My ultimate goal is to automate this process in a Python script so I'm first familiarizing myself with the required workflow in the Azure portal.
Step 1 is to create an App Service certificate. In code, the call I make is: https://management.azure.com/subscriptions/aaaa-bbbb-cccc-dddd/resourceGroups/my-rg/providers/Microsoft.CertificateRegistration/certificateOrders/my-cert-order?api-version=2015-08-01
with a payload of:
{
    "location": "global",
    "properties": {
        "productType": "StandardDomainValidatedSsl",
        "autoRenew": true,
        "distinguishedName": "CN=mydomain.com"
    }
}
Step 2 is to associate it with a specific keyvault. Again, in code the call is: https://management.azure.com/subscriptions/aaaa-bbbb-cccc-dddd/resourceGroups/my-rg/providers/Microsoft.CertificateRegistration/certificateOrders/my-cert-order/certificates/my-cert?api-version=2015-08-01
with a payload of
{
    "location": "global",
    "properties": {
        "keyVaultId": "/subscriptions/aaaa-bbbb-cccc-dddd/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-keyvault",
        "keyVaultSecretName": "my-secret-name"
    }
}
Step 3 is to verify the domain associated with the certificate that was just created. The instructions in the portal say to create a TXT entry at the root of my domain using the supplied domain verification token. I've done this but Azure doesn't like something as it never reports the certificate as being verified, even after several hours. I've tried doing a manual lookup of the TXT record I created and it is definitely available now, so I don't think that's what Azure is complaining about.
I know the REST call that the portal uses is verify-domain-ownership, as documented here:
I tried making this call explicitly in code and I can see that it is returning a 400 error, along with the following JSON blob:
{
    "Code": "CertificateResellerWebService_NOT_FOUND_TOKEN",
    "Message": "All remaining domain control tokens were not found",
    "Target": null,
    "Details": [
        {
            "Message": "All remaining domain control tokens were not found"
        },
        {
            "Code": "CertificateResellerWebService_NOT_FOUND_TOKEN"
        },
        {
            "ErrorEntity": null
        }
    ],
    "Innererror": null
}
Is the domain control token that it's complaining about here the same as a domain verification token? Whatever the case, the call is consistently failing with this same error. It's unclear to me what's causing this issue. Any suggestions would be appreciated.
Update: This is the main algorithm I'm using for the process:
token = get_auth_token()

# First, put in a certificate request and poll until the order is no longer
# reported as "201 Created"
cert_order = create_cert_order(token, CERT_NAME)
while cert_order.status_code == 201:
    cert_order = get_cert_order(token, CERT_NAME)
cert_order = cert_order.json()

# Then assign it to a specific key vault
cert = update_cert(token, CERT_NAME, KEY_VAULT_ID, KEY_VAULT_SECRET_NAME)
while cert.status_code == 201:
    cert = get_cert(token, CERT_NAME)

# Next, create a TXT entry in the root domain matching the
# domain verification token and wait for that record to be
# discoverable by nslookup.
domain_verification_token = cert_order["properties"]["domainVerificationToken"]
create_txt_record(domain_verification_token)
waitfor_txt_record(domain_verification_token)

# Finally, ask to have the domain ownership verified.
response = verify_domain_ownership(token, CERT_NAME)
if response.status_code != 204:
    print("Domain ownership verification failed")
The functions create_cert_order, update_cert, and verify_domain_ownership referenced here represent the REST calls I've mentioned above. I'm pretty sure this workflow is correct, but I don't know why the final call is failing.
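As an added example (not the asker's code), one way to implement the REST helpers the question refers to using only the standard library: the two payloads and the certificateOrders URL come from the question, while the `verifyDomainOwnership` action path is assumed from the documented REST API, and the injectable `send` transport exists so the request construction and the error-body handling can be exercised without network access.

```python
import json
import urllib.error
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2015-08-01"

def order_url(sub, rg, order):
    """Resource URL of the App Service certificate order (from the question's calls)."""
    return (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}/providers/"
            f"Microsoft.CertificateRegistration/certificateOrders/{order}")

def cert_order_body(domain):
    """Payload of step 1: order a domain-validated certificate for CN=domain."""
    return {"location": "global", "properties": {
        "productType": "StandardDomainValidatedSsl", "autoRenew": True,
        "distinguishedName": f"CN={domain}"}}

def cert_body(key_vault_id, secret_name):
    """Payload of step 2: bind the issued certificate to a Key Vault secret."""
    return {"location": "global", "properties": {
        "keyVaultId": key_vault_id, "keyVaultSecretName": secret_name}}

def _urlopen(req):
    """Real transport: returns (HTTP status, decoded JSON body or None)."""
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:  # ARM puts the error entity in the body
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)

def arm_request(token, method, url, body=None, send=_urlopen):
    """One ARM call with a bearer token; `send` is injectable so tests need no network."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{url}?api-version={API_VERSION}", data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    return send(req)

def verify_domain_ownership(token, sub, rg, order, send=_urlopen):
    """Step 3 action; the verifyDomainOwnership path is an assumption from the REST API docs."""
    url = order_url(sub, rg, order) + "/verifyDomainOwnership"
    return arm_request(token, "POST", url, None, send)

def arm_error_codes(err):
    """Collect every Code in an ARM error body (top level plus Details), as in the 400 above."""
    codes = [err.get("Code")] + [d.get("Code") for d in (err.get("Details") or [])]
    return [c for c in codes if c]
```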