Azure-cli: enable-https for custom domain doesn't work with own certificate

Created on 9 Jul 2019  路  11Comments  路  Source: Azure/azure-cli

Command:
az cdn custom-domain enable-https --resource-group <resource_group> --profile-name <profile_name> --name <name> --endpoint-name <endpoint_name> --custom-domain-https-parameters '{"certificateSource":"AzureKeyVault", "protocolType":"ServerNameIndication"}'

throws exception.

No documentation is provided on custom-domain-https-parameters, so it is impossible to understand what is correct input here.

Network - CDN Service Attention bug
Source
picture degivan
👍4

Most helpful comment

I'm working on adding support to PowerShell and CLI for enabling HTTPS on custom domains using a certificate in KeyVault. I should have it ready by the end of the month.

Hi, any updates regarding this?

picture dmitrykarnitski on 30 Oct 2019
👍6

All 11 comments

Command output:

The command failed with an unexpected error. Here is the traceback:

Unable to build a model: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get', DeserializationError: Unable to deserialize to object: type, AttributeError: 'str' object hasno attribute 'get'
Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1288, in _deserialize
found_value = key_extractor(attr, attr_desc, data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1078, in rest_key_case_insensitive_extractor
return attribute_key_case_insensitive_extractor(key, None, working_data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1101, in attribute_key_case_insensitive_extractor
return data.get(found_key)
AttributeError: 'str' object has no attribute 'get'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 571, in body
data = deserializer._deserialize(data_type, data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1298, in _deserialize
raise_with_traceback(DeserializationError, msg, err)
File "/opt/az/lib/python3.6/site-packages/msrest/exceptions.py", line 51, in raise_with_traceback
raise error.with_traceback(exc_traceback)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1288, in _deserialize
found_value = key_extractor(attr, attr_desc, data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1078, in rest_key_case_insensitive_extractor
return attribute_key_case_insensitive_extractor(key, None, working_data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1101, in attribute_key_case_insensitive_extractor
return data.get(found_key)
msrest.exceptions.DeserializationError: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 206, in invoke
cmd_result = self.invocation.execute(args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 575, in execute
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 633, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 624, in _run_job
cmd_copy.exception_handler(ex)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/cdn/commands.py", line 23, in _inner_not_found
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 603, in _run_job
result = cmd_copy(params)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 305, in __call__
return self.handler(*args, kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 470, in default_command_handler
return op(command_args)
File "/opt/az/lib/python3.6/site-packages/azure/mgmt/cdn/operations/custom_domains_operations.py", line 541, in enable_custom_https
body_content = self._serialize.body(custom_domain_https_parameters, 'CustomDomainHttpsParameters')
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 574, in body
SerializationError, "Unable to build a model: "+str(err), err)
File "/opt/az/lib/python3.6/site-packages/msrest/exceptions.py", line 51, in raise_with_traceback
raise error.with_traceback(exc_traceback)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 571, in body
data = deserializer._deserialize(data_type, data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1298, in _deserialize
raise_with_traceback(DeserializationError, msg, err)
File "/opt/az/lib/python3.6/site-packages/msrest/exceptions.py", line 51, in raise_with_traceback
raise error.with_traceback(exc_traceback)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1288, in _deserialize
found_value = key_extractor(attr, attr_desc, data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1078, in rest_key_case_insensitive_extractor
return attribute_key_case_insensitive_extractor(key, None, working_data)
File "/opt/az/lib/python3.6/site-packages/msrest/serialization.py", line 1101, in attribute_key_case_insensitive_extractor
return data.get(found_key)
msrest.exceptions.SerializationError: Unable to build a model: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get', DeserializationError: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get'

degivan picture degivan on 9 Jul 2019

You can follow the API documentation to understand the parameters -
https://docs.microsoft.com/en-us/rest/api/cdn/customdomains/enablecustomhttps#usermanagedhttpsparameters

We'll take an action item on our side to add some samples.

ravindp picture ravindp on 7 Aug 2019

I was facing the same issue, couldn't find other alternative other than REST.
I've tried terraform, arm, az-cli, powershell, and nothing supports this feature yet, the closest one is az-cli that accepts the parameters but whatever you pass to it will fail with the error mentioned in this issue above.

I managed to make it work using the following REST api call in bash with CURL:

It assumes the custom-domain has been already created previously.
This will only enable HTTPs with your own certificate stored in key vault.
Make sure the CDN is set as a valid app in your AD account and also set access policies in keyvault where the certificate is stored to allow CDN to get secrets and certificates.

curl -X POST \
"https://management.azure.com/subscriptions/$subscriptionId/resourcegroups/$resourceGroupName/providers/Microsoft.Cdn/profiles/$cdnProfileName/endpoints/$cdnEndpointName/customdomains/$cdnCustomDomainName/enableCustomHttps?api-version=2017-10-12" \
-H "Accept: */*" \
-H "Host: management.azure.com" \
-H "Accept-Encoding: gzip, deflate" \
-H "Authorization: Bearer $azureApiToken" \
-H "Cache-Control: no-cache" \
-H "Connection: keep-alive" \
-H "Content-Type: application/json" \
-H "cache-control: no-cache" \
-d "{
    'certificateSource': 'AzureKeyVault',
    'protocolType': 'ServerNameIndication',
    'certificateSourceParameters': {
        '@odata.type': '#Microsoft.Azure.Cdn.Models.KeyVaultCertificateSourceParameters',
        'subscriptionId': '$subscriptionId',
        'resourceGroupName': '$resourceGroupName',
        'vaultName': '$vaultName',
        'secretName': '$secretName',
        'secretVersion': '$secretVersion',
        'updateRule': 'NoAction',
        'deleteRule': 'NoAction'
    },
}";

before calling the command above, please set the below variables in bash:

subscriptionId=****
resourceGroupName=****
cdnProfileName=****
cdnEndpointName=****
cdnCustomDomainName=****
vaultResourceGroupName=****
vaultName=****
secretName=****
secretVersion=****
azureApiToken=****
guibirow picture guibirow on 9 Oct 2019

I'm working on adding support to PowerShell and CLI for enabling HTTPS on custom domains using a certificate in KeyVault. I should have it ready by the end of the month.

lsmith130 picture lsmith130 on 18 Oct 2019

I'm working on adding support to PowerShell and CLI for enabling HTTPS on custom domains using a certificate in KeyVault. I should have it ready by the end of the month.

Hi, any updates regarding this?

dmitrykarnitski picture dmitrykarnitski on 30 Oct 2019
👍6

The implementation of this is nearly finished, and I'll be reprioritizing it next week.

lsmith130 picture lsmith130 on 30 Jan 2020

I see that this issue has been open for a while. Is there any ETA on when it will be resolved? Thanks

stuartleeks picture stuartleeks on 4 Feb 2020
👍4

This will be fixed by #12648 which will hopefully be merged in time for the next release.

lsmith130 picture lsmith130 on 21 Mar 2020
👍1

@ravindp Hi Ravi, do you have some samples ready now? I have one customer wants to enable CDN https with keyvault using powershell or Az CLI+REST API. Appreciate if you can provide us some samples for that.

yinoa picture yinoa on 7 May 2020
👍1

@ravindp Hi Ravi, do you have some samples ready now? I have one customer wants to enable CDN https with keyvault using powershell or Az CLI+REST API. Appreciate if you can provide us some samples for that.

REST API is working, please refer to guibirow's reply: https://github.com/Azure/azure-cli/issues/9894#issuecomment-539916667

liualexiang picture liualexiang on 11 May 2020

Fixed in #12648.

lsmith130 picture lsmith130 on 10 Jul 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ahmetb picture ahmetb  路  3Comments
seanknox picture seanknox  路  3Comments
FumiakiNagano picture FumiakiNagano  路  3Comments
cicorias picture cicorias  路  3Comments
williexu picture williexu  路  3Comments