failed to download certificate from key vault using keyvault vm extension on windows VM



Below is the log on the Azure VM under the folder C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\1.0.1082.9:

2020-01-26 17:24:00: <debug> [WindowsCertificateManager] TryWaitForContinuation: Wait returned WAIT_TIMEOUT..
2020-01-26 17:24:00: <info> [CertificateManager] Starting refreshing observed certificates...
2020-01-26 17:24:00: <info> [CertificateManager] Beginning refresh for: https://keyvaultid.vault.azure.net/certificates/wildcard-company-com
2020-01-26 17:24:00: <info> [WindowsCertificateStore] attempting to open store 'LocalMachine\MY'
2020-01-26 17:24:00: <debug> [WindowsCertificateStore] opening the 'LocalMachine' store..
2020-01-26 17:24:00: <debug> [WindowsCertificateStore] store opened successfully.
2020-01-26 17:24:00: <debug> [AuthClient]  AcquireTokenCallback invoked
2020-01-26 17:24:00: <debug> [AuthClient]  acquiring token
2020-01-26 17:24:00: <debug> [MSIAuthClient]  acquiring token via MSI
2020-01-26 17:24:00: <debug> [MSIHttpClient]  MSI URL: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&authority=https://login...
2020-01-26 17:24:00: <error> [CertificateManager] Refreshing 'https://keyvaultid.vault.azure.net/certificates/wildcard-company-com' failed with KeyVault exception: Unable to parse SecretBundle: missing ContenetType
2020-01-26 17:24:00: <error> [CertificateManager] Failed to download one or more certificates.
2020-01-26 17:24:00: <info> [WindowsCertificateManager] Checking state of termination event with a timeout of 300000


Thanks in advance

4 Replies

@bhanush880 You need to use the secrets path to the certificate, because that will make sure the download includes the private key; the certificate endpoint only includes the public key.

i.e. https://keyvaultid.vault.azure.net/secrets/wildcard-company-com

Keep in mind you do not need to add a secret in your Key Vault; simply making the URL change should allow the extension to download the correct certificate.

Let me know if that works for you.

Thanks,

Jack
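Added example (not code from this thread, the extension, or Azure): a small Python check that rewrites observedCertificates entries from the certificates path to the secrets path, and mirrors the ContentType check the log above shows failing. The settings layout in SAMPLE_SETTINGS and the sample URLs are constructed assumptions for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of the extension's settings block (assumed layout).
SAMPLE_SETTINGS = {
    "secretsManagementSettings": {
        "certificateStoreName": "MY",
        "certificateStoreLocation": "LocalMachine",
        "observedCertificates": [
            "https://keyvaultid.vault.azure.net/certificates/wildcard-company-com",
            "https://keyvaultid.vault.azure.net/secrets/andrew-test",
        ],
    }
}

def normalize_observed_url(url):
    """Return (fixed_url, warning): /certificates/<name> yields only the public
    key, so it is rewritten to /secrets/<name>, which carries the private key."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc.endswith(".vault.azure.net"):
        raise ValueError(f"not a Key Vault URL: {url}")
    m = re.match(r"^/(certificates|secrets)/([^/]+)(/[^/]+)?$", parts.path)
    if not m:
        raise ValueError(f"unexpected Key Vault path: {parts.path}")
    kind, name, version = m.groups()
    if kind == "secrets":
        return url, None
    fixed = parts._replace(path=f"/secrets/{name}{version or ''}").geturl()
    return fixed, f"{url}: certificates endpoint has no private key, use {fixed}"

def normalize_settings(settings):
    """Rewrite every observedCertificates entry; return (new_settings, warnings)."""
    fixed, warnings = [], []
    for url in settings["secretsManagementSettings"]["observedCertificates"]:
        new_url, warn = normalize_observed_url(url)
        fixed.append(new_url)
        if warn:
            warnings.append(warn)
    out = json.loads(json.dumps(settings))  # deep copy, input stays untouched
    out["secretsManagementSettings"]["observedCertificates"] = fixed
    return out, warnings

def check_secret_bundle(bundle):
    """Mirror the parse step that fails in the log: a SecretBundle from the secrets
    endpoint carries contentType; the certificates endpoint's response does not."""
    if "contentType" not in bundle:
        raise ValueError("Unable to parse SecretBundle: missing ContentType")
    return bundle["contentType"]
```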

@jackjiang

Hello

I just wanted to thank you for providing this solution, as it has worked for me. Once I changed:

["https://<keyvault-name>.vault.azure.net/certificates/andrew-test"]

to

["https://<keyvault-name>.vault.azure.net/secrets/andrew-test"]

it worked fine, as indicated in the extension logs.

Thank you

@akohnen

Hi,

I am working on the Azure Key Vault extension for Windows. All the steps were followed as per the documentation, but when the extension runs at its interval the error below occurs.

Refreshing 'https://<keyvault-name>.vault.azure.net/secrets/CertificateName' failed with RequestException: 404; desc:
{"error":{"code":"SecretNotFound","message":"A secret with (name/id) CertificateName was not found in this key vault.

That works for me too, thank you very much: change */certificates/* to */secrets/*.