2
votes

I'm using an Azure Resource Manager (ARM) template to create and update a resource group in a release definition in Visual Studio Team Services (VSTS). I'm using the same template to upload the .pfx certificate to the web app.

For the first deployment the certificate got uploaded perfectly, but from the next deployment the deployment fails with the error "Another certificate exists with same thumbprint ******** at location West US in the Resource Group MyResourceGroup".

I tried recreating the webapp, but to my surprise the deployment fails for the first time itself. Looks like the certificate got uploaded to the resource group.

Is there a way to overwrite the existing .pfx certificate for every deployment?

3
This is a very valid problem. Creating other resources via ARM template is idempotent. Why isn't uploading a certificate the same? - Attila Szasz

3 Answers

1
votes

You do not have to upload the certificate for all deployments. The first certificate will become available to all deployments.

0
votes

Certificates are exposed at the resource group level, so deploying the same certificate again will definitely error out.

However, I don't see a reason as to why you need to upload a certificate. Does your application need to read this certificate? If yes, then there is a different way to do this. See this article: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

0
votes

Until today I had never encountered this error. I have been able to redeploy my applications, certificates and all, with no issues. I believe in my case that someone had previously manually added the certificate using a different name, possibly through the portal, and then when my pipeline executed it attempted to add the certificate using a different name.

Certificates are child resources of Microsoft.Web under the resource group. There are likely a number of options for resolving this, but I am going to focus on removing the certificate using Resource Explorer. (I bet that there is an Azure CLI or Azure PowerShell command to do this too.)

In Resource Explorer, locate the certificates node associated with your resource group using the left-hand navigation pane. This will likely be in something like subscriptions -> {subscription name} -> resourceGroups -> {resource group name} -> providers -> Microsoft.Web -> certificates -> {certificate name}

Once located, select your certificate and then you can use the Actions (POST, DELETE) tab in the right-hand pane to delete the certificate. You should then be able to redeploy.
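
A pre-deployment check for the situation the last answer describes (the same thumbprint already present in the resource group under a different name), as an added example that is not part of the original answers. The input shape (`name`, `location`, `properties.thumbprint`) is an assumption modelled on the certificate resource JSON seen in Resource Explorer; the certificate names and bytes are constructed samples.

```python
import hashlib

def thumbprint(der: bytes) -> str:
    """Thumbprint as SHA-1 over the DER-encoded certificate, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def _norm_tp(tp: str) -> str:
    # Thumbprints are often pasted with spaces, colons or lower-case hex.
    return "".join(ch for ch in tp if ch.isalnum()).upper()

def _norm_loc(loc: str) -> str:
    # "West US" and "westus" name the same region.
    return loc.replace(" ", "").lower()

def plan(existing: list, name: str, tp: str, location: str) -> dict:
    """Classify a planned certificate upload against what the group already holds."""
    same = [c for c in existing
            if _norm_tp(c["properties"]["thumbprint"]) == _norm_tp(tp)
            and _norm_loc(c["location"]) == _norm_loc(location)]
    clashes = [c["name"] for c in same if c["name"].lower() != name.lower()]
    if clashes:
        # Same thumbprint under another name: the case the answer resolves by deleting.
        return {"action": "remove-or-rename", "clashes": clashes}
    if same:
        return {"action": "same-name-exists", "clashes": []}
    return {"action": "create", "clashes": []}

# Constructed sample data: stand-in bytes instead of a real DER certificate.
CERT_DER = b"constructed stand-in for DER certificate bytes"
TP = thumbprint(CERT_DER)
EXISTING = [
    {"name": "portal-upload", "location": "West US",
     "properties": {"thumbprint": TP}},
    {"name": "other-cert", "location": "West US",
     "properties": {"thumbprint": thumbprint(b"another constructed certificate")}},
]

if __name__ == "__main__":
    # The pipeline plans to upload the same certificate as "pipeline-cert".
    print(plan(EXISTING, "pipeline-cert", TP, "westus"))
```

Running this kind of check before the template deployment step lets the pipeline report which named certificate resource holds the thumbprint, instead of failing mid-deployment.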