Leonard AB

Reputation: 1579

HTTPS access to Azure ubuntu Virtual Machine

I have an Ubuntu VM running on Microsoft Azure. Currently I can access it using HTTP, but not with HTTPS. In the network interface, inbound port rule, 443 is already allowed.

I already added a certificate into the VM, by creating a key vault and a certificate, and preparing it for deployment following this documentation:

az keyvault update -n <keyvaultname> -g <resourcegroupname> --set properties.enabledForDeployment=true

then added the certificate following this answer.

In Azure CLI:

$secret=$(az keyvault secret list-versions \
          --vault-name <keyvaultname> \
          --name <certname> \
          --query "[?attributes.enabled].id" --output tsv)
$vm_secret=$(az vm secret format --secret "$secret")

az vm update -n <vmname> -g <keyvaultname> --set osProfile.secrets="$vm_secret"

I got the following error:

Unable to build a model: Cannot deserialize as [VaultSecretGroup] an object of type <class 'str'>, DeserializationError: Cannot deserialize as [VaultSecretGroup] an object of type <class 'str'>

However, when I do az vm show -g <resourcegroupname> -n <vmname> after that, in the osProfile, the secrets already contained the secret I added:

"secrets": [
      {
        "sourceVault": {
          "id": "/subscriptions/<subsID>/resourceGroups/<resourcegroupName>/providers/Microsoft.KeyVault/vaults/sit-key-vault"
        },
        "vaultCertificates": [
          {
            "certificateStore": null,
            "certificateUrl": "https://<keyvaultname>.vault.azure.net/secrets/<certname>/<certhash>"
          }
        ]
      }
    ],

When accessing using HTTPS, I failed. I can access it using HTTP, but Chrome still shows the "Not secure" mark next to the address.

What did I miss?

I also checked the answer from a similar question, but could not find "Enable Direct Server Return" anywhere in the VM control panel page.

Upvotes: 1

Views: 1075

Answers (1)

Jim Xu

Reputation: 23111

As far as I know, we can follow these steps to configure SSL for an nginx server.

  1. Add SSL cert

    $secret=$(az keyvault secret list-versions --vault-name "keyvault_name" --name "cert name" --query "[?attributes.enabled].id" --output tsv)

    $vm_secret=$(az vm secret format --secrets "$secret")

    az vm update -n "VM name" -g "resource group name" --set osProfile.secrets="$vm_secret"

  2. Install Nginx

    sudo apt-get update

    sudo apt-get install nginx

  3. Configure SSL Cert

     # get cert name (path without the extension; the file name is the thumbprint)
     find /var/lib/waagent/ -name "*.prv" | cut -c -57

     # copy cert and key (the agent stores them as <thumbprint>.crt and <thumbprint>.prv)
     sudo mkdir /etc/nginx/ssl
     sudo cp "your cert name.crt" /etc/nginx/ssl/mycert.cer
     sudo cp "your cert name.prv" /etc/nginx/ssl/mycert.prv

     # change nginx configuration file
     sudo nano /etc/nginx/sites-available/default

     # add the following content to the file
     server {
         listen 443 ssl;
         ssl_certificate /etc/nginx/ssl/mycert.cer;
         ssl_certificate_key /etc/nginx/ssl/mycert.prv;
     }

     # restart nginx to load the certificate
     sudo service nginx restart
    

Upvotes: 0
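A pre-flight check for step 3 of the answer above, added here as an example and not code from the answer: it reads the `ssl_certificate` and `ssl_certificate_key` paths out of an nginx config, confirms both files exist and that the key is not readable by group or other, and compares the two public keys with the openssl CLI. The function names are this example's own; it assumes PEM files and a single server block, and needs enough privilege to read the key.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# certificate and key files that an nginx config refers to.

# Print the argument of one nginx directive (hypothetical helper).
directive_path() {
    awk -v d="$1" '$1 == d { sub(/;$/, "", $2); print $2; exit }' "$2"
}

# Return 0 only if both directives are present, both files exist,
# and the private key has no group/other permission bits set.
check_tls_files() {
    conf=$1
    cert=$(directive_path ssl_certificate "$conf")
    key=$(directive_path ssl_certificate_key "$conf")
    [ -n "$cert" ] && [ -n "$key" ] || { echo "missing ssl directive" >&2; return 1; }
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 2; }
    [ -f "$key" ] || { echo "private key not found: $key" >&2; return 3; }
    # Characters 5-10 of the mode string are the group and other bits.
    mode=$(ls -ldL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "key too permissive: $key" >&2; return 4; }
    return 0
}

# Return 0 if the certificate and the private key carry the same public key.
# Requires the openssl CLI.
check_tls_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sudo sh check_tls.sh /etc/nginx/sites-available/default
if [ "$#" -eq 1 ]; then
    check_tls_files "$1" &&
        check_tls_pair "$(directive_path ssl_certificate "$1")" \
                       "$(directive_path ssl_certificate_key "$1")"
fi
```

A return code of 2 or 3 points at a path in the config that does not match the file that was copied, which `sudo nginx -t` also reports before a restart.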
