Adding a certificate to an Azure VM from Key Vault
I am following the steps in this link - https://blogs.msdn.microsoft.com/appserviceteam/2017/10/26/configure-app-service-certificate-to-azure-virtual-machine/
to configure an App Service certificate on an Azure virtual machine.
I have completed steps 1 to 6. I am stuck at the point where the certificate is added from Key Vault to the VM. For that I used the steps in this link: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-secure-web-server
I ran the following script in the Cloud Shell in the Azure portal.
# Versioned URL of the certificate secret in Key Vault (https://<vault>.vault.azure.net/secrets/<name>/<version>)
$certUrl = (Get-AzureKeyVaultSecret -VaultName "xxxKeyVault" -Name "xxxcert").Id;
$vm=Get-AzureRmVM -ResourceGroupName "xxx_Group" -Name "XXX"
$vaultId=(Get-AzureRmKeyVault -VaultName "xxxKeyVault").ResourceId
$certStore = "MyCert";
# Appends a vaultCertificates entry to the VM model (osProfile.secrets) in memory only
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore $certStore -CertificateUrl $certUrl
# Pushes the modified VM model to Azure; this is the call that fails below
Update-AzureRmVM -ResourceGroupName "xxx_Group" -VM $vm
But at the last command I get this error:
Update-AzureRmVM : List vaultCertificates contains repeated instances of (https://xxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxx, mycert), which is disallowed.
ErrorCode: InvalidParameter
ErrorMessage: List vaultCertificates contains repeated instances of (https://xxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxx, mycert), which is disallowed.
ErrorTarget: vaultCertificates
StatusCode: 400
ReasonPhrase: Bad Request
OperationID : 51078b39-72a0-4a6f-be02-e0fff12dff8b
At line:1 char:1
+ Update-AzureRmVM -ResourceGroupName "xxxx_Group" -VM $vm
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Update-AzVM], ComputeCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.UpdateAzureVMCommand
Am I missing something?
My VM window.
Update
I have verified that I have multiple copies of the same certificate on the VM. Which one exactly should I delete?
"secrets": [
{
"sourceVault": {
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.KeyVault/vaults/xxxKeyVault"
},
"vaultCertificates": [
{
"certificateUrl": "https://xxxkeyvault.vault.azure.net/secrets/xxxx/xxxx",
"certificateStore": "My"
},
{
"certificateUrl": "https://xxxxkeyvault.vault.azure.net/secrets/xxxxx/xxxxx",
"certificateStore": "My"
},
{
"certificateUrl": "https://xxxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxxx",
"certificateStore": "My"
},
{
"certificateUrl": "https://xxxxkeyvault.vault.azure.net/secrets/xxxxxxx/xxxxxxxx",
"certificateStore": "MyCert"
}
]
},
{
"sourceVault": {},
"vaultCertificates": {}
}
],
When you add a certificate to an Azure VM, you should first determine the OS type of the VM. According to the document you followed, Secure a web server on a Windows virtual machine in Azure with SSL certificates stored in Key Vault:
These SSL certificates can be stored in Azure Key Vault, and allow
secure deployments of certificates to Windows virtual machines (VMs)
in Azure.
It seems to apply only to Windows VMs; I tested this as well. So if you want to add a certificate to a Linux VM, take a look at Secure a web server on a Linux virtual machine in Azure with SSL certificates stored in Key Vault.
In addition, the error also shows:
Update-AzureRmVM : List vaultCertificates contains repeated instances of (https://xxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxx, mycert), which is disallowed.
I suggest you check whether the VM already has the same certificate. On my side, if you add the same certificate twice, the second time gives this error:
Hope this helps.
What you need to do is:
- Open resources.azure.com
- Navigate to your virtual machine
- Click Edit, remove the certificate from osProfile, click PATCH
- Re-run the script
Azure's problem - it doesn't know (or care) whether your VM actually has the certificate you are installing; it is complaining that the VM definition already has that certificate, so it can't add it.
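The same clean-up can be scripted instead of edited by hand in resources.azure.com. The following is an added example, not code from the question or either answer: it lists the (certificateUrl, certificateStore) pairs currently referenced in osProfile.secrets, flags the duplicates that trigger the "repeated instances" error, removes every reference to the vault with Remove-AzureRmVMSecret, adds the certificate exactly once and pushes the model. It assumes the AzureRM cmdlets used in the question and the same placeholder names ($rg, $vmName, $vaultName and $certName are the question's "xxx" values); with the Az module the cmdlets are Get-AzVM, Get-AzKeyVault, Get-AzKeyVaultSecret, Remove-AzVMSecret, Add-AzVMSecret and Update-AzVM.

```powershell
# Added example (not from the original post). Assumes the AzureRM module and
# the question's placeholder names; run in Cloud Shell or a signed-in session.
$rg        = "xxx_Group"
$vmName    = "XXX"
$vaultName = "xxxKeyVault"
$certName  = "xxxcert"
$certStore = "My"   # LocalMachine\My (Personal), the store the tutorial uses

$vm      = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName
$vaultId = (Get-AzureRmKeyVault -VaultName $vaultName).ResourceId
$certUrl = (Get-AzureKeyVaultSecret -VaultName $vaultName -Name $certName).Id

# 1. Show what the VM model references today. ARM compares the
#    (certificateUrl, certificateStore) pair case-insensitively, which is why
#    the error prints the store name as "mycert"; group the same way here.
foreach ($group in $vm.OSProfile.Secrets) {
    Write-Host "Vault: $($group.SourceVault.Id)"
    $group.VaultCertificates |
        Group-Object { "$($_.CertificateUrl)|$($_.CertificateStore)".ToLowerInvariant() } |
        ForEach-Object {
            $flag = if ($_.Count -gt 1) { "DUPLICATE x$($_.Count)" } else { "ok" }
            Write-Host "  $flag  $($_.Group[0].CertificateUrl) -> $($_.Group[0].CertificateStore)"
        }
}

# 2. Drop every secret group that points at this vault. This edits only the
#    VM model; certificates already installed on the guest stay in place.
$vm = Remove-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId

# 3. Add the certificate reference once and push the model.
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId `
        -CertificateStore $certStore -CertificateUrl $certUrl
Update-AzureRmVM -ResourceGroupName $rg -VM $vm

# 4. Confirm that the stored model now holds a single reference.
(Get-AzureRmVM -ResourceGroupName $rg -Name $vmName).OSProfile.Secrets |
    ForEach-Object { $_.VaultCertificates } |
    Select-Object CertificateUrl, CertificateStore
```

Two things worth checking before running it. First, osProfile.secrets is only a list of references: each entry makes the VM agent pull that secret (the PFX, private key included) from Key Vault and install it in the named LocalMachine store, so removing a reference with Remove-AzureRmVMSecret or in resources.azure.com does not uninstall anything on the guest; verify the store on the VM itself with Get-ChildItem Cert:\LocalMachine\My and remove stale copies there separately. Second, the store name is the name of a Windows certificate store: the tutorial uses My (Personal), which is where IIS Manager's binding dialog looks; a non-standard name such as MyCert creates a separate store of that name. Remove-AzureRmVMSecret without -SourceVaultId clears every secret group, including the empty one shown in the question's JSON, which is the scripted equivalent of deleting the whole list in the resource editor.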