Azure / bicep-types-az

Bicep type definitions for ARM resources

Cannot create Public Certificates for App Service due to missing publicCertificateEnv property #2083

Open kelvinbroek opened 2 years ago

kelvinbroek commented 2 years ago

Message when deploying to Azure: "Parameter publicCertificateEnv is null or empty."

When adding the property to the resource in the Bicep file, I get the following error: "The property "publicCertificateEnv" is not allowed on objects of type "Microsoft.Web/sites/publicCertificates""

alex-frankel commented 2 years ago

Can you share the full bicep code you are using to reproduce the issue?

Is the first error (Azure: "Parameter publicCertificateEnv is null or empty.") happening when you deploy the Bicep code, or does it get caught by the VS Code extension as well?

kelvinbroek commented 2 years ago

When the property is not added, the validation passes. Only when deploying do I get the mentioned error. Here's my code:

param siteName string

param certificateName string

param blobValue string

resource site 'Microsoft.Web/sites@2021-03-01' existing = {
  name: siteName
}

resource publicCertRoot 'Microsoft.Web/sites/publicCertificates@2021-03-01' = {
  name: certificateName
  parent: site
  properties: {
    blob: any(blobValue)
    publicCertificateLocation: 'CurrentUserMy'
  }
}

alex-frankel commented 2 years ago

This appears to be an issue in the Web Resource provider. I would recommend opening a support case and pointing the issue towards that team so they can take a deeper look.

Also including @seligj95 / @naveedaz as FYI

seligj95 commented 2 years ago

Tagging certs and domain team: @panchagnula / @yutanglin16

panchagnula commented 2 years ago

@seligj95 if this is an issue that needs PG involvement, please create a support case / ICM so this can be looked into. Thanks!

aleksanderKopec commented 1 year ago

Hello, do we have any ETA or anything about this? Currently encountering the same error.

alex-frankel commented 1 year ago

Per @panchagnula -- someone needs to open a support ticket to make more progress on this and make sure it is routed to the Certs and Domain team. @aleksanderKopec are you able to do that?

panchagnula commented 1 year ago

@alex-frankel in general yes creating an Incident / support case helps get this on our radar faster, otherwise these can get lost in emails.

@aleksanderKopec, I don't understand Bicep so I can't speak for that, but the public certificates create or update API requires the following in the body of the payload (from the above I don't see "kind"): https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-public-certificate#request-body

renrutsirhc commented 1 year ago

I ran into this issue today. In my case, the issue was solved by using the loadFileAsBase64 function on the certificate.

resource appleWWDRCACert 'Microsoft.Web/sites/publicCertificates@2021-03-01' = {
  name: 'AppleWWDRCA'
  parent: appServiceApp
  properties: {
    blob: any(loadFileAsBase64('./AppleWWDRCA.cer'))
    publicCertificateLocation: 'CurrentUserMy'
  }
}

Trimatix commented 6 months ago

I was previously supplying the certificate content directly into the blob property, and the above solution fixed this issue for me as well. It is odd that loading the certificate from a file works fine, but providing the content directly does not; this seems to be an ARM issue.

EDIT: I need to do some more testing with this, because though the deployment succeeds without errors, I have just realized that the change was not reflected in the certificate resource...

Trimatix commented 1 month ago

There appears to have been a change in the Azure Resource Manager, because even though the resource is still not being updated, the deployment succeeds without errors. I'm following the same steps with the same code, and no longer getting the "Parameter publicCertificateEnv is null or empty" error, but no change is reflected on my function.

In the deployment page in Azure, I can see the expected certificate content in the generated ARM template. Is this definitely a Bicep issue and not ARM?

A few comments in here recommend opening a support ticket; my support ticket has been open for nearly 5 months now. Back-and-forth with support doesn't seem to be going anywhere.

aclouvel commented 2 weeks ago

Hello @Trimatix, working fine on my side uploading the certificate on webApp directly in base64 format:

resource contosoRootPublicCert 'Microsoft.Web/sites/publicCertificates@2022-09-01' = {
  name: 'contosoRootCert'
  kind: 'webApp'
  parent: appService
  properties: {
    blob: any(contosoRootCertBase64)
    publicCertificateLocation: 'CurrentUserMy'
  }
}

However, I have also encountered the not explicit error publicCertificateEnv due to a bad format of my base64 certificate, so please be sure to:

Trimatix commented 1 week ago

It turns out we just didn't account for swapping deployment slots - we hadn't realized that public certificates were also swapped. One other issue remains that deploying a certificate with the same name as an existing certificate might not make any changes, but that's different to what this issue is about
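
Several comments above tie the "publicCertificateEnv" error to how the certificate content reaches the `blob` property, in one case to a badly formatted base64 certificate. As an added example (not code from any commenter or from the Bicep project), this Python pre-flight check reports what a candidate blob string actually contains before it goes into a template. The thread does not say which encodings the service accepts, so the function only classifies; the DER test is a structural check of the outer SEQUENCE, not a full X.509 parse, and all sample values are constructed.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(data: bytes) -> bool:
    """True if data is a single DER SEQUENCE whose length field spans it exactly."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short-form length
        return 2 + data[1] == len(data)
    n = data[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)

def classify_blob(value: str) -> str:
    """Describe what a string destined for the `blob` property contains."""
    if "-----BEGIN" in value:
        return "pem-armored"                 # armor lines are not base64
    if re.search(r"\s", value):
        return "contains-whitespace"         # wrapped lines or trailing newline
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return "invalid-base64"
    if raw.lstrip().startswith(b"-----BEGIN"):
        return "base64-of-pem"               # PEM text base64-encoded again
    return "base64-of-der" if der_length_ok(raw) else "base64-unknown"

def pem_to_single_line_base64(pem_text: str) -> str:
    """Strip PEM armor and line breaks, leaving one line of base64."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)    # raises binascii.Error if corrupt
    return body

# Constructed sample: a DER SEQUENCE header plus zero padding, NOT a real certificate.
SAMPLE_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_DOUBLE = base64.b64encode(SAMPLE_PEM.encode()).decode()

if __name__ == "__main__":
    for label, blob in [("pem", SAMPLE_PEM), ("double", SAMPLE_DOUBLE), ("der", SAMPLE_B64)]:
        print(label, "->", classify_blob(blob))
```

Running the classifier on the exact string passed as a deployment parameter distinguishes a PEM file pasted as-is, PEM text that was base64-encoded a second time, and a single-line base64 encoding of the DER bytes.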