How does the new SSL support in app service custom host bindings work?

On October 2, a community PR added support for SSL certificate provisioning and assignment for app services in the Azure provider (and thanks to Joakim for that!)

I’m having trouble figuring out how to get it to work, though.

To begin with, I have to work with wildcard ssl certificates that already exist and have been created with the Azure Portal under App Service Certificates. It looks like that obviates the need for creating the azurerm_app_service_certificate resource and the relevant sections of the azurerm_key_vault resource - the cert already exists, right?

So that leaves me with:

resource "azurerm_app_service_custom_hostname_binding" "appsvc" {
  hostname = "${azurerm_dns_cname_record.appsvc.name}.${local.dns_zone_name}"
  app_service_name = azurerm_app_service.appsvc.name
  resource_group_name = azurerm_app_service.appsvc.resource_group_name
  ssl_state = "SniEnabled"
  thumbprint = local.ssl_thumbprint
}

…where local.ssl_thumbprint is the 40-char text string representing the thumbprint of the existing wildcard SSL certificate.

When I terraform apply, however, I get the following error:

Error: web.AppsClient#CreateOrUpdateHostNameBinding: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="NotFound" Message="Certificate 284....E7 was not found." Details=[{"Message":"Certificate 284....E7 was not found."},{"Code":"NotFound"},{"ErrorEntity":{"Code":"NotFound","ExtendedCode":"04031","Message":"Certificate 284....E7 was not found.","MessageTemplate":"Certificate {0} was not found.","Parameters":["284....E7"]}}]

(Thumbprint partially redacted for posting purposes)

The secret for the certificate is contained within a keyvault in the same subscription, and I have added the Terraform Service Principal I’m using to a Secret (Get, List) access policy for that keyvault, in case that was necessary. My understanding is that it shouldn’t be as it’s the generic app service service principal that reads the keyvault, and that access policy appears to have been properly created by the Azure Portal.

I tried digging around in the API reference for the Azure Go SDK and AFAICT there’s no other parameters expected, just the thumbprint.

I’ve tried creating an azurerm_app_service_certificate resource, and then referring to that resource for the thumbprint:

# Import the app service certificate
resource "azurerm_app_service_certificate" "foo" {
  name                = "foo-net"
  resource_group_name = var.appsvc_resource_group_name
  location            = var.location
  key_vault_secret_id = "https://foo-ca-dvlp-kv.vault.azure.net/secrets/wc-test-foo-net[guid]/[more guid]"
}

# Hostname binding
resource "azurerm_app_service_custom_hostname_binding" "appsvc" {
  hostname            = "${azurerm_dns_cname_record.appsvc.name}.${local.dns_zone_name}"
  app_service_name    = azurerm_app_service.appsvc.name
  resource_group_name = azurerm_app_service.appsvc.resource_group_name
  ssl_state           = "SniEnabled"
  thumbprint          = azurerm_app_service_certificate.foo.thumbprint
}

…but I get a similar error:

Error: Error creating/updating App Service Certificate "foo-net" (Resource Group "foo-services-ca-bar-dvlp-rg"): web.CertificatesClient#CreateOrUpdate: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="NotFound" Message="Certificate 284...E7 was not found." Details=[{"Message":"Certificate 284...E7 was not found."},{"Code":"NotFound"},{"ErrorEntity":{"Code":"NotFound","ExtendedCode":"04031","Message":"Certificate 284...E7 was not found.","MessageTemplate":"Certificate {0} was not found.","Parameters":["284...E7"]}}]

Interestingly, if I run terraform apply until the SSL host binding fails, and then go into the Azure portal and manually add the SSL host binding to any one of the app services hosted on the same app service plan, and then run terraform apply again, terraform will create the SSL host bindings for all the other app services on the same app service plan successfully. So something is getting set or configured by that action in the Portal that’s missing in azurerm.

Does anyone know how to get this to work?

2 Likes

Did you get any further with this? I also have this question!

1 Like

Just wondered if you had managed to get a solution to this problem, I’m in the same boat as yourself.

Thanks
Russ

1 Like

Still seeing this issue, is there any resolution yet?

-Max

1 Like

We finally got this working today. Our scenario is slightly different in that we request a certificate from Let's Encrypt and store it in an Azure Key Vault, but I think the rest of the plumbing is the same. Some of the things we required were:

  1. The objectID of the web_app_resource_provider needed to be on the Key Vault access policy of the Key Vault containing the certificate; see this article for further details -> https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

  2. For us, our "app service plan" and "app service" are created in different resource groups. When creating the "azurerm_app_service_certificate" resource that links to the certificate in the Key Vault, it had to be created in the same resource group as the "app service plan", or we received an HTTP 404.

  3. We made good use of "depends_on" for all resources to ensure all prerequisites were in place before each step, as we had custom DNS entries, etc.

1 Like
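The three points above, pulled together into one configuration as an added example (not code from the thread or from the azurerm provider). It assumes an existing `azurerm_key_vault.kv`, `azurerm_app_service_plan.plan`, `azurerm_app_service.appsvc` and `azurerm_dns_cname_record.appsvc`, a `local.dns_zone_name`, a certificate already stored in that vault, and a variable `web_app_resource_provider_object_id` holding the object ID of the App Service resource provider's service principal in your tenant; all of those names are hypothetical.

```hcl
# Added example, not from the thread. Hypothetical names throughout; the
# certificate already exists in Key Vault, as in the original question.
data "azurerm_client_config" "current" {}

# The certificate as stored in the vault; secret_id is what App Service imports.
data "azurerm_key_vault_certificate" "wildcard" {
  name         = "wildcard-example"        # constructed name
  key_vault_id = azurerm_key_vault.kv.id
}

# 1. Let the App Service resource provider (not the Terraform principal) read the
#    certificate out of Key Vault. The object ID is tenant-specific, so it is
#    supplied via a variable rather than hard-coded here.
resource "azurerm_key_vault_access_policy" "app_service_rp" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.web_app_resource_provider_object_id

  secret_permissions      = ["Get"]
  certificate_permissions = ["Get"]
}

# 2. Import the certificate into App Service. Note the resource group: it is the
#    plan's group, not the app's, otherwise the API answers 404 as in the thread.
resource "azurerm_app_service_certificate" "wildcard" {
  name                = "wildcard-example"
  resource_group_name = azurerm_app_service_plan.plan.resource_group_name
  location            = azurerm_app_service_plan.plan.location
  key_vault_secret_id = data.azurerm_key_vault_certificate.wildcard.secret_id

  # Do not try the import before the resource provider can read the vault.
  depends_on = [azurerm_key_vault_access_policy.app_service_rp]
}

# 3. Bind the hostname with SNI, pinned to the imported certificate's thumbprint,
#    only after the CNAME exists so hostname verification can succeed.
resource "azurerm_app_service_custom_hostname_binding" "appsvc" {
  hostname            = "${azurerm_dns_cname_record.appsvc.name}.${local.dns_zone_name}"
  app_service_name    = azurerm_app_service.appsvc.name
  resource_group_name = azurerm_app_service.appsvc.resource_group_name
  ssl_state           = "SniEnabled"
  thumbprint          = azurerm_app_service_certificate.wildcard.thumbprint

  depends_on = [
    azurerm_dns_cname_record.appsvc,
    azurerm_app_service_certificate.wildcard,
  ]
}
```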

Thanks for the fix, Matt. It really helped me fix the issue.

I am getting the same error as above, though I have added the app service object ID to the Key Vault access policies.