question

ChrisYoon-7176 avatar image
0 Votes"
ChrisYoon-7176 asked ryanchill commented

Certificates created by "Create App Service Managed Certificate" has invalid time value

Hello,

  1. I've created a managed certificate on my app service using "Create App Service Managed Certificate" button below.

    132047-image.png


  2. However, after the certificate is created, it is missing Expiration and Thumbprint as shown below.

    132059-image.png

  3. Upon clicking on the certificate, I see an error saying "Invalid time value"

    132132-image.png


Why would this happen?




azure-webapps-ssl-certificates
image.png (81.4 KiB)
image.png (18.8 KiB)
image.png (98.4 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@ChrisYoon-7176 This is likely part of a known platform issue that is taking place.

I am researching the matter to see what the latest status is. We will update you shortly with our findings.

0 Votes 0 ·
brtrachMSFT-0711 avatar image
0 Votes"
brtrachMSFT-0711 answered ryanchill commented

@ChrisYoon-7176 Thank you for your patience on this matter. We located the latest update on the matter.

The product group is aware of the issue and issued a hot fix to the canary portal. We suggest you use this portal until the full fix is released.

Canary portal: https://aka.ms/canary

There is no ETA to share right now as to when the fix will go into production. Please use the workaround for the meantime and we will update you with an ETA when hear something. We will reply to this answer via a comment with the ETA update.

Let us know if there are any questions or concerns in the meantime.

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Canary portal fixed the issue for me, thanks

1 Vote 1 ·

The main portal (https://portal.azure.com) has been fixed as well now.

I also want to take this time to callout a recent change, which has removed the thumbprint of the certificate. This was done as customers were misusing the certificate and hard coding the thumbprint into their code. Since this is a managed certificate, Microsoft reserves the right to renew the certificate when necessary, which was causing issues for those who hard coded. This was called out in the GA announcement, which can be found here.

Please see JonasAebersold-9368's response below for a REST API call if you do not use the portal.


1 Vote 1 ·
Stefan-7887 avatar image Stefan-7887 brtrachMSFT-0711 ·

I can understand that people abusing the thumbprint by hard coding it is not something you want. But removing it from the API breaks the current environment automation for one of our clients.

We use the Azure CLI to provision an Azure Web App, add a custom domain, add an App Service managed certificated and bind that certificate to the dns name.
In order for us to use the command "az webapp config ssl bind" we need the thumbprint because that is a required argument. Up until recently we got that thumbprint by executing "az webapp config ssl list" (and "az webapp config ssl create" if it didn't exist yet).

Is there another way to automate this process without the thumbprint or did the free App Service managed certificates just become a no-go if you want to automate the provisioning of your environments?

1 Vote 1 ·
Show more comments
JonasAebersold-9368 avatar image
0 Votes"
JonasAebersold-9368 answered JonasAebersold-9368 converted comment to answer

We use azure automation and powershell and running in the same issue at the moment. We cannot use the portal, because the users don't have access to the portal.

Our script use the command New-AzWebAppSSLBinding, which needs the thumbprint of the certificate. Do you have any workaround, how we can get the thumbprint?

As a developer myself, I can understand that you cannot give an ETA. But I really hope that you are aware, that our hole workflow is broken and that we have customers asking us the same thing. This is a bad way to start a day.

132226-image.png
132227-image.png



image.png (273.6 KiB)
image.png (177.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JonasAebersold-9368 avatar image
0 Votes"
JonasAebersold-9368 answered

The day is getting better. I was in the "Help + support" section in the Azure Portal and a chat window opened up. It gave me the hint to this REST call:

https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-host-name-binding

example.com}}?api-version=2019-08-01
{
"id": "/subscriptions/{<!-- -->{}}/resourceGroups/{<!-- -->{}}/providers/Microsoft.Web/sites/{<!-- -->{appname}}",
"kind": "app",
"location": "{<!-- -->{location}}",
"name": "{<!-- -->{appname}}",
"type": "Microsoft.Web/sites ",
"properties": {
"hostname": "{<!-- -->{example.com}}",
"sslState": "SniEnabled",
"ipBasedSslResult": null,
"virtualIP": null,
"thumbprint": "",
"toUpdate": true,
"toUpdateIpBasedSsl": null,
"iPBasedSslState": "Configured",
"hostType": "Standard"
},
"tags": null
}

I tried the call and it really worked.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.