Cannot set Custom Hostname Certificate to use Key Vault

Views: 69
This article covers how to resolve the "Cannot set Custom Hostname Certificate to use Key Vault" problem; it should be a useful reference for anyone running into the same issue.

Problem description

I am attempting to switch my custom hostnames over to use an SSL certificate stored in azure key vault vs one that is uploaded to the service directly to help in certificate rotation.

Both the portal and gateway are already configured and working correctly with a certificate that was manually uploaded (pfx) originally.

I have done the following:

  • Enabled the managed service identity (MSI) on my APIM instance.
  • Added this identity (via APIM resource name) to my Key vault in the "access policies" section with the following permission: Certificates (Get)
  • Go to APIM instance and select Custom Domains > {Portal | Gateway}
  • Switch Certificate to "Key Vault"
  • Select the correct certificate from the drop-downs. (This currently is working for azure websites, so I know it is good.)
  • Hit the "Save" button.

I get the following error when hitting save:

Failed to update API Management service hostnames
Request to resource 'https://{vaultname}.vault.azure.net/secrets/{certname}/?api-version=7.0' failed with StatusCode: Forbidden for RequestId: . Exception message: Operation returned an invalid status code 'Forbidden'

Is there something I am doing wrong or additional permissions that need to be setup in the keyvault for this to work?

Solution

If you use Azure Key Vault to manage the custom domain SSL certificate, make sure the certificate is inserted into Key Vault as a certificate, not a secret.

Also, can you try this using ARM? This scenario using ARM is described here.

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity#use-the-managed-service-identity-to-access-other-resources

The following example shows an Azure Resource Manager template that contains the following steps:

  1. Create an API Management instance with a managed identity.
  2. Update the access policies of an Azure Key Vault instance and allow the API Management instance to obtain secrets from it.
  3. Update the API Management instance by setting a custom domain name through a certificate from the Key Vault instance.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "publisherEmail": {
      "type": "string",
      "minLength": 1,
      "metadata": { "description": "The email address of the owner of the service" }
    },
    "publisherName": {
      "type": "string",
      "defaultValue": "Contoso",
      "minLength": 1,
      "metadata": { "description": "The name of the owner of the service" }
    },
    "sku": {
      "type": "string",
      "allowedValues": ["Developer", "Standard", "Premium"],
      "defaultValue": "Developer",
      "metadata": { "description": "The pricing tier of this API Management service" }
    },
    "skuCount": {
      "type": "int",
      "defaultValue": 1,
      "metadata": { "description": "The instance size of this API Management service." }
    },
    "keyVaultName": {
      "type": "string",
      "metadata": { "description": "Name of the vault" }
    },
    "proxyCustomHostname1": {
      "type": "string",
      "metadata": { "description": "Proxy Custom hostname." }
    },
    "keyVaultIdToCertificate": {
      "type": "string",
      "metadata": { "description": "Reference to the KeyVault certificate. https://contoso.vault.azure.net/secrets/contosogatewaycertificate." }
    }
  },
  "variables": {
    "apiManagementServiceName": "[concat('apiservice', uniqueString(resourceGroup().id))]",
    "apimServiceIdentityResourceId": "[concat(resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
  },
  "resources": [
    {
      "apiVersion": "2017-03-01",
      "name": "[variables('apiManagementServiceName')]",
      "type": "Microsoft.ApiManagement/service",
      "location": "[resourceGroup().location]",
      "tags": {},
      "sku": {
        "name": "[parameters('sku')]",
        "capacity": "[parameters('skuCount')]"
      },
      "properties": {
        "publisherEmail": "[parameters('publisherEmail')]",
        "publisherName": "[parameters('publisherName')]"
      },
      "identity": { "type": "systemAssigned" }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "apiVersion": "2015-06-01",
      "dependsOn": [
        "[resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName'))]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[reference(variables('apimServiceIdentityResourceId'), '2015-08-31-PREVIEW').tenantId]",
            "objectId": "[reference(variables('apimServiceIdentityResourceId'), '2015-08-31-PREVIEW').principalId]",
            "permissions": { "secrets": ["get"] }
          }
        ]
      }
    },
    {
      "apiVersion": "2017-05-10",
      "name": "apimWithKeyVault",
      "type": "Microsoft.Resources/deployments",
      "dependsOn": [
        "[resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName'))]"
      ],
      "properties": {
        "mode": "incremental",
        "templateLink": {
          "uri": "https://raw.githubusercontent.com/solankisamir/arm-templates/master/basicapim.keyvault.json",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "publisherEmail": { "value": "[parameters('publisherEmail')]" },
          "publisherName": { "value": "[parameters('publisherName')]" },
          "sku": { "value": "[parameters('sku')]" },
          "skuCount": { "value": "[parameters('skuCount')]" },
          "proxyCustomHostname1": { "value": "[parameters('proxyCustomHostname1')]" },
          "keyVaultIdToCertificate": { "value": "[parameters('keyVaultIdToCertificate')]" }
        }
      }
    }
  ]
}
```
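As an added pre-flight check (not part of the question or the answer), the following Python models the two things the page actually turns on: the failing request goes to the vault's `/secrets/{certname}` endpoint while the question granted only Certificates (Get), whereas the template above grants `secrets: ["get"]`; and the referenced name must be a certificate object, not a PFX uploaded as a bare secret. The principal id, vault name, certificate names and policy documents are constructed placeholders, and the helper functions are hypothetical.

```python
from urllib.parse import urlparse

# Constructed sample data (placeholders, not values from the page's deployment).
APIM_PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"   # APIM system-assigned identity
VAULT_NAME = "contoso"
VAULT_CERTIFICATES = {"contosogatewaycertificate"}            # objects created as *certificates*
CERT_REFERENCE = "https://contoso.vault.azure.net/secrets/contosogatewaycertificate"

# The policy the question describes (Certificates: Get only) and the one the
# ARM template grants (Secrets: Get), in the shape of the vault's accessPolicies.
POLICY_AS_IN_QUESTION = {"accessPolicies": [
    {"objectId": APIM_PRINCIPAL_ID, "permissions": {"certificates": ["get"]}}]}
POLICY_AS_IN_TEMPLATE = {"accessPolicies": [
    {"objectId": APIM_PRINCIPAL_ID, "permissions": {"secrets": ["get"]}}]}

def check_access_policy(vault_props, principal_id):
    """Return problems with the identity's policy; APIM downloads the PFX through
    /secrets/<name>, so 'get' must be present under 'secrets', not only 'certificates'."""
    mine = [p for p in vault_props["accessPolicies"]
            if p["objectId"].lower() == principal_id.lower()]
    if not mine:
        return ["no access policy entry for objectId " + principal_id]
    secrets = {s.lower() for s in mine[0]["permissions"].get("secrets", [])}
    if "get" not in secrets:
        return ["identity lacks secrets/get; certificates/get alone yields 403 Forbidden"]
    return []

def check_certificate_reference(ref, vault_name, cert_names):
    """Validate keyVaultIdToCertificate: right vault, /secrets/<name> form, and the
    name must be a certificate object (a PFX uploaded as a bare secret will not do)."""
    url = urlparse(ref)
    if url.hostname != f"{vault_name}.vault.azure.net":
        return ["reference points at a different vault than " + vault_name]
    parts = [p for p in url.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "secrets":
        return ["reference must have the form https://<vault>.vault.azure.net/secrets/<name>"]
    if parts[1] not in cert_names:
        return [f"'{parts[1]}' is not a Key Vault certificate (stored as a secret?)"]
    return []

def preflight(vault_props, principal_id, ref, vault_name, cert_names):
    """All problems that would make the custom-hostname save fail, empty if none."""
    return (check_access_policy(vault_props, principal_id)
            + check_certificate_reference(ref, vault_name, cert_names))

if __name__ == "__main__":
    print(preflight(POLICY_AS_IN_QUESTION, APIM_PRINCIPAL_ID, CERT_REFERENCE, VAULT_NAME, VAULT_CERTIFICATES))
    print(preflight(POLICY_AS_IN_TEMPLATE, APIM_PRINCIPAL_ID, CERT_REFERENCE, VAULT_NAME, VAULT_CERTIFICATES))
```

In a real environment the two inputs would come from the vault's access-policy listing and its certificate listing, with the principal id taken from the APIM identity.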

