如何让 AzureRM 应用程序网关在 AGW SSL 端到端配置中将 ACME .PEM 证书作为 trusted_root_certificates?

How do I get AzureRM Application Gateway to take ACME .PEM cert as trusted_root_certificates in AGW SSL end-to-end config?

我正在尝试通过 ACME 提供商使用 Terraform 和 Letsencrypt 在 Azure Application Gateway v2.0 中创建 azurerm backend_http_settings。

我可以成功创建证书并将 .pfx 导入前端 https 侦听器,acme 和 azurerm 提供商提供处理 pkcs12 所需的一切。

不幸的是,后端需要一个 .cer 文件,大概是用 base64 编码的,而不是 DER,无论我尝试什么,我都无法让它工作。我的理解是 letsencrypt .pem 文件应该没问题,但是当我尝试使用 acme 提供商的 certificate_pem 作为 trusted_root_certificate 时,我收到以下错误:

Error: Error Creating/Updating Application Gateway "agw-frontproxy" (Resource Group "rg-mir"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewayTrustedRootCertificateInvalidData" Message="Data for certificate .../providers/Microsoft.Network/applicationGateways/agw-frontproxy/trustedRootCertificates/vnet-mir-be-cert is invalid." Details=[]

terraform 计划工作正常,上述错误发生在 terraform 应用期间,当 azurerm 提供者对证书数据无效感到生气时。我已将证书写入磁盘,它们看起来和我预期的一样。这是包含相关代码的代码片段:

locals {
  https_setting_name             = "${azurerm_virtual_network.vnet-mir.name}-be-tls-htst"
  https_frontend_cert_name       = "${azurerm_virtual_network.vnet-mir.name}-fe-cert"
  https_backend_cert_name        = "${azurerm_virtual_network.vnet-mir.name}-be-cert"
}
provider "azurerm" {
    version = "~>2.7"
    features {
      key_vault {
          purge_soft_delete_on_destroy = true
        }
    }
}
provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}
resource "acme_certificate" "certificate" {
  account_key_pem           = acme_registration.reg.account_key_pem
  common_name               = "cert-test.example.com"
  subject_alternative_names = ["cert-test2.example.com", "cert-test3.example.com"]
  certificate_p12_password  = "<your password here>"
  dns_challenge {
    provider          = "cloudflare"

    config = {
      CF_API_EMAIL      = "<your email here>"
      CF_DNS_API_TOKEN  = "<your token here>"
      CF_ZONE_API_TOKEN = "<your token here>"
    }
  }
}
resource "azurerm_application_gateway" "agw-frontproxy" {
 name                = "agw-frontproxy"
 location            = azurerm_resource_group.rg-mir.location
 resource_group_name = azurerm_resource_group.rg-mir.name

 sku {
     name     = "Standard_v2"
     tier     = "Standard_v2"
     capacity = 2
 }
   trusted_root_certificate {
    name = local.https_backend_cert_name
    data = acme_certificate.certificate.certificate_pem
  }
    ssl_certificate {
    name     = local.https_frontend_cert_name
    data     = acme_certificate.certificate.certificate_p12
    password = "<your password here>"
  }
  #  Create HTTPS listener and backend
  backend_http_settings {
   name                  = local.https_setting_name
   cookie_based_affinity = "Disabled"
   port                  = 443
   protocol              = "Https"
   request_timeout       = 20
   trusted_root_certificate_names = [local.https_backend_cert_name]
  }

如何让 AzureRM 应用程序网关在 AGW SSL 端到端配置中将 ACME .PEM 证书作为 trusted_root_certificates?

对我来说,唯一有用的是使用紧密耦合的 Windows 工具。如果您遵循以下文档,它将起作用。花 2 天时间解决同一个问题 :)

Microsoft Docs

如果您未指定任何 证书,Azure v2 应用程序网关将默认使用将流量定向到的后端Web 服务器中的证书。这消除了证书的冗余安装,一个在 Web 服务器(在本例中为 Traefik 边缘路由器),一个在 AGW 后端。

这解决了如何完全正确格式化证书的问题。不幸的是,即使 phone 上有 Microsoft 支持工程师,我也永远无法安装证书。他就像 "yeah, it looks good, it should work, don't know why it doesn't, can you just avoid it by using a v2 gateway and not installing a cert at all on the backend?"

v2 网关需要静态 public IP 和 "Standard_v2" sku 类型和等级才能如上所示工作。

似乎如果您将密码设置为空字符串,如下所示:https://github.com/vancluever/terraform-provider-acme/issues/135

它突然起作用了。这是因为证书格式已经包含了密码。不幸的是,它没有写在文档中。我现在要尝试并给出我的反馈。