azure-cli: az webapp config ssl bind results in error when webapp is in different rg than app service plan

Description

az webapp config ssl bind fails with "certificate 'xyz' not found" when the pfx cert is uploaded to a webapp in a different resource group than the app service plan.

To Reproduce

1. Create App Service Plan in resource group 'A'
2. Create WebApp 'myApp' on the Plan in new resource group 'B'
3. Upload .pfx cert to WebApp

az webapp config ssl list --resource-group 'B' # This shows the certificate with thumbprint 'xyz' is found

az webapp config ssl bind --certificate-thumbprint 'xyz' --ssl-type SNI --name 'myApp' --resource-group 'B' # Results in error: certificate 'xyz' not found

--debug shows az webapp config ssl bind is searching for the pfx cert in resource group 'A', where the App Service plan is located.


The .pfx cert is actually located in resource group 'B' alongside the WebApp.

Expected behavior

Command should run successfully.

Uploaded private key certs are located in the rg of the WebApp they are initially uploaded to. Uploaded private key certs can be shared across all WebApps in the same App Service Plan regardless of resource group.

Suggested Fix: az webapp config ssl bind should search for a certificate with a matching thumbprint in all resource groups containing WebApps of the parent App Service Plan of the bind target.

Workaround

Uploading the .pfx cert to a WebApp in the same resource group as the App Service Plan works as expected.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 37 (10 by maintainers)

Most upvoted comments

closing this based on comments that 2.0.77 works from above, plus we have plans to update SSL commands & work on making help better as a part of those changes. Thanks!

This shouldn't be closed as the same problem exists in:

az version
{
  "azure-cli": "2.17.1",
  "azure-cli-core": "2.17.1",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "ai-examples": "0.2.5",
    "azure-cli-ml": "1.19.0"
  }
}

I have found a workaround for this, which is to use the generic "az resource" command, which allows you to jump in and do things via the API directly. This is not an API bug as this works. Very basic, for illustration only:

az webapp config hostname add {yourAppDomainToBind e.g. mydomain.com}
az webapp config ssl upload {certUploadParams}
az resource update --ids "{WebAppID}/hostNameBindings/{yourAppDomainToBind e.g. mydomain.com}?api-version=2019-08-01" --set properties.thumbprint={certThumbprint} --set properties.sslState=SniEnabled

You need to pass both --set params or nothing will be set, e.g. you cannot just send certThumbprint only, hoping to see it updated but not active for testing, though you could set it to Disabled explicitly. Replace SniEnabled with IPBasedEnabled or Disabled as suits your need, as per: https://docs.microsoft.com/en-us/rest/api/appservice/webapps/createorupdatehostnamebinding
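Added example, not azure-cli's own code and not the commenter's script: a Python sketch of the lookup the issue's Suggested Fix describes (search every resource group that hosts a web app on the target's App Service Plan for the thumbprint) which then applies the az resource update binding from the workaround above. It assumes `az` is on PATH, uses the `--api-version` flag in place of the `?api-version=` suffix, and the web apps, certificates and thumbprints in the sample data are constructed.

```python
"""Added example, not azure-cli's own code: cross-resource-group cert lookup (the fix the
issue asks for) plus the az-resource binding from the workaround. Assumes `az` on PATH."""
import json
import subprocess
import sys

def az_json(*args):
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)  # az emits JSON on stdout with -o json

def resolve_certificate(target_rg, target_name, thumbprint, webapps, list_certs):
    """Return (rg, cert) for a thumbprint, searching every resource group that hosts a
    web app on the target's App Service Plan; None if absent. `webapps` is `az webapp list`
    output, `list_certs(rg)` gives `az webapp config ssl list -g rg` output. Resource IDs
    and thumbprints are not reliably cased, so comparisons are case-insensitive."""
    plan_id = next((w["serverFarmId"] for w in webapps
                    if (w["resourceGroup"].lower(), w["name"].lower())
                    == (target_rg.lower(), target_name.lower())), None)
    if plan_id is None:
        raise LookupError(f"web app {target_name} not found in {target_rg}")
    candidate_rgs = sorted({w["resourceGroup"] for w in webapps
                            if w["serverFarmId"].lower() == plan_id.lower()})
    for rg in candidate_rgs:
        for cert in list_certs(rg):
            if cert["thumbprint"].lower() == thumbprint.lower():
                return rg, cert
    return None

def bind_command(webapp_id, hostname, thumbprint, ssl_state="SniEnabled"):
    """The workaround: update the hostNameBinding sub-resource directly. Both --set
    values are required; --api-version replaces the ?api-version= suffix used above."""
    return ["az", "resource", "update", "--ids", f"{webapp_id}/hostNameBindings/{hostname}",
            "--api-version", "2019-08-01", "--set", f"properties.thumbprint={thumbprint}",
            "--set", f"properties.sslState={ssl_state}"]

# Constructed sample data mirroring the issue: plan in rg A, target web app in rg B,
# the cert uploaded to a sibling app in rg A, and an unrelated app/cert in rg C.
PLAN = "/subscriptions/SUB/resourceGroups/A/providers/Microsoft.Web/serverfarms/plan1"
SAMPLE_WEBAPPS = [
    {"name": "myApp", "resourceGroup": "B", "serverFarmId": PLAN, "id": "/sites/myApp"},
    {"name": "other", "resourceGroup": "A", "serverFarmId": PLAN, "id": "/sites/other"},
    {"name": "foreign", "resourceGroup": "C", "serverFarmId": PLAN + "2", "id": "/sites/x"},
]
SAMPLE_CERTS = {"A": [{"thumbprint": "ABCDEF0123"}], "C": [{"thumbprint": "FFFF0000"}]}

if __name__ == "__main__":  # usage: <webapp-rg> <webapp-name> <hostname> <thumbprint>
    rg, name, host, thumb = sys.argv[1:5]
    apps = az_json("webapp", "list")
    certs = lambda g: az_json("webapp", "config", "ssl", "list", "-g", g)
    hit = resolve_certificate(rg, name, thumb, apps, certs)
    if hit is None:
        raise SystemExit(f"certificate {thumb} not found in any resource group of the plan")
    app_id = next(a["id"] for a in apps if (a["resourceGroup"], a["name"]) == (rg, name))
    subprocess.run(bind_command(app_id, host, hit[1]["thumbprint"]), check=True)
```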

Why is this closed?

What is the status of this issue? As I can see it is closed; however, in version:

{
  "azure-cli": "2.4.0",
  "azure-cli-command-modules-nspkg": "2.0.3",
  "azure-cli-core": "2.4.0",
  "azure-cli-nspkg": "3.0.4",
  "azure-cli-telemetry": "1.0.4",
  "extensions": {}
}

It still does not work.

My scenario according to your comment:

type               name      resource group
App service plan   ASP1      RG1
Web app            WEBAPP2   RG2

thumbprint=$(az webapp config ssl upload --certificate-file MY_DOMAIN.pfx --certificate-password test1234 --name WEBAPP2 --resource-group RG2 -o tsv --query thumbprint)
az webapp config ssl bind --certificate-thumbprint ${thumbprint} --resource-group RG1 --name WEBAPP2 --ssl-type SNI

It fails with:

{"error":{"code":"ResourceNotFound","message":"The Resource 'Microsoft.Web/sites/WEBAPP2' under resource group 'RG1' was not found."}}

When I try to execute:

az webapp config ssl bind --certificate-thumbprint ${thumbprint} --resource-group RG2 --name WEBAPP2 --ssl-type SNI

then error:

Certificate for thumbprint 'XXXXXXCERTTHUMBPRINTXXXXX' not found.

Also, uploading the certificate to the app service plan:

az webapp config ssl upload --certificate-file MY_DOMAIN.pfx --certificate-password test1234 --name ASP1 --resource-group RG1 -o tsv --query thumbprint

fails with error:

{"error":{"code":"ResourceNotFound","message":"The Resource 'Microsoft.Web/sites/ASP1' under resource group 'RG1' was not found."}}

Is there any progress on resolving this issue?

No, seriously, why is this closed?

Hi, I am also getting this issue. As of writing this I am using the latest version of the CLI with PowerShell 7.

PS C:\Users\matth> az --version
azure-cli                          2.5.1

command-modules-nspkg              2.0.3
core                               2.5.1
nspkg                              3.0.4
telemetry                          1.0.4

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\matth\.azure\cliextensions'

Python (Windows) 3.6.6 (v3.6.6:4cf1f54eb7, Jun 27 2018, 02:47:15) [MSC v.1900 32 bit (Intel)]

I manually added the certificate via the portal and I am now trying to reference using the thumbprint I obtained from the portal.

I am running the following command: az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI --name $app --resource-group $rg --subscription $sub

If I use the ASP resource group I get this error (I have edited the names): {"error":{"code":"ResourceNotFound","message":"The Resource 'Microsoft.Web/sites/my-web-app' under resource group 'my-web-app-resource-group' was not found."}}

If I use the Web App resource group I get this: Certificate for thumbprint 'the thumbprint' not found.

Thank you @MarkPerry24. You just saved me updating a whole bunch of web apps manually.

@panchagnula

What is the RG value you are using - the ASP one or the Webapp one?

The Webapp one.

Using the ASP RG would produce the following error: {"error":{"code":"ResourceNotFound","message":"The Resource 'Microsoft.Web/sites/MyWebapp2139102312' under resource group 'AspRG' was not found."}}

You can see the full script I am using below:

#!/usr/bin/env bash
MyWebapp=MyWebapp2139102312
echo "Creating resource groups. . ."
echo
az group create -l northeurope -n 'AspRG' --output none
az group create -l northeurope -n 'WebappRG' --output none

echo  "Creating app service plan MyASP. . ."
# -o tsv returns the bare id, so no eval is needed to strip the JSON quotes later
planId=$(az appservice plan create -n "MyASP" -g "AspRG" --sku "S1" -l northeurope --query id -o tsv)
echo  "Created with id: $planId"
echo

echo  "Creating webapp $MyWebapp. . ."
webappId=$(az webapp create -g WebappRG -p "$planId" -n "$MyWebapp" --query id -o tsv)
echo  "Created webapp with id: $webappId"
echo

echo "Uploading pfx cert. . ."
az webapp config ssl upload --certificate-file testcert.pfx --certificate-password "test1234" --name "$MyWebapp" -g "WebappRG" --output none
echo
echo "Retrieving thumbprint. . ."
# The same cert is uploaded a second time here purely to capture its thumbprint
thumbprint=$(az webapp config ssl upload \
    --name "$MyWebapp" \
    --resource-group WebappRG \
    --certificate-file testcert.pfx \
    --certificate-password test1234 \
    --query thumbprint \
    --output tsv)

echo  "found cert with thumbprint: $thumbprint"
echo
echo "Attempting to bind webapp to pfx cert in separate rg to asp.."
echo
az webapp config ssl bind --certificate-thumbprint "$thumbprint" --ssl-type SNI --name "$MyWebapp" -g "WebappRG"

The repo I linked above includes the throwaway cert used: https://github.com/owenmather/az-webapp-bind-err-demo