
Cannot renew Certificate in Azure Application Gateway with WAF

Javier Morales 31 Reputation points
2022-07-01T16:47:38.253+00:00

Hi everyone.

We have an Application Gateway with a public certificate. The certificate is working properly but expires in about 30 days. We rekeyed the certificate in GoDaddy and tried to install it on the AppGw.

When we try to install the certificate, we receive an error from Azure:
Failed to save configuration changes to application gateway AppGw03. Error: WebApplicationFirewallConfiguration cannot be changed when there is a WAF policy DevWAFPolicy associated with it.

We tried using PowerShell and got the same error.
We tried doing this with a PFX certificate file and with a Key Vault, and got the same error.

How can we install the certificate in the AppGw?


Answer accepted by question author

GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator
2022-07-04T12:13:14.577+00:00

Hello @Javier Morales ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are unable to renew the certificate in Azure Application Gateway with WAF and are getting the following error when trying to upload a new certificate: "Failed to save configuration changes to application gateway AppGw03. Error: WebApplicationFirewallConfiguration cannot be changed when there is a WAF policy DevWAFPolicy associated with it."

I checked internally and found that you have already raised a support request for this issue, and the support team advised you to delete the existing certificate and then upload the new certificate.
I am not sure if you have already tried this, but I also found the same issue reported by another customer, where the Application Gateway Product Group team was engaged and the resolution provided was as below:

The received error is not expected; under normal conditions you should be able to upload new certificates without any problems. The error here could be because some parameters related to the WAF policy are missing from the Application Gateway configuration.

You can fix this error by changing the Application Gateway SKU from WAF_V2 to Standard_V2, using the below PowerShell script:

```powershell
$SubscriptionId = 'xxxxxx-xxxx-xxx'
$ResourceGroupName = 'RGname'
$GatewayName = 'appgwname'
Connect-AzAccount -Subscription $SubscriptionId
$appGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
# Detach the WAF policy and the legacy WAF configuration, then drop the SKU to Standard_v2
$appGw.FirewallPolicy = $null
$appGw.Sku.Name = 'Standard_v2'
$appGw.Sku.Tier = 'Standard_v2'
$appGw.WebApplicationFirewallConfiguration = $null
$appGw.ForceFirewallPolicyAssociation = $true
# Push the changed configuration to Azure
Set-AzApplicationGateway -ApplicationGateway $appGw
```

Once you finish updating the Application Gateway using the above script, you should be able to upload the new certificate successfully.
After that, you can change the Application Gateway SKU back to WAF_V2 via the Azure portal and associate the WAF policy with it.


To associate your WAF policy with the existing Application Gateway: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/associate-waf-policy-existing-gateway

I would request you to try the above steps to fix your issue.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
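The full round trip the accepted answer describes (downgrade to Standard_v2, upload the renewed certificate, restore WAF_v2 and re-associate the policy), as an added PowerShell example that is not part of the original answer. It assumes the Az.Network module, the names from the thread (gateway AppGw03, policy DevWAFPolicy, resource group RGname), a constructed certificate name and PFX path, and that the SKU and firewall policy can be set by property assignment as the answer's own script does.

```powershell
# Added example, not from the original answer. Placeholder names: resource group,
# gateway and policy from the thread; certificate name and PFX path are constructed.
$ResourceGroupName = 'RGname'
$GatewayName       = 'AppGw03'
$PolicyName        = 'DevWAFPolicy'
$CertName          = 'frontend-cert'        # assumed name of the listener's existing certificate
$PfxPath           = 'C:\certs\renewed.pfx' # assumed path to the rekeyed certificate
$PfxPassword       = Read-Host -Prompt 'PFX password' -AsSecureString

$appGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
# Remember the SKU so the gateway is restored exactly as it was (expected: WAF_v2).
$origSkuName = $appGw.Sku.Name
$origSkuTier = $appGw.Sku.Tier

# 1. Temporary downgrade (the answer's workaround). From here until step 3 the
#    gateway serves traffic with no WAF rules evaluated, so keep the window short.
$appGw.FirewallPolicy = $null
$appGw.WebApplicationFirewallConfiguration = $null
$appGw.Sku.Name = 'Standard_v2'
$appGw.Sku.Tier = 'Standard_v2'
$appGw.ForceFirewallPolicyAssociation = $true
$appGw = Set-AzApplicationGateway -ApplicationGateway $appGw

try {
    # 2. Replace the certificate in place under its existing name, so the HTTPS
    #    listeners that reference $CertName pick up the renewed key pair.
    $appGw = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $appGw -Name $CertName `
        -CertificateFile $PfxPath -Password $PfxPassword
    $appGw = Set-AzApplicationGateway -ApplicationGateway $appGw
}
finally {
    # 3. Always restore the WAF SKU and re-associate the policy, even if the
    #    upload in step 2 failed, so the gateway is never left unprotected.
    $appGw  = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
    $policy = Get-AzApplicationGatewayFirewallPolicy -ResourceGroupName $ResourceGroupName -Name $PolicyName
    $appGw.Sku.Name = $origSkuName
    $appGw.Sku.Tier = $origSkuTier
    $appGw.FirewallPolicy = $policy
    $appGw = Set-AzApplicationGateway -ApplicationGateway $appGw
}

# 4. Verify the end state before closing the change: WAF tier back, policy attached,
#    certificate present under the expected name.
$appGw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
$cert  = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $appGw -Name $CertName
if ($appGw.Sku.Tier -ne $origSkuTier -or -not $appGw.FirewallPolicy -or -not $cert) {
    throw "Post-check failed on $GatewayName: WAF policy or certificate not restored."
}
```

Run it in a maintenance window: while the SKU is Standard_v2 the WAF policy is detached and requests are not inspected.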
