This post was originally published here
I was working on an API that needed a client certificate (SSL) to connect to an external API exposed by a third party. We stored this certificate in Key Vault and referenced it from the Azure App Service (Web API). I used an ARM template to add the certificate (.pfx) from Azure Key Vault to the TLS/SSL settings of the Web App Service.
Below is the ARM template that gets the certificate from Key Vault and deploys the Web App into the App Service Environment (ASE).
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appServiceName": {
      "type": "string"
    },
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Storage Account name"
      }
    },
    "appServicePlanResourceGroup": {
      "type": "string",
      "metadata": {
        "description": "Azure service plan resource group"
      }
    },
    "appServicePlanName": {
      "type": "string",
      "metadata": {
        "description": "Azure Service Plan name"
      }
    },
    "applicationInsightsName": {
      "type": "string",
      "metadata": {
        "description": "The name of the app insights instance for the workload"
      }
    },
    "keyVaultName": {
      "type": "string"
    },
    "keyVaultResourceGroup": {
      "type": "string"
    },
    "BaseUrl": {
      "type": "string"
    },
    "CertkeyVaultSecretName": {
      "type": "string"
    }
  },
  "variables": {
    "applicationInsights": {
      "apiVersion": "2015-05-01",
      "name": "[parameters('applicationInsightsName')]"
    },
    "keyVault": {
      "apiVersion": "2015-06-01",
      "name": "[parameters('keyVaultName')]",
      "resourceId": "[resourceId(parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
    }
  },
  "resources": [
    {
      "apiVersion": "2015-08-01",
      "name": "[parameters('appServiceName')]",
      "type": "Microsoft.Web/sites",
      "location": "[resourceGroup().location]",
      "tags": {
        "displayName": "Website"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "dependsOn": [
        "Microsoft.Web/certificates/CertificateName"
      ],
      "properties": {
        "name": "[parameters('appServiceName')]",
        "serverFarmId": "[resourceId(parameters('appServicePlanResourceGroup'), 'Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
        "siteConfig": {
          "use32BitWorkerProcess": false,
          "alwaysOn": true,
          "ftpsState": "FtpsOnly"
        },
        "httpsOnly": true
      },
      "resources": [
        {
          "name": "appsettings",
          "type": "config",
          "apiVersion": "2015-08-01",
          "dependsOn": [
            "[resourceId('Microsoft.Web/sites', parameters('appServiceName'))]"
          ],
          "properties": {
            "ApplicationInsights:InstrumentationKey": "[reference(resourceId(resourceGroup().Name, 'Microsoft.Insights/components', variables('applicationInsights').name), variables('applicationInsights').apiVersion).InstrumentationKey]",
            "Web:BaseAddress": "[parameters('BaseUrl')]",
            "Web:ClientCertificateThumbprint": "[reference(resourceId(resourceGroup().Name, 'Microsoft.Web/certificates','CertificateName'), '2016-03-01').thumbprint]",
            "WEBSITE_LOAD_CERTIFICATES": "*"
          }
        }
      ]
    },
    {
      "type": "Microsoft.Web/certificates",
      "name": "CertificateName",
      "apiVersion": "2016-03-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "keyVaultId": "[variables('keyVault').resourceId]",
        "keyVaultSecretName": "[parameters('CertkeyVaultSecretName')]",
        "serverFarmId": "[resourceId(parameters('appServicePlanResourceGroup'), 'Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
      }
    },
    {
      "apiVersion": "2014-04-01",
      "name": "[parameters('applicationInsightsName')]",
      "type": "Microsoft.Insights/components",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites/', parameters('appServiceName'))]"
      ],
      "tags": {
        "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', parameters('appServiceName'))]": "Resource",
        "displayName": "AppInsightsComponent"
      },
      "properties": {
        "applicationId": "[parameters('appServiceName')]"
      }
    }
  ]
}
When this deployment was run from the Azure Portal, it errored out with the following message.
Status Message: {"Code":"Conflict","Message":"Another certificate exists with same thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxx at location Australia East in the Resource Group RG-AE-Dev.","Target":null,"Details":[{"Message":"Another certificate exists with same thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxx at location Australia East in the Resource Group RG-AE-Dev."},{"Code":"Conflict"},{"ErrorEntity":{"ExtendedCode":"53008","MessageTemplate":"Another certificate exists with same thumbprint {0} at location {1} in the Resource Group {2}.","Parameters":["xxxxxxxxxxxxxxxxxxxxxxxxxxxx","Australia East","RG-AE-Dev"],"Code":"Conflict","Message":"Another certificate exists with same thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxx at location Australia East in the Resource Group RG-AE-Dev."}}],"Innererror":null}
I couldn't find any other certificate with the same thumbprint in the Key Vault, so I ran the PowerShell commands below to list every certificate resource in the resource group.
# Change these to your appropriate values
$SubscriptionId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$ResourceLocation = "Australia East"
$ResourceGroupName = "RG-AE-Dev"
$ResourceName = "CertificateName"
$KeyVaultName = "AZ-KeyVault"
$KeyVaultId = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG-AE-ICC-Dev/providers/Microsoft.KeyVault/vaults/AZ-KeyVault"
$KeyVaultSecretName = "certificatesecret"
$ServerFarmId = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG-AE-Dev/providers/Microsoft.Web/serverfarms/AustraliaEastPlan"
# Log in and select the correct subscription
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $SubscriptionId
# List all Microsoft.Web/certificates resources in the resource group
Get-AzureRmResource -ResourceGroupName $ResourceGroupName -ResourceType Microsoft.Web/certificates -IsCollection -ApiVersion 2018-02-01
This PowerShell command lists all the certificates, and I found that the same certificate was installed under a different name, hence the same thumbprint.
Then I navigated to resources.azure.com -> subscriptions -> resourceGroups -> providers -> Microsoft.Web -> certificates
I found the certificate with the different name and removed it using Actions (DELETE). I re-ran the deployment and it succeeded.
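The listing above still leaves you comparing thumbprints by eye. The script below is an added example (not from the original post) that groups the Microsoft.Web/certificates resources in a resource group by thumbprint and location and reports any group with more than one member, which is exactly the condition behind the Conflict/53008 error. It assumes the same AzureRm module the post uses and that you are already logged in; the resource group name is a placeholder.

```powershell
# Added example: find App Service certificate resources that share a thumbprint.
# Assumes AzureRm (Login-AzureRmAccount already done) and a placeholder RG name.
$ResourceGroupName = "RG-AE-Dev"

# -ExpandProperties populates .Properties (thumbprint, expirationDate, ...)
$certs = Get-AzureRmResource -ResourceGroupName $ResourceGroupName `
    -ResourceType Microsoft.Web/certificates -ExpandProperties

# One row per certificate resource, with the fields needed to tell twins apart
$rows = foreach ($c in $certs) {
    [pscustomobject]@{
        Name               = $c.Name
        Location           = $c.Location
        Thumbprint         = $c.Properties.thumbprint
        ExpirationDate     = $c.Properties.expirationDate
        KeyVaultSecretName = $c.Properties.keyVaultSecretName
        ResourceId         = $c.ResourceId
    }
}
$rows | Sort-Object Thumbprint, Name | Format-Table Name, Location, Thumbprint, ExpirationDate, KeyVaultSecretName -AutoSize

# The conflict is raised per thumbprint within a location and resource group,
# so group on both; any group with Count > 1 is a duplicate the deployment will hit.
$duplicates = $rows | Group-Object Thumbprint, Location | Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    foreach ($g in $duplicates) {
        Write-Warning ("Thumbprint/location '{0}' is bound to {1} certificate resources: {2}" -f `
            $g.Name, $g.Count, (($g.Group | ForEach-Object { $_.Name }) -join ', '))
        # Print the full resource IDs so the stale one can be removed deliberately
        $g.Group | Select-Object Name, KeyVaultSecretName, ResourceId | Format-List
    }
} else {
    Write-Host "No duplicate certificate thumbprints in resource group $ResourceGroupName"
}
```

Before deleting a duplicate, check which of the listed resources the template actually names (here CertificateName) and confirm no other app or binding still references the other entry.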
Thanks