Azure / azure-libraries-for-net

Azure libraries for .Net
MIT License

[BUG] Using an App Service Certificate to bind to a hostname is causing a validation error with CertificateInner, which is looking for a password which is null #1143

Open mikeruhl opened 4 years ago

mikeruhl commented 4 years ago

Describe the bug

Using an App Service Certificate to bind to a hostname is causing a validation error with CertificateInner, which is looking for a password which is null.

Exception or Stack Trace

   at Microsoft.Azure.Management.AppService.Fluent.Models.CertificateInner.Validate()
   at Microsoft.Azure.Management.AppService.Fluent.CertificatesOperations.d8.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.Management.AppService.Fluent.CertificatesOperationsExtensions.d3.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.AppService.Fluent.AppServiceCertificateImpl.<CreateResourceAsync>d__12.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.Creatable4.<Microsoft-Azure-Management-ResourceManager-Fluent-Core-ResourceActions-IResourceCreator<IResourceT>-CreateResourceAsync>d__15.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.CreatorTaskItem1.<ExecuteAsync>d__6.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.TaskGroupBase1.d14.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.AppService.Fluent.HostNameSslBindingImpl5.<>cDisplayClass42_0.<b0>d.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.AppService.Fluent.HostNameSslBindingImpl5.<b40_0>d.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.AppService.Fluent.WebAppBaseImpl5.d279.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.AppService.Fluent.WebAppBaseImpl5.d280.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.Creatable4.<Microsoft-Azure-Management-ResourceManager-Fluent-Core-ResourceActions-IResourceCreator-CreateResourceAsync>d15.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.CreatorTaskItem1.d6.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.TaskGroupBase1.<ExecuteNodeTaskAsync>d__14.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.CreatableUpdatable5.<ApplyAsync>d__3.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
   at MigrateDomains.AppDomainManager.d5.MoveNext() in \repos\MigrateDomains\MigrateDomains\AppDomainManager.cs:line 44
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at MigrateDomains.DomainMigrator.d9.MoveNext() in \repos\MigrateDomains\MigrateDomains\DomainMigrator.cs:line 58
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at MigrateDomains.DomainMigrator.d8.MoveNext() in \repos\MigrateDomains\MigrateDomains\DomainMigrator.cs:line 37
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at MigrateDomains.Program.d1.MoveNext() in \repos\MigrateDomains\MigrateDomains\Program.cs:line 35

To Reproduce

  1. Create or get a reference to a deployment slot:
    var azure = Azure.Configure().Authenticate(credentials).WithDefaultSubscription();
    // Use the same client variable declared on the previous line.
    var slot = azure.WebApps.GetByResourceGroup(resourceGroupName, resourceName)
        .DeploymentSlots.GetByName(slotName);
  2. Get certificate order:
    var certificate = await azure.AppServices.AppServiceCertificateOrders.GetByResourceGroupAsync(certResourceGroup, certResourceName);
  3. (Code not shown but done via Azure Libraries for .NET) Create CNAME record in DNS Zone and then create hostname binding on web app slot.
  4. Attempt to create the SSL binding, as shown below.

Got exception message: 'Password' cannot be null.

Code Snippet

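// slot and certificate come from steps 1 and 2 above.
await slot.Update()
    .DefineSslBinding()
    .ForHostname($"{subDomain}.{domainName}")
    .WithExistingAppServiceCertificateOrder(certificate)
    .WithSniBasedSsl()
    .Attach()
    .ApplyAsync(); // fails here with: 'Password' cannot be null.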

Expected behavior

Expected SSL Binding to occur. If done through Azure portal, there are no requirements for Password.

Setup (please complete the following information):

  • OS: Windows 10
  • IDE: Visual Studio Professional 2019
  • Nugets:
    • Microsoft.Azure.Management.AppService.Fluent Version=1.34.0
    • Microsoft.Azure.Management.Dns.Fluent Version=1.34.0
    • Microsoft.Azure.Management.Fluent Version=1.34.0
    • Microsoft.IdentityModel.Clients.ActiveDirectory Version=5.2.8

Additional context

In digging through the source, it looks like CertificateInner is expected to have a Password property set; however, there is no way to do that via the methods available above because they create an internal class AppServiceCertificateImpl, which represents an App Service Certificate. Because this is an App Service Certificate, Password is not applicable.

Information Checklist

Kindly make sure that you have added all the following information above and check off the required fields; otherwise we will treat the issuer as an incomplete report.

  • [x] Bug Description Added
  • [x] Repro Steps Added
  • [x] Setup information Added

weidongxu-microsoft commented 4 years ago

One can try setting an empty password on the field, i.e. "", to try to circumvent the incorrectly specified validation. The spec that says "password" is required: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/web/resource-manager/Microsoft.Web/stable/2020-06-01/Certificates.json#L303-L316

This SDK is in maintenance mode. The next generation of the .NET SDK will be available here: https://azure.github.io/azure-sdk/releases/latest/mgmt/dotnet.html