Azure / azure-cli

Azure Command-Line Interface
MIT License

az network application-gateway root-cert create fails with keyvault url #16913

Open sanjaydebnath opened 3 years ago

sanjaydebnath commented 3 years ago

## Describe the bug

**Command Name** `az network application-gateway root-cert create`

**Errors:**

```
azure.core.pipeline.policies._universal : {
  "status": "Failed",
  "error": {
    "code": "ApplicationGatewayKeyVaultSecretException",
    "message": "Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway '/subscriptions/<removed>/resourceGroups/MC_<removed>-aks-test_westus2/providers/Microsoft.Network/applicationGateways/<removed>appgty-test'. See details below:",
    "details": [
      {
        "code": "ApplicationGatewayTrustedRootCertificateInvalidData",
        "message": "Data for certificate /subscriptions/<removed>/resourceGroups/MC_<removed>-aks-test_westus2/providers/Microsoft.Network/applicationGateways/<removed>-appgty-test/trustedRootCertificates/<removed>backendtls is invalid."
      }
    ]
  }
}

  <removed>File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-0cx4jf6i\azure\core\polling\base_polling.py", line 500, in run
azure.core.exceptions.HttpResponseError: (ApplicationGatewayKeyVaultSecretException) Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway '/subscriptions/<removed>/resourceGroups/MC_<removed>_westus2/providers/Microsoft.Network/applicationGateways/appgty-test'. See details below:

cli.azure.cli.core.azclierror : (ApplicationGatewayKeyVaultSecretException) Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway '/subscriptions/<removed>/resourceGroups/MC_<removed>_westus2/providers/Microsoft.Network/applicationGateways/appgty-test'. See details below:
(ApplicationGatewayKeyVaultSecretException) Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway '/subscriptions/<removed>/resourceGroups/MC_<removed>_westus2/providers/Microsoft.Network/applicationGateways/appgty-test'. See details below:
Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x035F3DB0>]
az_command_data_logger : exit code: 1
Command ran in 14.222 seconds (init: 0.230, invoke: 13.993)
telemetry.save : Save telemetry record of length 3321 in cach
```

## To Reproduce

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

- Create KV, add two certs with autorotation on for frontend & backend ssl in RG
- Create AKS cluster with AGIC using [this](https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-new-windows-cluster/)
- Create an identity separately in a different resource group to access KV certs & assign the same as App Gty identity too
- AGIC identity has "Managed Identity Operator" role on this new identity
- create ssl cert with `az network application-gateway ssl-cert create -n frontend-tls --gateway-name $APP_GTY_NAME -g $AKS_RG_NAME --key-vault-secret-id $unversionedSecretId`
- TRY to create root cert using same `az network application-gateway root-cert create --gateway-name $APP_GTY_NAME -g $AKS_RG_NAME --name backend-tls --keyvault-secret $unversionedSecretId2`
- The secret ids look like 'https://kvName.vault.azure.net/secrets/backendcert' & 'https://kvName.vault.azure.net/secrets/frontendendcert'

## Expected Behavior

Should work fine & pull the cert from KV. **Surprisingly the frontend cert works but the backend one fails to be created**. I don't want to manually upload the cert as that breaks the auto rotation ideally.

## Environment Summary

```
Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.17.1 *

Extensions:
account 0.2.1
aks-preview 0.4.72
application-insights 0.1.13
kusto 0.2.0
```


## Additional Context

Identity assigned to App Gty:

```
az network application-gateway identity show --gateway-name $APP_GTY_NAME -g $AKS_RG_NAME
{
  "principalId": null,
  "tenantId": null,
  "type": "userAssigned",
  "userAssignedIdentities": {
    "/subscriptions/{removed}/resourcegroups/test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/appgty-ssl-identity-test": {
      "clientId": "ebb81e58-{removed}",
      "principalId": "5d09d269-{removed}"
    }
  }
}
```

KV Access:

`appgty-ssl-identity-test` has access to get & list for all 3: secret, cert & key. And KV is set for all network access. Also to note the cert in KV is provided by a private CA authority.

yonzhan commented 3 years ago

network

sanjaydebnath commented 3 years ago

Ok my certificate in AKV for root-cert is a chain certificate. I see that the app gty root cert has to be cer file for the root certificate of my chain cert. Is there a different way of enabling auto rotation for root-cert in that case.... rather than manually uploading? My app gty is WAF_v2.

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

Author: sanjaydebnath
Assignees: msyyc
Labels: `Network`, `OKR3.2 Candidate`, `Service Attention`, `feature-request`
Milestone: S185
msyyc commented 3 years ago

Hi @service team, according to the description, it seems this needs support from the service to allow this kind of certificate.

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @appgwsuppgithub.

Phrow commented 3 years ago

Hi, I'm having the same issue. Adding regular ssl-certs from key vault works, but adding a root-cert does not. Maybe it's related to the fact that the root-cert cannot be added as "certificate" to key vault (because there is no key), but instead must be added as "secret"? In any case, the only way I found for me was to add the root cert to the gateway by direct upload instead of a key vault reference, which I consider an intermediate "workaround", but not a solution.

adin3d commented 2 years ago

same problem - the az cli has the `--keyvault-secret` argument for the `az network application-gateway root-cert create` command but I get Code: ApplicationGatewayTrustedRootCertificateInvalidData

If I use the file directly instead of the secret in keyvault it works

And I have to get it from a keyvault secret cause apparently you can't add trusted root certificates in Keyvault certificates

So not sure how the format is once you have it in the keyvault secret but I imagine something is not ok there

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.

pmontanaro commented 2 years ago

I can confirm I'm having this issue too.

I'm able to upload .cer root certificates via clickOps on my App Gateway but cannot automate my deployment from key vault, resulting in:

```
{
  "code": "ApplicationGatewayTrustedRootCertificateInvalidData",
  "message": "Data for certificate /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Network/applicationGateways/<app_gateway_name>/trustedRootCertificates/<certname> is invalid."
}
```

rahul-presidio commented 2 years ago

Facing the above issue when the root certificate is referenced from the keyvault

```
{
  "code": "ApplicationGatewayTrustedRootCertificateInvalidData",
  "message": "Data for certificate <full-resource-id>trustedRootCertificates/root-cert is invalid."
}
```

larwood commented 2 years ago

Hi All,

Today I successfully added a root-cert to an Application Gateway (WAF V2) from a secret stored in a Key Vault.

**Key Vault**

Add the secret to the key vault:

```
az keyvault secret set --name Internal-CA-Chain-base64 --vault-name My-KeyVault --subscription My-Sub --file Internal-CA-Chain.cer --encoding base64
```

Internal-CA-Chain.cer is a PEM file with Root and two Intermediates like so:

```
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
```

In order like so:

```
Issuer: RootCA   Subject: RootCA
Issuer: RootCA   Subject: InterCA
Issuer: InterCA  Subject: IssuingCA
```

Once the secret is created retrieve the Secret ID.

```
$ az keyvault secret list --vault-name My-KeyVault --subscription My-Sub --output json --query "[].{Name:name,ID:id}"
[
  {
    "ID": "https://my-keyvault.vault.azure.net/secrets/Internal-CA-Chain-base64",
    "Name": "Internal-CA-Chain-base64"
  }
]
```

**Application Gateway**

Add the root-cert to the application gateway:

```
az network application-gateway root-cert create --keyvault-secret 'https://my-keyvault.vault.azure.net/secrets/Internal-CA-Chain-base64' --name Internal-CA-Chain --gateway-name My-AppGW --resource-group My-ResGroup --subscription My-Sub
```

List the root-certs installed to the application gateway.

```
az network application-gateway root-cert list --gateway-name My-AppGW --resource-group My-ResGroup --subscription My-Sub --output json --query "[].{Name:name,ProvisioningState:provisioningState,KeyVaultSecretId:keyVaultSecretId}"
[
  {
    "KeyVaultSecretId": "https://my-keyvault.vault.azure.net/secrets/Internal-CA-Chain-base64",
    "Name": "Internal-CA-Chain",
    "ProvisioningState": "Succeeded"
  }
]
```

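
Added example, not part of larwood's comment or of the azure-cli project: a small Python check, run before `az keyvault secret set`, that a PEM bundle has the layout larwood reports working (a self-signed root first, then each certificate issued by the one before it) and that every block decodes to a DER certificate. The walker reads the issuer and subject directly out of the DER, so it needs only the standard library. `keyvault_secret_value` encodes what the secret should contain on the assumption (labelled in the code) that `--encoding base64` stores the base64 of the raw file bytes, which lets you compare against `az keyvault secret show`. The sample certificates are constructed DER blobs with the X.509 v3 field layout and empty keys and signatures, not real certificates; `build_sample_cert_pem`, `check_chain_order` and the other function names are mine.

```python
import base64
import re

# --- Minimal DER (TLV) helpers: just enough to walk an X.509 certificate ---

def _read_tlv(buf, pos):
    """Read one DER element at buf[pos]; return (tag, value, raw_tlv, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[pos:end], end

def _children(value):
    """Split a constructed DER element's contents into child (tag, value, raw) tuples."""
    pos, out = 0, []
    while pos < len(value):
        tag, inner, raw, pos = _read_tlv(value, pos)
        out.append((tag, inner, raw))
    return out

def _tlv(tag, value):
    """Encode one DER element (only used to build the constructed sample certs below)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

_OID_CN = b"\x55\x04\x03"                                # 2.5.4.3 commonName

def _common_name(name_raw):
    """commonName from a DER X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn, _ in _children(_read_tlv(name_raw, 0)[1]):
        for _, atv, _ in _children(rdn):
            oid, val = _children(atv)[:2]
            if oid[1] == _OID_CN:
                return val[1].decode("utf-8", "replace")
    return "<no CN>"

def issuer_and_subject(der_cert):
    """Raw DER bytes of (issuer, subject) from a DER-encoded X.509 certificate."""
    tag, body, _, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    fields = _children(_read_tlv(body, 0)[1])            # children of tbsCertificate
    i = 1 if fields[0][0] == 0xA0 else 0                 # skip explicit [0] version if present
    return fields[i + 2][2], fields[i + 4][2]            # serial, sigAlg, ISSUER, validity, SUBJECT

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_chain_to_der(pem_text):
    """Split a PEM bundle into DER certificates, in file order."""
    blocks = _PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE blocks found")
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain_order(pem_text):
    """Enforce the layout larwood describes (self-signed root first, each cert issued by the
    previous one). Returns subject CNs in order; raises ValueError on any violation."""
    names = [issuer_and_subject(d) for d in pem_chain_to_der(pem_text)]
    if names[0][0] != names[0][1]:
        raise ValueError(f"first cert ({_common_name(names[0][1])}) is not self-signed; root must come first")
    for n in range(1, len(names)):
        if names[n][0] != names[n - 1][1]:
            raise ValueError(f"cert {n} ({_common_name(names[n][1])}) is not issued by cert {n - 1}")
    return [_common_name(subject) for _, subject in names]

def chain_order_problem(pem_text):
    """None when the bundle is in the expected order, otherwise the error message."""
    try:
        check_chain_order(pem_text)
        return None
    except ValueError as exc:
        return str(exc)

def keyvault_secret_value(pem_text):
    """Assumption: `az keyvault secret set --file X --encoding base64` stores base64 of the raw
    file bytes, so this is what `az keyvault secret show --query value` should return."""
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")

def decode_secret_value(value):
    """Inverse of keyvault_secret_value: recover the PEM text from the stored secret value."""
    return base64.b64decode(value).decode("ascii")

# --- Constructed sample data: X.509 v3 field layout, empty key and signature, NOT real certs ---

def build_sample_cert_pem(subject_cn, issuer_cn):
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _OID_CN) + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa   # version, serial, sigAlg
               + name(issuer_cn) + _tlv(0x30, _tlv(0x18, b"20240101000000Z") * 2)         # issuer, validity
               + name(subject_cn) + _tlv(0x30, b""))                                        # subject, empty SPKI
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = (build_sample_cert_pem("RootCA", "RootCA") + build_sample_cert_pem("InterCA", "RootCA")
                + build_sample_cert_pem("IssuingCA", "InterCA"))
WRONG_ORDER = build_sample_cert_pem("InterCA", "RootCA") + build_sample_cert_pem("RootCA", "RootCA")

if __name__ == "__main__":
    print("order:", " -> ".join(check_chain_order(SAMPLE_CHAIN)), "| wrong:", chain_order_problem(WRONG_ORDER))
```

Feed the real bundle in with `check_chain_order(open("Internal-CA-Chain.cer").read())`; a bundle that fails here (leaf first, intermediate missing, a stray non-certificate block) is one the gateway has no reason to accept either, and the CN-based message says which certificate broke the chain. Name comparison is byte-equality of the DER, which is what a chain built by one CA produces; it will not paper over re-encoded names, and that is the conservative choice for a pre-upload check.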
toddmacintyre commented 10 months ago

I'm still facing this despite trying the above steps. Any updates for this issue?