Getting "Bad request" error or "NoRegisteredProviderFound" while deploying Key Vault Certificate (self signed) into Web App

Posted: 2018-03-06 10:40:56

Problem description:

Created a Key Vault and granted access to the RP service principal (an application registered in Azure AD) by running a PowerShell command. The Key Vault details are as follows -

Vault Name: MyKeyVaultTest

Resource ID: /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest

Access policy:
  Tenant ID: d29bcd12-3280-4f37-b8f2-6e9e2f581472
  Object ID: daccd2fd-835a-4c03-8336-c5fcf481f3cc
  Application ID: 172f36fc-a098-47a1-9c83-04016d3e9781
  Key permissions: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Decrypt, Encrypt, UnwrapKey, WrapKey, Verify, Sign, Purge
  Secret permissions: Get, List, Set, Delete, Recover, Backup, Restore, Purge
  Certificate permissions: Get, List, Update, Create, Import, Delete, ManageContacts, ManageIssuers, GetIssuers, ListIssuers, SetIssuers, DeleteIssuers
  (Key Vault managed) Storage permissions:

Created a self-signed certificate with the PowerShell script below -

# Create a self-signed certificate in the local machine's personal store
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname XXXXXXXtechmahindra.onmicrosoft.com
# Password that protects the exported PFX
$pwd = ConvertTo-SecureString -String 'XXXXXX@1234@' -Force -AsPlainText
# Locate the new certificate by thumbprint and export it (with private key) as PFX
$path = 'cert:\localmachine\my\' + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath c:\temp\cert.pfx -Password $pwd

Added the same certificate to the Key Vault and got a Secret named "mykeyvaulttestwebappPK" with content type "application/x-pkcs12".

Then enabled ARM client and ran the scripts below to deploy the Key Vault certificate into a Web App named "MyKeyVaultTestWebApp", which fails. The scripts and errors are as follows -

1. Script without changing the API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

2. Script with the Serverfarm's API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-09-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"code": "NoRegisteredProviderFound",
"message": "No registered resource provider found for location 'SouthCentralUS' and API version '2016-09-01' for type 'certificates'."


3. Script with the Key Vault's API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2015-06-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

[Note: followed "https://blogs.msdn.microsoft.com/appserviceteam/2016/05/24/deploying-azure-web-app-certificate-through-key-vault/" for implementing the changes]


Answer 1:

Based on your error message, I guess you may not have enabled the "Microsoft.Web" resource provider to access Azure Key Vault directly.

So you will face the error saying you may not have sufficient permissions to access the key vault.

I suggest you follow the PowerShell code below to enable the permission.

Then you can set the certificate in the Azure web app.

Code like this:

Login-AzureRmAccount 
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID 
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

Then you can call this code to add the certificate:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"


Discussion:

I have already tried that, but I still get the same error...

PS C:\Windows\system32> $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId 172f36fc-a098-47a1-9c83-04016d3e9781
PS C:\Windows\system32> Set-AzureRmKeyVaultAccessPolicy -VaultName MyKeyVaultTest -ObjectId $servicePrincipal.Id -PermissionsToKeys all -PermissionsToSecrets all
WARNING: The 'All' permission has been deprecated and does not include the 'Purge' permission. 'Purge' permission must be explicitly set.
PS C:\Windows\system32> $ServicePrincipal.ApplicationId #Outputs the ServicePrincipalName/AppPrincipalId

Don't change my PS code. ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd stands for the Azure web app service. Please copy my code (just change the key vault name) and try again.
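As an added example (not part of the original question or answer), the script below carries the answer's fix through end to end with the current Az module rather than the retired AzureRm cmdlets. The security-relevant point is which principal gets the access policy: the PFX is fetched by the first-party "Microsoft Azure App Service" resource provider, whose application ID abfa0a7c-a6b6-4736-8310-5855508787cd the answer names, not by the app registration the question granted rights to. The script resolves that principal's object ID in the tenant, grants it only `get` on secrets and certificates, checks the policy actually landed on that object, asks Microsoft.Web which API versions the `certificates` resource type supports (borrowing the serverfarms or Key Vault version is what produces NoRegisteredProviderFound), and then issues the same PUT as the ARMClient call with a well-formed JSON body. The subscription ID and resource group are placeholders; vault, secret, plan and certificate-resource names are the ones used in the thread; an authenticated session (`Connect-AzAccount`) with Az.Accounts, Az.KeyVault and Az.Resources installed is assumed.

```powershell
# Added example, not code from the original question or answer.
# Assumes: Az module (Az.Accounts, Az.KeyVault, Az.Resources) and an
# authenticated session via Connect-AzAccount. Subscription and resource
# group are placeholders; the other names are those used in the thread.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'XXX-YYY-ZZZ'                            # placeholder
$Location       = 'SouthCentralUS'
$VaultName      = 'MyKeyVaultTest'
$SecretName     = 'mykeyvaulttestwebappPK'
$PlanName       = 'MyKeyVaultTestWebAppServicePlan'
$CertResource   = 'keyvaultcertificate'

# Well-known application ID of the first-party "Microsoft Azure App Service"
# resource provider. This identity reads the secret; granting your own app
# registration (172f36fc-... in the question) does nothing for this request.
$AppServiceRpAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd'

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Resolve the RP's service principal in this tenant. It is a first-party
#    enterprise application that already exists; do not create a new one.
$rpSp = Get-AzADServicePrincipal -ApplicationId $AppServiceRpAppId
if (-not $rpSp) { throw "App Service RP service principal $AppServiceRpAppId not found in this tenant" }

# 2. Least privilege: the RP only needs to read the PFX. 'get' on secrets
#    (and on certificates, for vaults that hold the PFX as a certificate
#    object). No key permissions, no list/set/delete.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ObjectId $rpSp.Id `
    -PermissionsToSecrets get `
    -PermissionsToCertificates get

# 3. Verify the policy is attached to the right object ID before calling ARM.
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $rpSp.Id }
if (-not $policy -or $policy.PermissionsToSecrets -notcontains 'get') {
    throw "Access policy for object $($rpSp.Id) is missing 'get' on secrets"
}

# 4. Avoid NoRegisteredProviderFound: read the API versions that
#    Microsoft.Web/certificates itself advertises.
$certType = Get-AzResourceProvider -ProviderNamespace 'Microsoft.Web' |
            Select-Object -ExpandProperty ResourceTypes |
            Where-Object { $_.ResourceTypeName -eq 'certificates' }
if (-not $certType) { throw "Microsoft.Web/certificates not registered in this subscription" }
$apiVersion = if ($certType.ApiVersions -contains '2016-03-01') { '2016-03-01' } else { $certType.ApiVersions[0] }

# 5. Same PUT as the ARMClient call, with braces around the object and
#    around Properties, built from a hashtable so the JSON cannot be malformed.
$vaultId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.KeyVault/vaults/$VaultName"
$planId  = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Web/serverfarms/$PlanName"
$certId  = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Web/certificates/$CertResource"

$body = @{
    location   = $Location
    properties = @{
        keyVaultId         = $vaultId
        keyVaultSecretName = $SecretName
        serverFarmId       = $planId
    }
} | ConvertTo-Json -Depth 5

$response = Invoke-AzRestMethod -Path "${certId}?api-version=$apiVersion" -Method PUT -Payload $body
if ($response.StatusCode -ge 400) {
    # A 400 "The service does not have access to ... Key Vault" here means
    # step 2 targeted the wrong principal or the wrong vault.
    throw "ARM returned $($response.StatusCode): $($response.Content)"
}

# Thumbprint, subject and expiry of the certificate App Service now holds.
($response.Content | ConvertFrom-Json).properties |
    Select-Object thumbprint, subjectName, expirationDate
```

If the vault uses the Azure RBAC permission model instead of access policies, `Set-AzKeyVaultAccessPolicy` does not apply; assign the built-in "Key Vault Secrets User" role to the same service principal on the vault instead (`New-AzRoleAssignment -ObjectId $rpSp.Id -RoleDefinitionName 'Key Vault Secrets User' -Scope $vaultId`). Granting `all` on keys and secrets to your own app registration, as in the discussion above, does not help, because ARM checks the policy of the App Service principal, which is a different object in the directory.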
