azure - Configuring SSL on an Azure Web App with ARM. The parameter {0} has an invalid value. ExtendedCode 51008

Tags: azure azure-keyvault azure-resource-manager

I am trying to configure SSL and a custom domain name using this ARM template.

Full error message:

New-AzureRmResourceGroupDeployment : 4:03:36 AM - Resource Microsoft.Web/certificates '<certificateName>' failed with message '{
  "Code": "BadRequest",
  "Message": "The parameter httpResponseMessage has an invalid value.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter httpResponseMessage has an invalid value."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "51008",
        "MessageTemplate": "The parameter {0} has an invalid value.",
        "Parameters": [
          "httpResponseMessage"
        ],
        "Code": "BadRequest",
        "Message": "The parameter httpResponseMessage has an invalid value."
      }
    }
  ],
  "Innererror": null
}'

The error message points to the Microsoft.Web/certificates resource in the ARM template:

{
     "type":"Microsoft.Web/certificates",
     "name":"[parameters('certificateName')]",
     "apiVersion":"2016-03-01",
     "location":"[parameters('existingAppLocation')]",
     "properties":{
        "keyVaultId":"[parameters('existingKeyVaultId')]",
        "keyVaultSecretName":"[parameters('existingKeyVaultSecretName')]",
        "serverFarmId":"[parameters('existingServerFarmId')]"
     }
  },

The values of these parameters are:

certificateName:  16charstring
existingKeyVaultId:  /subscriptions/<subscriptionid>/resourceGroups/<ressourcegroupname>/providers/Microsoft.KeyVault/vaults/<VaultName>
existingKeyVaultSecretName:  https://<VaultName>.vault.azure.net:443/secrets/<certificateName>/12345678901234567890
existingServerFarmId:  /subscriptions/<subscriptionid>/resourceGroups/<ressourcegroupname>/providers/Microsoft.Web/serverFarms/<AppServicePlanName>

I am using the Invoke-AddCertToKeyVault cmdlet from the RPHelper library to add the certificate to the vault:

# Load the PFX so its thumbprint can be reported at the end
Write-Host "Reading pfx file from $ExistingPfxFilePath"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExistingPfxFilePath, $Password

# Base64-encode the raw PFX bytes
$bytes = [System.IO.File]::ReadAllBytes($ExistingPfxFilePath)
$base64 = [System.Convert]::ToBase64String($bytes)

# Wrap the PFX and its password in a JSON document ...
$jsonBlob = @{
   data = $base64
   dataType = 'pfx'
   password = $Password
   } | ConvertTo-Json

# ... and base64-encode that JSON again; this is the value stored in the vault
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)

$secretValue = ConvertTo-SecureString -String $content -AsPlainText -Force

Write-Host "Writing secret to $CertificateName in vault $VaultName. Secret value " $secretValue
$secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $CertificateName -SecretValue $secretValue

# Return the vault id, the versioned secret URL and the certificate thumbprint to the caller
$output = @{};
$output.SourceVault = $resourceId;
$output.CertificateURL = $secret.Id;
$output.CertificateThumbprint = $cert.Thumbprint;

Can you tell me what is going wrong?

Best answer

Based on your description, I guess there is something wrong with the certificate parameters in your template.

Since the link you posted is not accessible, I wrote a test ARM template, which works fine.

I suggest you follow the template below to create the web app.

Note:

I use PowerShell to allow the "Microsoft.Web" resource provider to access the Azure Key Vault directly.

Login-AzureRmAccount 
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID 
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get 


Then you can use the PowerShell commands below to insert the certificate into Key Vault.

$pfxFilePath = "PFX_CERTIFICATE_FILE_PATH" # Change this path 
$pwd = "PFX_CERTIFICATE_PASSWORD" # Change this password 
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable 
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection 
$collection.Import($pfxFilePath, $pwd, $flag) 
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12 
$clearBytes = $collection.Export($pkcs12ContentType) 
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes) 
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText -Force 
$secretContentType = 'application/x-pkcs12' 
Set-AzureKeyVaultSecret -VaultName KEY_VAULT_NAME -Name KEY_VAULT_SECRET_NAME -SecretValue $Secret -ContentType $secretContentType # Change Key Vault name and Secret name 

After this is done, you can use the KeyVaultSecretName to access Key Vault directly and get the value.

Full template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "webAppName": {
      "type": "string",
      "metadata": {
        "description": "The name of the web app that you wish to create."
      }
    },
    "customHostname": {
      "type": "string",
      "metadata": {
        "description": "The custom hostname that you wish to add."
      }
    },
    "existingKeyVaultId": {
      "type": "string",
      "metadata": {
        "description": "Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)"
      }
    },
    "existingKeyVaultSecretName": {
      "type": "string",
      "metadata": {
        "description": "Key Vault Secret that contains a PFX certificate"
      }
    }
  },
  "variables": {
    "appServicePlanName": "[concat(parameters('webAppName'),'-asp-', uniquestring(resourceGroup().id))]",
    "certificateName": "[concat(parameters('webAppName'),'-cert-', uniquestring(resourceGroup().id))]"
  },
  "resources": [
    {
      "apiVersion": "2016-03-01",
      "name": "[variables('appServicePlanName')]",
      "type": "Microsoft.Web/serverfarms",
      "location": "[resourceGroup().location]",
      "properties": {
        "name": "[variables('appServicePlanName')]"
      },
      "sku": {
        "name": "P1",
        "tier": "Premium",
        "size": "1",
        "family": "P",
        "capacity": "1"
      }
    },
    {
      "apiVersion": "2016-03-01",
      "name": "[parameters('webAppName')]",
      "type": "Microsoft.Web/sites",
      "location": "[resourceGroup().location]",
      "properties": {
        "name": "[parameters('webAppName')]",
        "serverFarmId": "[resourceId('Microsoft.Web/serverFarms',variables('appServicePlanName'))]"
      },
      "dependsOn": [
        "[concat('Microsoft.Web/serverFarms/',variables('appServicePlanName'))]"
      ]
    },
    {
      "type": "Microsoft.Web/certificates",
      "name": "[variables('certificateName')]",
      "apiVersion": "2016-03-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "keyVaultId": "[parameters('existingKeyVaultId')]",
        "keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]",
        "serverFarmId": "[resourceId('Microsoft.Web/serverFarms',variables('appServicePlanName'))]"
      },
      "dependsOn": [
        "[concat('Microsoft.Web/sites/',parameters('webAppName'))]"
      ]
    },
    {
      "type": "Microsoft.Web/sites/hostnameBindings",
      "name": "[concat(parameters('webAppName'), '/', parameters('customHostname'))]",
      "apiVersion": "2016-03-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "sslState": "SniEnabled",
        "thumbprint": "[reference(resourceId('Microsoft.Web/certificates', variables('certificateName'))).Thumbprint]"
      },
      "dependsOn": [
        "[concat('Microsoft.Web/certificates/',variables('certificateName'))]"
      ]
    }
  ]
}

Site parameters:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-08-01/deploymentParameters.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "webAppName": {
      "value": "yourwebappname"
    },
    "customHostname": {
      "value": "yourcustomdomianname"
    },
    "existingKeyVaultId": {
      "value": "/subscriptions/subscriptionsID/resourceGroups/resourceGroupsName/providers/Microsoft.KeyVault/vaults/vaultsName"
    },
    "existingKeyVaultSecretName": {
      "value": "The key vaults SecretName"
    }
  }
}

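A pre-deployment check for the steps in this answer, added here as an example and not part of the original question or answer. It assumes the AzureRM module the answer uses (Get-AzureRmADServicePrincipal, Get-AzureRmKeyVault and Get-AzureKeyVaultSecret from that module), an existing Login-AzureRmAccount session, and placeholder vault and secret names that you change.

```powershell
# Added pre-deployment check (not from the question or the answer): it verifies what the
# accepted answer relies on before New-AzureRmResourceGroupDeployment runs.
# Assumes the AzureRM module used in the answer and an existing Login-AzureRmAccount session.
param(
    [string]$VaultName  = "KEY_VAULT_NAME",        # placeholder, change
    [string]$SecretName = "KEY_VAULT_SECRET_NAME"  # placeholder, change; bare name, not the secret URL
)
$ErrorActionPreference = "Stop"
# Application id of the App Service (Microsoft.Web) principal, as used in the answer.
$appServiceAppId = "abfa0a7c-a6b6-4736-8310-5855508787cd"

# 1. keyVaultSecretName in the template is the secret's *name* (letters, digits, dashes),
#    not its https://<vault>.vault.azure.net/secrets/... URL.
if ($SecretName -notmatch '^[0-9A-Za-z-]{1,127}$') {
    throw "'$SecretName' is not a valid secret name; pass the secret's name, not its URL."
}

# 2. The vault must grant the App Service principal 'get' on secrets, which is what
#    Set-AzureRmKeyVaultAccessPolicy -PermissionsToSecrets get in the answer does.
$sp     = Get-AzureRmADServicePrincipal -ServicePrincipalName $appServiceAppId
$vault  = Get-AzureRmKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy -or ($policy.PermissionsToSecrets -notcontains 'get')) {
    throw "Vault '$VaultName' does not grant 'get' on secrets to principal $appServiceAppId."
}

# 3. The secret must exist and hold the base64 PKCS#12 blob the answer uploads. A DER-encoded
#    PFX starts with a SEQUENCE tag (0x30); the RPHelper script in the question instead stores
#    a base64 JSON wrapper, which decodes to '{' (0x7B), so the two formats are told apart here.
$secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName
$bytes  = [System.Convert]::FromBase64String($secret.SecretValueText)
if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x7B) {
    Write-Warning "Secret '$SecretName' holds the JSON wrapper format, not a raw PFX as in the answer."
} elseif ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
    throw "Secret '$SecretName' does not decode to a PKCS#12 (PFX) blob."
}
if ($secret.ContentType -ne 'application/x-pkcs12') {
    Write-Warning "Secret ContentType is '$($secret.ContentType)'; the answer sets application/x-pkcs12."
}

# The answer exports the PFX without a password, so it can be parsed to report the thumbprint
# that the hostnameBindings resource will reference. A password-protected PFX is reported as such.
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
    Write-Host "OK: access policy and secret verified. Thumbprint: $($cert.Thumbprint)"
} catch {
    Write-Host "OK: access policy and secret verified (PFX is password protected; thumbprint not read)."
}
```

Run it from the same session in which you ran the answer's Set-AzureRmKeyVaultAccessPolicy and Set-AzureKeyVaultSecret commands; each failed check throws with the step that needs fixing.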

For "azure - Configuring SSL on an Azure Web App with ARM. The parameter {0} has an invalid value. ExtendedCode 51008", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/45236633/
