
I have been working on the deployment of an Azure API Management instance with a self-signed certificate and private key.

It goes without saying that I tested my Terraform code a couple of days ago and everything worked just fine; I was able to deploy my infra using Terraform, so I deleted the resource group from the portal. Today I wanted to spin up the infra once again, but I got the following error:

Error: creating/updating API Management Service "demo-apim-testing" (Resource Group "rg-testing-apim"): apimanagement.ServiceClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidParameters" Message="Invalid parameter: Certificate 'XXXXXXXX' must have a Private Key."

And the error points to this resource:

resource "azurerm_api_management" "demo-apim" {
  name     = "demo-apim-test"
  sku_name = "Developer_1"

  hostname_configuration {
    proxy {
      host_name                    = "apim.test.com"
      certificate                  = filebase64(var.ssl_certificate_path)
      certificate_password         = var.ssl_certificate_password
      default_ssl_binding          = true
      negotiate_client_certificate = false
    }
  }
}

I generated the certificate .cer and the .pfx and set them as variables:

variable "ssl_certificate_path" {
  default = "./certificate.cer"
}

variable "pfx_certificate" {
  default = "./certificate.pfx"
}

variable "ssl_certificate_password" {
  default = "XXXXX"
}

while in my application gateway I set the same configuration, as follows:

  ssl_certificate {
    data     = filebase64(var.pfx_certificate)
    name     = "demo-app-gateway-certificate"
    password = var.ssl_certificate_password
  }

  trusted_root_certificate {
    data = filebase64(var.ssl_certificate_path)
    name = "demo-trusted-root-ca-certificate"
  }

This same configuration returned successfully on my latest deployment and I was able to test the connection and everything. But today it just does not recognise my certificate anymore.

Can anyone please enlighten me about what I am doing wrong here?

Please, if you need more details or you have any question, don't hesitate to ask. Thank you so much.

Nayden Van
  • What does `pfx_certificate` point to? If TF worked yesterday and doesn't work today, someone's made a manual change to the system most likely – Ermiya Eskandary Oct 31 '21 at 12:53
  • it points to a `.pfx` certificate that I am hosting on the same folder. Nobody touched anything because I am the only one working on this. And all what I did yesterday, was to delete the entire infra from azure portal. And today just stopped recognising the ssl cert – Nayden Van Oct 31 '21 at 12:55
  • Ah you deleted the infra without using Terraform? Can you afford to reinstate everything from scratch? If so, run `terraform destroy` and then try applying again – Ermiya Eskandary Oct 31 '21 at 13:19
  • I can just delete the terraform start and deploy again a clean deployment. Will that help? – Nayden Van Oct 31 '21 at 13:21
  • No no - the first (unofficial) rule of Terraform is that once it is managed by TF, keep it managed by TF (unless in rare cases). Run `terraform destroy` to tear everything down and then run `terraform apply` – Ermiya Eskandary Oct 31 '21 at 13:25
  • Perfect. Thank you, I destroyed the resource using Terraform. I am deploying again; it will take about 1 hr to finish and I will be back here with an answer – Nayden Van Oct 31 '21 at 13:45
  • I tried to apply Terraform again but it fails with the same error. But this time I have this error too, which I believe is related to the private key failing: `Error: creating/updating Subnet: (Name "apim-subnets" / Virtual Network Name "out-virtual-network" / Resource Group "rg-hri-testing-apim"): network.SubnetsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded` – Nayden Van Oct 31 '21 at 14:20
  • Can you try with `certificate = filebase64(var.pfx_certificate)` instead of `certificate = filebase64(var.ssl_certificate_path)` – RamaraoAdapa Oct 31 '21 at 19:58
  • @RamaraoAdapa-MT I tried with the pfx and indeed it worked just fine. But I don't understand how come the other day it was working just fine even with the wrong configuration. Mystery of life, I guess. Thank you so much for your help, guys – Nayden Van Oct 31 '21 at 20:40

1 Answer

As the certificate block supports a base64-encoded PFX or a base64-encoded X.509 certificate, you can use the below code:

certificate = filebase64(var.pfx_certificate)

Instead of

certificate = filebase64(var.ssl_certificate_path)

So the final code should look like below:

resource "azurerm_api_management" "demo-apim" {
  name     = "demo-apim-test"
  sku_name = "Developer_1"

  hostname_configuration {
    proxy {
      host_name                    = "apim.test.com"
      certificate                  = filebase64(var.pfx_certificate)
      certificate_password         = var.ssl_certificate_password
      default_ssl_binding          = true
      negotiate_client_certificate = false
    }
  }
}
Syed Farjad Zia Zaidi
RamaraoAdapa
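A local pre-flight check for the situation in this thread, added here as example code that is not from the question or the answer: it classifies the file that `filebase64()` will read and flags a cert-only `.cer` (the input that produces the "must have a Private Key" error) before `terraform apply` is run. It uses only the Python standard library; the DER branch is a heuristic scan for the PKCS#12 key-bag OIDs rather than a full ASN.1 parser, and the sample inputs are constructed stand-ins, not real certificates.

```python
import re

# DER encodings of the PKCS#12 bag-type OIDs (1.2.840.113549.1.12.10.1.x):
# x=1 keyBag, x=2 pkcs8ShroudedKeyBag (both hold a private key), x=3 certBag.
_BAG_PREFIX = bytes.fromhex("060b2a864886f70d010c0a01")
KEY_BAG, SHROUDED_KEY_BAG, CERT_BAG = (_BAG_PREFIX + bytes([x]) for x in (1, 2, 3))

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----")

def classify(data: bytes) -> str:
    """Classify a certificate file as one of: pem-with-key, pem-cert-only,
    pkcs12-with-key, pkcs12-cert-only, der-cert, unknown.
    The DER branch is a heuristic OID scan, not a full ASN.1 parse."""
    if PEM_KEY_RE.search(data):
        return "pem-with-key"
    if PEM_CERT_RE.search(data):
        return "pem-cert-only"
    if len(data) < 4 or data[0] != 0x30:  # PKCS#12 and X.509 are both a DER SEQUENCE
        return "unknown"
    if KEY_BAG in data or SHROUDED_KEY_BAG in data:
        return "pkcs12-with-key"
    if CERT_BAG in data:
        return "pkcs12-cert-only"
    # Bare X.509: SEQUENCE { SEQUENCE tbsCertificate ... }; PKCS#12 has INTEGER version there.
    hdr = 2 + (data[1] & 0x7F) if data[1] & 0x80 else 2
    if len(data) > hdr and data[hdr] == 0x30:
        return "der-cert"
    return "unknown"

def has_private_key(data: bytes) -> bool:
    """True only for inputs the APIM hostname_configuration certificate will accept."""
    return classify(data) in ("pem-with-key", "pkcs12-with-key")

# Constructed sample inputs (not real certificates): just enough structure for the
# checks above, standing in for the .cer and .pfx files from the question.
SAMPLES = {
    "certificate.cer": b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n",
    "certificate.pfx": b"\x30\x82\x01\x00\x02\x01\x03" + SHROUDED_KEY_BAG + b"\x00" * 8,
    "certificate.der": b"\x30\x82\x01\x00\x30\x82\x00\xf0" + b"\x00" * 8,
}

def check_file(path: str) -> bool:
    """Read a file from disk and report whether it is usable as the APIM proxy certificate."""
    with open(path, "rb") as fh:
        return has_private_key(fh.read())

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify(data)} -> {'OK' if has_private_key(data) else 'REJECT: no private key'}")
```

Run it against the real `./certificate.cer` and `./certificate.pfx` with `check_file()` to see which of the two Terraform variables actually carries a key.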