Not able to get certificate on Azure VM using Key Vault extension from Azure Key Vault using Azure VM object ID

  • Question

  • Hi, I am getting the below error:

    2020-01-22 02:42:48: <debug> [WindowsCertificateManager] TryWaitForContinuation: Wait returned WAIT_TIMEOUT..
    2020-01-22 02:42:48: <info> [CertificateManager] Starting refreshing observed certificates...
    2020-01-22 02:42:48: <info> [CertificateManager] Beginning refresh for:
    2020-01-22 02:42:48: <info> [WindowsCertificateStore] attempting to open store 'LocalMachine\MY'
    2020-01-22 02:42:48: <debug> [WindowsCertificateStore] opening the 'LocalMachine' store..
    2020-01-22 02:42:48: <debug> [WindowsCertificateStore] store opened successfully.
    2020-01-22 02:42:48: <debug> [AuthClient] AcquireTokenCallback invoked
    2020-01-22 02:42:48: <debug> [AuthClient] acquiring token
    2020-01-22 02:42:48: <debug> [MSIAuthClient] acquiring token via MSI
    2020-01-22 02:42:48: <debug> [MSIHttpClient] MSI URL: http://100.200.300.256/metadata/identity/oauth2/token?api-version=2018-02-01&authority=
    2020-01-22 02:42:48: <error> [MSIAuthClient] failed to retrieve MSI token from response: {"error":"invalid_request","error_description":"Invalid authority"}
    2020-01-22 02:42:48: <error> [CertificateManager] Refreshing '' failed with RequestException: 400; desc: {"error":"invalid_request","error_description":"Invalid authority"}
    2020-01-22 02:42:48: <error> [CertificateManager] Failed to download one or more certificates.
    2020-01-22 02:42:48: <info> [WindowsCertificateManager] Checking state of termination event with a timeout of 300000

    I have imported a valid wildcard certificate into Key Vault and I am using the Azure VM Key Vault extension to install the certificate on the VM. I have created an object ID/principal using Managed Service Identity (MSI) for the VM and given the following permissions to the VM object ID using a Key Vault access policy:

    Permissions to Keys                        : get, list
    Permissions to Secrets                     : get, list
    Permissions to Certificates                : get, list, getissuers, listissuers 

    I am not sure where I am facing the issue. Any help would be appreciated.

    Wednesday, January 22, 2020 3:28 AM

All replies

  • Can you please check the state of your extension deployment using the Get-AzVMExtension -VMName <vmName> -ResourceGroupName <resource group name> PowerShell command? Also, you can check the extension logs at "%windrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\<version>\akvvm_service_<date>.log" if you have any extension issues.
    Friday, January 24, 2020 7:45 PM
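As an added diagnostic that is not part of this thread: run from a PowerShell prompt inside the VM, the script below performs the same two steps the extension log shows failing (get a managed-identity token from the Instance Metadata Service, then call Key Vault with it), so you can tell whether the token request or the access policy is the problem. The vault and certificate names are placeholders you must fill in; everything else uses the documented IMDS and Key Vault REST endpoints.

```powershell
# Added diagnostic, not code from the Key Vault extension. Run on the VM itself.
$vaultName = 'PLACEHOLDER-VAULT-NAME'   # assumption: name of your Key Vault
$certName  = 'PLACEHOLDER-CERT-NAME'    # assumption: certificate name in that vault
$resource  = 'https://vault.azure.net'  # token audience for Key Vault

# 1. Request a token from IMDS. Only api-version and resource are required and the
#    'Metadata: true' header is mandatory; the address is always 169.254.169.254.
$tokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($resource)
try {
    $tokenResponse = Invoke-RestMethod -Uri $tokenUri -Method GET -Headers @{ Metadata = 'true' }
} catch {
    # A 400 here (e.g. invalid_request) means IMDS rejected the request itself
    Write-Error "IMDS token request failed: $($_.Exception.Message)"
    return
}

# Decode the JWT payload for inspection only (no signature validation) to confirm
# which identity (oid) the token was issued for; it must match the object ID that
# was granted permissions in the Key Vault access policy.
$payloadB64 = $tokenResponse.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payloadB64.Length % 4) { 2 { $payloadB64 += '==' } 3 { $payloadB64 += '=' } }
$claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadB64)) |
          ConvertFrom-Json
"Token audience: $($claims.aud); identity object id (oid): $($claims.oid)"

# 2. Read the certificate's public part and metadata with that token. This endpoint
#    never returns the private key, and it needs the certificates/get permission.
$certUri = "https://$vaultName.vault.azure.net/certificates/$certName?api-version=7.0"
try {
    $cert = Invoke-RestMethod -Uri $certUri -Method GET `
              -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
    "Key Vault returned certificate id: $($cert.id)"
} catch {
    # 401: token not accepted by the vault; 403: identity lacks access-policy permission
    Write-Error "Key Vault request failed: $($_.Exception.Message)"
}
```

If step 1 succeeds but step 2 returns 403, the access policy (or the object ID it was granted to) is the problem rather than the extension; if step 1 itself fails, the managed identity is not enabled on the VM or IMDS is unreachable from it.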
  • Hi Bhanush,

    Please let us know if the above reply was helpful to you. If so, please remember to mark as answer so that others in the community with similar questions can more easily find a solution.

    Feel free to get back to us if you have further questions!

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Tuesday, February 4, 2020 12:16 AM