Webapp slot won't deploy as clone if SSL cert has multiple Subject Alternate Names #4564

Closed
Ben424242 opened this issue Sep 23, 2021 · 7 comments
Labels
investigate Needs: Author Feedback Awaiting feedback from the author of the issue Needs: Triage 🔍 revisit

Comments

@Ben424242

Bicep version
Bicep CLI version 0.4.613

Describe the bug
We are deploying a Web App with a staging slot cloned from the site. The web app has a custom host name binding using a cert from our enterprise PKI. The cert has a subject alternate name in addition to the common name.

The app deploys fine, but fails trying to deploy the slot resource. The error is "Cannot find Certificate with name application.company.org."

We were able to work around the error by re-issuing the cert with no SAN. Once it has only one name in the cert the deployment succeeded.

I think what's happening is that instead of looking for the cert in the clone by thumbprint or by its common name, it's looking for the subject name. In the SAN cert the subject name comes across like this: "application.company.org,application"

To Reproduce
Here is the code we are using.

resource webapp 'Microsoft.Web/sites@2020-10-01' = {
  name: fullAppName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${manid.id}': {}
    }
  }
  properties: {
    httpsOnly: true
    hostingEnvironmentProfile: {
      id: ase.id
    }
    serverFarmId: asp.id
    hostNameSslStates: [
      {
        name: '${hostName}.${hostSuffix}'
        sslState: 'SniEnabled'
        hostType: 'Standard'
      }
    ]
    siteConfig: {
      netFrameworkVersion: 'v5.0'
      use32BitWorkerProcess: false
      http20Enabled: true
      ftpsState: 'Disabled'
      appSettings: [
        {
          name: 'WEBSITE_LOAD_ROOT_CERTIFICATES'
          value: 'caa068433b8436ddda2a857a8f2a599d9611bf6a'
        }
        {
          name: 'WEBSITE_NODE_DEFAULT_VERSION'
          value: '6.9.1'
        }
        {
          name: 'WEBSITE_RUN_FROM_PACKAGE'
          value: '1'
        }
        {
          name: 'WEBSITE_VNET_ROUTE_ALL'
          value: '1'
        }
        {
          name: 'WEBSITE_TIME_ZONE'
          value: 'US Mountain Standard Time'
        }
      ]
    }
  }
}

// Web app slot
resource webappslot 'Microsoft.Web/sites/slots@2020-12-01' = {
  name: '${webapp.name}/stagingtest'
  location: location
  dependsOn: [
    binding
  ]
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${manid.id}': {}
    }
  }
  properties: {
    cloningInfo: {
      sourceWebAppId: webapp.id
    }
  }
}

resource cert 'Microsoft.Web/certificates@2021-01-15' = {
  name: '${hostName}.${hostSuffix}'
  location: location
  properties: {
    keyVaultId: kv.id
    keyVaultSecretName: certSecretName
    serverFarmId: asp.id
  }
}

resource binding 'Microsoft.Web/sites/hostNameBindings@2021-01-15' = {
  name: '${webapp.name}/${hostName}.${hostSuffix}'
  properties: {
    azureResourceName: webapp.name
    azureResourceType: 'Website'
    siteName: '${hostName}.${hostSuffix}'
    sslState: 'SniEnabled'
    thumbprint: cert.properties.thumbprint
  }
}
@ghost ghost added the Needs: Triage 🔍 label Sep 23, 2021
@Ben424242
Author

Update: The deployment works with the new cert only on the initial deployment. On subsequent deployments, even if there have been no changes to the app service or the slot, we get the cert not found error again.

@Ben424242
Author

Ben424242 commented Sep 27, 2021

This may not be slot related at all. Further troubleshooting has revealed that the problem happens when the app service is being updated in the deployment, even if we've removed all references to adding a slot.

I have a ticket open with Azure. Let me know if you want me to close this ticket in the meantime.

@alex-frankel
Collaborator

It would be great if you can let us know how that support ticket gets resolved. It's ok to leave it open while we wait.

@alex-frankel
Collaborator

@Ben424242 -- do you mind sharing the support ticket number? We will follow up with the web team.

@Ben424242
Author

As I suspected, it was only an issue with the cert resource, and had nothing to do with adding a slot. We got the same error on re-deployments even after removing all of the slot resources.

The solution was to use an earlier API for the certificate resource (Microsoft.Web/certificates@2018-11-01 instead of Microsoft.Web/certificates@2021-01-15). That worked and we no longer get the error on a re-deploy.

Our support case # was 2109270010002207

@alex-frankel
Collaborator

cc @naveedaz / @seligj95 -- this was the support ticket we discussed. Can you take a look?

@ghost

ghost commented May 24, 2023

Hi Ben424242, this issue has been marked as stale because it was labeled as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. Thanks for contributing to bicep! 😄 🦾

@ghost ghost closed this as completed Jun 3, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Jul 3, 2023
@StephenWeatherford StephenWeatherford added Needs: Author Feedback Awaiting feedback from the author of the issue and removed awaiting response labels Oct 13, 2023
This issue was closed.

3 participants