Open sanjaydebnath opened 3 years ago
network
Ok, my certificate in AKV for root-cert is a chain certificate. I see that the app gty root cert has to be a .cer file for the root certificate of my chain cert. Is there a different way of enabling auto rotation for root-cert in that case, rather than manually uploading? My app gty is WAF_v2.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.
Author: | sanjaydebnath |
---|---|
Assignees: | msyyc |
Labels: | `Network`, `OKR3.2 Candidate`, `Service Attention`, `feature-request` |
Milestone: | S185 |
Hi @service team, according to the description, it seems this needs support from the service to allow this kind of certificate.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @appgwsuppgithub.
Author: | sanjaydebnath |
---|---|
Assignees: | msyyc |
Labels: | `Network - Application Gateway`, `Service Attention` |
Milestone: | Backlog |
Hi, I'm having the same issue. Adding regular ssl-certs from key vault works, but adding a root-cert does not. Maybe it's related to the fact that the root-cert cannot be added as a "certificate" to key vault (because there is no key), but instead must be added as a "secret"? In any case, the only way I found for me was to add the root cert to the gateway by direct upload instead of a key vault reference, which I consider an intermediate "workaround", but not a solution.
Same problem: the az cli has the `--keyvault-secret` argument for the `az network application-gateway root-cert create` command, but I get Code: ApplicationGatewayTrustedRootCertificateInvalidData.
If I use the file directly instead of the secret in Key Vault it works.
And I have to get it from a Key Vault secret because apparently you can't add trusted root certificates as Key Vault certificates.
So not sure what the format is once you have it in the Key Vault secret, but I imagine something is not ok there.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.
Author: | sanjaydebnath |
---|---|
Assignees: | kairu-ms |
Labels: | `Network`, `Service Attention`, `Network - Application Gateway` |
Milestone: | - |
I can confirm I'm having this issue too.
I'm able to upload .cer root certificates via clickOps on my App Gateway but cannot automate my deployment from key vault, resulting in:
```json
{
  "code": "ApplicationGatewayTrustedRootCertificateInvalidData",
  "message": "Data for certificate /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/trustedRootCertificates/<certname> is invalid."
}
```
Facing the above issue when the root certificate is referenced from the Key Vault:

```json
{
  "code": "ApplicationGatewayTrustedRootCertificateInvalidData",
  "message": "Data for certificate <full-resource-id>trustedRootCertificates/root-cert is invalid."
}
```
Hi All,
Today I successfully added a root-cert to an Application Gateway (WAF V2) from a secret stored in a Key Vault.
Add the secret to the key vault.

```shell
az keyvault secret set --name Internal-CA-Chain-base64 --vault-name My-KeyVault --subscription My-Sub --file Internal-CA-Chain.cer --encoding base64
```
Internal-CA-Chain.cer is a PEM file with Root and two Intermediates like so:

```
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
```

In order like so:

- Issuer: RootCA, Subject: RootCA
- Issuer: RootCA, Subject: InterCA
- Issuer: InterCA, Subject: IssuingCA
Once the secret is created, retrieve the secret ID.

```shell
$ az keyvault secret list --vault-name My-KeyVault --subscription My-Sub --output json --query "[].{Name:name,ID:id}"
[
  {
    "ID": "https://my-keyvault.vault.azure.net/secrets/Internal-CA-Chain-base64",
    "Name": "Internal-CA-Chain-base64"
  }
]
```
Add the root-cert to the application gateway.

```shell
az network application-gateway root-cert create --keyvault-secret 'https://my-keyvault.vault.azure.net/secrets/Internal-CA-Chain-base64' --name Internal-CA-Chain --gateway-name My-AppGW --resource-group My-ResGroup --subscription My-Sub
```
List the root-certs installed on the application gateway.

```shell
az network application-gateway root-cert list --gateway-name My-AppGW --resource-group My-ResGroup --subscription My-Sub --output json --query "[].{Name:name,ProvisioningState:provisioningState,KeyVaultSecretId:keyVaultSecretId}"
[
  {
    "KeyVaultSecretId": "https://my-keyvault.vault.azure.net/secrets/Internal-CA-Chain-base64",
    "Name": "Internal-CA-Chain",
    "ProvisioningState": "Succeeded"
  }
]
```
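A pre-flight check for the chain file before it goes into the secret, added here as my own example (not code from this thread or from the Azure CLI). It separates the input the working steps above use (PEM text holding only public CERTIFICATE blocks) from two common mismatches, a binary DER .cer and a file that also carries a private key, and converts a DER certificate into the PEM layout shown above. It assumes that `--encoding base64` stores the base64 of the raw file bytes; the DER sample bytes are constructed, not a real certificate.

```python
import base64
import re

# One PEM block: label in group 1, base64 body in group 2 (bytes regex, so \1 reuses the label).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_to_pem(der: bytes) -> bytes:
    """Wrap one DER certificate as a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def check_chain(data: bytes) -> dict:
    """Count the certificates in the file and list anything that departs from the
    working recipe above: PEM text holding only CERTIFICATE blocks (no keys)."""
    problems = []
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE as first byte: binary DER .cer, not PEM text
        return {"certs": 0, "problems": ["binary DER input; convert with der_to_pem first"]}
    certs = 0
    for label, body in PEM_BLOCK.findall(data):
        if label != b"CERTIFICATE":
            problems.append(f"{label.decode()} block present; a root-cert holds public certificates only")
            continue
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("CERTIFICATE block body is not valid base64")
            continue
        if der[:1] != b"\x30":
            problems.append("CERTIFICATE block does not decode to a DER SEQUENCE")
            continue
        certs += 1
    if certs == 0:
        problems.append("no CERTIFICATE blocks found")
    return {"certs": certs, "problems": problems}


def secret_value(data: bytes) -> str:
    """Assumed: `az keyvault secret set --file F --encoding base64` stores base64 of the raw file bytes."""
    return base64.b64encode(data).decode("ascii")


# Constructed stand-in for DER certificate bytes (a minimal ASN.1 SEQUENCE), not a real X.509 certificate.
FAKE_DER = bytes.fromhex("3003020101")
# Root followed by two intermediates, the layout shown in the comment above.
SAMPLE_CHAIN = der_to_pem(FAKE_DER) * 3
```

Run `check_chain` on the exact bytes of the file you pass to `--file`; a non-empty `problems` list is worth fixing before the root-cert create call rather than after it fails.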
I'm still facing this despite trying the above steps. Any updates for this issue?
Describe the bug
Command Name
az network application-gateway root-cert create
Errors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
```shell
az network application-gateway ssl-cert create -n frontend-tls --gateway-name $APP_GTY_NAME -g $AKS_RG_NAME --key-vault-secret-id $unversionedSecretId
az network application-gateway root-cert create --gateway-name $APP_GTY_NAME -g $AKS_RG_NAME --name backend-tls --keyvault-secret $unversionedSecretId2
```
Expected Behavior
Should work fine & pull the cert from KV. Surprisingly the frontend cert works but the backend one fails to be created. I don't want to manually upload the cert as that breaks the auto rotation ideally.
Environment Summary
```
azure-cli 2.17.1 *
Extensions:
account 0.2.1
aks-preview 0.4.72
application-insights 0.1.13
kusto 0.2.0
```