate in all of our Azure Spring Apps in 2 different ways:

  1. Load the certificate into each Spring App's trust store, which requires the certificate to be imported as a Public Certificate into Azure Spring Apps certificates. We are using this terraform resource to do this: https://learn.microsoft.com/en-us/azure/templates/microsoft.appplatform/spring/apps?pivots=deployment-language-terraform - this json:

     ```hcl
     loadedCertificates = [
       {
         resourceId     = var.spring_service_simon_certificate_id
         loadTrustStore = true
       }
     ]
     ```

  2. Use the certificate to bind to the app's custom domain name. We are using the Azure App Gateway and we need to have end-to-end TLS support from the Gateway to our Spring app. In order to do this the certificate needs to be imported as a Private Certificate into Azure Spring Apps certificates.

We can successfully import the certificate into Azure Spring Apps certificates as either a Public or Private certificate. However, when you try to import as the other one (so if you have it imported as Public and want to import it as Private), the import fails because the fingerprint already exists. An example of the error is:

Failed to import key vault cert: simon-wildcard-exp-7-23-2023.Reason: {"id":"subscriptions/xxx/resourceGroups/rg-lzcorpspring-prod-cus-01/providers/Microsoft.AppPlatform/locations/centralus/operationStatus/spring-lzcorpspring-prod-cus-01/operationId/844634b7-95b1-4eb5-82e6-e2abd5c616e1","name":"844634b7-95b1-4eb5-82e6-e2abd5c616e1","status":"Failed","startTime":"2023-05-02T12:38:21.7696125Z","endTime":"2023-05-02T12:38:28.1696948Z","error":{"code":"InternalServerError","message":"111077: Certificate with thumbprint 'e36e70ece24782ced93139dd8239f3ab70c24538' already existed"}}

To Reproduce

Steps to reproduce the behavior, using the Azure Portal:

  1. Import a certificate into a Key Vault
  2. Go into an Azure Spring Apps service and import that certificate as a Private Certificate
  3. Then try to import the same key vault certificate as a Public Certificate and you will receive the error

Expected behavior

The same Key Vault certificate should be able to be imported twice so it can be used for the 2 different use cases.

Can we contact you for additional details? Y
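A small diagnostic for the collision described above, added here as an example and not part of the original issue or of the Azure Spring Apps project: it pulls the thumbprint out of the `error.message` field of the operation status quoted in the report and compares it with the thumbprint of the PEM certificates you hold, so you can tell which already-imported certificate the new import is colliding with. It assumes, as Key Vault and Azure Spring Apps do for the value they display, that the thumbprint is the SHA-1 hash of the certificate's DER encoding. The `SAMPLE_PEM` in the block wraps constructed placeholder bytes, not a real certificate; replace it with the PEM exported from Key Vault.

```python
"""Match the thumbprint Azure Spring Apps reports in a "Certificate with
thumbprint ... already existed" error against local PEM certificates.

Added example; not code from the original issue or from Azure.
Assumption: the reported thumbprint is hex(SHA-1(DER)) of the certificate.
"""
import base64
import hashlib
import re
from typing import Dict, Optional

# The "error" object of the operation status quoted in the issue report.
ERROR_PAYLOAD = {
    "status": "Failed",
    "error": {
        "code": "InternalServerError",
        "message": "111077: Certificate with thumbprint "
                   "'e36e70ece24782ced93139dd8239f3ab70c24538' already existed",
    },
}

# Constructed placeholder DER bytes (NOT a real X.509 certificate) so the
# block runs offline; the thumbprint logic only needs the raw DER bytes.
_FAKE_DER = b"constructed placeholder DER bytes, not an X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_THUMBPRINT_RE = re.compile(r"thumbprint '([0-9A-Fa-f]{40})'")
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def thumbprint_from_error(payload: dict) -> Optional[str]:
    """Return the 40-hex SHA-1 thumbprint quoted in the error message, lowercased."""
    message = payload.get("error", {}).get("message", "")
    match = _THUMBPRINT_RE.search(message)
    return match.group(1).lower() if match else None


def der_from_pem(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string into DER bytes."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def thumbprint_from_pem(pem: str) -> str:
    """SHA-1 over the DER encoding, which is what Azure shows as the thumbprint."""
    return hashlib.sha1(der_from_pem(pem)).hexdigest()


def find_conflicting(payload: dict, candidates: Dict[str, str]) -> Optional[str]:
    """Name of the candidate PEM whose thumbprint matches the error, or None.

    `candidates` maps a label (e.g. the Key Vault certificate name) to its PEM.
    """
    wanted = thumbprint_from_error(payload)
    if wanted is None:
        return None
    for name, pem in candidates.items():
        if thumbprint_from_pem(pem) == wanted:
            return name
    return None


if __name__ == "__main__":
    print("reported:", thumbprint_from_error(ERROR_PAYLOAD))
    print("sample  :", thumbprint_from_pem(SAMPLE_PEM))
    print("conflict:", find_conflicting(ERROR_PAYLOAD, {"simon-wildcard": SAMPLE_PEM}))
```

With the placeholder PEM the lookup reports no conflict, because the constructed bytes do not hash to the thumbprint in the error; with the real exported certificate it names the entry that is already registered, which is exactly the certificate the report says was imported once as Private and refused as Public.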

Descatles commented 1 year ago

Hi, @bryandx Thanks for your comment! You are right, it does not make sense to restrict this kind of scenario. We are planning to fix it these days and the release will be finished at the end of May.

bryandx commented 1 year ago

I was curious about the status of this. Did it get in the release by the end of May? I'm assuming it didn't since the issue is still open. This is a blocker preventing us from being able to finalize our Test environment for our first app deployed to Azure Spring Apps.

Descatles commented 1 year ago

Hi, @bryandx The fix has already been released. You could have a try.