sjkp / letsencrypt-azure

The easiest way to use lets encrypt certificates on Azure

Renewal fails when App Service Plan and App Service reside in different resource groups #18

Open ohadschn opened 4 years ago

ohadschn commented 4 years ago

I believe the issue is here: https://github.com/sjkp/letsencrypt-azure/blob/bafb4267bf7880f5f69927befe62b6f14f128bbe/src/LetsEncrypt.Azure.Core.V2/CertificateConsumers/AzureWebAppService.cs#L73

While the certificate should indeed be created in the App Service Plan resource group (found that out the hard way), the binding should use the App Service's resource group (so setting.ServicePlanResourceGroupName should be ignored in this line even if specified).

The error looks like this:

Microsoft.Rest.Azure.CloudException: Can not perform requested operation on nested resource. Parent resource 'my-web-app' not found.
   at Microsoft.Azure.Management.AppService.Fluent.WebAppsOperations.<CreateOrUpdateHostNameBindingWithHttpMessagesAsync>d__73.MoveNext() in C:\Users\ohad1\AppData\Local\JetBrains\Shared\vAny\DecompilerCache\decompiler\9677551D-8B46-49FC-A1DE-7E37AB07CFED\69\7309f51a\WebAppsOperations.cs:line 10192
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.AppService.Fluent.WebAppsOperationsExtensions.<CreateOrUpdateHostNameBindingAsync>d__68.MoveNext() in C:\Users\ohad1\AppData\Local\JetBrains\Shared\vAny\DecompilerCache\decompiler\9677551D-8B46-49FC-A1DE-7E37AB07CFED\fb\a552699e\WebAppsOperationsExtensions.cs:line 863
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at LetsEncrypt.Azure.Core.V2.AzureWebAppService.<Install>d__3.MoveNext() in C:\Users\ohad1\AppData\Local\JetBrains\Shared\vAny\DecompilerCache\decompiler\637CC4BA-08DF-45DA-95C2-3C2D92591C70\b2\7f905cf5\AzureWebAppService.cs:line 98
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at LetsEncrypt.Azure.Core.V2.LetsencryptService.<Run>d__6.MoveNext() in C:\Users\ohad1\AppData\Local\JetBrains\Shared\vAny\DecompilerCache\decompiler\637CC4BA-08DF-45DA-95C2-3C2D92591C70\a7\575516a2\LetsencryptService.cs:line 73
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at OhadSoft.AzureLetsEncrypt.Renewal.Management.RenewalManager.<RenewCore>d__7.MoveNext() in G:\GitHub\letsencrypt-webapp-renewer\src\OhadSoft.AzureLetsEncrypt.Renewal\Management\RenewalManager.cs:line 60
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at OhadSoft.AzureLetsEncrypt.Renewal.WebJob.Cli.CliRenewer.Renew(String[] args) in G:\GitHub\letsencrypt-webapp-renewer\src\OhadSoft.AzureLetsEncrypt.Renewal.WebJob\Cli\CliRenewer.cs:line 21
   at OhadSoft.AzureLetsEncrypt.Renewal.WebJob.Program.CliMain(String[] args) in G:\GitHub\letsencrypt-webapp-renewer\src\OhadSoft.AzureLetsEncrypt.Renewal.WebJob\Program.cs:line 88 (False)
AzureLetsEncryptRenewer.exe Error: 0 : Unexpected exception: Microsoft.Rest.Azure.CloudException: Can not perform requested operation on nested resource. Parent resource 'new-app-cert-renew-test' not found.
   at Microsoft.Azure.Management.AppService.Fluent.WebAppsOperations.<CreateOrUpdateHostNameBindingWithHttpMessagesAsync>d__73.MoveNext() in C:\Users\ohad1\AppData\Local\JetBrains\Shared\vAny\DecompilerCache\decompiler\9677551D-8B46-49FC-A1DE-7E37AB07CFED\69\7309f51a\WebAppsOperations.cs:line 10192
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.AppService.Fluent.WebAppsOperationsExtensions.<CreateOrUpdateHostNameBindingAsync>d__68.MoveNext() in C:\Users\ohad1\AppData\Local\JetBrains\Shared\vAny\DecompilerCache\decompiler\9677551D-8B46-49FC-A1DE-7E37AB07CFED\fb\a552699e\WebAppsOperationsExtensions.cs:line 863
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at LetsEncrypt.Azure.Core.V2.AzureWebAppService.<Install>d__3.MoveNext() in C:\Users\ohad1\AppData\Local\JetBrains\Shared\vAny\DecompilerCache\decompiler\637CC4BA-08DF-45DA-95C2-3C2D92591C70\b2\7f905cf5\AzureWebAppService.cs:line 98
--- End of stack trace from previous location where exception was thrown ---
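
Added example, not part of the original issue and not code from letsencrypt-azure: a standalone C# sketch of the split described above, deriving the certificate's resource group from the plan and the hostname binding's resource group from the web app. It assumes the caller already has the web app's ARM resource ID and its `serverFarmId` value; the class, its members and the sample IDs are hypothetical.

```csharp
using System;

// Added illustration; RenewalTargets and its members are hypothetical names,
// not part of letsencrypt-azure or the Azure SDK.
public static class RenewalTargets
{
    // Pulls {rg} out of /subscriptions/{sub}/resourceGroups/{rg}/providers/...
    public static string ResourceGroupOf(string armId)
    {
        if (string.IsNullOrWhiteSpace(armId))
            throw new ArgumentException("Empty ARM resource ID.", nameof(armId));
        var parts = armId.Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        for (var i = 0; i + 1 < parts.Length; i++)
        {
            // ARM matches segment names case-insensitively.
            if (parts[i].Equals("resourceGroups", StringComparison.OrdinalIgnoreCase))
                return parts[i + 1];
        }
        throw new FormatException("No resourceGroups segment in '" + armId + "'.");
    }

    // Certificate goes to the plan's group, hostname binding to the site's group.
    public static (string CertificateGroup, string BindingGroup) Resolve(
        string siteId, string serverFarmId)
    {
        return (ResourceGroupOf(serverFarmId), ResourceGroupOf(siteId));
    }

    public static void Main()
    {
        // Constructed sample IDs; the subscription GUID is a placeholder.
        const string sub = "/subscriptions/00000000-0000-0000-0000-000000000000";
        var siteId = sub + "/resourceGroups/rg-apps/providers/Microsoft.Web/sites/my-web-app";
        var planId = sub + "/resourceGroups/rg-plans/providers/Microsoft.Web/serverfarms/my-plan";

        var (certGroup, bindingGroup) = Resolve(siteId, planId);
        Console.WriteLine("Create certificate in: " + certGroup);
        Console.WriteLine("Bind hostname in:      " + bindingGroup);

        if (!certGroup.Equals(bindingGroup, StringComparison.OrdinalIgnoreCase))
            Console.WriteLine("Split layout: do not reuse the plan's group for the binding call.");
    }
}
```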