Unable to update or delete Listener TLS certificates (App gateway)

Hello,

We're experiencing an issue within the Application Gateway when attempting to modify or remove the listener TLS certificates (error details attached). These certificates have been deleted and also purged from Key Vault and are no longer available to us, so re-uploading isn't an option. This error is blocking us to proceed with further tests.

Is there a method to delete those certificates from the App Gateway?

Any guidance would be appreciated!

Thank you and have a nice day!

Cosmina Alexandra Jelea (RO) 165 Reputation points

2023-10-04T06:49:59.67+00:00
It seems that the error cannot be attached as file. I will write in below:

Failed to save changes

Failed to save the changes for the listener certificate 'certificate-15-09-testpfx' Please try again.

Failed to save application gateway changes

Failed to save configuration changes to application gateway 'preprod-agw2'. Error: Data or KeyVaultSecretId must be specified for certificate 'preprod-rg/providers/Microsoft.Network/applicationGateways/preprod-agw2/sslCertificates/certificate-preprod-202309261522pfx'>preprod-agw2/certificate-preprod-202309261522pfx'. If you are providing certificate data, please upload the certificate again, otherwise please remove the certificate and all references. Subsequent operations will continue to fail with this error message until a valid certificate replaces the existing certificate or the certificate is removed. For secrets/certificates referenced by key vault, please ensure connectivity to key vault is possible and the referenced secret/certificate has not been disabled.

See less
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-04T11:19:24.5966667+00:00
@Cosmina Alexandra Jelea (RO)

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that Application gateway has reference to deleted certificates from KeyVault and this in turn preventing you to perform any CRUD operations on the App Gateway.

May I ask if the Listener(s) to which the certificate(s) were uploaded/referenced were deleted already?

If yes,

Open Azure Preview Portal : https://preview.portal.azure.com/#home

Go to the App Gateway and open Listeners

You should see a "Listener TLS certificates (Preview)" tab

From here, select the certificate that is causing the issue

In your case, it should be "certificate-preprod-202309261522pfx"

You will see that certain certificates will have "Associated Listeners" as 0

Use the ellipsis and click "Delete" to delete the reference in all such entries with 0 Associated Listeners one by one.

If No,

I don't think so this be the case

But if this were the case, please do let me know and I shall look into the next steps.

Cheers,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-05T09:49:21.6766667+00:00

@Cosmina Alexandra Jelea (RO)

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
Cosmina Alexandra Jelea (RO) 165 Reputation points

2023-10-05T10:53:32.2866667+00:00

@KapilAnanth-MSFT thanks a lot for your answer.

Unfortunately, we cannot delete those entries.
I guess next step would be to create another App gateway with the corresponding listeners...and after that, to delete the blocked one.

Can you please confirm this?
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-05T13:22:06.1+00:00
@Cosmina Alexandra Jelea (RO)

You are welcome.

Wrt, "Unfortunately, we cannot delete those entries."

Can you please provide more information?

Was there an error message ?

Or the certificate was not listed?

If you are planning to delete the old one and create a new one,

You will not be able to figure out the root cause as to why the old one went into such a blocked state

Also, if you are going for a green development, then yes, spinning up a new App gateway would make sense.

However, if you want to make the new App gateway just to mimic the old App gateway's configurations(just because the old App Gw is in a stuck state) , I would say it might lead to management overheads.

As you have to make sure all the Listeners, Rules and Backends are properly configured.

Adding to the above, it could be the case that we may not be able to delete the old App Gateway as we can see CRUD operations fail.

I would recommend you to proceed with Troubleshooting how we can remediate the App gateway to a functioning state.

Can you please let me know if you are planning for a Green deployment or Brown Deployment.

Cheers,

Kapil
Cosmina Alexandra Jelea (RO) 165 Reputation points

2023-10-05T16:56:00.6133333+00:00

@KapilAnanth-MSFT thanks a lot for your involvement!

Finally we managed to solve this by using PowerShell commands:

$AppGw = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
Remove-AzApplicationGatewaySslCertificate -ApplicationGateway $AppGw -Name "Certname-in-app-gateway"
Set-AzApplicationGateway -ApplicationGateway $AppGw

Thanks for your prompt response and support!

We'll definitely come back once we have some other issues.
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-06T09:33:23.65+00:00

@Cosmina Alexandra Jelea (RO)

I am glad the issue is resolved.

Accepting one's own answer is not supported in Q&A forum as of now. Hence I am summarizing our comments posting it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread.

Should there be any query, please do let us know and we will be more than happy to assist :)

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-06T09:30:25.6566667+00:00
@Cosmina Alexandra Jelea (RO)

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that Application gateway has reference to deleted certificates from KeyVault and this in turn preventing you to perform any CRUD operations on the App Gateway.

I suggested,

Open Azure Preview Portal : https://preview.portal.azure.com/#home

Go to the App Gateway and open Listeners

You should see a "Listener TLS certificates (Preview)" tab

From here, select the certificate that is causing the issue

In your case, it should be "certificate-preprod-202309261522pfx"

You will see that certain certificates will have "Associated Listeners" as 0

Use the ellipsis and click "Delete" to delete the reference in all such entries with 0 Associated Listeners one by one.

You informed us that there were some issues with Portal but however, you were able to do the same with Powershell.

Remove-AzApplicationGatewaySslCertificate

Thanks,

Kapil

Please Accept an answer as this helps the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Share via

Unable to update or delete Listener TLS certificates (App gateway)

0 additional answers