API Management Service 2019-12-01 create "Certificate management for the default domain is not allowed" #9267

Closed
yupwei68 opened this issue Apr 29, 2020 · 5 comments
Labels: API Management, customer-reported, question, Service Attention

I failed to update an api management service in 2019-12-01 version. The former version works.

  1. create an api management service:
    PUT https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/apim-yup/providers/Microsoft.ApiManagement/service/contoso-apimgmt?api-version=2019-12-01

{"identity":{"type":"SystemAssigned"},"location":"eastus","properties":{"certificates":[],"customProperties":{"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11":"false"},"hostnameConfigurations":[],"publisherEmail":"[email protected]","publisherName":"Contoso","virtualNetworkType":"None"},"sku":{"name":"Developer","capacity":1},"tags":{}}

  2. get the api management service:
    GET https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/apim-yup/providers/Microsoft.ApiManagement/service/contoso-apimgmt?api-version=2019-12-01

{"id":"/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/apim-yup/providers/Microsoft.ApiManagement/service/contoso-apimgmt","name":"contoso-apimgmt","type":"Microsoft.ApiManagement/service","tags":{},"location":"East US","etag":"AAAAAAAGzAc=","properties":{"publisherEmail":"[email protected]","publisherName":"Contoso","notificationSenderEmail":"[email protected]","provisioningState":"Created","targetProvisioningState":"Activating","createdAtUtc":"2020-04-29T05:30:42.4952606Z","gatewayUrl":null,"gatewayRegionalUrl":null,"portalUrl":null,"developerPortalUrl":null,"managementApiUrl":null,"scmUrl":null,"hostnameConfigurations":[{"type":"Proxy","hostName":null,"encodedCertificate":null,"keyVaultId":null,"certificatePassword":null,"negotiateClientCertificate":false,"certificate":null,"defaultSslBinding":true}],"publicIPAddresses":null,"privateIPAddresses":null,"additionalLocations":null,"virtualNetworkConfiguration":null,"customProperties":{"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11":"false"},"virtualNetworkType":"None","certificates":[],"disableGateway":false,"apiVersionConstraint":{"minApiVersion":null}},"sku":{"name":"Developer","capacity":1},"identity":{"type":"SystemAssigned","principalId":"XXXX-XXXX","tenantId":"XXXX-XXXX"}}

  3. update the api management service (in fact, I have no change, the same as the former "get" response):
    PUT https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/apim-yup/providers/Microsoft.ApiManagement/service/contoso-apimgmt?api-version=2019-12-01

{"identity":{"type":"SystemAssigned"},"location":"eastus","properties":{"certificates":[],"customProperties":{"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10":"false","Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11":"false"},"hostnameConfigurations":[{"type":"Proxy","hostName":"contoso-apimgmt.azure-api.net","keyVaultId":"","encodedCertificate":"","certificatePassword":"","defaultSslBinding":true,"negotiateClientCertificate":false}],"notificationSenderEmail":"[email protected]","publisherEmail":"[email protected]","publisherName":"Contoso","virtualNetworkType":"None"},"sku":{"name":"Developer","capacity":1},"tags":{}}

Then I get this error:

{
    "error": {
        "code": "NotSupported",
        "message": "Certificate management for the default domain 'contoso-apimgmt.azure-api.net' is not allowed.",
        "details": null,
        "innerError": null
    }
}

I wonder if it's a new feature. Shall I dismiss hostnameConfigurations, and how could I update an api management service?

ghost commented Apr 29, 2020

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @mjconnection.

yupwei68 commented May 7, 2020

Hi, any update?

sirlatrom commented May 11, 2020

When diff'ing the hostnameConfigurations fields of no. 2 and 3 (with sorted JSON keys for clarity), I see a couple of subtle differences:

2:

{
  "hostnameConfigurations": [
    {
      "certificate": null,
      "certificatePassword": null,
      "defaultSslBinding": true,
      "encodedCertificate": null,
      "hostName": null,
      "keyVaultId": null,
      "negotiateClientCertificate": false,
      "type": "Proxy"
    }
  ]
}

3:

{
  "hostnameConfigurations": [
    {
      "certificatePassword": "",
      "defaultSslBinding": true,
      "encodedCertificate": "",
      "hostName": "contoso-apimgmt.azure-api.net",
      "keyVaultId": "",
      "negotiateClientCertificate": false,
      "type": "Proxy"
    }
  ]
}

It looks like in 3, the following fields are changed from null to either "" or the evaluated hostname:

"certificatePassword": "",
"encodedCertificate": "",
"hostName": "contoso-apimgmt.azure-api.net",
"keyVaultId": "",

I presume this could be caused by Terraform's way of reading the current values, which I'll take a quick look at in the provider's code.

Edit:

FWIW, I've created this pull request to remedy the issue: hashicorp/terraform-provider-azurerm#6850.
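
The comparison described in the comment above, as an added example that is not part of the original thread or of any project's code: it pairs the step 2 (GET) and step 3 (PUT) `hostnameConfigurations` entries by `type` and reports which fields drifted and how. The function names and the pair-by-`type` rule are assumptions made for illustration.

```python
import json

# hostnameConfigurations copied from step 2 (GET response) and step 3
# (failing PUT body) of this issue.
OBSERVED = json.loads("""[{"type":"Proxy","hostName":null,"encodedCertificate":null,
"keyVaultId":null,"certificatePassword":null,"negotiateClientCertificate":false,
"certificate":null,"defaultSslBinding":true}]""")
SUBMITTED = json.loads("""[{"type":"Proxy","hostName":"contoso-apimgmt.azure-api.net",
"keyVaultId":"","encodedCertificate":"","certificatePassword":"",
"defaultSslBinding":true,"negotiateClientCertificate":false}]""")


def classify(before, after):
    """Name the kind of drift between the value read back and the value sent."""
    if before is None and after == "":
        return "null->empty-string"
    if before is None:
        return "null->value"
    return "changed"


def hostname_config_drift(observed, submitted):
    """Return (type, field, kind, before, after) tuples for fields that differ.

    Entries are paired by "type" (assumption: one entry per type, as in the
    issue). A key absent from one side is treated as null, so the
    "certificate" key missing from the PUT body is not reported.
    """
    seen = {cfg["type"]: cfg for cfg in observed}
    drift = []
    for cfg in submitted:
        base = seen.get(cfg["type"], {})
        for field in sorted(set(base) | set(cfg)):
            before, after = base.get(field), cfg.get(field)
            if before != after:
                drift.append(
                    (cfg["type"], field, classify(before, after), before, after)
                )
    return drift


if __name__ == "__main__":
    # Run as a script to list the drift before sending a PUT.
    for row in hostname_config_drift(OBSERVED, SUBMITTED):
        print("{}.{}: {} ({!r} -> {!r})".format(*row))
```

Running a check like this on the body a client is about to PUT, against the last GET, shows when a supposedly unchanged update actually rewrites certificate-related fields.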

@yupwei68

Hi @sirlatrom Thanks
