
Using Azure Key Vault with Azure Web Apps – “The parameter certificateEnvelope.Properties.KeyVaultId has an invalid value.” [Solved ✓]

By Peter Örneholm | Blog | 3 January 2017

TL;DR: If you receive “Bad Request (51008): The parameter certificateEnvelope.Properties.KeyVaultId has an invalid value.” as part of your App Service deployment when using an SSL cert hosted in Azure Key Vault, you have probably tried changing which Key Vault to use, which does not seem to be supported. The workaround is to manually remove any usage of the certificate, then the certificate itself, and then redeploy your infrastructure.

The longer story

I just recently blogged about how to solve an issue with Azure Key Vault when the certificate was in the wrong format. Another issue I found when I was exploring the combination of Azure App Service and Azure Key Vault for SSL certificates was that I was unable to change what Key Vault to use.

In my ARM template I had simply changed which keyVaultId to use for Microsoft.Web/certificates, but that seems to be read-only once set.

The ARM definition would look something like this:

{
  "type": "Microsoft.Web/certificates",
  "name": "peterorneholm",
  "apiVersion": "2016-03-01",
  "location": "westeurope",
  "properties": {
    "keyVaultId": "/subscriptions/b2d60a3f-bef4-441c-88de-0c6831390c8d/resourceGroups/peterorneholm/providers/Microsoft.KeyVault/vaults/peterorneholm",
    "keyVaultSecretName": "mycert"
  }
},

And changing the keyVaultId would result in the following error:

Resource Microsoft.Web/certificates 'peterorneholm' failed with message '{
  "Code": "BadRequest",
  "Message": "The parameter certificateEnvelope.Properties.KeyVaultId has an invalid value.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter certificateEnvelope.Properties.KeyVaultId has an invalid value."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "Code": "BadRequest",
        "Message": "The parameter certificateEnvelope.Properties.KeyVaultId has an invalid value.",
        "ExtendedCode": "51008",
        "MessageTemplate": "The parameter {0} has an invalid value.",
        "Parameters": [
          "certificateEnvelope.Properties.KeyVaultId"
        ],
        "InnerErrors": null
      }
    }
  ],
  "Innererror": null
}'

The workaround I came up with was to manually delete any hostname bindings using the certificate and finally delete the certificate resource itself (the one in Azure App Service). This could be accomplished with the APIs (through PowerShell for example), but in my case I found it simpler to just use the resource explorer available at http://resources.azure.com/.

If you enable Read/Write in the upper right corner, you are able to delete the resources I mentioned above. Once this is done you can simply redeploy your ARM template with the new configuration.
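A pre-deployment check for the situation described above, as an added example that is not part of the original post: it compares the keyVaultId in a template against the already deployed certificate resource and lists the hostname bindings and certificate that have to be removed first. The function name `plan_cleanup`, the sample resources and the placeholder subscription ID are assumptions; the check assumes literal resource names in the template (no ARM expressions) and deployed state that was exported beforehand.

```python
# Constructed sample: template after keyVaultId was edited (placeholder IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
TEMPLATE = {"resources": [{
    "type": "Microsoft.Web/certificates", "name": "peterorneholm",
    "properties": {
        "keyVaultId": SUB + "/providers/Microsoft.KeyVault/vaults/newvault",
        "keyVaultSecretName": "mycert"}}]}

# Constructed sample of the currently deployed state, exported beforehand.
DEPLOYED_CERTS = [{"name": "peterorneholm", "properties": {
    "keyVaultId": SUB + "/providers/Microsoft.KeyVault/vaults/oldvault",
    "thumbprint": "AA11"}}]
DEPLOYED_SITES = [{"name": "mysite", "properties": {"hostNameSslStates": [
    {"name": "www.example.com", "sslState": "SniEnabled", "thumbprint": "aa11"},
    {"name": "mysite.azurewebsites.net", "sslState": "Disabled", "thumbprint": None}]}}]


def plan_cleanup(template, deployed_certs, deployed_sites):
    """List certificates whose keyVaultId would change, with the bindings using them."""
    current = {c["name"].lower(): c["properties"] for c in deployed_certs}
    plan = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/certificates":
            continue
        old = current.get(res["name"].lower())
        if old is None:
            continue  # certificate not deployed yet: nothing to clean up
        new_id = res["properties"].get("keyVaultId") or ""
        old_id = old.get("keyVaultId") or ""
        # ARM resource IDs are case-insensitive, so compare them case-folded.
        if new_id.lower().rstrip("/") == old_id.lower().rstrip("/"):
            continue  # same vault: redeploying will not hit error 51008
        thumb = (old.get("thumbprint") or "").upper()
        # Bindings reference the certificate by thumbprint, not by resource name.
        bindings = [(site["name"], host["name"])
                    for site in deployed_sites
                    for host in site["properties"].get("hostNameSslStates", [])
                    if thumb and (host.get("thumbprint") or "").upper() == thumb]
        plan.append({"certificate": res["name"], "bindings": bindings})
    return plan


if __name__ == "__main__":
    for item in plan_cleanup(TEMPLATE, DEPLOYED_CERTS, DEPLOYED_SITES):
        print("remove bindings", item["bindings"],
              "then certificate", item["certificate"], "before redeploying")
```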
