n3wt0n / AzureWebAppSSLManager

Acquires and manages free SSL certificates for Azure Web App and Azure Functions applications.
MIT License

Unable to create SSL Certificate with Linux based App Service #17

Closed RichMercer closed 4 years ago

RichMercer commented 4 years ago

This needs more investigation, but there seems to be an issue with installing the certificate to the app service when using a Linux App Service. It might even be an Azure/SDK issue, but logging for further investigation.

Essentially the issue seems to be that the certificate obtained from LetsEncrypt won't upload or isn't visible to the app service, so when creating the hostname binding, the thumbprint results in a not found exception.

n3wt0n commented 4 years ago

I've just tried on a Linux AppService and it worked.

I've tried on both a "normal" App Service on Linux (aka Code) and an App Service for Containers on Linux.

Any special conditions on yours?

RichMercer commented 4 years ago

The only thing that comes to mind is the region. The app service I created was in North Europe and it didn’t support Insights either. I’ll try a couple of things when I get some time and see if I can reproduce.

jtrotman10 commented 4 years ago

I'm running into this same issue with a Windows App Service (East US region). The PFX file gets created and is in the storage account but not in the PFXs for the Web app so the Update binding using the thumbprint fails. I can manually get the PFX file from the storage account and upload it to the Web App certificates location and manually update the bindings and that works.

I've stepped through and the .CreateAsync() call returns a certificate and the thumbprint is correct (same value I see when I manually upload), but the certificate isn't available in the web app.

I'm going to keep playing with it but wanted to let you know that it doesn't seem to be just a Linux issue.

BTW - Thanks for the great work. This is going to be very helpful.

RichMercer commented 4 years ago

So here's what I know.

  1. The certificate upload is succeeding, shown by the fact that on subsequent runs the call to get old certificates will return the recently uploaded certificate. https://github.com/n3wt0n/AzureWebAppSSLManager/blob/530b8b66f9c1ae8dd1843a4dfab5e03c1c7cb360/src/WebAppSSLManager/AzureHelper.cs#L187
  2. The certificate doesn't show up in the UI via the Portal even though the above query does return it (in my case as well as the actual certificate installed yesterday).
  3. Downloaded certificates in blob storage can be manually uploaded and used.

So the question is, why can't the App Service see the certificates that have been uploaded? I've double checked all resource groups/subscriptions etc. in case there's a mismatch, but I cannot see a reason for this. Anybody know who is best to contact about the API for support?

n3wt0n commented 4 years ago

Thanks guys for this investigation.

I can reach out to the App Service team, but I would need something that is reproducible... And at the moment I'm unfortunately not able to repro it.

We can also try to file this as Issue on the FluentSDK but idk if that would be effective unless we can show it's an SDK problem.

jtrotman10 commented 4 years ago

FYI - I renewed my certificates today and didn't run into this problem again (even with the sites/certificates that gave this error 3 months ago.)

n3wt0n commented 4 years ago

Closing this issue for the time being, since we can't replicate it anymore (and tbh I haven't ever been able to replicate it 🤯)

Feel free to reopen it if needed.