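Problem Description
On the App Service TLS/SSL settings page, after switching to Private Key Certificates (.pfx), uploading a certificate via Import Key Vault Certificate reports success, but the certificate is not actually uploaded. Uploading via Upload Certificate with the correct password reports a failure. Using Import Key Vault Certificate to import a certificate stored in Key Vault does not succeed either.
Answer
After reviewing the App Service operation logs, the cause turned out to be that this App Service had previously gone through a Move Resource Group operation. The uploaded certificate is bound to the WebSpace of the new Resource Group rather than to the WebSpace the App Service lives in, because a WebSpace cannot be changed once it has been created. Moving the App Service to another resource group does not change its WebSpace either.
The explanation in English is as follows: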
Site 'app service name' was originally created in 'old group name xxx' resource group, but later moved to 'new group name ***' resource group. If you are trying to import certificate to this site, then the certificate will be in the WebSpace of 'new group name ***' resource group. But your website will still be in 'old group name xxx' resource group and hence will not be able to use the imported certificate.
Recommendation:
Try importing the certificate from another site that is still in the original 'old group name xxx' resource group. Or upload this certificate to the right WebSpace using the CLI commands below:
• az webapp config ssl import --name WebsiteName --resource-group WebsiteRGName --key-vault MyKeyVault --key-vault-certificate-name MyCertificateName
• az webapp config ssl upload --name WebsiteName --resource-group WebsiteRGName --certificate-file MyPfx.pfx --certificate-password Mypassword
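If you do not use the commands above, you can import the certificate with the following steps:
- Create a new App Service in the old Resource Group, in the same region and with the same Operating System as the target App Service
- Upload the certificate from Key Vault in the newly created App Service
- Confirm that the certificate is visible in the target App Service
- Delete the newly created Web app
- Confirm again that the certificate is visible in the target App Service and can be used normally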