Azure – Front Door, Custom Domain - BYOC-In Secret not able to add the certificate

Question

Azure – Front Door, Custom Domain - BYOC-In Secret not able to add the certificate

Rajasekar K 6

I'm trying to setup a custom domain in Azure frontDoor using "GoDaddy" issued certificate. I did followed the steps given in the below Microsoft links.

https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain
https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal

Note that there is no firewall enabled on Keyvault , Service Prinicple added, Access policy is set ( Get & List set for Secrets & Certificates ) and also my account has full access to Keyvault.

After successfully adding the certificate in the Keyvault , I am trying to add certificate in secret section in frontdoor but cant able to add i got error message attached.

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-02T09:19:00.42+00:00

Hello @Rajasekar K ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to setup a custom domain in Azure FrontDoor and you have already added the Service Principle & Access policy in your Key Vault but when trying to add the GoDaddy issued certificate in the secret section of Frontdoor, you are getting the following error "Failed to create the secret. We don't have permission to access this secret. Go to access policies in your key vault account to give Microsoft.AzureFrontDoor-cdn or managed identities permission to get secrets".

Could you please confirm if the both the below steps have been completed?

1) Register Azure Front Door:
Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.
The Application Id is "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#register-azure-front-door

2) Grant Azure Front Door access to your key vault:
In your key vault account, select Access policies and create a new access policy with Get Secret & Certificate permissions to allow Front Door to retrieve the certificate. In Select principal, search for 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8, and select Microsoft.AzureFrontDoor-Cdn
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#grant-azure-front-door-access-to-your-key-vault
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-05T10:11:16.35+00:00

Hello @Rajasekar K ,

Could you please provide an update on this post?

I would request you to re-try the above steps and then try adding the certificate to the secret section of Front Door.

Regards,
Gita
Rajasekar K 6 Reputation points

2022-12-05T10:17:19.733+00:00

Yes, Its working now thanks
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-05T13:30:19.297+00:00

Thank you for the update, @Rajasekar K . Glad to hear that it is working now.

I've added the information in the answer section below for better visibility.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,
Gita

1 answer

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-02T09:19:00.42+00:00

Hello @Rajasekar K ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to setup a custom domain in Azure FrontDoor and you have already added the Service Principle & Access policy in your Key Vault but when trying to add the GoDaddy issued certificate in the secret section of Frontdoor, you are getting the following error "Failed to create the secret. We don't have permission to access this secret. Go to access policies in your key vault account to give Microsoft.AzureFrontDoor-cdn or managed identities permission to get secrets".

Could you please confirm if the both the below steps have been completed?

1) Register Azure Front Door:
Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.
The Application Id is "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#register-azure-front-door

2) Grant Azure Front Door access to your key vault:
In your key vault account, select Access policies and create a new access policy with Get Secret & Certificate permissions to allow Front Door to retrieve the certificate. In Select principal, search for 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8, and select Microsoft.AzureFrontDoor-Cdn
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#grant-azure-front-door-access-to-your-key-vault
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-05T10:11:16.35+00:00

Hello @Rajasekar K ,

Could you please provide an update on this post?

I would request you to re-try the above steps and then try adding the certificate to the secret section of Front Door.

Regards,
Gita
Rajasekar K 6 Reputation points

2022-12-05T10:17:19.733+00:00

Yes, Its working now thanks
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-12-05T13:30:19.297+00:00

Thank you for the update, @Rajasekar K . Glad to hear that it is working now.

I've added the information in the answer section below for better visibility.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,
Gita

Answer 1

Hello @Rajasekar K ,

I understand that you are trying to setup a custom domain in Azure FrontDoor and you have already added the Service Principle & Access policy in your Key Vault but when trying to add the GoDaddy issued certificate in the secret section of Frontdoor, you are getting the following error "Failed to create the secret. We don't have permission to access this secret. Go to access policies in your key vault account to give Microsoft.AzureFrontDoor-cdn or managed identities permission to get secrets".

To be able to add the certificate to the secret section of Front Door, the below 2 steps must be completed first and sometimes, it may take more than 1 try. So request you to check if both the below steps have been completed and re-try them just to be sure and then try adding the certificate:

1) Register Azure Front Door:
Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.
The Application Id is "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#register-azure-front-door

2) Grant Azure Front Door access to your key vault:
In your key vault account, select Access policies and create a new access policy with Get Secret & Certificate permissions to allow Front Door to retrieve the certificate. In Select principal, search for 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8, and select Microsoft.AzureFrontDoor-Cdn
Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#grant-azure-front-door-access-to-your-key-vault

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Azure – Front Door, Custom Domain - BYOC-In Secret not able to add the certificate

1 answer

Your answer