Azure-cli: az webapp config ssl bind fails for slot

Created on 25 May 2018 · 8Comments · Source: Azure/azure-cli

Describe the bug
This command fails:

az webapp config ssl bind --certificate-thumbprint $thumbprint --resource-group $rg --ssl-type SNI --name $name --slot $slot
Can not perform requested operation on nested resource. Parent resource '[name]([slot])' not found.

With valid name=foo; slot=bar, that would read: Parent resource 'foo(bar)' not found. With an invalid (nonexistent) slot=baz, the message instead reads: Parent resource 'foo/baz' not found. I can confirm with az webapp show --resource-group $rg --name $name --slot $slot that the slot does exist.

Running az webapp config ssl bind without the --slot also works as expected, as does manually creating the binding in the Azure Portal.

Running with the --slot in --debug mode shows a plausible-looking PUT request, with the correct custom domain having been found and specified in the hostNameSsslStates array:

{"location": "xxx", "properties": {"hostNameSslStates": [{"name": "xxx", "sslState": "SniEnabled", "thumbprint": "xxx", "toUpdate": true}], "reserved": false, "scmSiteAlsoStopped": false}}

To Reproduce

Create a web app foo.
Add a slot bar.
Upload a certificate to foo.
Run az webapp config ssl bind with --slot bar.
Observe the above error message.

Expected behavior
The SSL binding should be added to the slot, as documented:
https://docs.microsoft.com/en-us/cli/azure/webapp/config/ssl?view=azure-cli-latest#az-webapp-config-ssl-bind

Environment summary
azure-cli 2.0.32 / Ubuntu 16.04 / apt respository [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ xenial main / version 2.0.32-1~xenial

Web Apps bug

Source

sseveringhaus-newclassrooms

All 8 comments

@sseveringhaus-newclassrooms i haven't tried to repro this myself yet, however had a few follow-up questions on the behavior you are seeing. Do you have a default name or resourcegroup set on CLI (using az configure --defaults ?Also are you running the command with az webapp config ssl bind with -n & -g explicitly set? This could still be a bug on our end but wanted to confirm with you. Thanks!

panchagnula on 25 May 2018

Hi, @panchagnula; thanks for following up! I have nothing in my ~/.azure/config, so I don't think that's affecting it. Yes, I'm explicitly passing --resource-group and --name. I thought it was interesting that the error message is slightly different when the --slot is different (detailed in the initial report). It does seem to know when I'm passing it a valid slot (particularly because it does appear to identify the correct custom domain). I believe I saw somewhere that there could be issues when the slot was in a different RG than the production slot, but that's definitely not the case here. I have not yet tried passing --ids instead, since that doesn't fit into my workflow very well yet.

sseveringhaus-newclassrooms on 25 May 2018

@sseveringhaus-newclassrooms thanks for the quick response, I will investigate this further.

panchagnula on 25 May 2018

I can confirm this behavior. I experience the same. With the debug flag, I see the following:

urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com
urllib3.connectionpool : https://management.azure.com:443 "PUT /subscriptions/xxxx-xxxx-xxxx-xxxx/resourceGroups/sprint-eu/providers/Microsoft.Web/sites/fcwb-sprint-eu-appservice%28feature%29/slots/feature?api-version=2016-08-01 HTTP/1.1" 404 175
msrest.http_logger : Request URL: 'https://management.azure.com/subscriptions/xxxx-xxxx-xxxx-xxxx/resourceGroups/sprint-eu/providers/Microsoft.Web/sites/fcwb-sprint-eu-appservice%28feature%29/slots/feature?api-version=2016-08-01'
msrest.http_logger : Request method: 'PUT'
msrest.http_logger : Request headers:
msrest.http_logger :     'User-Agent': 'python/3.6.1 (Linux-4.13.0-32-generic-x86_64-with-debian-stretch-sid) requests/2.18.4 msrest/0.4.29 msrest_azure/0.4.31 azure-mgmt-web/0.35.0 Azure-SDK-For-Python AZURECLI/2.0.33'
msrest.http_logger :     'Accept-Encoding': 'gzip, deflate'

The CLI is trying to locate the slot at : /Microsoft.Web/sites/fcwb-sprint-eu-appservice%28feature%29/slots/feature?

which in reality should be /Microsoft.Web/sites/fcwb-sprint-eu-appservice/slots/feature? without the extra %28feature%29

kishorebasisth on 28 May 2018

Assigning to myself to investigate this further.

panchagnula on 7 Jun 2018

This patch has fixed the issue for me:

--- a/src/command_modules/azure-cli-appservice/azure/cli/command_modules/appservice/custom.py
+++ b/src/command_modules/azure-cli-appservice/azure/cli/command_modules/appservice/custom.py
@@ -1473,8 +1473,7 @@ def _update_host_name_ssl_state(cli_ctx, resource_group_name, webapp_name, locat
                                                                  thumbprint=thumbprint,
                                                                  to_update=True)],
                           location=location)
-    name = '{}({})'.format(webapp_name, slot) if slot else webapp_name
-    return _generic_site_operation(cli_ctx, resource_group_name, name, 'create_or_update',
+    return _generic_site_operation(cli_ctx, resource_group_name, webapp_name, 'create_or_update',
                                    slot, updated_webapp)

I have somewhat low confidence in it beyond "works for me", because it's not clear why the name would have been passed in that format in the first place.

sseveringhaus-newclassrooms on 13 Dec 2018

👍1

The code above also fix the issue for me. I think there 2 type of naming scheme for the slot