How to add a new certificate for a listener of an Azure Application Gateway with Python
Hi everyone.
I am a beginner on the Internet and Azure. I have a question about adding a certificate to a listener of an Azure application gateway with Python. I describe my problem in detail as follows.
1. Background
The Azure environment I use is:
Resource group name: My_ResourceGroup
Subscription ID: sub_id
Tenant ID: tenant_id
Client: my_client
Service principal password: sp_password
2. Top-domain and sub-domain
In resource group My_ResourceGroup, there are two Azure DNS providers with zones contoso.com and chen.contoso.com respectively. The contoso.com is the top domain while the chen.contoso.com is the sub-domain.
For chen.contoso.com, I created an A record with name www and IP 10.10.10.10 (note that this IP is just used for testing). I also generated a certificate (cert.pfx file) for this domain in order to use HTTPS.
3. Install cert.pfx certificate to a listener
I have an off-the-shelf Azure application gateway contoso-appgw in resource group My_ResourceGroup. In this gateway, there is a listener contoso-appgw-hl, and there is already a certificate cert0.pfx in this listener.
What I want to do is append (or install) the cert.pfx certificate to the listener contoso-appgw-hl with the Azure Python SDK. After this operation, there should be two certificates in listener contoso-appgw-hl: cert0.pfx (the old one) and cert.pfx (the new one).
4. My code and the references
My Python code is as follows:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.network import NetworkManagementClient

# Replace this with your subscription id
subscription_id = 'sub_id'
# Tenant ID for your Azure subscription
TENANT_ID = 'tenant_id'
# Your service principal App ID
CLIENT = 'client'
# Your service principal password
KEY = 'sp_password'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT,
    secret=KEY,
    tenant=TENANT_ID
)

network_client = NetworkManagementClient(credentials, subscription_id)

network_client.application_gateways.create_or_update(
    'My_ResourceGroup',
    'contoso-appgw',
    {
        'location': 'East US 2',
        'http_listeners': [
            {
                'name': 'contoso-appgw-hl',
                'protocol': 'Https',
                'ssl_certificate': {
                    'data': 'cert.pfx',
                    'name': 'chenkui',
                    'password': '123abc'
                }
            }
        ]
    }
)
I wrote my code based on the following resources:
Note that the cert.pfx in my code is a Base-64 format certificate because, based on the document, a Base-64 format certificate is needed.
5. Error message
The above code failed. The error message shown in Azure Portal --> contoso-appgw --> Activity log for the above code is:
Operation name: Create or Update Application Gateway
Error code: InvalidRequestFormat
Message: Cannot parse the request.
Even when I use the Azure Portal (i.e. instead of using Python code, use the GUI Portal in the browser), adding the certificate also fails. The error message shown in Azure Portal --> contoso-appgw --> Activity log is:
Operation name: Create or Update Application Gateway
Error code: ApplicationGatewaySslCertificateDataMustBeSpecified
Message:
Data must be specified for Certificate /subscriptions/c72b5b1b-771e-4b65-ba34-a7db981c9dcf/resourceGroups/My_ResourceGroup/providers/Microsoft.Network/applicationGateways/contoso-appgw/sslCertificates/chenkui.
6. My question
My questions are given as follows:
Thank you very much!
If you want to convert a listener from http to https, you can use the following PowerShell script:
# Get the existing application gateway object to modify
$appgw = Get-AzApplicationGateway -Name "AppGWname" -ResourceGroupName "RG Name"
#$listener = Get-AzApplicationGatewayHttpListener -Name listener1 -ApplicationGateway $appgw
# Frontend IP configuration that the listener will use
$FEC = Get-AzApplicationGatewayFrontendIPConfig -Name "FrontendIP" -ApplicationGateway $appgw
# Add a frontend port for HTTPS and fetch it back (the name must match in both calls)
Add-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name "Name of the Port" -Port 443
$port = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name "Name of the Port"
# Password protecting the .pfx file
$passwd = ConvertTo-SecureString "Password" -AsPlainText -Force
# Upload the certificate to the gateway and fetch it back (again, names must match)
Add-AzApplicationGatewaySSLCertificate -Name "Name of the cert" -CertificateFile "Full path of the cert with .pfx" -Password $passwd -ApplicationGateway $appgw
$cert = Get-AzApplicationGatewaySSLCertificate -Name "Name of the cert" -ApplicationGateway $appgw
# Switch the listener to HTTPS with the new certificate, then commit the changes to Azure
Set-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name "Name of the listener" -FrontendIPConfiguration $FEC -FrontendPort $port -Protocol Https -SslCertificate $cert
Set-AzApplicationGateway -ApplicationGateway $appgw
I have found a method to update an existing application gateway. When using the create_or_update function to update an existing Azure resource, you must get it first. Otherwise, create_or_update will create a new resource instead of updating an existing one.
The following link is a good example. It creates and updates an Azure VM.
Create and manage Windows VMs in Azure using Python
Because creating and managing resources in Azure has a uniform method, we can apply the idea given in the above link to manage an application gateway. The code is as follows.
import base64
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2019_06_01.models import ApplicationGatewaySslCertificate

# Replace these placeholders with your own values
subscription_id = 'sub_id'
TENANT_ID = 'tenant_id'
CLIENT = 'client'
KEY = 'sp_password'
RESOURCE_GROUP_NAME = 'My_ResourceGroup'
APPLICATION_GATEWAY_NAME = 'contoso-appgw'
ANY_NAME_IS_OK = 'chenkui'
THE_PASSWORD_USED_TO_CREATE_CERTIFICATE = '123abc'


def test_appgw():
    # create credentials
    credentials = ServicePrincipalCredentials(
        client_id=CLIENT,
        secret=KEY,
        tenant=TENANT_ID
    )
    # create network client
    network_client = NetworkManagementClient(credentials, subscription_id)
    # get an existing application gateway
    app_gw = network_client.application_gateways.get(RESOURCE_GROUP_NAME, APPLICATION_GATEWAY_NAME)
    # read the pfx certificate and convert it to a base-64 string
    with open('certificate.pfx', 'rb') as binary_cert:
        base64_cert = base64.b64encode(binary_cert.read())
    cert_data = base64_cert.decode('utf-8')
    # create an SSL certificate
    ssl_cert = ApplicationGatewaySslCertificate(
        name=ANY_NAME_IS_OK,
        data=cert_data,
        password=THE_PASSWORD_USED_TO_CREATE_CERTIFICATE
    )
    # app_gw.ssl_certificates is a Python list, so we append the new certificate to it
    app_gw.ssl_certificates.append(ssl_cert)
    # update the application gateway
    network_client.application_gateways.create_or_update(
        RESOURCE_GROUP_NAME,
        APPLICATION_GATEWAY_NAME,
        app_gw
    )


if __name__ == "__main__":
    test_appgw()
Note:
- Use the get function to obtain an existing application gateway;
- name of the ApplicationGatewaySslCertificate class is a string. You can use any name you like;
- data is a string. It is NOT the name of a certificate, but a Base-64 string of the content of a pfx certificate;
- password is a string. It should be the password by which you created your pfx certificate.
Hope this helps you.
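An added, offline-runnable example (not code from the question or either answer) that builds the data value the way the answer describes and appends the new certificate to the gateway's existing list so the old one is kept. It uses plain dicts with the same name, data and password fields as ApplicationGatewaySslCertificate instead of the SDK model, and SAMPLE_PFX is constructed filler bytes, not a real certificate.

```python
import base64
from typing import Dict, List

# Constructed stand-in for the bytes of a .pfx file (NOT a real certificate).
# A real PKCS#12 file is DER encoded, so it begins with the ASN.1 SEQUENCE tag 0x30.
SAMPLE_PFX = b"\x30\x82\x01\x00" + bytes(range(32))


def pfx_to_cert_data(pfx_bytes: bytes) -> str:
    """Build the value for ssl_certificate.data: Base-64 of the file CONTENT.

    Passing the file name ('cert.pfx'), as the failing code in the question did,
    sends no certificate content at all.
    """
    if not pfx_bytes or pfx_bytes[0] != 0x30:
        raise ValueError("input does not look like a DER-encoded PKCS#12 file")
    return base64.b64encode(pfx_bytes).decode("ascii")


def looks_like_cert_data(data: str) -> bool:
    """Cheap pre-flight check to run before calling create_or_update."""
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and raw[0] == 0x30


def add_ssl_certificate(ssl_certificates: List[Dict], name: str,
                        pfx_bytes: bytes, password: str) -> List[Dict]:
    """Return the gateway's certificate list with the new certificate appended.

    Existing entries (e.g. cert0) are kept, which is what yields two certificates
    after the update. A duplicate name is rejected rather than silently replacing
    the certificate that is already installed.
    """
    if any(c["name"] == name for c in ssl_certificates):
        raise ValueError(f"certificate {name!r} already exists on the gateway")
    new_cert = {"name": name, "data": pfx_to_cert_data(pfx_bytes), "password": password}
    return ssl_certificates + [new_cert]


if __name__ == "__main__":
    # Constructed list standing in for app_gw.ssl_certificates as returned by get()
    existing = [{"name": "cert0", "data": None, "password": None}]
    updated = add_ssl_certificate(existing, "chenkui", SAMPLE_PFX, "123abc")
    print([c["name"] for c in updated])              # ['cert0', 'chenkui']
    print(looks_like_cert_data("cert.pfx"))          # False: a file name, not Base-64
    print(looks_like_cert_data(updated[1]["data"]))  # True
```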