Azure/Azure-Spring-Apps

Custom Domain Certificate not updated after KV update certificate rotation

ezYakaEagle442 opened this issue · 3 comments

https://learn.microsoft.com/en-us/azure/spring-apps/tutorial-custom-domain?tabs=Azure-portal#import-certificate shows how to import a certificate from KV when setting up a Custom Domain. However, while KV supports certificate rotation, the certificate is not then updated in ASA.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy ASA
  2. Set up the custom domain following the above doc, using a certificate expiring after 1 day
  3. Wait 2 days and check the certificate self-rotation in KV
  4. Verify in ASA that the certificate used for the custom domain is still the old one, not the renewed one.

Expected behavior
The Custom Domain Certificate should be updated in ASA

Screenshots
N/A

Additional context
None

zmssp commented

Currently, ASA does not support cert auto renewal. Since the cert is stored in the user's key vault, ASA does not know the status of the cert and may also not be able to access the resource. We've backlogged this request and may plan it in the future.

The customer needs to update the cert manually. First, import the cert "newcert", then update the cert with:
"az spring-cloud app custom-domain update -s {serviceName} -g {resourceGroup} --app {appName} --domain-name {domainName} --certificate newcert"
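The manual rotation described in the comment above, as an added shell example that is not part of this thread or of Azure Spring Apps: it imports the renewed Key Vault certificate into ASA under a fresh name (ASA refuses to overwrite an existing certificate name) and then repoints the custom domain at it. The resource group, service, app, domain and vault names are placeholders; the `AZ` override and the `properties.certName` query in `show_domain_cert` are assumptions for dry runs and verification.

```shell
#!/usr/bin/env sh
# Added example: manual rotation of an Azure Spring Apps custom-domain certificate
# after Key Vault has renewed it, using the az commands discussed in this thread.
# AZ can be overridden (e.g. AZ=echo) for a dry run; all names are placeholders.

AZ="${AZ:-az}"

# Derive a fresh ASA certificate name from the Key Vault certificate name and a
# version tag, because ASA rejects an import that reuses an existing name.
rotated_cert_name() {
    # $1 = Key Vault certificate name, $2 = version tag (date or KV version id)
    printf '%s-%s\n' "$1" "$2"
}

# Import the renewed certificate under the new name, then repoint the domain.
# Prints the new ASA certificate name on success.
rotate_custom_domain_cert() {
    rg="$1"; service="$2"; app="$3"; domain="$4"
    vault_uri="$5"; kv_cert="$6"; tag="$7"
    new_name=$(rotated_cert_name "$kv_cert" "$tag")
    "$AZ" spring certificate add -g "$rg" -s "$service" \
        --name "$new_name" \
        --vault-uri "$vault_uri" \
        --vault-certificate-name "$kv_cert" || return 1
    "$AZ" spring app custom-domain update -g "$rg" -s "$service" \
        --app "$app" --domain-name "$domain" \
        --certificate "$new_name" || return 1
    printf '%s\n' "$new_name"
}

# Verify which ASA certificate the domain is bound to after the update
# (the certName property path is an assumption about the CLI's JSON output).
show_domain_cert() {
    "$AZ" spring app custom-domain show -g "$1" -s "$2" \
        --app "$3" --domain-name "$4" \
        --query "properties.certName" -o tsv
}

# Example invocation (placeholders; run only against your own subscription):
# rotate_custom_domain_cert my-rg my-asa my-app www.example.com \
#     https://my-kv.vault.azure.net my-kv-cert 2024-01
# show_domain_cert my-rg my-asa my-app www.example.com
```

Once the domain reports the new name, the previous ASA certificate can be removed with `az spring certificate remove`; tagging the name with the Key Vault version or renewal date keeps the import idempotent per rotation and makes it obvious in `show_domain_cert` output which renewal the domain is serving.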

Hi,
Even if ASA isn't aware of the original certificate in the key vault, we should at least be able to update the certificate that is stored in ASA under the same name, with a command like:

az spring certificate add -g resourcegroup -s asaname --name cert-name-in-asa --vault-uri https://kv-name.vault.azure.net --vault-certificate-name cert-name-in-kv

But, as the certificate already exists with the name cert-name-in-asa in Azure Spring Apps, it will fail with the message:

ERROR: Certificate with name 'cert-name-in-asa' already exists

Even if the certificate in the key vault has changed, it won't update it.

But it would of course be great if ASA automatically updated its certificate from the original one in the key vault :)

@allxiao , I suppose updating the same cert is surely supported, to override the old one with the same name. Could you please ask the corresponding engineer to comment here?