
careful-vase-44898

12/22/2021, 9:19 PM
Hello 🙂. I'm considering storing SSL certs as Pulumi secrets. Is this a very stupid idea?

little-cartoon-10569

12/22/2021, 9:21 PM
Not stupid, but not generally used. Generally certs get stored in your cloud providers' vault or keystore.

billowy-army-68599

12/22/2021, 9:23 PM
@careful-vase-44898 we have the TLS provider which will allow you to generate certs if needed as well. Pulumi's secrets management makes it fairly trivial, the private keys are encrypted in state

careful-vase-44898

12/22/2021, 9:24 PM
@little-cartoon-10569 thanks, that does make more sense. I'll have to keep looking at the Azure and AzureNative docs then to see how that might be done.
@billowy-army-68599 interesting - so I can use that to create self-signed certs for testing purposes then?
Thanks, I'll give this a shot!

billowy-army-68599

12/22/2021, 9:52 PM

careful-vase-44898

12/22/2021, 11:33 PM
Got the self-signed certs working! Thanks @billowy-army-68599! Would have been real tough w/o that example. Still need to get the Azure KeyVault-based certs working, but that's for another day 😉
@little-cartoon-10569 hi there. A few weeks ago you mentioned using my provider's vault to manage SSL certs. I've got a cert in Azure KeyVault now, but I'm having trouble referring to it via Pulumi.
My code looks like this:
var customDomainSslCert = new AzureNative.Web.Certificate("sslCertKv", new CertificateArgs
{
    ResourceGroupName = resourceGroup.Name,
    Location = resourceGroup.Location,
    CanonicalName = customDomain,
    HostNames = new InputList<string>() { customDomain },
    ServerFarmId = appServicePlan.Id,
    KeyVaultSecretName = "theNameOfTheCertificate",
    KeyVaultId = keyVault.Id
});

var certBinding = new AzureClassic.AppService.CertificateBinding("sslCertBindingKv", new AzureClassic.AppService.CertificateBindingArgs
{
    CertificateId = customDomainSslCert.Id,
    HostnameBindingId = customHostnameBinding.Id,
    SslState = "IpBasedEnabled"
});
and I'm getting an error like this:
Diagnostics:
  azure-native:web:Certificate (sslCertKv):
    error: autorest/azure: Service returned an error. Status=<nil> <nil>

little-cartoon-10569

01/06/2022, 11:19 PM
I'm afraid I don't know the specifics of Azure vaults. That error message is singularly unhelpful... might as well tell you that your printer port is on fire.

careful-vase-44898

01/06/2022, 11:19 PM
And that's w/ verbose logging 🙂

little-cartoon-10569

01/06/2022, 11:20 PM
Did you add the cert via Pulumi? Has it been successfully added to the vault? Can you use the Azure cli tools to list it?
And does the app service handle retrieving certs from vaults? I can't imagine that it doesn't, but it would be worth checking in the Azure docs, I guess...

careful-vase-44898

01/06/2022, 11:23 PM
No, I didn't add the cert via Pulumi. I didn't think that'd be the best way to manage the cert long-term - it'll be easiest to allow one of our admins to just log into Azure and swap the cert out. It's definitely been added to Azure though, and I can manually attach it to the App Service.
Yes, Azure AppService allows you to use a certificate from KeyVault

little-cartoon-10569

01/06/2022, 11:31 PM
If the certificate is being added externally, shouldn't there be an import opt in the Certificate? Otherwise, Pulumi will be trying to create a new certificate.
Pulumi can create and cycle certificates fine, at least in AWS. That's what the certificate manager is for. I presume Azure has something similar.

careful-vase-44898

01/06/2022, 11:35 PM
I think you're right. I must be misunderstanding what the "KeyVaultSecretName" and "KeyVaultId" options are for then when I'm creating my AzureNative.Web.Certificate.
Well, this isn't great. Can't figure it out. Gonna have to manage the SSL cert setup manually for now. Thanks for the help, though!

little-cartoon-10569

01/07/2022, 12:27 AM
This post suggests it's possible and not well documented... https://nexxai.dev/using-a-certificate-stored-in-key-vault-in-an-azure-app-service/

careful-vase-44898

01/07/2022, 2:23 PM
Oh wow, that's... miserable. A magic service principal id... great find! Thanks, I'll give that a shot this afternoon.