azurerm_key_vault_certificate 401 when trying to create a new self-signed certificate #1584

Closed
Supermathie opened this issue Jul 16, 2018 · 4 comments

Comments

@Supermathie
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

  • provider.azurerm v1.9.0
  • provider.random v1.3.1
  • provider.template v1.0.0

Affected Resource(s)

  • azurerm_key_vault_certificate

Terraform Configuration Files

resource "azurerm_key_vault_certificate" "crt" {
  name      = "${replace(var.hostname, ".", "-")}" # app-discuss-xxxx-dev-michael
  vault_uri = "${var.vault_uri}" # app-discuss.xxxx-dev-michael

  certificate_policy {
    issuer_parameters {
      name = "${var.issuer_name}" # Self
    }
    key_properties {
      exportable = true
      key_size   = "${var.key_bits}" # 4096
      key_type   = "${var.key_type}" # RSA
      reuse_key  = true
    }
    lifetime_action {
      action {
        action_type = "AutoRenew"
      }
      trigger {
        days_before_expiry = 30
      }
    }
    secret_properties {
      content_type = "application/x-pkcs12"
    }
    x509_certificate_properties {
      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject            = "${var.hostname}"
      validity_in_months = 12
    }
  }
}

Debug Output


2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: 2018/07/16 18:07:51 [DEBUG] AzureRM Request:
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: POST /certificates/forums-microsoft-com/create?api-version=2016-10-01 HTTP/1.1
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Host: xxxx-dev-michael.vault.azure.net
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: User-Agent: Go/go1.9.2 (amd64-linux) go-autorest/v10.12.0 Azure-SDK-For-Go/v18.0.0 keyvault/2016-10-01;HashiCorp-Terraform-v0.11.3
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Content-Length: 452
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Authorization: Bearer SECRET
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Content-Type: application/json; charset=utf-8
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Accept-Encoding: gzip
2018-07-16T18:07:51.569-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: 
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: 2018/07/16 18:07:51 [DEBUG] AzureRM Response for https://xxxx-dev-michael.vault.azure.net/certificates/app-discuss-xxxx-dev-michael/create?api-version=2016-10-01:
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: HTTP/2.0 401 Unauthorized
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Content-Length: 0
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Cache-Control: no-cache
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Date: Mon, 16 Jul 2018 22:07:50 GMT
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Expires: -1
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Pragma: no-cache
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Server: Microsoft-IIS/10.0
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Strict-Transport-Security: max-age=31536000;includeSubDomains
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: Www-Authenticate: Bearer authorization="https://login.windows.net/963b8592-7e24-4476-978d-567836ff2d1b", resource="https://vault.azure.net"
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: X-Aspnet-Version: 4.0.30319
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: X-Content-Type-Options: nosniff
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: X-Ms-Keyvault-Network-Info: addr=198.2.91.229;act_addr_fam=InterNetwork;
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: X-Ms-Keyvault-Region: eastus
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: X-Ms-Keyvault-Service-Version: 1.0.0.852
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: X-Ms-Request-Id: 288737d9-f674-487a-bce1-cbef08dc4f72
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: X-Powered-By: ASP.NET
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: 
2018-07-16T18:07:51.578-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.9.0_x4: 
2018/07/16 18:07:51 [ERROR] root.awg_clusters_crt_0: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* azurerm_key_vault_certificate.crt: keyvault.BaseClient#CreateCertificate: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF
2018/07/16 18:07:51 [ERROR] root.awg_clusters_crt_0: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* azurerm_key_vault_certificate.crt: keyvault.BaseClient#CreateCertificate: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF

(available on request)

Panic Output

Expected Behavior

The certificate should have been created and issued

Actual Behavior

* module.awg_clusters_crt_0.azurerm_key_vault_certificate.crt: 1 error(s) occurred:

* azurerm_key_vault_certificate.crt: keyvault.BaseClient#CreateCertificate: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF

Steps to Reproduce

  1. terraform apply

Important Factoids

I know that my user does have permissions to the Key Vault as I can perform the operations via the CLI or Azure Portal.

References

@tombuildsstuff
Contributor

hey @Supermathie

Thanks for opening this issue :)

Taking a look into this - would it be possible to confirm how you're authenticating to Azure with Terraform, either using the Azure CLI/MSI or a Service Principal? There's a known issue with Azure CLI authentication and KeyVaults (which is fixed in the next release) where a 401 is returned, which looks to be the case in this instance.

Thanks!
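The debug output above shows the shape of the failure: Key Vault rejects the bearer token with an empty-bodied 401 and a Www-Authenticate challenge naming the resource it expects (resource="https://vault.azure.net"). The following added example (not code from the issue or the provider) is a small offline diagnostic for that situation: it parses the challenge and checks whether the aud claim of the token being sent actually names that resource. It assumes the known CLI-auth issue the maintainer refers to is an audience mismatch, which the page does not state; the tenant id and the tokens are constructed placeholders.

```python
import base64
import json
import re

# Constructed sample of the challenge Key Vault returned in the issue's debug
# output (empty-bodied 401 + Www-Authenticate); the tenant id is a placeholder.
CHALLENGE = (
    'Bearer authorization="https://login.windows.net/00000000-0000-0000-0000-000000000000", '
    'resource="https://vault.azure.net"'
)
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_bearer_challenge(header: str) -> dict:
    """Split a Bearer challenge into its key="value" parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    return dict(_PARAM_RE.findall(params))

def _b64url(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Read a JWT payload without verifying the signature: this only tells us
    which audience the token was minted for, not that the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url(parts[1]))

def token_fits_challenge(token: str, challenge: str) -> bool:
    """True when the token's aud claim names the resource the challenge asks for."""
    resource = parse_bearer_challenge(challenge)["resource"].rstrip("/").lower()
    aud = jwt_claims(token).get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    return any(a.rstrip("/").lower() == resource for a in auds)

def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned, obviously fake JWT for the offline demo (constructed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.fakesig"

# A token minted for the ARM endpoint (assumed to be what the CLI path handed
# the provider) versus one minted for the vault resource the challenge names.
ARM_TOKEN = make_sample_jwt({"aud": "https://management.azure.com/"})
VAULT_TOKEN = make_sample_jwt({"aud": "https://vault.azure.net"})
```

Run against a real token only as a local check of the aud claim; it deliberately does no signature validation and must not be used as an authorization decision.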

@Supermathie
Contributor Author

@tombuildsstuff thanks - yes I'm authenticating via CLI az login, not via SP.

So this will be fixed in 1.10? Fantastic!

@tombuildsstuff
Contributor

@Supermathie

@tombuildsstuff thanks - yes I'm authenticating via CLI az login, not via SP.
So this will be fixed in 1.10? Fantastic!

Yep - this was fixed in #1544 which has been merged and will be part of v1.10. Given this is a duplicate of #656 I'm going to close it for the moment; but please let us know if you're still seeing this with v1.10 when it's released later this week. Should you wish to work around this in the interim you can either use a Service Principal or build a custom binary from the master branch (details are in the README).

Thanks!

@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020