使用 ARM 在 Azure Web App 上配置 SSL。参数 {0} 的值无效。扩展代码 51008,
Configure SSL on Azure Web App using ARM. The parameter {0} has an invalid value. ExtendedCode 51008,
我正在尝试使用此配置 SSL 和自定义域名 ARM Template。
完整错误信息:
New-AzureRmResourceGroupDeployment : 4:03:36 AM - Resource Microsoft.Web/certificates '<certificateName>' failed with message '{
"Code": "BadRequest",
"Message": "The parameter httpResponseMessage has an invalid value.",
"Target": null,
"Details": [
{
"Message": "The parameter httpResponseMessage has an invalid value."
},
{
"Code": "BadRequest"
},
{
"ErrorEntity": {
"ExtendedCode": "51008",
"MessageTemplate": "The parameter {0} has an invalid value.",
"Parameters": [
"httpResponseMessage"
],
"Code": "BadRequest",
"Message": "The parameter httpResponseMessage has an invalid value."
}
}
],
"Innererror": null
}'
ARM模板中的错误信息提示微软Web/certificates
{
"type":"Microsoft.Web/certificates",
"name":"[parameters('certificateName')]",
"apiVersion":"2016-03-01",
"location":"[parameters('existingAppLocation')]",
"properties":{
"keyVaultId":"[parameters('existingKeyVaultId')]",
"keyVaultSecretName":"[parameters('existingKeyVaultSecretName')]",
"serverFarmId":"[parameters('existingServerFarmId')]"
}
},
这些参数的值为:
certificateName: 16charstring
existingKeyVaultId: /subscriptions/<subscriptionid>/resourceGroups/<ressourcegroupname>/providers/Microsoft.KeyVault/vaults/<VaultName>
existingKeyVaultSecretName: https://<VaultName>.vault.azure.net:443/secrets/<certificateName>/12345678901234567890
existingServerFarmId: /subscriptions/<subscriptionid>/resourceGroups/<ressourcegroupname>/providers/Microsoft.Web/serverFarms/<AppServicePlanName>
我正在使用 RPHelper 库中的 Invoke-AddCertToKeyVault cmdlet 将证书添加到保管库
Write-Host "Reading pfx file from $ExistingPfxFilePath"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExistingPfxFilePath, $Password
$bytes = [System.IO.File]::ReadAllBytes($ExistingPfxFilePath)
$base64 = [System.Convert]::ToBase64String($bytes)
$jsonBlob = @{
data = $base64
dataType = 'pfx'
password = $Password
} | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)
$secretValue = ConvertTo-SecureString -String $content -AsPlainText -Force
Write-Host "Writing secret to $CertificateName in vault $VaultName. Secret value " $secretValue
$secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $CertificateName -SecretValue $secretValue
$output = @{};
$output.SourceVault = $resourceId;
$output.CertificateURL = $secret.Id;
$output.CertificateThumbprint = $cert.Thumbprint;
你能告诉我哪里出了问题吗?
根据你的描述,我猜你的模板证书参数有问题。
由于无法访问您发布的link。我写了一个测试臂模板,效果很好。
我建议您可以按照以下模板创建网络应用程序。
通知:
我使用 powershell 启用 'Microsoft.Web' 资源提供程序直接访问 azure key Vault。
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
结果:
然后您可以使用下面的 powershell 命令将证书插入 KeyVault。
$pfxFilePath = "PFX_CERTIFICATE_FILE_PATH" # Change this path
$pwd = "PFX_CERTIFICATE_PASSWORD" # Change this password
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText –Force
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName KEY_VAULT_NAME -Name KEY_VAULT_SECRET_NAME -SecretValue $Secret -ContentType $secretContentType # Change Key Vault name and Secret name
完成此操作后,您可以直接使用KeyVaultSecretName直接访问KeyVault获取值。
模板总数:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"type": "string",
"metadata": {
"description": "The name of the web app that you wish to create."
}
},
"customHostname": {
"type": "string",
"metadata": {
"description": "The custom hostname that you wish to add."
}
},
"existingKeyVaultId": {
"type": "string",
"metadata": {
"description": "Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)"
}
},
"existingKeyVaultSecretName": {
"type": "string",
"metadata": {
"description": "Key Vault Secret that contains a PFX certificate"
}
}
},
"variables": {
"appServicePlanName": "[concat(parameters('webAppName'),'-asp-', uniquestring(resourceGroup().id))]",
"certificateName": "[concat(parameters('webAppName'),'-cert-', uniquestring(resourceGroup().id))]"
},
"resources": [
{
"apiVersion": "2016-03-01",
"name": "[variables('appServicePlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"properties": {
"name": "[variables('appServicePlanName')]"
},
"sku": {
"name": "P1",
"tier": "Premium",
"size": "1",
"family": "P",
"capacity": "1"
}
},
{
"apiVersion": "2016-03-01",
"name": "[parameters('webAppName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"properties": {
"name": "[parameters('webAppName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverFarms',variables('appServicePlanName'))]"
},
"dependsOn": [
"[concat('Microsoft.Web/serverFarms/',variables('appServicePlanName'))]"
]
},
{
"type": "Microsoft.Web/certificates",
"name": "[variables('certificateName')]",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"keyVaultId": "[parameters('existingKeyVaultId')]",
"keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverFarms',variables('appServicePlanName'))]"
},
"dependsOn": [
"[concat('Microsoft.Web/sites/',parameters('webAppName'))]"
]
},
{
"type": "Microsoft.Web/sites/hostnameBindings",
"name": "[concat(parameters('webAppName'), '/', parameters('customHostname'))]",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"sslState": "SniEnabled",
"thumbprint": "[reference(resourceId('Microsoft.Web/certificates', variables('certificateName'))).Thumbprint]"
},
"dependsOn": [
"[concat('Microsoft.Web/certificates/',variables('certificateName'))]"
]
}
]
}
WebSite.parameters:
{
"$schema": "https://schema.management.azure.com/schemas/2015-08-01/deploymentParameters.json",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"value": "yourwebappname"
},
"customHostname": {
"value": "yourcustomdomianname"
},
"existingKeyVaultId": {
"value": "/subscriptions/subscriptionsID/resourceGroups/resourceGroupsName/providers/Microsoft.KeyVault/vaults/vaultsName"
},
"existingKeyVaultSecretName": {
"value": "The key vaults SecretName"
}
}
}
结果:
我正在尝试使用此配置 SSL 和自定义域名 ARM Template。
完整错误信息:
New-AzureRmResourceGroupDeployment : 4:03:36 AM - Resource Microsoft.Web/certificates '<certificateName>' failed with message '{
"Code": "BadRequest",
"Message": "The parameter httpResponseMessage has an invalid value.",
"Target": null,
"Details": [
{
"Message": "The parameter httpResponseMessage has an invalid value."
},
{
"Code": "BadRequest"
},
{
"ErrorEntity": {
"ExtendedCode": "51008",
"MessageTemplate": "The parameter {0} has an invalid value.",
"Parameters": [
"httpResponseMessage"
],
"Code": "BadRequest",
"Message": "The parameter httpResponseMessage has an invalid value."
}
}
],
"Innererror": null
}'
ARM模板中的错误信息提示微软Web/certificates
{
"type":"Microsoft.Web/certificates",
"name":"[parameters('certificateName')]",
"apiVersion":"2016-03-01",
"location":"[parameters('existingAppLocation')]",
"properties":{
"keyVaultId":"[parameters('existingKeyVaultId')]",
"keyVaultSecretName":"[parameters('existingKeyVaultSecretName')]",
"serverFarmId":"[parameters('existingServerFarmId')]"
}
},
这些参数的值为:
certificateName: 16charstring
existingKeyVaultId: /subscriptions/<subscriptionid>/resourceGroups/<ressourcegroupname>/providers/Microsoft.KeyVault/vaults/<VaultName>
existingKeyVaultSecretName: https://<VaultName>.vault.azure.net:443/secrets/<certificateName>/12345678901234567890
existingServerFarmId: /subscriptions/<subscriptionid>/resourceGroups/<ressourcegroupname>/providers/Microsoft.Web/serverFarms/<AppServicePlanName>
我正在使用 RPHelper 库中的 Invoke-AddCertToKeyVault cmdlet 将证书添加到保管库
Write-Host "Reading pfx file from $ExistingPfxFilePath"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExistingPfxFilePath, $Password
$bytes = [System.IO.File]::ReadAllBytes($ExistingPfxFilePath)
$base64 = [System.Convert]::ToBase64String($bytes)
$jsonBlob = @{
data = $base64
dataType = 'pfx'
password = $Password
} | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)
$secretValue = ConvertTo-SecureString -String $content -AsPlainText -Force
Write-Host "Writing secret to $CertificateName in vault $VaultName. Secret value " $secretValue
$secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $CertificateName -SecretValue $secretValue
$output = @{};
$output.SourceVault = $resourceId;
$output.CertificateURL = $secret.Id;
$output.CertificateThumbprint = $cert.Thumbprint;
你能告诉我哪里出了问题吗?
根据你的描述,我猜你的模板证书参数有问题。
由于无法访问您发布的link。我写了一个测试臂模板,效果很好。
我建议您可以按照以下模板创建网络应用程序。
通知:
我使用 powershell 启用 'Microsoft.Web' 资源提供程序直接访问 azure key Vault。
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
结果:
然后您可以使用下面的 powershell 命令将证书插入 KeyVault。
$pfxFilePath = "PFX_CERTIFICATE_FILE_PATH" # Change this path
$pwd = "PFX_CERTIFICATE_PASSWORD" # Change this password
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText –Force
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName KEY_VAULT_NAME -Name KEY_VAULT_SECRET_NAME -SecretValue $Secret -ContentType $secretContentType # Change Key Vault name and Secret name
完成此操作后,您可以直接使用KeyVaultSecretName直接访问KeyVault获取值。
模板总数:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"type": "string",
"metadata": {
"description": "The name of the web app that you wish to create."
}
},
"customHostname": {
"type": "string",
"metadata": {
"description": "The custom hostname that you wish to add."
}
},
"existingKeyVaultId": {
"type": "string",
"metadata": {
"description": "Existing Key Vault resource Id with an access policy to allow Microsoft.Web RP to read Key Vault secrets (Checkout README.md for more information)"
}
},
"existingKeyVaultSecretName": {
"type": "string",
"metadata": {
"description": "Key Vault Secret that contains a PFX certificate"
}
}
},
"variables": {
"appServicePlanName": "[concat(parameters('webAppName'),'-asp-', uniquestring(resourceGroup().id))]",
"certificateName": "[concat(parameters('webAppName'),'-cert-', uniquestring(resourceGroup().id))]"
},
"resources": [
{
"apiVersion": "2016-03-01",
"name": "[variables('appServicePlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"properties": {
"name": "[variables('appServicePlanName')]"
},
"sku": {
"name": "P1",
"tier": "Premium",
"size": "1",
"family": "P",
"capacity": "1"
}
},
{
"apiVersion": "2016-03-01",
"name": "[parameters('webAppName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"properties": {
"name": "[parameters('webAppName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverFarms',variables('appServicePlanName'))]"
},
"dependsOn": [
"[concat('Microsoft.Web/serverFarms/',variables('appServicePlanName'))]"
]
},
{
"type": "Microsoft.Web/certificates",
"name": "[variables('certificateName')]",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"keyVaultId": "[parameters('existingKeyVaultId')]",
"keyVaultSecretName": "[parameters('existingKeyVaultSecretName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverFarms',variables('appServicePlanName'))]"
},
"dependsOn": [
"[concat('Microsoft.Web/sites/',parameters('webAppName'))]"
]
},
{
"type": "Microsoft.Web/sites/hostnameBindings",
"name": "[concat(parameters('webAppName'), '/', parameters('customHostname'))]",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"sslState": "SniEnabled",
"thumbprint": "[reference(resourceId('Microsoft.Web/certificates', variables('certificateName'))).Thumbprint]"
},
"dependsOn": [
"[concat('Microsoft.Web/certificates/',variables('certificateName'))]"
]
}
]
}
WebSite.parameters:
{
"$schema": "https://schema.management.azure.com/schemas/2015-08-01/deploymentParameters.json",
"contentVersion": "1.0.0.0",
"parameters": {
"webAppName": {
"value": "yourwebappname"
},
"customHostname": {
"value": "yourcustomdomianname"
},
"existingKeyVaultId": {
"value": "/subscriptions/subscriptionsID/resourceGroups/resourceGroupsName/providers/Microsoft.KeyVault/vaults/vaultsName"
},
"existingKeyVaultSecretName": {
"value": "The key vaults SecretName"
}
}
}
结果: