I have a Certificate from Lets Encrypt in PEM format with a private key. I used OpenSSL to convert it to PFX format and then imported it in Azure Key Vault along with the password I used during conversion. I then deployed an application gateway and configured an HTTP listener to use the PFX certificate stored in the Key vault. When I send an HTTPS request to the domain name of the certificate I get SSL routines:ssl3_read_bytes:tlsv1 unrecognized name and from the browser I get ERR_SSL_UNRECOGNIZED_NAME_ALERT
Following Microsoft guidelines, I created a User assigned identity and gave permissions ["Get"] to the Key vault secret and certificate, and made sure there are no connectivity problems. I also don’t get any errors in the gateway itself. Still get the same error.
Configuring the Application Gateway to use the certificate directly from my local setup, the requests are successful and I don’t get the same error. Any ideas why this happens when I use the Azure Key Vault? I tried uploading the certificate directly in Azure portal, using the CLI and terraform (filebase64 function) but still get the error.
2
Answers
Adding
Microsoft.KeyVaultservice endpoint to the AppGW Subnet and adding the subnet to the Key Vault allowed subnets solved the issue.Application Gateway has many moving parts, making configuration generally quite laborious.
I did create an bicep Azure Quickstart Template that shows almost everything you need in a single end to end sample. The only part that is different is the certificate authority.
https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/deployment-script-azcli-agw-certificates/
I hope this helps.