Certificate upload fails via cli but works via portal #305

Closed
1 of 3 tasks
tmcgannon opened this issue Jul 9, 2022 · 13 comments
Labels
bug Something isn't working investigating currently looking into the issue Needs: Attention 👋

Comments

@tmcgannon

Please provide us with the following information:

This issue is a: (mark with an x)

  • bug report -> please search issues before submitting
  • documentation issue or request
  • regression (a behavior that used to work and stopped in a new release)

Issue description

I have obtained my certificate via LetsEncrypt and produced a valid pfx file which I can upload to KeyVault via azure cli but fails when adding to Azure Container App Environment using this command:

az containerapp env certificate upload \
      --resource-group "${RESOURCE_GROUP}" \
      --name "${CONTAINER_APP_ENV_NAME}" \
      --certificate-file "${PFX_CERT_PATH}" \
      --certificate-name "${CONTAINER_APP_CERTIFICATE_NAME}" \
      --password "${PFX_PASSWORD}"

The error is:

Certificate must contain one private key.

However, I can upload manually in the portal.azure.com without an issue:

image

I looked at the pfx file using Mac Keychain Access and it looks like it has a private key with an intermediate key:

image

Steps to reproduce

See above

Expected behavior

The az containerapp env certificate upload command should succeed.

Actual behavior

I get this error: Certificate must contain one private key.
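
The Keychain Access inspection described in this report can also be scripted. The following is an added example, not part of the original issue or of the Azure CLI: it uses `openssl` to count the private keys and certificates in a PFX and to confirm that the key matches the leaf certificate, which rules the file itself in or out as the cause of "Certificate must contain one private key". The function names and the throwaway self-signed certificate are constructed for illustration; `PFX_PASSWORD` is the variable from the command above and is assumed to be exported.

```shell
#!/bin/sh
# Added example (not from the issue thread): inspect a PFX before upload.
# The password is read from the exported PFX_PASSWORD variable via
# "-passin env:", which keeps it out of the process list.

# Print "keys=<n> certs=<n> match=<yes|no>" for the PFX at $1.
# Exit 0 when exactly one key is present and it matches the leaf certificate,
# 1 when it does not, 2 when the file cannot be opened.
pfx_check() (
  pfx=$1
  p12() { openssl pkcs12 -in "$pfx" -passin env:PFX_PASSWORD "$@" 2>/dev/null; }
  # -nodes emits the key unencrypted so it can be counted and compared.
  pem=$(p12 -nodes) || { echo "error: cannot open PFX"; exit 2; }
  keys=$(printf '%s\n' "$pem" | grep -c 'BEGIN .*PRIVATE KEY') || true
  certs=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE') || true
  # Public key of the leaf certificate vs. the one derived from the private key.
  cert_pub=$(p12 -nokeys -clcerts | openssl x509 -pubkey -noout 2>/dev/null) || true
  key_pub=$(p12 -nocerts -nodes | openssl pkey -pubout 2>/dev/null) || true
  match=no
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] && match=yes
  echo "keys=$keys certs=$certs match=$match"
  [ "$keys" -eq 1 ] && [ "$match" = yes ]
)

# Build a throwaway self-signed PFX in directory $1 (constructed sample,
# not a real certificate; CN and file names are placeholders).
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout env:PFX_PASSWORD -out "$1/sample.pfx"
}

# Demo on the constructed sample.
export PFX_PASSWORD='constructed-sample-password'
tmp=$(mktemp -d) && make_sample_pfx "$tmp" && pfx_check "$tmp/sample.pfx"
rm -rf "$tmp"
```

For a real file, export `PFX_PASSWORD` and run `pfx_check "${PFX_CERT_PATH}"`; a result other than `keys=1 ... match=yes` points at the PFX rather than at the upload tooling.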

@ghost added the "Needs: triage 🔍" label on Jul 9, 2022
@StrawnSC

@lil131 can you take a look at this? Thanks

@torosent added the "investigating" label and removed the "Needs: triage 🔍" label on Jul 11, 2022
@Mathijs-Dijk

After support from Microsoft, what helped in my case was adding the certificate (pfx) on the local machine (with mmc). After this the upload worked.

I had the exact same issues as in this thread (cli => "must contain one private key", portal => "password not correct").

@lil131
Member

lil131 commented Jul 21, 2022

@Mathijs-Dijk thanks for reporting your case. Were you using a certificate obtained from LetsEncrypt as well?

@tmcgannon
Author

@Mathijs-Dijk Regarding:

adding the certificate (pfx) on the local machine (with mmc).

How did you add the certificate? What commands were used? Did the pfx get changed during the process?

@panchagnula

@tmcgannon are you still able to repro this only on CLI & not on portal? If so, would you be willing to run the CLI command with --debug & share the details, after removing some PII info, or send an email to us directly with the details? We can share our email address to send the debug info to. Thanks!

@Mathijs-Dijk

Mathijs-Dijk commented Jul 22, 2022

@tmcgannon
I work on a Windows machine as a developer. I used MMC to add the certificate on my local machine.

@lil131 no, our certificate is from Sectigo. But I think this issue occurs with all third-party certificates for Azure Container Apps. We had no problems uploading the certificate in KeyVault and App Services with the exact same certificate. As I mentioned, after adding the certificate to my local machine it worked. * Only downside is that I cannot upload it a.t.m. through Bicep in our release pipeline on Azure.

@panchagnula

@tmcgannon I work on a Windows machine as a developer. I used MMC to add the certificate on my local machine.

@lil131 no, our certificate is from Sectigo. But I think this issue occurs with all third-party certificates for Azure Container Apps. We had no problems uploading the certificate in KeyVault and App Services with the exact same certificate. As I mentioned, after adding the certificate to my local machine it worked. * Only downside is that I cannot upload it a.t.m. through Bicep in our release pipeline on Azure.

@vinisoto / @anthonychu, @tmcgannon's issue doesn't seem to be client specific, could you help here? Thanks!

@vinisoto
Collaborator

Would like to hear from @tmcgannon: to confirm if the issue is still reproducible only on CLI but not on Portal

@tmcgannon
Author

@vinisoto @panchagnula It still does not work and shows this message:

image

@kendallroden
Contributor

@vinisoto do we know the status of this issue?

@kendallroden added the "bug" label on Sep 14, 2022
@tmcgannon
Author

@kendallroden As of today, this is still a problem for me.

@panchagnula

@kendallroden As of today, this is still a problem for me.

@tmcgannon sorry to hear this - have you checked this with the latest version of ACA CLI 0.3.11? You can check using az --version & do update to latest using az upgrade

@tmcgannon
Author

@panchagnula I upgraded to 0.3.11 (from 0.3.9) and it worked. Thank you


8 participants