Access exception upon certificate renewal attempt #302
Comments
If you generate the client secret for the service principal from the portal, you should be aware that the default lifetime is one year. So maybe the secret has simply expired. You can just look up the service principal in Azure AD (using the client ID, if you forgot what you named it) and generate a new secret. This time set the lifetime to non-expiring, then you won't have this problem again later.
Yes, I ran into that a while back. Since then I've always generated them as non-expiring: @Tsaukpaetra seems to feel that the Service Principal no longer has the role required to access that resource group, but I'm struggling to figure out how to check on that (official documentation is frustrating, to say the least). Would you concur?
How does one do this?
Check that the service principal still has access to the resource group?
Yes, that's what I'm trying to figure out how to do ;-) Anyway... I opened a support ticket. Expensive, I know, but this is a must-have. Hopefully I'll be receiving a phone call shortly.
Well shucky darn, that seems to have been it. I'd come upon this same page in all my searching, but I didn't realize you could search for an application by name. It didn't appear in the pick list, so I figured I was at the wrong screen. So I added Thanks for the screen shot and the tip!
NP
It's set to run again in just over six hours. I'd run it manually, but I want to wait to see what it does under schedule. I'll report back here. Keep the issue open?
Just close it when you have validated that it works :)
Will do.
OK, we have a new cert: ...but alas we only have partial success. Stack trace below. This is a different error. Is it an Azure issue or a LEWS issue?
Looks like it was trying to delete the old certs but failed? I assume this may have happened because the cert was still associated with a site.
Maybe so... I replayed it and it succeeded this time. I also noticed that
letsencrypt-siteextension/LetsEncrypt.SiteExtension.Core/Services/WebAppCertificateService.cs Lines 102 to 105 in 9660b42
I think in theory it should have skipped any certs that were still in use (see link 92 above your reference) but somehow it found a letsencrypt cert that was associated but it didn't know about. 🤷‍♂️
That makes sense... that's a little bit of why I'm leaving the issue open for the time being. Simon may want to have a look at that part of it. It'd be hard to reproduce this one, I think.
Yeah, it'll take three months now to repro (since I assume you didn't export the expired cert).
In this case, I thought there was some standalone multi-site thing that was added, but I never got around to setting it up. That would probably be a better solution in the long run if multiple sites need to be certed.
I'm getting an error when the webjob attempts to renew a certificate:
The full stack report is below.
I've reviewed documentation here and here, but I'm afraid I'm still at a loss.
I've found the Microsoft.Web/sites/config/list/action provider here, but it's not listed in the available roles and there's no indication as to how to give it access to this: /subscriptions/[Redacted]/resourceGroups/[Redacted]/providers/Microsoft.Web/sites/[Redacted]/config/publishingcredentials
All has been working well for the past year, but it only started failing within the past month or so. I have two websites on which I'm running the job, and suddenly both are failing with like errors. I've changed nothing in my Azure configuration.
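One way to check whether a service principal still holds a role that covers the failing resource, as an added example that is not part of the original thread or the project's code: it evaluates role assignments, in the shape of `az role assignment list` JSON output, against the action and resource path from the error above. The subscription ID, resource names, assignments and the simplified role definitions are constructed assumptions.

```python
import re

# Action and resource path shape come from the error in the issue; all IDs and names are constructed.
REQUIRED_ACTION = "Microsoft.Web/sites/config/list/action"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE = SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/site-a/config/publishingcredentials"

# Simplified, constructed role definitions (real built-in roles carry longer lists).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]},
}

# Constructed assignments, using field names from `az role assignment list` JSON output.
BEFORE = [
    {"roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-web"},
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg"},
]
AFTER = BEFORE + [{"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web"}]


def action_matches(pattern, action):
    """Match an RBAC action against a pattern where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def scope_covers(scope, resource_id):
    """A scope covers itself and its children; compare on '/' boundaries, not raw prefixes."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def role_permits(role_name, action):
    """An action is permitted if it matches 'actions' and is not excluded by 'notActions'."""
    role = ROLES[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    excluded = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not excluded


def granting_assignments(assignments, resource_id, action):
    """Return the assignments that both cover the resource and permit the action."""
    return [a for a in assignments
            if scope_covers(a["scope"], resource_id) and role_permits(a["roleDefinitionName"], action)]


if __name__ == "__main__":
    for label, assignments in (("before", BEFORE), ("after", AFTER)):
        hits = granting_assignments(assignments, RESOURCE, REQUIRED_ACTION)
        print(label, [(a["roleDefinitionName"], a["scope"]) for a in hits] or "no role grants the action")
```

In the constructed "before" set, the Reader assignment covers the resource group but does not permit the `list/action` call, and the Contributor assignment sits on a different resource group whose name is only a string prefix of the target.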