Incorrect vault secret being referenced in Azure Cloud Shell when trying to Add a certificate to VM from Key Vault


Problem description

I am following the steps in this tutorial called "Tutorial: Secure a web server on a Windows virtual machine in Azure with SSL certificates stored in Key Vault" ( I can't post the link yet apparently).

When I run the last step in the "Add a certificate to VM from Key Vault" section:

Update-AzVM -ResourceGroupName $resourceGroup -VM $vm

I get an error message that references an old vault secret that no longer exists (I have edited some of the response as to hide personal info):

PS Azure:\> Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
Update-AzVM : Long running operation failed with status 'Failed'. Additional Info:'The Key Vault secret referenced with the URL https://<Incorrectvaultname>.vault.azure.net/secrets/<NonExistentCertificateName>/<NonExistentSecretId> does not exist.'
ErrorCode: KeyVaultSecretDoesNotExist
ErrorMessage: The Key Vault secret referenced with the URL https://<Incorrectvaultname>.vault.azure.net/secrets/<NonExistentCertificateName>/<NonExistentSecretId> does not exist.
ErrorTarget:
StartTime: 5/30/19 5:47:10 PM
EndTime: 5/30/19 5:47:11 PM
OperationID: 23007814-d68b-45c8-8120-97ef61ee67e3
Status: Failed
At line:1 char:1
+ Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [Update-AzVM], ComputeCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.UpdateAzureVMCommand

Here's the entire script. Notice I am creating a new vault, a new certificate, and then attempting to add this new cert to an existing vm, yet the error message references a previously deleted certificate in a different vault. No matter if I try this workflow using the original vault referenced in the error or a new vault, I always get this message:

VERBOSE: Authenticating to Azure ...
VERBOSE: Building your Azure drive ...

PS Azure:\> $keyvaultName="<newvaultname>"
Azure:/
PS Azure:\> New-AzKeyVault -VaultName $keyvaultName `
>>     -Location $location `
>>     -EnabledForDeployment

Vault Name                       : <newvaultname>
Resource Group Name              : Training
Location                         : North Central US
Resource ID                      : /subscriptions/etc/<newvaultname>
Vault URI                        : https://<newvaultname>.vault.azure.net/
Tenant ID                        : <tenantid>
SKU                              : Standard
Enabled For Deployment?          : True
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Soft Delete Enabled?             :
Access Policies                  :
Network Rule Set                 :
                                   Default Action                             : Allow
                                   Bypass                                     : AzureServices
                                   IP Rules                                   :
                                   Virtual Network Rules                      :
Tags                             :
WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies.

(Added user access policy here via Azure Portal then proceeded)

Azure:/
PS Azure:\> $policy = New-AzureKeyVaultCertificatePolicy `
>>     -SubjectName "CN=www.website.com" `
>>     -SecretContentType "application/x-pkcs12" `
>>     -IssuerName Self `
>>     -ValidityInMonths 12
Azure:/
PS Azure:\>

PS Azure:\> Add-AzureKeyVaultCertificate `
>>     -VaultName $keyvaultName `
>>     -Name "testcert3" `
>>     -CertificatePolicy $policy

Id                        : https://<newvaultname>.vault.azure.net/certificates/testcert3/pending
Status                    : inProgress
StatusDetails             : Pending certificate created. Certificate request is in progress. This may take some
                            time based on the issuer provider. Please check again later.
RequestId                 : 6befc90b7cec4e169cbb58075b88d832
Target                    :
Issuer                    : Self
CancellationRequested     : False
CertificateSigningRequest : <certsigningrequest>
                            <cert response info>
ErrorCode                 :
ErrorMessage              :
Name                      :
VaultName                 :


Azure:/
PS Azure:\> $certURL=(Get-AzureKeyVaultSecret -VaultName $keyvaultName -Name "testcert3").id
Azure:/
PS Azure:\>
Azure:/
PS Azure:\> $vm=Get-AzVM -ResourceGroupName $resourceGroup -Name "<vm name>"
Azure:/
PS Azure:\> $vaultId=(Get-AzKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
Azure:/
PS Azure:\> $vm = Add-AzVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "<certstorename>" -CertificateUrl $certURL
Azure:/
PS Azure:\> Update-AzVM -ResourceGroupName $resourceGroup -VM $vm

Thanks
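The error above comes from validating the certificate URLs stored in the VM's OS profile, not from the vault you just created. The following inspection script is an added example (not code from the question, the answer or the tutorial): it lists every vault secret reference the VM carries, checks whether each referenced secret version still resolves, and reports whether the source vault is enabled for deployment. It assumes the Az.Compute and Az.KeyVault modules, an existing Connect-AzAccount session, and the `$resourceGroup` and `<vm name>` placeholders from the question; the function name is made up for this example.

```powershell
# Added example: audit the Key Vault references on a VM before Update-AzVM.
# Assumes Az.Compute + Az.KeyVault and a signed-in Azure context.
function Test-VMVaultSecretReferences {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    # OSProfile.Secrets is the list the Compute service validates on update;
    # Add-AzVMSecret appends to it, so old entries survive until removed.
    $groups = $vm.OSProfile.Secrets
    if (-not $groups -or $groups.Count -eq 0) {
        Write-Output "No vault secret references on $VMName."
        return
    }
    foreach ($group in $groups) {
        Write-Output "Source vault: $($group.SourceVault.Id)"
        foreach ($cert in $group.VaultCertificates) {
            # URL shape: https://<vault>.vault.azure.net/secrets/<name>/<version>
            $uri       = [System.Uri] $cert.CertificateUrl
            $vaultName = $uri.Host.Split('.')[0]
            $parts     = $uri.AbsolutePath.Trim('/').Split('/')
            $name      = $parts[1]
            $version   = if ($parts.Count -gt 2) { $parts[2] } else { $null }
            $status = 'OK'
            try {
                $secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $name `
                    -Version $version -ErrorAction Stop
                if ($null -eq $secret) { $status = 'MISSING' }
            } catch {
                $status = "MISSING ($($_.Exception.Message))"
            }
            # The Compute resource provider can only read vaults enabled for deployment
            $vault  = Get-AzKeyVault -VaultName $vaultName -ErrorAction SilentlyContinue
            $deploy = if ($vault) { $vault.EnabledForDeployment } else { 'vault not found' }
            Write-Output ("  {0}`n    store={1} secret={2} EnabledForDeployment={3}" -f `
                $cert.CertificateUrl, $cert.CertificateStore, $status, $deploy)
        }
    }
}

# Placeholders from the question; replace with your own values.
Test-VMVaultSecretReferences -ResourceGroupName $resourceGroup -VMName '<vm name>'
```

A reference reported as MISSING that points at a vault other than the one just created is a stale entry left on the VM resource by an earlier Add-AzVMSecret; Update-AzVM will keep failing on it until that entry is removed from `$vm.OSProfile.Secrets` before the update is submitted.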

Recommended answer

Have you followed the steps exactly to configure the directory permissions?


1. Using PowerShell, run the next command:

Set-AzureRmKeyVaultAccessPolicy -VaultName 'XXXXXXX' -ServicePrincipalName XXXXX -PermissionsToKeys decrypt,sign,get,unwrapKey



2. Using the Azure Portal

  1. Open Key Vaults
  2. Select Access Policies from the Key Vault resource blade
  3. Click the [+ Add new] button at the top of the blade
  4. Click Select Principal to select the application you created earlier
  5. From the Key permissions drop down, select "Decrypt", "Sign", "Get", "UnwrapKey" permissions
  6. Save changes

