Hi all. I'm trying to create an azurerm backend_http_settings block in an Azure Application Gateway v2.0 using Terraform and Let's Encrypt via the ACME provider.
I can successfully create the certificate and import the .pfx into the frontend HTTPS listener; the acme and azurerm providers supply everything needed to handle the PKCS12.
Unfortunately, the backend needs a .cer file, presumably base64-encoded rather than DER, and no matter what I try I can't get it to work. My understanding is that the Let's Encrypt .pem file should take care of this, but when I try to use the acme provider's certificate_pem as the trusted_root_certificate, I get the following error:
Error: Error Creating/Updating Application Gateway "agw-frontproxy" (Resource Group "rg-mir"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewayTrustedRootCertificateInvalidData" Message="Data for certificate .../providers/Microsoft.Network/applicationGateways/agw-frontproxy/trustedRootCertificates/vnet-mir-be-cert is invalid." Details=[]
terraform plan works fine; the error above occurs during terraform apply, when the azurerm provider complains that the certificate data is invalid. I've written the certificates to disk and they look the way I expect. Here's a snippet with the relevant code:
locals {
  https_setting_name       = "${azurerm_virtual_network.vnet-mir.name}-be-tls-htst"
  https_frontend_cert_name = "${azurerm_virtual_network.vnet-mir.name}-fe-cert"
  https_backend_cert_name  = "${azurerm_virtual_network.vnet-mir.name}-be-cert"
}

provider "azurerm" {
  version = "~>2.7"
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }
}

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "acme_certificate" "certificate" {
  account_key_pem           = acme_registration.reg.account_key_pem
  common_name               = "cert-test.example.com"
  subject_alternative_names = ["cert-test2.example.com", "cert-test3.example.com"]
  certificate_p12_password  = "<your password here>"

  dns_challenge {
    provider = "cloudflare"
    config = {
      CF_API_EMAIL      = "<your email here>"
      CF_DNS_API_TOKEN  = "<your token here>"
      CF_ZONE_API_TOKEN = "<your token here>"
    }
  }
}

resource "azurerm_application_gateway" "agw-frontproxy" {
  name                = "agw-frontproxy"
  location            = azurerm_resource_group.rg-mir.location
  resource_group_name = azurerm_resource_group.rg-mir.name

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  trusted_root_certificate {
    name = local.https_backend_cert_name
    data = acme_certificate.certificate.certificate_pem
  }

  ssl_certificate {
    name     = local.https_frontend_cert_name
    data     = acme_certificate.certificate.certificate_p12
    password = "<your password here>"
  }

  # Create HTTPS listener and backend
  backend_http_settings {
    name                           = local.https_setting_name
    cookie_based_affinity          = "Disabled"
    port                           = 443
    protocol                       = "Https"
    request_timeout                = 20
    trusted_root_certificate_names = [local.https_backend_cert_name]
  }
  # (closing brace of the resource, missing from the snippet as pasted)
}
What am I doing wrong?
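An added example (not part of the question, and not code from the acme or azurerm providers) that shows what the "base64-encoded .cer rather than DER" distinction in the question actually means and how to check which certificate in a PEM bundle is the self-signed root. It is pure Python with no third-party dependencies: it splits a PEM bundle into DER certificates, re-encodes each as the base64 body a "Base-64 encoded X.509 (.CER)" file carries, and walks the outer ASN.1 structure of each certificate just far enough to compare issuer and subject. The three-certificate chain is a constructed, unsigned skeleton built inline for the demo; the helper names, and the assumption that a gateway trusted root entry should be the self-signed certificate of the chain rather than the leaf, are mine.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Split a PEM bundle (one or more certificates) into raw DER byte strings."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(pem_text)]


def der_to_b64(der):
    """Base64 of the DER bytes: exactly the body of a 'Base-64 encoded X.509 (.CER)' file."""
    return base64.b64encode(der).decode("ascii")


def der_to_pem(der):
    """Wrap DER bytes in PEM armour, 64 characters per line."""
    body = der_to_b64(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _read_tlv(buf, pos):
    """Minimal DER tag-length-value reader; returns (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf):
    """Return the (tag, value) pairs directly contained in a DER SEQUENCE value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, vs, ve = _read_tlv(buf, pos)
        out.append((tag, buf[vs:ve]))
        pos = ve
    return out


def issuer_and_subject(der):
    """Extract the raw DER Name values of issuer and subject from a certificate."""
    tag, vs, ve = _read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs = _children(der[vs:ve])[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def is_self_signed(der):
    """A root CA certificate names itself as issuer; leaf and intermediates do not."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def find_root_b64(pem_text):
    """Return the base64 DER of the self-signed certificate in a PEM bundle, or None."""
    for der in pem_to_der_list(pem_text):
        if is_self_signed(der):
            return der_to_b64(der)
    return None


# ---- constructed demo input (unsigned skeleton, not a real certificate) ----
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + content


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_der(subject_cn, issuer_cn):
    """Constructed X.509 skeleton with an empty signature, for demonstration only."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01")) + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, version + serial + sig_alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


# Leaf -> intermediate -> root, in the order a PEM chain file usually lists them.
SAMPLE_CHAIN_PEM = (
    der_to_pem(fake_cert_der("cert-test.example.com", "Demo Intermediate"))
    + der_to_pem(fake_cert_der("Demo Intermediate", "Demo Root"))
    + der_to_pem(fake_cert_der("Demo Root", "Demo Root"))
)

if __name__ == "__main__":
    for der in pem_to_der_list(SAMPLE_CHAIN_PEM):
        print(len(der), "bytes DER, self-signed:", is_self_signed(der))
    print("root as .cer body:", find_root_b64(SAMPLE_CHAIN_PEM)[:40], "...")
```

The point for the question's setup: the acme provider's certificate_pem is the leaf, so even if the encoding is right it is not a root; and a "base64 .cer" is nothing more than the DER bytes base64-encoded, i.e. the PEM body without its BEGIN/END lines. Run the script against the real PEM files written to disk to see which entry, if any, is self-signed, and compare the base64 it emits with the bytes Terraform is sending.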
The only thing that worked for me was using the tightly coupled Windows tooling. If you follow the documentation below it will work. Spent 2 days on the same problem :)