Azure ARM SSL Binding using App service certificate

I have a site with custom hostnames configured with hostnameBindings in the ARM template. This deploys fine.

I also have the SSL certificate created and verified from Azure, with the corresponding thumbprint.

In the Azure site I am also able to bind the certificate to the app service.

But when I use the ARM template to assign the SSL from the template in the hostnameBindings it gives an error that the certificate was not found...

I don't understand what goes wrong...

My guesses:

  • the certificate is in a different resource group so it cannot be found, but in the template settings I cannot set the group.
  • in the Azure website before I can use the SSL I have to import, so maybe I am missing this step in the ARM template?
  • using wrong thumbprint?

In the hostnameBindings I am defining only the thumbprint and the sslState.

Any idea which step I am missing?

Thank you

UPDATE

My parameter json file:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.5.0.8",
    "parameters": {
        "baseResourceName": {
            "value": "base-name"
        },
        "environments": {
            "value": [
                "preview"
            ]
        },
        "hostName": {
            "value": [
                {
                    "name": "myhostname.example.com",
                    "sslState": "SniEnabled",
                    "thumbprint": "9897LKJL88KHKJH8888KLJLJLJLKJLJLKL4545"
                },
                {
                    "name": "myhostname2.example.com"
                }
            ]
        },
        "ipSecurityRestrictions": {
            "value": []
        }
    }
}

My template json file:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.5.0.8",
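    "parameters": {
        "baseResourceName": {
            "type": "string",
            "metadata": {
                "description": "Base name used to derive the resource names"
            }
        },
        "environments": {
            "defaultValue": [],
            "type": "array"
        },
        "ipSecurityRestrictions": {
            "defaultValue": [],
            "type": "array"
        },
        "hostName": {
            "defaultValue": [],
            "type": "array",
            "metadata": {
                "description": "The custom hostnames of sites"
            }
        }
    },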
    "variables": {
        "standardPlanMaxAdditionalSlots": 4,
        "appName": "[concat(parameters('baseResourceName'), '-private')]",
        "appServicePlanName": "[concat(parameters('baseResourceName'), '-appServicePlan')]",
        "appInsightName": "[concat(parameters('baseResourceName'), '-appInsight')]",
        "ipSecurityRestrictions": "[parameters('ipSecurityRestrictions')]"
    },
    "resources": [
        {
            "type": "Microsoft.Web/serverfarms",
            "comments": "AppPlan for app.",
            "sku": {
                "name": "[if(lessOrEquals(length(parameters('environments')), variables('standardPlanMaxAdditionalSlots')), 'S1', 'P1')]"
            },
            "tags": {
                "displayName": "AppServicePlan-Private"
            },
            "name": "[variables('appServicePlanName')]",
            "kind": "app",
            "apiVersion": "2016-09-01",
            "location": "[resourceGroup().location]",
            "properties": {},
            "dependsOn": []
        },
        {
            "type": "Microsoft.Web/sites",
            "comments": "This is the private web app.",
            "kind": "app",
            "apiVersion": "2016-03-01",
            "name": "[variables('appName')]",
            "location": "[resourceGroup().location]",
            "tags": {
                "displayName": "WebApp"
            },
            "properties": {
                "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
                "siteConfig": {
                    "appSettings": [],
                    "phpVersion": "",
                    "ipSecurityRestrictions": "[variables('ipSecurityRestrictions')]",
                    "http20Enabled": true,
                    "minTlsVersion": "1.2"
                }
            },
            "dependsOn": [
                "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
                "[resourceId('microsoft.insights/components/', variables('appInsightName'))]"
            ]
        },
        {
            "type": "Microsoft.Web/sites/hostnameBindings",
            "name": "[concat(variables('appName'), '/', parameters('hostName')[copyIndex()].Name)]",
            "apiVersion": "2016-03-01",
            "location": "[resourceGroup().location]",
            "properties": "[parameters('hostName')[copyIndex()]]",
            "condition": "[greater(length(parameters('hostName')), 0)]",
            "copy": {
                "name": "hostnameCopy",
                "count": "[length(parameters('hostName'))]",
                "mode": "Serial"
            },
            "dependsOn": [
                "[concat('Microsoft.Web/sites/',variables('appName'))]"
            ]
        }
    ]
}

1 answer

  • answered 2018-07-11 07:29 4c74356b41

    Completely unrelated: did you test your condition greater(..., 0) with a zero-length array? Pretty sure it will blow up.

    On the subject: I think you can maybe make it work if you link your certificate resource to the App Service plan. So this is an operation that is performed on the certificate resource. This is totally possible if you use Key Vault to store the certificate:

        {
            "apiVersion": "2016-03-01",
            "name": "[variables('certificateName')]",
            "location": "[resourceGroup().location]",
            "type": "Microsoft.Web/certificates",
            "dependsOn": [
                "[parameters('appServicePlan')]"
            ],
            "properties": {
                "keyVaultId": "kvResourceId",
                "keyVaultSecretName": "secretName",
                "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlan'))]"
            }
        }
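
The following is an added example, not code from the question or the answer: two entries for the template's `resources` array that import the certificate from Key Vault and bind it in the same deployment, reading the thumbprint from the imported certificate instead of a hard-coded parameter. The `keyVaultId`, `keyVaultSecretName` and `customHostname` parameters and the `certificateName` variable are assumptions that would have to be declared in the template. Because `keyVaultId` is a full resource ID, the vault can sit in a different resource group from the site.

```json
[
  {
    "type": "Microsoft.Web/certificates",
    "comments": "Added example. Imports the certificate from Key Vault into the resource group of the App Service plan. keyVaultId and keyVaultSecretName are assumed parameters.",
    "apiVersion": "2016-03-01",
    "name": "[variables('certificateName')]",
    "location": "[resourceGroup().location]",
    "properties": {
      "keyVaultId": "[parameters('keyVaultId')]",
      "keyVaultSecretName": "[parameters('keyVaultSecretName')]",
      "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
    },
    "dependsOn": [
      "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
    ]
  },
  {
    "type": "Microsoft.Web/sites/hostnameBindings",
    "comments": "Added example. The binding waits for the certificate import and takes the thumbprint from it. customHostname is an assumed parameter.",
    "apiVersion": "2016-03-01",
    "name": "[concat(variables('appName'), '/', parameters('customHostname'))]",
    "location": "[resourceGroup().location]",
    "properties": {
      "sslState": "SniEnabled",
      "thumbprint": "[reference(resourceId('Microsoft.Web/certificates', variables('certificateName'))).thumbprint]"
    },
    "dependsOn": [
      "[resourceId('Microsoft.Web/sites', variables('appName'))]",
      "[resourceId('Microsoft.Web/certificates', variables('certificateName'))]"
    ]
  }
]
```

The import only succeeds if the App Service resource provider has been granted permission to read secrets from the vault.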