Channels
#general
Title
c
careful-vase-44898
12/22/2021, 9:19 PMHello 🙂. I'm considering storing SSL certs as Pulumi secrets. Is this a very stupid idea?
l
little-cartoon-10569
12/22/2021, 9:21 PMNot stupid, but not generally used. Generally certs get stored in your cloud providers' vault or keystore.
b
billowy-army-68599
12/22/2021, 9:23 PM
@careful-vase-44898 we have the TLS provider which will allow you to generate certs if needed as well. Pulumi's secrets management makes it fairly trivial, the private keys are encrypted in state
c
careful-vase-44898
12/22/2021, 9:24 PM@little-cartoon-10569 thanks, that does make more sense. I'll have to keep looking at the Azure and AzureNative docs then to see how that might be done.
@billowy-army-68599 interesting - so I can use that to create self-signed certs for testing purposes then?
💯 1
Thanks, I'll give this a shot!
b
billowy-army-68599
12/22/2021, 9:52 PM
@careful-vase-44898 yes, here's an example in typescript:
https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/misc/self_signed_cert/index.ts
c
careful-vase-44898
12/22/2021, 11:33 PMGot the self-signed certs working! Thanks @billowy-army-68599! Would have been real tough w/o that example. Still need to get the Azure KeyVault-based certs working, but that's for another day 😉
@little-cartoon-10569 hi there. A few weeks ago you mentioned using my providers vault to manage ssl certs. I've got a cert in Azure KeyVault now, but I'm having trouble referring to it via Pulumi.
My code looks like this:
Copy code
var customDomainSslCert = new AzureNative.Web.Certificate("sslCertKv", new CertificateArgs
{
ResourceGroupName = resourceGroup.Name,
Location = resourceGroup.Location,
CanonicalName = customDomain,
HostNames = new InputList<string>() { customDomain },
ServerFarmId = appServicePlan.Id,
KeyVaultSecretName = "theNameOfTheCertificate",
KeyVaultId = keyVault.Id
});
var certBinding = new AzureClassic.AppService.CertificateBinding("sslCertBindingKv", new AzureClassic.AppService.CertificateBindingArgs
{
CertificateId = customDomainSslCert.Id,
HostnameBindingId = customHostnameBinding.Id,
SslState = "IpBasedEnabled"
}); Copy code
Diagnostics:
azure-native:web:Certificate (sslCertKv):
error: autorest/azure: Service returned an error. Status=<nil> <nil>l
little-cartoon-10569
01/06/2022, 11:19 PMI'm afraid I don't know the specifics of Azure vaults. That error message is singularly unhelpful.. might as well tell you that your printer port is on fire.
c
careful-vase-44898
01/06/2022, 11:19 PMAnd that's w/ verbose logging 🙂
l
little-cartoon-10569
01/06/2022, 11:20 PMDid you add the cert via Pulumi? Has it been successfully added to the vault? Can you use the Azure cli tools to list it?
And does the app service handle retrieving certs from vaults? I can't imagine that it doesn't, but it would be worth checking in the Azure docs, I guess...
c
careful-vase-44898
01/06/2022, 11:23 PMNo, I didn't add the cert via Pulumi. I didn't think that'd be the best way to manage the cert long-term - it'll be easiest to allow one of our admins just log into Azure and swap the cert out. It's definitely been added to Azure though, and I can manually attach it to the App Service.
Yes, Azure AppService allows you to use a certificate from KeyVault
l
little-cartoon-10569
01/06/2022, 11:31 PMIf the certificate is being added externally, shouldn't there be an import opt in the Certificate? Otherwise, Pulumi will be trying to create a new certificate.
Pulumi can create a cycle certificates fine, at least in AWS. That's what the certificate manager is for. I presume Azure has something similar.
c
careful-vase-44898
01/06/2022, 11:35 PMI think you're right. I must be misunderstanding what the "KeyVaultSecretName" and "KeyVaultId" options are for then when I'm creating my
AzureNative.Web.CertificateWell, this isn't great. Can't figure it out. Gonna have to manage the SSL cert setup manually for now. Thanks for the help, though!
l
little-cartoon-10569
01/07/2022, 12:27 AMThis post suggests it's possible and not well documented... https://nexxai.dev/using-a-certificate-stored-in-key-vault-in-an-azure-app-service/
c
careful-vase-44898
01/07/2022, 2:23 PMOh wow, that's... miserable. A magic service principal id... great find! Thanks, I'll give that a shot this afternoon.