glamorous-helmet-50600

01/25/2021, 11:02 AM
Hi guys, is there any particular reason why creating a certificate resource using next-gen requires KeyVault? The Terraform provider allows creating one from a pfxBlob (base64-encoded string), but it didn't work for me though.
tall-librarian-49374

01/25/2021, 11:05 AM
It doesn’t require KeyVault, AFAIK. What’s your code and the error that you get?
glamorous-helmet-50600

01/25/2021, 11:08 AM
Using the terraform provider I've tried this:
// Upload the PFX (base64-encoded bytes) as an App Service certificate.
// certificatePassword is an Output<string> secret read from stack config,
// base64cert is the base64 encoding of the raw PFX file bytes.
var cert = new Azure.AppService.Certificate("cert-identityserver-dev", new Azure.AppService.CertificateArgs
{
    ResourceGroupName = resourceGroup.Name,
    Name = "cert-identity-dev",
    Password = certificatePassword,
    PfxBlob = base64cert,
}, new CustomResourceOptions { DependsOn = identityServerAppPlan });

// Keep the thumbprint; App Service references an uploaded certificate by thumbprint.
CertificateThumbprint = cert.Thumbprint;
Pulumi up detects the changes correctly, but when applying it hangs for about 7 minutes and then I'm given a generic error:
azure:appservice:Certificate (cert-identityserver-dev):
    error: Error creating/updating App Service Certificate "cert-identity-dev" (Resource Group "rg-test-dev244b9b58"): web.CertificatesClient#CreateOrUpdate: Failure responding to request: StatusCode=500 -- Original Error: autorest/azure: Service returned an error. Status=500 Code="" Message="An error has occurred."
So I was wondering if I'd have better luck with next-gen. Looking at the docs (https://www.pulumi.com/docs/reference/pkg/azure-nextgen/appplatform/certificate/), it looks like CertificateProperties doesn't have a pfxBlob property like its Terraform counterpart.
What I'm trying to do is associate a private-key certificate with my app service (it will use it to sign tokens).
tall-librarian-49374

01/25/2021, 11:16 AM
This is probably the resource you are looking for https://www.pulumi.com/docs/reference/pkg/azure-nextgen/web/certificate/
glamorous-helmet-50600

01/25/2021, 11:23 AM
Oh okay I see, thank you for that I'll give it a go. In the meantime, any idea why that code I shared hangs and then errors? Is there anything you can tell is wrong?
tall-librarian-49374

01/25/2021, 11:24 AM
Not really… 500 clearly comes from the Azure service and I don’t think that’s how it’s supposed to respond, doh. I don’t have much experience with this resource, unfortunately.
glamorous-helmet-50600

01/25/2021, 11:26 AM
No worries thank you very much. I'm quite new to pulumi so it's not always easy to tell what went wrong 😉 I'm going to try the next-gen and see how it goes.
prehistoric-nail-50687

01/25/2021, 11:28 AM
I was struggling with this kind of error too; the best way to debug it was by looking at the activity log of the resource group.
glamorous-helmet-50600

01/25/2021, 11:29 AM
That's a very good pointer, I'll have a look thank you 🙂
prehistoric-nail-50687

01/25/2021, 11:29 AM
The thing I had to realise is that you must create the App Service plan before adding any certificates; otherwise it did not work.
glamorous-helmet-50600

01/25/2021, 11:33 AM
Were you using the Terraform-based provider or next-gen?
prehistoric-nail-50687

01/25/2021, 11:37 AM
Next-gen, but you can also mix the two.
brave-planet-10645

01/25/2021, 11:45 AM
Hi @glamorous-helmet-50600, I've just responded to your support email. I managed to create a PFX certificate and, using your code, create a (non-next-gen) certificate resource. Can you check to make sure you've created your certificate correctly?
glamorous-helmet-50600

01/25/2021, 11:51 AM
Hi @brave-planet-10645, thank you for the response 🙂 I thought initially that it could be something with the certificate, but I did try to manually upload it to the app service and it worked just fine. Perhaps something is wrong with how I'm converting to Base64:
using System;
using System.IO;

// identityConfig is assumed to be a namespaced Pulumi.Config, e.g. new Pulumi.Config("identity").
var certificatePath = identityConfig.Require("certificatePath");
// RequireSecret keeps the password encrypted in state and outputs.
var certificatePassword = identityConfig.RequireSecret("certPassword");
// Read the raw PFX bytes and base64-encode them for the PfxBlob argument.
var certFileBytes = File.ReadAllBytes(certificatePath);
var base64cert = Convert.ToBase64String(certFileBytes);
brave-planet-10645

01/25/2021, 11:52 AM
I hard coded the path to my cert, but my code looks like this:
using System;
using System.IO;

var certificatePath = "./key.pfx";                     // hard-coded path to the PFX
var certificatePassword = config.RequireSecret("certPassword");
var certFileBytes = File.ReadAllBytes(certificatePath);
var base64cert = Convert.ToBase64String(certFileBytes);
And then the resource is exactly the same as yours:
var cert = new Azure.AppService.Certificate("cert-identityserver-dev", new Azure.AppService.CertificateArgs
{
    ResourceGroupName = resourceGroup.Name,
    Name = "cert-identity-dev",
    Password = certificatePassword,
    PfxBlob = base64cert,
}, new CustomResourceOptions { DependsOn = identityServerAppPlan });
One thing to note is that I didn't namespace my config, so it actually looks like this:
using System;
using System.IO;

var config = new Pulumi.Config();                      // un-namespaced: keys are <project>:<key>
var certificatePath = "./key.pfx";
var certificatePassword = config.RequireSecret("certPassword");
var certFileBytes = File.ReadAllBytes(certificatePath);
var base64cert = Convert.ToBase64String(certFileBytes);
And my Pulumi.dev.yaml looks like this:
config:
  cert-test:certPassword:
    secure: AAABANsWEBjIeWzp6ol8wlKmPHfVjy53rk3KITdhp0wQjtKBcmA=
glamorous-helmet-50600

01/25/2021, 11:59 AM
Right, strange that it didn't work for me. I'll give it another try soon with some tweaks to make it like yours. Thanks once again.