The following forum(s) have migrated to Microsoft Q&A (Preview): Azure Virtual Machines!
Visit Microsoft Q&A (Preview) to post new questions.

Learn More

 locked
ClassicIaaSMigration - VM certificates disappeared from key vault - now in failed state RRS feed

  • Question

  • Hi,

    I migrated 3 VMs from service manager to resource manager, referencing this documentation some time ago. This all worked fine but a few months later the machines went into a failed state.

    Upon closer inspection it seems that the certificates stored in keyvaults as part of the migration have disappeared. I am convinced these weren't deleted and it looks like the keyvaults have screwed up. I'm not too stressed because these boxes were non-critical, but nonetheless useful. 

    Please could someone suggest how I might go about resolving / working around this issue? I'd rather not have to recreate the VM config and use the existing VHDs. The template suggests the certificate mentioned above is used with the WinRM endpoint and I suspect it's a fairly crucial workaround used by MS in the migration process. This leads me to believe its not as simple as simply removing the endpoints / certificate references in the deployment template and re-deploying.

    Below are some links and screenshots related to the issue:

    Virtual machine certificates Certificates in Azure Key Vault If a cloud service contains service certificates, a new Azure key vault per cloud service and moves the certificates into the key vault. The VMs are updated to reference the certificates from the key vault. 

    NOTE: Please do not delete the keyvault as it can cause the VM to go into a failed state. We're working on improving things in the backend so that Key Vaults can be deleted safely or moved along with the VM to a new subscription.
     

    https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-migration-classic-resource-manager-deep-dive

    https://cloudpuzzles.net/2016/10/asm-to-arm-migration-and-fun-with-key-vault/




    • Edited by mikejwhat Monday, March 6, 2017 2:37 PM
    Monday, March 6, 2017 2:35 PM

Answers