Comments (7)
Hi, the Azure Key Vault export definitely does work currently; we have a task doing exactly that. Can you review your managed certificate log to see if more error detail is logged? Key Vault requires specific naming rules. Are you setting a password or leaving the default (blank)?
Generally a certificate export would not export the root certificate because the root is for the client to trust, it is not something you serve. We do have a PEM export option for the chain that does include the root if you want it, but our PFX does not.
from certify.
Hey Chris, thanks for getting back to me so quickly. When trying to upload the exported certificate to Azure Key Vault (either using a normal export task and then the Azure Portal, or directly with the Azure Key Vault upload task), we get this exception:
```
2023-10-27 16:21:47.962 +02:00 [INF] ---- Performing Task [On-Demand or Manual Execution] :: devdomaincom----
2023-10-27 16:21:47.965 +02:00 [INF] Task [devdomaincom] :: Task is enabled and primary request was successful.
2023-10-27 16:21:48.349 +02:00 [ERR] Failed to deploy certificate [devdomaincom] to Azure Key Vault :Azure.RequestFailedException: Unable to parse X5c certificate chain and locate leaf certificate
Status: 400 (Bad Request)
ErrorCode: BadParameter
Content:
{"error":{"code":"BadParameter","message":"Unable to parse X5c certificate chain and locate leaf certificate"}}
Headers:
Pragma: no-cache
x-ms-keyvault-region: westeurope
x-ms-client-request-id: a125bbd3-273a-4a85-9b6c-c27b0a9fd216
x-ms-request-id: 598eda67-57ae-44aa-bf95-8cdcf538478c
x-ms-keyvault-service-version: 1.9.1036.1
x-ms-keyvault-network-info: conn_type=Ipv4;addr=212.3.231.129;act_addr_fam=InterNetwork;
x-ms-keyvault-rbac-assignment-id: REDACTED
x-ms-keyvault-rbac-cache: REDACTED
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Content-Length: 111
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Fri, 27 Oct 2023 14:21:48 GMT
Expires: -1
at Azure.Security.KeyVault.KeyVaultPipeline.<SendRequestAsync>d__29.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Security.KeyVault.KeyVaultPipeline.<SendRequestAsync>d__19`2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Security.KeyVault.Certificates.CertificateClient.<ImportCertificateAsync>d__35.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Plugin.DeploymentTasks.Azure.AzureKeyVault.<Execute>d__6.MoveNext()
2023-10-27 16:21:48.349 +02:00 [ERR] Key Vault Deployment Failed
```
Thanks @Thijs5, sorry I missed your reply.
Just for info, for actual support tickets it's best to log a ticket with support {at} certifytheweb.com as GitHub isn't our ticketing system.
We have not been able to reproduce this issue yet, in all our tests the certs are uploading to keyvault OK. Is the task trying to replace an existing certificate in keyvault? There's a possibility that's causing some kind of conflict on their side if so. You could try uploading the cert with a different cert name so it doesn't try to upload over an existing cert.
Otherwise you would need Microsoft to tell you why their system is rejecting the PFX in this case.
It's also worth adding that the "leaf certificate" is your actual domain certificate, not the root/issuer.
I'm also assuming that you're not using a custom CSR: https://learn.microsoft.com/en-us/answers/questions/1314131/unable-to-parse-x5c-certificate-chain-and-locate-l
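A preflight check for the exported PFX, added here as an example (it is not Certify The Web's or Azure's code): it loads the bundle with the password the export task was given (blank by default) and classifies each certificate as leaf, intermediate or root, which is what the Key Vault error about locating the leaf refers to. The `$PfxPath` and `$Password` parameters are assumptions for this example.

```powershell
# Added example, not Certify The Web's or Azure's code. Loads an exported PFX and
# classifies each certificate in it as leaf, intermediate or root. $PfxPath and
# $Password are assumptions: the file the export task wrote and the password it
# was given (Certify's default is blank).
param(
    [Parameter(Mandatory)][string]$PfxPath,
    [string]$Password = ''
)

# EphemeralKeySet keeps the private key out of the machine/user key store while inspecting.
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$bundle = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$bundle.Import($PfxPath, $Password, $flags)

# A certificate is the leaf if nothing else in the bundle names it as its issuer.
$issuers = @($bundle | ForEach-Object { $_.Issuer })
$report = foreach ($c in $bundle) {
    $role = 'leaf'
    if ($c.Subject -eq $c.Issuer)          { $role = 'root (self-signed)' }
    elseif ($issuers -contains $c.Subject) { $role = 'intermediate' }
    [pscustomobject]@{
        Role          = $role
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        HasPrivateKey = $c.HasPrivateKey
        NotAfter      = $c.NotAfter
        Thumbprint    = $c.Thumbprint
    }
}
$report | Format-Table -AutoSize

# Key Vault needs exactly one leaf, and that leaf must carry the private key.
$leaves = @($report | Where-Object { $_.Role -eq 'leaf' })
if ($bundle.Count -eq 1) { $leaves = @($report) }   # a lone self-signed cert is its own leaf
if ($leaves.Count -ne 1) {
    Write-Warning "Found $($leaves.Count) leaf certificates; Key Vault expects exactly one."
} elseif (-not $leaves[0].HasPrivateKey) {
    Write-Warning "Leaf '$($leaves[0].Subject)' has no private key in this PFX."
} else {
    Write-Output "Leaf certificate: $($leaves[0].Subject) (expires $($leaves[0].NotAfter))"
}
if ($report | Where-Object { $_.Role -like 'root*' }) {
    Write-Output "Note: the bundle also carries a self-signed root, which Certify's PFX export normally omits."
}
```

Run it against the same PFX the deployment task uploads; a bundle that reports zero or several leaves, or a leaf without its private key, is one Key Vault will reject with the error shown in the log above.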
Good to know; I'd better use the email address for helpdesk in the future.
We tried both. Both as a new certificate and as an update to the existing certificate. Neither one works in our case. It's a good suggestion to take this up with Microsoft. I'm going to try that route. Thanks for the responses and thank you for the work you did on the product. It's a great product!
Thijs
Thanks @Thijs5, if you don't get anywhere with Microsoft we can investigate this further via support {at} certifytheweb.com - we would need to examine the pfx the app generates etc.