glueckkanja/gk-scepman

Vault URL : failed

Closed this issue · 20 comments

Both the Marketplace and GitHub deployments complete successfully but the Web Dashboard has a "failed" status for Vault URL. I have verified the deployment set AppConfig:KeyVaultConfig:KeyVaultURL to the DNS name of the Vault and the app service has applicable access policies in the Vault.

This is most likely because the root certificate wasn't created yet.
[Screenshot]
Please use the button mentioned in the screenshot. This should solve the issue.

I had already attempted this but receive a popup message "Error occurred while creating root certificate. Please see logs for more details." I assumed this was occurring because it cannot store the root certificate in Key Vault due to the Vault URL failed message.

Even though Application Logging is enabled there is no Application folder under LogFiles in Kudu. Reviewing the contents of the others doesn't seem to provide any insight to either of these issues.

@bb-froggy any idea?

Seeing the same issue here too...

@bb-froggy looks like whatever fixed this issue in 2020 has not found its solution into this ticket. Any help?

Any update on this error? Tried multiple reinstalls and no difference. Do you want logs or something?

I assume there is still no insight as to what is happening here.... the logs only complain about the URL for the vault, which is set correctly in the configuration tables.

Could you provide some details on how you've deployed SCEPman? Did you use Github or Marketplace deploy? I assume you've recently deployed the service?
Did you follow the instructions on how to collect the logs described in our documentation?

Hi Justin, I deployed thru the Marketplace and followed your guides online. I also tried thru the Github method.
Yes this has recently been deployed, and after several attempted installs it results in the same issue.
I've been watching the live logs thru Azure personally.

2021-02-10 23:23:34.415 +00:00 [Information] Scepman.Server.Controllers.HomeController: System is up: scepman-appxxxxxxxxxxxxx.azurewebsites.net :: V 1.6.465.500
2021-02-10 23:23:34.678 +00:00 [Error] Scepman.Core.Services.CertificateHelperService: Root certificate not found (may be initial)
2021-02-10 23:23:34.734 +00:00 [Critical] Scepman.Server.Controllers.HomeController: Error connecting to the Key vault url specified in the app settings
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'NotFound'
at Microsoft.Azure.KeyVault.KeyVaultClient.GetCertificateWithHttpMessagesAsync(String vaultBaseUrl, String certificateName, String certificateVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetCertificateAsync(IKeyVaultClient operations, String vaultBaseUrl, String certificateName, CancellationToken cancellationToken)
at Scepman.Core.CertificationAuthority.KeyVaultCA.GetCaCertificate() in /builds/gk-scepman/scepman/source/Scepman.Core/Model/CertificationAuthority/KeyVaultCA.cs:line 63
at Scepman.Core.CertificationAuthority.KeyVaultCA.get_CACertificate() in /builds/gk-scepman/scepman/source/Scepman.Core/Model/CertificationAuthority/KeyVaultCA.cs:line 67
at Scepman.Server.Controllers.HomeController.GetKeyVaultUrlConnectivityStatus() in /builds/gk-scepman/scepman/source/Scepman.Server/Controllers/HomeController.cs:line 188

The log entries are complaining that the root certificate is missing. Is there any error message when trying to create the root certificate?
Could you start a trace when trying to create the root certificate?

It's the same error when I attempt to create the root CA, as per the original issue in this post.
I get "Error occurred while creating root certificate. Please see logs for more details.".

And the logs only show what I pasted above, that it cannot connect to the key vault.

To be honest I don't have an idea why SCEPman fails when creating the root certificate. This behavior could be caused by insufficient permissions of the app service to the key vault. But this should be properly set up when deploying SCEPman with GitHub Deploy or Marketplace. Just to ensure there isn't something messed up during deployment, could you verify that the managed identity of the app service has access policies configured in the key vault?

Could you provide the Organization name you've set in the deployment dialog?

We could align a short remote session for troubleshooting if you like.

How can I contact you and perhaps send sensitive information?

The access rights are: Key Permissions 12 (All except decrypt, encrypt, wrap key, and purge), Secret Permissions 7 (All except purge), Certificate Permissions 15 (All except purge)

Key Vault created by the installation only.

Had the same issue and figured out that for my install the value for O= in AppConfig:KeyVaultConfig:RootCertificateConfig:Subject had spaces that were not in quotes. Once I put in the quotes the root ca completed.
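An added example (not part of the thread and not SCEPman code) of a check for the cause reported in the comment above: a component of `AppConfig:KeyVaultConfig:RootCertificateConfig:Subject` whose value contains spaces but is not in double quotes. The sample subject is constructed, and the rule applied here (only double-quoted values may contain spaces) is an assumption taken from that comment, not SCEPman's documented parsing.

```python
import re

# Constructed sample value, not taken from any real deployment.
SAMPLE_BAD = "CN=Example-Root-CA, O=Contoso Example Ltd"


def split_rdns(subject):
    """Split a subject string on commas that sit outside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in subject:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in subject")
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def check_subject(subject):
    """Return (problems, corrected_subject) for a Subject app setting."""
    problems, fixed = [], []
    for rdn in split_rdns(subject):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            problems.append(f"malformed component: {rdn!r}")
            fixed.append(rdn)
            continue
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        if not quoted and re.search(r"\s", value):
            # The condition described in the thread: spaces without quotes.
            problems.append(f"{attr}: value with spaces is not quoted")
            value = f'"{value}"'
        fixed.append(f"{attr}={value}")
    return problems, ", ".join(fixed)


if __name__ == "__main__":
    issues, corrected = check_subject(SAMPLE_BAD)
    for issue in issues:
        print("WARN", issue)
    print("Suggested value:", corrected)
```
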

Thanks @tullid !

@JustinSchaffranek / @bb-froggy would you mind updating this ticket? If I remember correctly, this was really a similar issue, and we need to take it into consideration to help avoid running into this issue anymore. Thanks!

GitHub-Deployment is updated now. Marketplace deployment is updated as well but needs some time until the change is active.

Howdy all. I'm not as familiar as you are with the workings, but I just downloaded (4 hours ago) from the Marketplace, and went for the CE install and also got the failed root cert issue. Any possibility it has not been updated yet? Thanks!

from the log:
2021-03-12 03:01:24.386 +00:00 [Information] Scepman.Server.Controllers.HomeController: System is up: scepman-appomclkfzbjkkrq.azurewebsites.net :: V 1.6.465.500
2021-03-12 03:01:25.159 +00:00 [Error] Scepman.Core.Services.CertificateHelperService: Root certificate not found (may be initial)
2021-03-12 03:01:25.205 +00:00 [Critical] Scepman.Server.Controllers.HomeController: Error connecting to the Key vault url specified in the app settings
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'NotFound'
at Microsoft.Azure.KeyVault.KeyVaultClient.GetCertificateWithHttpMessagesAsync(String vaultBaseUrl, String certificateName, String certificateVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetCertificateAsync(IKeyVaultClient operations, String vaultBaseUrl, String certificateName, CancellationToken cancellationToken)
at Scepman.Core.CertificationAuthority.KeyVaultCA.GetCaCertificate() in /builds/gk-scepman/scepman/source/Scepman.Core/Model/CertificationAuthority/KeyVaultCA.cs:line 59
at Scepman.Core.CertificationAuthority.KeyVaultCA.get_CACertificate() in /builds/gk-scepman/scepman/source/Scepman.Core/Model/CertificationAuthority/KeyVaultCA.cs:line 67
at Scepman.Server.Controllers.HomeController.GetKeyVaultUrlConnectivityStatus() in /builds/gk-scepman/scepman/source/Scepman.Server/Controllers/HomeController.cs:line 171
2021-03-12 03:01:25.207 +00:00 [Information] Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker: Executed action method Scepman.Server.Controllers.HomeController.HomePage (Scepman.Server), returned result Microsoft.AspNetCore.Mvc.ViewResult in 821.6946ms.