Azure / azure-cli

Azure Command-Line Interface

"containerapp hostname bind" fails to find managed certificates by name #29119

Open 1TT-Chris opened 2 months ago

1TT-Chris commented 2 months ago

Describe the bug

The command fails saying that the cert cannot be found in the container apps environment when it does exist.

All the resources involved are in the same resource group. This is a managed certificate binding to a custom domain already created on the container app using the following commands:

az containerapp hostname add -n $CONTAINER_APP_NAME -g $RESOURCE_GROUP --hostname $CUSTOM_DOMAIN
az containerapp env certificate create -g $RESOURCE_GROUP -n $CONTAINER_APP_ENV_NAME --hostname $CUSTOM_DOMAIN --validation-method CNAME

The reason for the issue can be seen when running the command with --debug: the request URL used to find the certificate is

Request URL: 'https://management.azure.com/subscriptions/***/resourceGroups/***/providers/Microsoft.App/managedEnvironments/***/certificates/***?api-version=2024-03-01'

However, the resource id for a managed certificate is of the form: /subscriptions//resourceGroups//providers/Microsoft.App/managedEnvironments//managedCertificates/

The workaround is to specify the full resource id for the certificate rather than just the name.

Related command

az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME --certificate $MANAGED_CERTIFICATE_NAME

Errors

The certificate '$MANAGED_CERTIFICATE_NAME' does not exist in Container app environment '$CONTAINER_APP_ENV_NAME'.

Issue script & Debug output

az containerapp hostname bind -g -n --hostname --environment --certificate --debug
....
cli.azure.cli.core.util: Request URL: 'https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.App/managedEnvironments//certificates/?api-version=2024-03-01'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.11.8 (Windows-10-10.0.22631-SP0) AZURECLI/2.61.0 (MSI)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '/'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': 'd92561db-81b7-40ce-a61b-d40c45a0d5af'
cli.azure.cli.core.util:     'CommandName': 'containerapp hostname bind'
cli.azure.cli.core.util:     'ParameterSetName': '-g -n --hostname --environment --certificate --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions//resourceGroups//providers/Microsoft.App/managedEnvironments//certificates/?api-version=2024-03-01 HTTP/1.1" 404 321
cli.azure.cli.core.util: Response status: 404
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Pragma': 'no-cache'
cli.azure.cli.core.util:     'Content-Length': '321'
cli.azure.cli.core.util:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.util:     'Expires': '-1'
cli.azure.cli.core.util:     'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.util:     'x-ms-request-id': 'eee5e6b2-e59e-4763-8781-cc062addfbbe'
cli.azure.cli.core.util:     'x-ms-correlation-request-id': 'eee5e6b2-e59e-4763-8781-cc062addfbbe'
cli.azure.cli.core.util:     'x-ms-routing-request-id': 'UKSOUTH:20240606T154437Z:eee5e6b2-e59e-4763-8781-cc062addfbbe'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.util:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.util:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.util:     'X-MSEdge-Ref': 'Ref A: CB3AA910CBA24C92A0A0532C8B8157BA Ref B: AMS231032607023 Ref C: 2024-06-06T15:44:37Z'
cli.azure.cli.core.util:     'Date': 'Thu, 06 Jun 2024 15:44:37 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"ResourceNotFound","message":"The Resource 'Microsoft.App/managedEnvironments//certificates/' under resource group '' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 664, in execute
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 731, in _run_jobs_serially
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 723, in _run_job
  File "C:\Users*.azure\cliextensions\containerapp\azext_containerapp_client_factory.py", line 28, in _polish_bad_errors
    raise ex
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 701, in _run_job
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 334, in call
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "C:\Users*.azure\cliextensions\containerapp\azext_containerapp\custom.py", line 1338, in bind_hostname
    return bind_hostname_logic(cmd=cmd, resource_group_name=resource_group_name, name=name, hostname=hostname, thumbprint=thumbprint, certificate=certificate, location=location, environment=environment, validation_method=validation_method)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/containerapp/custom.py", line 3895, in bind_hostname_logic
azure.cli.core.azclierror.ResourceNotFoundError: The certificate '' does not exist in Container app environment ''.

cli.azure.cli.core.azclierror: The certificate '' does not exist in Container app environment ''.

Expected behavior

The command should look for the certificate in both the certificates and managedCertificates endpoints.

Environment Summary

azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Extensions:
containerapp 0.3.52

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Additional context

No response

yonzhan commented 2 months ago

Thank you for opening this issue, we will look into it.

microsoft-github-policy-service[bot] commented 2 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @calvinsID.

Greedygre commented 2 months ago

Hi @1TT-Chris

When executing the command to bind a managed certificate, please specify the cert id with -c/--certificate, for example:

az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME --certificate ${cert-id}

Or, if there is only one managed cert under the managed environment, you can use the command without --certificate; it will look for or create a managed certificate if no certificate info is provided, for example:

az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME

Thanks

KevinIlPazzo commented 1 month ago

> Hi @1TT-Chris
>
> When executing the command to bind a managed certificate, please specify the cert id with -c/--certificate, for example:
>
> az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME --certificate ${cert-id}
>
> Or, if there is only one managed cert under the managed environment, you can use the command without --certificate; it will look for or create a managed certificate if no certificate info is provided, for example:
>
> az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME
>
> Thanks

This helped a lot!!! But the first suggestion is not working in my setup with multiple certificates in status succeeded and failed. Getting the id would be a great solution, but the bind command prepends my local path for some reason.

Error -> The certificate 'C:/Program Files/Git/subscriptions/...' does not exist in Container app environment 'xxx'

I think this has something to do with bash on Windows, but I didn't test it through.

Your second solution saved my day!!! But you first have to delete all your failed attempts to get only one managed cert, and then this will work like a charm :)
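
The workaround from this thread as an added example (not part of the original issue or the azure-cli code base): it expands a managed certificate name into the managedCertificates resource ID form quoted in the report and passes that ID to the bind command. The function names are hypothetical, the environment is assumed to be in the same resource group as the app, and MSYS_NO_PATHCONV=1 is the Git for Windows switch that stops Git Bash from rewriting an argument with a leading "/" into a local path such as 'C:/Program Files/Git/...'.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of azure-cli.

# Build a managed certificate resource ID in the form given in the issue:
# .../managedEnvironments/<env>/managedCertificates/<cert>
managed_cert_id() {
  local sub="$1" rg="$2" env="$3" cert="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.App/managedEnvironments/%s/managedCertificates/%s' \
    "$sub" "$rg" "$env" "$cert"
}

# Bind a hostname using either a managed certificate name or a full resource ID.
# Assumes the app and its environment share one resource group.
bind_managed_cert() {
  local rg="$1" app="$2" env="$3" host="$4" cert="$5" sub id
  case "$cert" in
    /subscriptions/*)
      id="$cert"                      # already a full resource ID
      ;;
    *)
      # az on Windows can emit CRLF; strip the CR so the ID stays clean.
      sub="$(az account show --query id -o tsv | tr -d '\r')"
      [ -n "$sub" ] || { echo "could not read subscription id" >&2; return 1; }
      id="$(managed_cert_id "$sub" "$rg" "$env" "$cert")"
      ;;
  esac
  # MSYS_NO_PATHCONV=1 keeps Git Bash from converting the leading "/" of the
  # ID into a Windows path; other shells ignore the variable.
  MSYS_NO_PATHCONV=1 az containerapp hostname bind \
    -g "$rg" -n "$app" --hostname "$host" \
    --environment "$env" --certificate "$id"
}
```

Call it as `bind_managed_cert "$RESOURCE_GROUP" "$CONTAINER_APP_NAME" "$CONTAINER_APP_ENV_NAME" "$CUSTOM_DOMAIN" "$MANAGED_CERTIFICATE_NAME"` after `az login`.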