
I'm trying to get the Azure Let's Encrypt site extension working for one of my Azure websites, following the instructions at:

https://gooroo.io/GoorooTHINK/Article/16420/Lets-Encrypt-Azure-Web-Apps-the-Free-and-Easy-Way/20047#.VxUIbKgrKUl

but I'm getting an authorization error when I run it. I have no idea where to start looking to try and solve this, and any help would be more than welcome.

The error is as follows:

Microsoft.Rest.Azure.CloudException: The client '{id}' with object id '{same id here??}' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/{subscription id} /resourceGroups/Default-Web-NorthEurope/providers/Microsoft.Web/sites/{sitename}'. at Microsoft.Azure.Management.WebSites.SitesOperations.d__29.MoveNext()

Update

It was an issue with the principal's access to the web app.

I decided to follow through Troy Hunt's walkthrough here: https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/

It is pretty good. He uses the old Azure portal to set up the Active Directory, which I found a bit more useful as I could actually see what was going on.

Anyway, I've got all the way through the process right up to the actual certificate request, and now I am getting a 403 server error returned:

The remote server returned an error: (403) Forbidden.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Net.WebException: The remote server returned an error: (403) Forbidden.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 


[WebException: The remote server returned an error: (403) Forbidden.]
   System.Net.HttpWebRequest.GetResponse() +1390
   ACMESharp.AcmeClient.RequestHttpPost(Uri uri, Object message) +642

[AcmeWebException: Unexpected error]
   ACMESharp.AcmeClient.AuthorizeIdentifier(String dnsIdentifier) +435
   LetsEncrypt.SiteExtension.Core.CertificateManager.Authorize(Target target) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:518
   LetsEncrypt.SiteExtension.Core.CertificateManager.Auto(Target binding) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:441
   LetsEncrypt.SiteExtension.Core.CertificateManager.RequestAndInstallInternal(Target target) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:244
   LetsEncrypt.SiteExtension.Controllers.HomeController.Install(RequestAndInstallModel model) +604
   lambda_method(Closure , ControllerBase , Object[] ) +104
   System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +169
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
   System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
   System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
   System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +50
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +225
   System.Web.Mvc.Async.<>c__DisplayClass33.<BeginInvokeActionMethodWithFilters>b__32(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
   System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +26
   System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
   System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
   System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
   System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9644037
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Andy Roper
  • I haven't been able to solve this. Did you figure it out? – Judah Gabriel Himango Oct 31 '16 at 19:40
  • Sadly not - I was having all sorts of issues with Azure as I had the developer benefit program subscription and another subscription running side by side. I came to the conclusion that I had already spent more than the cost of purchasing a certificate in time trying to sort it out, and wasn't keen to go through all this each time I had a new site that needed https (which is pretty much anything you want to get ranked in Google now). As Troy mentions in his post, the process needs automating big time. – Andy Roper Dec 04 '16 at 17:32
  • "It was an issue with the principal's access to the web app." - Could you clarify? That might be the answer to the original question, which a lot of people will come here looking for (including me). – Stuart Dobson Mar 18 '17 at 12:19
  • Shameless plug, I wrote a WebJob that should be more reliable than the site extension: https://github.com/ohadschn/letsencrypt-webapp-renewer. – Ohad Schneider Aug 27 '17 at 01:13

6 Answers


After adding the App Registration, it is necessary to add it as a Role Assignment to the Resource Group with the role "Contributor".

If you forget this, you will get the above error message.

After doing this, please restart the App Service before trying to run the Let's Encrypt extension again.

Andrew
Greg Gum

For me, this problem came up when my ResourceGroup was not the same as my ServicePlanResourceGroup.

So if those are not equal, you need to add the App registration you created (the clientId you created the secret key for) to the ServicePlanResourceGroup in addition to the ResourceGroup.

Neil.Work
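The role assignments described in Andrew's and Neil.Work's answers (Contributor on the web app's resource group and, when it differs, on the App Service plan's resource group), and joacar's subscription-level variant, as a scripted check. This is an added example, not code from the question, the answers or the site extension; it assumes the Azure CLI (`az`) is installed and logged in, and that the application ID passed in is the app registration's client ID.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Checks and, if missing,
# grants the Contributor role to the Let's Encrypt extension's app registration on
# the web app's resource group AND on its App Service plan's resource group, which the
# answers above identify as the cause of the 'Microsoft.Web/sites/read' error.
# Assumes the Azure CLI ('az') is installed and already logged in.
set -eu

# Resource group name from an ARM resource ID such as
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<plan>.
# The segment's casing varies between API responses, so match either spelling.
rg_from_id() {
  printf '%s\n' "$1" | sed -E 's#.*/[Rr]esource[Gg]roups/([^/]+).*#\1#'
}

# Print the distinct resource-group scopes the principal needs: the web app's own
# group, plus the plan's group when it differs (Neil.Work's case above).
scopes_for() {
  sub="$1"; app_rg="$2"; plan_rg="$(rg_from_id "$3")"
  printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$app_rg"
  if [ "$plan_rg" != "$app_rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$plan_rg"
  fi
}

# Usage: ensure_contributor <subscription-id> <app-resource-group> <web-app-name> <application-id>
# <application-id> is the client ID of the app registration (the one the secret was created for).
ensure_contributor() {
  sub="$1"; app_rg="$2"; app="$3"; client_id="$4"
  plan_id="$(az webapp show --subscription "$sub" --resource-group "$app_rg" \
               --name "$app" --query serverFarmId --output tsv)"
  for scope in $(scopes_for "$sub" "$app_rg" "$plan_id"); do
    # --include-inherited also counts an assignment made at subscription scope
    # (joacar's answer), so an existing broader grant is not duplicated.
    n="$(az role assignment list --assignee "$client_id" --role Contributor \
           --scope "$scope" --include-inherited --query 'length(@)' --output tsv)"
    if [ "$n" = "0" ]; then
      echo "granting Contributor on $scope"
      az role assignment create --assignee "$client_id" --role Contributor \
        --scope "$scope" --output none
    else
      echo "already Contributor on $scope"
    fi
  done
}

# Run only when invoked with the four arguments above; otherwise the functions are just defined.
if [ "$#" -eq 4 ]; then
  ensure_contributor "$@"
fi
```

Contributor is what the answers above used; a narrower custom role covering only the Microsoft.Web actions the extension needs would also satisfy the 'Microsoft.Web/sites/read' check, if you want to limit the principal's reach.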

I ran into the exact same exception and followed these steps to resolve it:

  1. Navigate to Subscriptions in Azure Portal
  2. Select the subscription in which the App Service is hosted
  3. Select Access Control (IAM)
  4. Add a new entity
  5. Select the role Contributor
  6. Search for the Service Principal
  7. Add the user

This immediately resolved the exception of insufficient access rights.

Update: Following the steps (5. Register Service Principal), be sure that you are signed in to the correct subscription. In my case I created the service principal in the wrong subscription, hence the principal wasn't assigned correctly to the App Service in use.

joacar

I ran into the same issue for a new Azure App Service. Turned out I had to actually deploy a web app before running the Let's Encrypt wizard. When the default Azure App Service landing page for an empty site is the content, the wizard isn't able to do its job.

Eivind Gussiås Løkseth

It is a problem with the access. Please check the "5. Register a Service Principal" part of the article you mentioned. Do you have the same ApplicationId from when that part was done as the ApplicationId on the LetsEncrypt page? The same secret? Check it, because it looks like something is wrong with that step.

P.S. I have just checked that walkthrough without the error you mentioned.

Alex Belotserkovskiy

I ran into the same problem.

I solved it by not specifying the custom domain (e.g. lybecker.com) in the Azure Let's Encrypt site extension configuration, but using the full lybecker.onmicrosoft.com instead.

Lybecker