Azure / azure-powershell

Microsoft Azure PowerShell

Remove-AzureCertificate Fails To Delete Expired Certificate #8666

Closed barakAtSoluto closed 4 years ago

barakAtSoluto commented 5 years ago

Description

The "Remove-AzureCertificate" command fails to delete certificates with status "Expired" from Cloud Services. It says it's used in a deployment but this is wrong.

The error thrown:

Remove-AzureCertificate : ConflictError : Certificate deletion is not allowed when it is being used in a deployment.
At C:\Users\barak\projects\ssl\cert_deleter.ps1:34 char:1
+ Remove-AzureCertificate -ServiceName  "<service_name>"  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Remove-AzureCertificate], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.Certificates.RemoveAzureCertificate

Steps to reproduce

  1. Log into your account: Connect-AzAccount
  2. Select the proper subscription: Select-AzureSubscription -SubscriptionName <subscription_name>
  3. Make sure you have a service with an expired certificate which IS NOT in use.
  4. Remove-AzureCertificate -ServiceName <name> -Thumbprint <thumb> -ThumbprintAlgorithm "sha1"

Environment data

Name                           Value                                                                                                                   
----                           -----                                                                                                                   
PSVersion                      5.1.17134.407                                                                                                           
PSEdition                      Desktop                                                                                                                 
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                 
BuildVersion                   10.0.17134.407                                                                                                          
CLRVersion                     4.0.30319.42000                                                                                                         
WSManStackVersion              3.0                                                                                                                     
PSRemotingProtocolVersion      2.3                                                                                                                     
SerializationVersion           1.1.0.1                                                                                                                 

Module versions

Executing Get-Module -Name Az.* -ListAvailable has no output.

Debug output

PS C:\Users\barak\projects\ssl> C:\Users\barak\projects\ssl\cert_deleter.ps1
DEBUG: 14:54:15 - SelectAzureSubscriptionCommand begin processing with ParameterSet 'SelectSubscriptionByNameParameterSet'.
DEBUG: 14:54:15 - using account id '<id>'...
DEBUG: AzureQoSEvent: CommandName - Select-AzureSubscription; IsSuccess - True; Duration - 00:00:00.0075543; Exception - ;
DEBUG: Finish sending metric.
DEBUG: 14:54:15 - SelectAzureSubscriptionCommand end processing.
DEBUG: 14:54:15 - SelectAzureSubscriptionCommand end processing.
DEBUG: 14:54:15 - RemoveAzureCertificate begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 14:54:15 - using account id '<id>'...
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
DELETE

Absolute Uri:
https://management.core.windows.net/<id_removed>/services/hostedservices/<service_name>/certificates/<cert_algo_and_hash>

Headers:
x-ms-version                  : 2017-01-01

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Accepted

Headers:
x-ms-servedbyregion           : ussouth3
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : <id_of_something>
Cache-Control                 : no-cache
Date                          : Sun, 03 Mar 2019 12:54:13 GMT
Server                        : 67.2.1.79/release2,(e74af8a),Microsoft-HTTPAPI/2.0

Body:

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.core.windows.net/<id>/operations/<other_id>

Headers:
x-ms-version                  : 2017-01-01

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
x-ms-servedbyregion           : ussouth3
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : <id>
Cache-Control                 : no-cache
Date                          : Sun, 03 Mar 2019 12:54:13 GMT
Server                        : 67.2.1.79/release2,(e74af8a),Microsoft-HTTPAPI/2.0

Body:
<Operation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <ID><id></ID>
  <Status>InProgress</Status>
</Operation>

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.core.windows.net/<id>/operations/<other_id>

Headers:
x-ms-version                  : 2017-01-01

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
x-ms-servedbyregion           : ussouth3
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : <id>
Cache-Control                 : no-cache
Date                          : Sun, 03 Mar 2019 12:54:43 GMT
Server                        : 67.2.1.79/release2,(e74af8a),Microsoft-HTTPAPI/2.0

Body:
<Operation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <ID><other_id></ID>
  <Status>Failed</Status>
  <HttpStatusCode>409</HttpStatusCode>
  <Error>
    <Code>ConflictError</Code>
    <Message>Certificate deletion is not allowed when it is being used in a deployment.</Message>
  </Error>
</Operation>

Remove-AzureCertificate : ConflictError : Certificate deletion is not allowed when it is being used in a deployment.
At C:\Users\barak\projects\ssl\cert_deleter.ps1:34 char:1
+ Remove-AzureCertificate -ServiceName  "analyticsprocessor-ofertest2"  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Remove-AzureCertificate], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.Certificates.RemoveAzureCertificate

DEBUG: AzureQoSEvent: CommandName - Remove-AzureCertificate; IsSuccess - False; Duration - 00:00:32.2735691; Exception - Microsoft.WindowsAzure.Commands
.Common.ComputeCloudException: ConflictError : Certificate deletion is not allowed when it is being used in a deployment. ---> Hyak.Common.CloudExceptio
n: ConflictError : Certificate deletion is not allowed when it is being used in a deployment.
   at Microsoft.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at Microsoft.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccess(Task task)
   at Microsoft.WindowsAzure.Management.Compute.ServiceCertificateOperationsExtensions.Delete(IServiceCertificateOperations operations, ServiceCertifica
teDeleteParameters parameters)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.ServiceManagementBaseCmdlet.ExecuteClientActionNewSM[TResult](Object input, String operationDescr
iption, Func`1 action, Func`3 contextFactory)
   --- End of inner exception stack trace ---
   at Microsoft.WindowsAzure.Commands.Utilities.Common.ServiceManagementBaseCmdlet.ExecuteClientActionNewSM[TResult](Object input, String operationDescr
iption, Func`1 action, Func`3 contextFactory);
DEBUG: Finish sending metric.
DEBUG: 14:54:48 - RemoveAzureCertificate end processing.
DEBUG: 14:54:48 - RemoveAzureCertificate end processing.

Error output

   HistoryId: 1

RequestId      : 
Message        : ConflictError : Certificate deletion is not allowed when it is being used in a deployment.
ServerMessage  : 
ServerResponse : 
RequestMessage : 
InvocationInfo : {Remove-AzureCertificate}
Line           : Remove-AzureCertificate -ServiceName  "<service_name>" -Thumbprint "<thumb>" 
                 -ThumbprintAlgorithm "<algo>"

Position       : At C:\Users\barak\projects\ssl\cert_deleter.ps1:34 char:1
                 + Remove-AzureCertificate -ServiceName  "<service_name>"  ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
StackTrace     :    at Microsoft.WindowsAzure.Commands.Utilities.Common.ServiceManagementBaseCmdlet.ExecuteClientActionNewSM[TResult](Object input, 
                 String operationDescription, Func`1 action, Func`3 contextFactory)
HistoryId      : 1

Drewm3 commented 4 years ago

@barakAtSoluto, I apologize for missing this earlier this summer when I started tracking these issues. The error you are seeing is due to the fact that the certificate is still in use by a deployment. You will need to remove this certificate from the deployment, and then you will be able to delete the certificate.
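
One way to check which roles still reference a thumbprint before retrying the deletion, as an added example that is not part of this thread or of the azure-powershell project. `Find-CertificateReference` is a hypothetical helper, the .cscfg sample and its thumbprint are constructed, and the commented live usage assumes the classic `Get-AzureDeployment` cmdlet exposes the deployment's .cscfg in its `Configuration` property.

```powershell
# Added example: list the roles in a cloud service configuration (.cscfg)
# that reference a given certificate thumbprint.
function Find-CertificateReference {
    param(
        [Parameter(Mandatory)] [string] $ConfigurationXml,  # .cscfg content
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Slot = 'unknown'
    )
    # Thumbprints are hex; strip spaces and invisible characters that pasted
    # values often carry, then compare case-insensitively.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $doc = [xml]$ConfigurationXml
    # local-name() keeps the query independent of the document's namespace.
    $xpath = "//*[local-name()='Role']/*[local-name()='Certificates']/*[local-name()='Certificate']"
    foreach ($node in $doc.SelectNodes($xpath)) {
        $found = ($node.GetAttribute('thumbprint') -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($found -eq $wanted) {
            [pscustomobject]@{
                Slot        = $Slot
                Role        = $node.ParentNode.ParentNode.GetAttribute('name')
                Certificate = $node.GetAttribute('name')
                Algorithm   = $node.GetAttribute('thumbprintAlgorithm')
            }
        }
    }
}

# Constructed sample configuration (not taken from the issue).
$sampleCscfg = @'
<ServiceConfiguration serviceName="ExampleService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Certificates>
      <Certificate name="SslOld" thumbprint="00112233445566778899AABBCCDDEEFF00112233" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
  <Role name="WorkerRole1" />
</ServiceConfiguration>
'@

# The lower-case, space-separated input still matches after normalisation.
Find-CertificateReference -ConfigurationXml $sampleCscfg -Slot 'Staging' `
    -Thumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'

# Against a live service (assumption: classic Azure module, both slots checked):
# foreach ($slot in 'Production', 'Staging') {
#     $d = Get-AzureDeployment -ServiceName '<service_name>' -Slot $slot -ErrorAction SilentlyContinue
#     if ($d) { Find-CertificateReference -ConfigurationXml $d.Configuration -Thumbprint '<thumb>' -Slot $slot }
# }
```

An empty result for every slot means no role in the checked configurations lists the thumbprint; any returned row names the role whose configuration has to change first.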