Reputation: 413
I'm trying to get the Azure Let's Encrypt site plug-in working for one of my Azure websites, following the instructions at:
but I'm getting an authorization error when I run it. I have no idea where to start looking to try and solve this and any help would be more than welcome.
The error is as follows:
Microsoft.Rest.Azure.CloudException: The client '{id}' with object id '{same id here??}' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/{subscription id} /resourceGroups/Default-Web-NorthEurope/providers/Microsoft.Web/sites/{sitename}'. at Microsoft.Azure.Management.WebSites.SitesOperations.d__29.MoveNext()
It was an issue with the principal's access to the web app.
I decided to follow through Troy Hunt's walkthrough here: https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/
Which is pretty good - he uses the old Azure portal to set up the Active Directory, which I found a bit more useful as I could actually see what was going on.
Anyway, I've got all the way through the process right up to the actual certificate request and now I am getting a 403 server error returned:
The remote server returned an error: (403) Forbidden.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Net.WebException: The remote server returned an error: (403) Forbidden.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[WebException: The remote server returned an error: (403) Forbidden.]
System.Net.HttpWebRequest.GetResponse() +1390
ACMESharp.AcmeClient.RequestHttpPost(Uri uri, Object message) +642
[AcmeWebException: Unexpected error]
ACMESharp.AcmeClient.AuthorizeIdentifier(String dnsIdentifier) +435
LetsEncrypt.SiteExtension.Core.CertificateManager.Authorize(Target target) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:518
LetsEncrypt.SiteExtension.Core.CertificateManager.Auto(Target binding) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:441
LetsEncrypt.SiteExtension.Core.CertificateManager.RequestAndInstallInternal(Target target) in c:\Projects\LetsEncrypt-SiteExtension\LetsEncrypt-SiteExtension\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:244
LetsEncrypt.SiteExtension.Controllers.HomeController.Install(RequestAndInstallModel model) +604
lambda_method(Closure , ControllerBase , Object[] ) +104
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +169
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +50
System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +225
System.Web.Mvc.Async.<>c__DisplayClass33.<BeginInvokeActionMethodWithFilters>b__32(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +26
System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9644037
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Upvotes: 10
Views: 4143
Reputation: 38109
After adding the App Registration, it is necessary to add it as a Role Assignment to the Resource Group with the role "Contributor".
If you forget this, you will get the above error message.
After doing this, please restart the App Service before trying to run the Let's Encrypt extension again.
Upvotes: 11
Reputation: 961
I ran into the exact same exception and followed these steps to resolve it
This immediately resolved the exception of insufficient access rights
Update: Following the steps (5. Register Service Principal), be sure that you are signed in to the correct subscription. In my case I created the service principal in the wrong subscription, hence the principal wasn't assigned correctly to the App Service in use.
Upvotes: 2
Reputation: 1886
I ran into the same issue for a new Azure App Service. Turned out I had to actually deploy a web app before running the Let's Encrypt wizard. When the default Azure App Service landing page for an empty site is the content, the wizard isn't able to do its job.
Upvotes: 1
Reputation: 1025
For me, this problem came up when my ResourceGroup was not the same as my ServicePlanResourceGroup.
So if those are not equal, you need to add the App registration you created (the clientId you created the secret key for) to the ServicePlanResourceGroup in addition to the ResourceGroup.
Upvotes: 5
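A check for the role-assignment problems described in the answers above (no Contributor assignment on the resource group, a separate ServicePlanResourceGroup, an assignment made in the wrong subscription), as an added example that is not from the original posts. It assumes the assignments were exported as JSON with `principalId`, `roleDefinitionName` and `scope` fields, as `az role assignment list --all -o json` produces; every ID and resource group name below is constructed.

```python
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"        # constructed

# Constructed sample: Contributor on the site's resource group only, Reader on
# the plan's resource group, and a Contributor grant in a different subscription.
SAMPLE = json.loads("""
[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/web"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/web-plans"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/web-plans"}
]
""")


def covers(scope, target):
    """True if a role assignment made at `scope` is inherited by `target`."""
    s, t = scope.rstrip("/").lower(), target.rstrip("/").lower()
    # Compare whole path segments so ".../web" does not cover ".../web-plans".
    return t == s or t.startswith(s + "/")


def missing_scopes(assignments, principal_id, required,
                   roles=("Contributor", "Owner")):
    """Return the required scopes where the principal holds none of `roles`."""
    wanted = {r.lower() for r in roles}
    granted = [a["scope"] for a in assignments
               if a["principalId"].lower() == principal_id.lower()
               and a["roleDefinitionName"].lower() in wanted]
    return [r for r in required if not any(covers(g, r) for g in granted)]


if __name__ == "__main__":
    required = [SUB + "/resourceGroups/web",        # ResourceGroup
                SUB + "/resourceGroups/web-plans"]  # ServicePlanResourceGroup
    for scope in missing_scopes(SAMPLE, SP_OBJECT_ID, required):
        print("no Contributor/Owner assignment covers", scope)
```

On the sample it reports the plan's resource group: the Reader role there does not count, and the Contributor grant under the other subscription ID does not apply.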
Reputation: 628
I ran into the same problem.
I solved it by not specifying the custom domain (e.g. lybecker.com) in the Azure Let's Encrypt site extension configuration, but using the full lybecker.onmicrosoft.com.
Upvotes: 0
Reputation: 4062
It is the problem with the access. Please check the "5. Register a Service Principal" part of the article you mentioned. Do you have the same ApplicationId when that part was done with the ApplicationId on the LetsEncrypt page? The same secret? Check it, because it looks like something is wrong with that step.
P.S. I have just checked that walkthrough without the error you mentioned.
Upvotes: 0