01-26-2020 07:22 PM
failed to download certificate from key vault using keyvault vm extension on windows VM
below is log on azure vm under folder C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\1.0.1082.9:
2020-01-26 17:24:00: <debug> [WindowsCertificateManager] TryWaitForContinuation: Wait returned WAIT_TIMEOUT..
2020-01-26 17:24:00: <info> [CertificateManager] Starting refreshing observed certificates...
2020-01-26 17:24:00: <info> [CertificateManager] Beginning refresh for: https://keyvaultid.vault.azure.net/certificates/wildcard-company-com
2020-01-26 17:24:00: <info> [WindowsCertificateStore] attempting to open store 'LocalMachine\MY'
2020-01-26 17:24:00: <debug> [WindowsCertificateStore] opening the 'LocalMachine' store..
2020-01-26 17:24:00: <debug> [WindowsCertificateStore] store opened successfully.
2020-01-26 17:24:00: <debug> [AuthClient] AcquireTokenCallback invoked
2020-01-26 17:24:00: <debug> [AuthClient] acquiring token
2020-01-26 17:24:00: <debug> [MSIAuthClient] acquiring token via MSI
2020-01-26 17:24:00: <debug> [MSIHttpClient] MSI URL: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&authority=https://login...
2020-01-26 17:24:00: <error> [CertificateManager] Refreshing 'https://keyvaultid.vault.azure.net/certificates/wildcard-company-com' failed with KeyVault exception: Unable to parse SecretBundle: missing ContenetType
2020-01-26 17:24:00: <error> [CertificateManager] Failed to download one or more certificates.
2020-01-26 17:24:00: <info> [WindowsCertificateManager] Checking state of termination event with a timeout of 300000
Thanks in advance
05-01-2020 12:35 PM
@bhanush880 You need to use the secrets path to the certificate because that'll make sure the download includes the private key as the certificate endpoint only includes the public key.
i.e. https://keyvaultid.vault.azure.net/secrets/wildcard-company-com
Keep in mind you do not need to add a secret in your Key Vault. simply making the URL change should allow the extension to download the correct certificate
Let me know if that works for you.
Thanks,
Jack