"containerapp hostname bind" fails to find managed certificates by name

[1TT-Chris]

Describe the bug

The command fails saying that the cert cannot be found in the container apps environment when it does exist.

All the resources involved are in the same resource group. This is a managed certificate binding to a custom domain already created on the container app using the following commands:

az containerapp hostname add -n $CONTAINER_APP_NAME -g $RESOURCE_GROUP --hostname $CUSTOM_DOMAIN
az containerapp env certificate create -g $RESOURCE_GROUP -n $CONTAINER_APP_ENV_NAME --hostname $CUSTOM_DOMAIN --validation-method CNAME

The reason for the issue can be seen when running the command with --debug, the request URL to find the certificate is Request URL: 'https://management.azure.com/subscriptions/***/resourceGroups/***/providers/Microsoft.App/managedEnvironments/***/certificates/***?api-version=2024-03-01'

However, the resource id for a managed certificate is of the form:
/subscriptions//resourceGroups//providers/Microsoft.App/managedEnvironments//managedCertificates/

The workaround is to specify the full resource id for the certificate rather than just the name.

Related command

az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME --certificate $MANAGED_CERTIFICATE_NAME

Errors

The certificate '$MANAGED_CERTIFICATE_NAME' does not exist in Container app environment '$CONTAINER_APP_ENV_NAME'.

Issue script & Debug output

az containerapp hostname bind -g *** -n *** --hostname *** --environment *** --certificate *** --debug
....
cli.azure.cli.core.util: Request URL: 'https://management.azure.com/subscriptions/***/resourceGroups/***/providers/Microsoft.App/managedEnvironments/***/certificates/***?api-version=2024-03-01'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.11.8 (Windows-10-10.0.22631-SP0) AZURECLI/2.61.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '/'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'd92561db-81b7-40ce-a61b-d40c45a0d5af'
cli.azure.cli.core.util: 'CommandName': 'containerapp hostname bind'
cli.azure.cli.core.util: 'ParameterSetName': '-g -n --hostname --environment --certificate --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions//resourceGroups//providers/Microsoft.App/managedEnvironments//certificates/?api-version=2024-03-01 HTTP/1.1" 404 321
cli.azure.cli.core.util: Response status: 404
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Pragma': 'no-cache'
cli.azure.cli.core.util: 'Content-Length': '321'
cli.azure.cli.core.util: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.util: 'Expires': '-1'
cli.azure.cli.core.util: 'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.util: 'x-ms-request-id': 'eee5e6b2-e59e-4763-8781-cc062addfbbe'
cli.azure.cli.core.util: 'x-ms-correlation-request-id': 'eee5e6b2-e59e-4763-8781-cc062addfbbe'
cli.azure.cli.core.util: 'x-ms-routing-request-id': 'UKSOUTH:20240606T154437Z:eee5e6b2-e59e-4763-8781-cc062addfbbe'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.util: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.util: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.util: 'X-MSEdge-Ref': 'Ref A: CB3AA910CBA24C92A0A0532C8B8157BA Ref B: AMS231032607023 Ref C: 2024-06-06T15:44:37Z'
cli.azure.cli.core.util: 'Date': 'Thu, 06 Jun 2024 15:44:37 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"ResourceNotFound","message":"The Resource 'Microsoft.App/managedEnvironments//certificates/' under resource group '' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 664, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 731, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 723, in _run_job
File "C:\Users*.azure\cliextensions\containerapp\azext_containerapp_client_factory.py", line 28, in _polish_bad_errors
raise ex
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 701, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 334, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "C:\Users*.azure\cliextensions\containerapp\azext_containerapp\custom.py", line 1338, in bind_hostname
return bind_hostname_logic(cmd=cmd, resource_group_name=resource_group_name, name=name, hostname=hostname, thumbprint=thumbprint, certificate=certificate, location=location, environment=environment, validation_method=validation_method)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/containerapp/custom.py", line 3895, in bind_hostname_logic
azure.cli.core.azclierror.ResourceNotFoundError: The certificate '' does not exist in Container app environment '*'.

cli.azure.cli.core.azclierror: The certificate '' does not exist in Container app environment ''.

Expected behavior

The command should look for the certificate in both the certificates and managedCertificates endpoints.

Environment Summary

azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Extensions:
containerapp 0.3.52

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @calvinsID.

[Greedygre]

Hi @1TT-Chris

When execute command to bind an managed certificate, please specify cert id with -c/--certificate, for example:
az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME --certificate ${cert-id}

Or if there is only one managed cert under the managed environment, you can use command without --certificate, it will look for or create a managed certificate if no certificate info provided, for example:
az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME

Thanks

[KevinIlPazzo]

Hi @1TT-Chris

When execute command to bind an managed certificate, please specify cert id with -c/--certificate, for example: az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME --certificate ${cert-id}

Or if there is only one managed cert under the managed environment, you can use command without --certificate, it will look for or create a managed certificate if no certificate info provided, for example: az containerapp hostname bind -g $RESOURCE_GROUP -n $CONTAINER_APP_NAME --hostname $CUSTOM_DOMAIN --environment $CONTAINER_APP_ENV_NAME

Thanks

This helped a lot!!!
But the first suggestion is not working in my setup with multiple certificates in status succeeded and failed.
Getting the id would be a great solution, but the bind command pre-append my local path for some reason
Error -> The certificate 'C:/Program Files/Git/subscriptions/...' does not exist in Container app environment 'xxx'
I think this has something to do with bash on windows but didn't test through

You're second solution saved my day!!!
But you first have to delete all you're failed attempts to get only one managed cert and then this will work like a charm :)

[rohitkvv]

Hi any update on this or any other potential workarounds? None of the suggestions worked for me. Neither able to create a managed certificate from portal nor from cli.

From portal, it always times out and is in a perpetual failure state, and when tried to bind it from azure cli got the following error message
(CertificateProvisioningError) Certificate '**********' is not in succeeded provisioning state.