0
votes

I recently transferred an Azure Subscription to a new account owner in a new directory. After doing so, I am no longer able to import an App Service Certificate into my App Service, and am thus unable to create any TLS/SSL bindings.

When I click Import App Service Certificate, the certificate correctly shows up; when I click on the certificate it correctly displays Validated the App Service Certificate; but when I click OK, I get the following error:

Failed to add App Service certificate to the app, Check error for more details. Error Details: The service does not have access to 'MyKeyVault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

In addition, if I open my Certificate Key Vault, and click on Keys, Secrets, or Certificates, I receive the message:

Something went wrong. Please refresh and try again.

Finally, in the Activity Log for the Certificate Vault, I can see that I triggered an Update Key Vault event around the time of the migration, so I'm assuming this might be related, but it's unclear from the Activity Log what that event is.

Note that my account is assigned to the Owner role of the Subscription.

My Question: How do I import my App Service Certificate into an App Service given these conditions? Alternatively, how do I troubleshoot these issues to further isolate this issue?


2 Answers

1
votes

I was using the Azure App Certificates and, following a subscription move, the auto-renewal of the certificates failed, despite having moved the Key Vault to the new tenant, as per Change a Key Vault tenant ID after a subscription move.

Going in to my App Services and clicking Import App Service Certificate was letting me choose the latest certificate and validating it, but then it gave the following error:

Failed to add App Service certificate to the app, Check error for more details. Error Details: The parameter KeyVaultId & KeyVaultSecretName has an invalid value.

In my case, the solution was to remove all the bindings and all the instances of the App Service Certificate (i.e., remove the microsoft.web/certificates, not the App Service Certificate itself) and to then re-bind to the latest certificate.

1
votes

It is expected that you won't be able to import your App Service Certificate after transferring a Subscription to a new Directory—though you should be getting the following warning in your Key Vault:

The directory (XYZ) currently selected differs from this key vault's directory. Some actions will be disabled. Click this for more details.

When this happens, you will usually also get the following error message in your Key Vault's Keys, Secrets, and/or Certificates tabs:

The operation ‘List’ is not enabled in this key vault's access policy.

Those messages don't always show up immediately, presumably due to dependencies migrating between different data centers, which could be why you're receiving the less informative errors. My assumption is that the generic messages you're seeing will be replaced with these specific messages in time, but that they both stem from the same underlying issue.

Associate your Key Vault with your new Directory

Regardless, though, it's a good idea to ensure that your Key Vault is, in fact, associated with the new Directory after a Subscription transfer. As per the instructions linked from the Azure error, you can change the directory in the Azure PowerShell (Az) module using the following commands:

# Run this from a session signed in to the NEW directory; select the moved subscription
Select-AzSubscription -SubscriptionId <your-subscriptionId>
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties
# Re-point the vault at the current tenant and clear the access policies,
# which still reference object IDs from the old directory
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId
$vault.Properties.AccessPolicies = @()
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties

Alternatively, see "Unable to access Key-Vault using Azure Portal", here on Stack Overflow, which provides similar instructions.

Note: It's useful to have Azure PowerShell (Az) module installed. If you don't, however, you can always use the Azure Cloud Shell, which is accessible in the Azure Portal via the shell icon to the right of the search bar. In that case, you may need to provision an Azure Storage account, if you haven't already.

Verifying the resolution

The above steps should resolve your issue. But there are two related conditions you should check to be safe.

App Service Certificate

First, go to your App Service Certificate in the Portal. There should be a link between your App Service Certificate and your Key Vault, which allows your private key to be stored in your Key Vault, and retrieved by applications with the appropriate Access Policy. Azure now has tooling built-in to detect when the App Service Certificate is not correctly linked to your Key Vault. To access this, click on Certificate Configuration, and make sure there is a checkmark next to Step 1: Store. If this is not the case, the portal will give you a warning which you can click to automatically reestablish this link.

Key Vault Access Policy

Second, return to your Key Vault, and click on Keys, Secrets, or Certificates. You should no longer be receiving any errors here. If you do, however, you may need to reconfigure or update your Microsoft Azure App Service Access Policy, which is normally created when you first create an Azure App Service Certificate.

Note: There are a lot of previous posts for troubleshooting and resolving access to the App Services via an Access Policy (e.g., here on Stack Overflow, but also on Microsoft Questions), so I'm not going to go into detail on those here. But I want to acknowledge that particular possibility just in case the App Service Certificate isn't properly registered after the Subscription migration.

With this all done, you should now be able to use the Import App Service Certificate from within your App Service.
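A way to check the two conditions described in this answer (vault still bound to the old directory, and the App Service access policy missing or incomplete after the policies were emptied) from the vault's resource JSON. This is an added example, not code from either answer; it assumes the JSON shape returned by `az resource show --ids <vault-resource-id>`, and the App Service principal's object ID in the new tenant is passed in by the caller. The sample vault below is constructed.

```python
"""Check a Key Vault after a subscription/tenant move (added example, not
from the answers above). Input is the vault resource JSON, e.g. from
`az resource show --ids <vault-resource-id>`; the sample here is constructed."""
import json

# Permissions the App Service principal needs to read the certificate's
# private key from the vault (assumption for this example).
REQUIRED = {"secrets": {"get"}, "certificates": {"get"}}

# Constructed sample: vault still bound to the old tenant, with one stale
# access policy from that tenant.
SAMPLE_VAULT = json.loads("""{
  "name": "MyKeyVault",
  "properties": {
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "accessPolicies": [{
      "tenantId": "11111111-1111-1111-1111-111111111111",
      "objectId": "aaaaaaaa-0000-0000-0000-000000000001",
      "permissions": {"secrets": ["get", "list"], "certificates": ["get"]}
    }]
  }
}""")


def check_vault(vault, current_tenant, app_service_object_id):
    """Return a list of findings; an empty list means the vault looks healthy."""
    props = vault["properties"]
    findings = []
    tenant = current_tenant.lower()
    if props.get("tenantId", "").lower() != tenant:
        findings.append("tenantId %s differs from current directory %s: "
                        "re-associate the vault (Set-AzResource step)"
                        % (props.get("tenantId"), current_tenant))
    policies = props.get("accessPolicies", [])
    stale = [p for p in policies if p.get("tenantId", "").lower() != tenant]
    if stale:
        findings.append("%d access policy entries reference another tenant "
                        "and grant nothing in this directory" % len(stale))
    mine = [p for p in policies
            if p.get("objectId", "").lower() == app_service_object_id.lower()
            and p.get("tenantId", "").lower() == tenant]
    if not mine:
        findings.append("no access policy for the Microsoft Azure App Service "
                        "principal in the current tenant: re-create it")
    else:  # policy exists; verify it carries the permissions the import needs
        perms = mine[0].get("permissions", {})
        for kind, needed in REQUIRED.items():
            missing = needed - {x.lower() for x in perms.get(kind, [])}
            if missing:
                findings.append("App Service policy lacks %s %s"
                                % (kind, sorted(missing)))
    return findings
```

Run `check_vault(SAMPLE_VAULT, "<new-tenant-id>", "<app-service-object-id>")` and act on each finding; an empty list means the tenant binding and policy match what the Import App Service Certificate flow needs.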