jeancrien-8237 asked DenisPitcher-9645 commented

Go to "Access policies" in your Key Vault account to give Azure CDN permission to get secrets-but it was done already...

I'm getting the following when I try to add a custom certificate to a custom domain for a CDN:

Failed to update custom domain properties
We don't have permission to access this secret. Go to "Access policies" in your Key Vault account to give Azure CDN permission to get secrets.

Before that I did:

New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

And then I added CDN in my access policies and pressed save.

Any idea why I am still getting this error? I've been troubleshooting for hours to finally arrive here with a custom certificate, and I am stuck at this last step.

azure-cdn

LandonVeitch-3312 answered DenisPitcher-9645 commented

Has anyone come across an answer for this issue by chance? I am also having this issue. I have a running CDN that works fine with our current test setup with the Azure-controlled certificate, but we recently purchased our own (for use when we complete our final setup to transition over to) and I have uploaded the certificate to the certificate store in the key vault that has the same subscription as the CDN. I ran the PowerShell command and I was able to add 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8 and even gave it full permissions to the key vault to be sure, and I get the same error as the 2 gentlemen above.

It just appears like it does not like using our own cert...

Now I will say that I do not have anything uploaded in secrets, only under certificates, but that should be fine. I'm just confused.


My key vault has a firewall configured to limit the IP addresses that can access it. For some completely non-obvious reason I had to add my workstation's IP address (not that of the storage account, as I couldn't figure out what that would be running under anyway) for it to be able to access the certificates and configure them.

Samy-7511 answered

Hello,

I have exactly the same issue. I am trying to add HTTPS to Azure CDN.

When registering my own certificate from Azure Key Vault, there is an infinite loader on "select version" and it's not possible to save.

There is an error message displayed at the top telling me to add "get-secret" authorization, but it's already done (even though the SP has all authorizations for secrets, keys and certificates). In fact, secrets can be listed but not the version.

Any idea why it's still not working?

Thanks


SumanthMarigowda-MSFT answered

@jeancrien-8237 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

Just for clarification: under "Add an Access Policy", search for a Service Principal with ID "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8". It should show as Microsoft.Azure.CDN.

Can you try the below-mentioned isolated steps again and let me know the status:

  • Azure Key Vault: You must have a running Azure Key Vault account under the same subscription as the Azure CDN profile and CDN endpoints that you want to enable custom HTTPS.

  • Create an Azure Key Vault account if you don’t have one.

  • Azure Key Vault certificates: If you already have a certificate, you can upload it directly to your Azure Key Vault account or you can create a new certificate directly through Azure Key Vault from one of the partner CAs that Azure Key Vault integrates with.

You can use your own certificate to enable the HTTPS feature. This process is done through an integration with Azure Key Vault, which allows you to store your certificates securely. Azure CDN uses this secure mechanism to get your certificate, and it requires a few additional steps. When you create your SSL certificate, you must create it with an allowed certificate authority (CA). Otherwise, if you use a non-allowed CA, your request will be rejected. For a list of allowed CAs, see Allowed certificate authorities for enabling custom HTTPS on Azure CDN. For Azure CDN from Verizon, any valid CA will be accepted.

Prepare your Azure Key vault account and certificate
Azure Key Vault: You must have a running Azure Key Vault account under the same subscription as the Azure CDN profile and CDN endpoints that you want to enable custom HTTPS. Create an Azure Key Vault account if you don’t have one.

Azure Key Vault certificates: If you already have a certificate, you can upload it directly to your Azure Key Vault account or you can create a new certificate directly through Azure Key Vault from one of the partner CAs that Azure Key Vault integrates with.

Register Azure CDN
Register Azure CDN as an app in your Azure Active Directory via PowerShell.

If needed, install Azure PowerShell on your local machine.

When you use your own certificate, domain validation is not required. Proceed to Wait for propagation.
- Also, please make sure you have one of the following certificate authorities: https://docs.microsoft.com/en-us/azure/cdn/cdn-troubleshoot-allowed-ca

To register that service principal to the account, you will need to be either a Global Admin or have Application Administrator added to your account: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator

Also: add your IP address under the Key Vault firewall.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
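The checks the answers above describe (service principal registered, a least-privilege access policy for Microsoft.Azure.CDN, the vault firewall allowing the caller, and the certificate visible as a secret with versions) collected into one Az PowerShell script. This is an added example, not code from the thread or from Microsoft; the vault name, resource group, certificate name and client IP are placeholders, and only the CDN application ID comes from the thread.

```powershell
# Added example (not from the thread). Verifies and repairs the Key Vault side of
# Azure CDN custom HTTPS. Requires the Az.Resources and Az.KeyVault modules and an
# existing Connect-AzAccount session with rights on the vault.
$CdnAppId      = "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"   # Microsoft.Azure.CDN (from the thread)
$VaultName     = "my-keyvault"          # placeholder
$ResourceGroup = "my-resource-group"    # placeholder
$CertName      = "my-custom-cert"       # placeholder: certificate name in the vault
$ClientIp      = "203.0.113.10"         # placeholder: public IP of the workstation using the portal

# 1. Ensure the CDN first-party app has a service principal in this tenant
#    (this is what New-AzADServicePrincipal in the question creates).
$sp = Get-AzADServicePrincipal -ApplicationId $CdnAppId
if (-not $sp) {
    $sp = New-AzADServicePrincipal -ApplicationId $CdnAppId
}
Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"

# 2. Least privilege: CDN only needs to read the certificate and its backing secret.
#    Grant get/list on secrets and certificates; do not grant key or management permissions.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -ServicePrincipalName $CdnAppId `
    -PermissionsToSecrets get,list `
    -PermissionsToCertificates get,list

# 3. Firewall: with DefaultAction = Deny, the portal's "select version" lookup is made from
#    the caller's address, so that address must be allowed (the symptom in the comment above).
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
$acls  = $vault.NetworkAcls
Write-Host "Firewall default action: $($acls.DefaultAction); bypass: $($acls.Bypass)"
# Simplified match: the stored ranges are compared as literal CIDR strings.
if ($acls.DefaultAction -eq 'Deny' -and $acls.IpAddressRanges -notcontains "$ClientIp/32") {
    Add-AzKeyVaultNetworkRule -VaultName $VaultName -ResourceGroupName $ResourceGroup `
        -IpAddressRange "$ClientIp/32"
    Write-Host "Added firewall rule for $ClientIp/32"
}

# 4. A Key Vault certificate is also exposed as a secret of the same name; the CDN blade
#    enumerates its versions, which needs the 'list' permission granted in step 2.
$versions = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -IncludeVersions
if (-not $versions) {
    throw "No secret versions visible for '$CertName'; re-check the access policy and firewall."
}
$versions | Select-Object Name, Version, Enabled, Expires | Format-Table
```

Run it as the user who configures the CDN endpoint; if step 4 lists versions but the portal still fails, the remaining difference is the CDN service principal's own access, which step 2 grants.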