从 Key Vault 向 Azure VM 添加证书

Adding a certificate to azure VM from Key Vault

我正在使用此 link - https://blogs.msdn.microsoft.com/appserviceteam/2017/10/26/configure-app-service-certificate-to-azure-virtual-machine/

中的步骤将应用服务证书配置到 Azure 虚拟机

我已经完成了第 1 步到第 6 步。我在尝试将证书从 Key Vault 添加到 VM 时遇到了困难。我使用了 link 中的步骤: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-secure-web-server

我在 Azure 门户上的云 shell 上使用了以下脚本。

$certUrl = (Get-AzureKeyVaultSecret -VaultName "xxxKeyVault" -Name "xxxcert").Id;

$vm=Get-AzureRmVM -ResourceGroupName "xxx_Group" -Name "XXX"

$vaultId=(Get-AzureRmKeyVault -VaultName "xxxKeyVault").ResourceId

$certStore = "MyCert";

$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore $certStore -CertificateUrl $certURL

Update-AzureRmVM -ResourceGroupName "xxx_Group" -VM $vm>

但是到了最后一个脚本,我得到了错误

Update-AzureRmVM : List vaultCertificates contains repeated instances of (https://xxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxx, mycert), which is disallowed. ErrorCode: InvalidParameter ErrorMessage: List vaultCertificates contains repeated instances of (https://xxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxx, mycert), which is disallowed. ErrorTarget: vaultCertificates StatusCode: 400 ReasonPhrase: Bad Request OperationID : 51078b39-72a0-4a6f-be02-e0fff12dff8b At line:1 char:1 + Update-AzureRmVM -ResourceGroupName "xxxx_Group" -VM $vm + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [Update-AzVM], ComputeCloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.UpdateAzureVMCommand

我错过了什么吗? 我的 Vm window.

更新 我已经验证我在 Vm 上有多个相同的证书。请问,我到底要删除哪一个?

"secrets": [
        {
          "sourceVault": {
            "id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.KeyVault/vaults/xxxKeyVault"
          },
          "vaultCertificates": [
            {
              "certificateUrl": "https://xxxkeyvault.vault.azure.net/secrets/xxxx/xxxx",
              "certificateStore": "My"
            },
            {
              "certificateUrl": "https://xxxxkeyvault.vault.azure.net/secrets/xxxxx/xxxxx",
              "certificateStore": "My"
            },
            {
              "certificateUrl": "https://xxxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxxx",
              "certificateStore": "My"
            },
            {
              "certificateUrl": "https://xxxxkeyvault.vault.azure.net/secrets/xxxxxxx/xxxxxxxx",
              "certificateStore": "MyCert"
            }
          ]
        },
         {
      "sourceVault": {},
      "vaultCertificates": {}
    }
  ],

当您向 Azure VM 添加证书时,您应该首先确定 OS 类型的 VM。根据您遵循的文档 Secure a web server on a Windows virtual machine in Azure with SSL certificates stored in Key Vault 中的描述:

These SSL certificates can be stored in Azure Key Vault, and allow secure deployments of certificates to Windows virtual machines (VMs) in Azure.

好像只适用于Windows VM,我也做了测试。所以如果你想给Linux虚拟机添加证书,可以看看Secure a web server on a Linux virtual machine in Azure with SSL certificates stored in Key Vault

另外,错误还显示:

Update-AzureRmVM : List vaultCertificates contains repeated instances of (https://xxxkeyvault.vault.azure.net/secrets/xxxxxx/xxxxxx, mycert), which is disallowed.

我建议你最好检查一下虚拟机是否已经有相同的证书。在我这边,如果你两次添加相同的证书,第二次会给出这样的错误:

希望对您有所帮助。

你需要做的是:

  1. 打开resources.azure.com
  2. 导航到您的虚拟机
  3. 点击编辑,从 osProfile 中删除证书,点击补丁
  4. 重新运行脚本

Azure 的问题 - 它不知道(或关心)你的虚拟机是否真的有你要安装的那个证书,它抱怨的是虚拟机定义已经有那个证书,所以它不能添加它.