
Comments (15)

yonzhan commented on July 19, 2024

Thank you for opening this issue, we will look into it.

from azure-cli.

Greedygre commented on July 19, 2024

Hi @MichaelCameronDHSC

About "Look for or create a managed certificate and bind with the hostname if no certificate or thumbprint is provided."

The managed certificate is not ready in the azure-cli; you need to install the containerapp extension with the command: az extension add -n containerapp.
I will fix the help for the command containerapp hostname bind.

Thanks

from azure-cli.

MichaelCameronDHSC commented on July 19, 2024

Sorry but this suggestion still fails, albeit with a different error message:

michael_cameron [ ~ ]$ az extension add -n containerapp
Default enabled including preview versions for extension installation now. Disabled in future release. Use '--allow-preview true' to enable it specifically if needed. Use '--allow-preview false' to install stable version only.
The installed extension 'containerapp' is in preview.
michael_cameron [ ~ ]$ az containerapp hostname bind -n caefdtest001 -g rg-internalapp-dev-uks-001 --hostname a02.azurefd.net
The behavior of this command has been altered by the following extension: containerapp
Please specify at least one of parameters: --certificate and --environment

Specifying the environment leads to another different error:

michael_cameron [ ~ ]$ az containerapp hostname bind -n caefdtest001 -g rg-internalapp-dev-uks-001 --hostname a02.azurefd.net --environment cae-internal-dev-uks-001
The behavior of this command has been altered by the following extension: containerapp
Creating managed certificate 'mc-cae-internal-d-a02-azurefd-net-1605' for a02.azurefd.net.
It may take up to 20 minutes to create and issue a managed certificate.
Please specify the parameter: --validation-method

I cannot see anything in the updated documentation that describes what values the validation-method parameter accepts.

from azure-cli.

Greedygre commented on July 19, 2024

--validation-method

Hi @MichaelCameronDHSC
The validation-method accepts HTTP, CNAME or TXT.

PS:
It will be included in azure-cli from Azure CLI version 2.62.0 (official release: 07/02/2024, PR: #29156), so there is no need to install the extension. The doc in az containerapp hostname bind -h will also show the available values for --validation-method from Azure CLI version 2.62.0.

from azure-cli.

MichaelCameronDHSC commented on July 19, 2024

How do I force the use of private DNS? There is a CNAME record, but not the public one.

from azure-cli.

Greedygre commented on July 19, 2024

> How do I force the use of private DNS? There is a CNAME record, but not the public one.

I don't know how to use private DNS. Did you get an error with --validation-method CNAME?

from azure-cli.

MichaelCameronDHSC commented on July 19, 2024

Yes, the CNAME record that exists in private DNS cannot be found. I'm following a guide to using internal container apps and exposing them via custom private links with front door so need to use private DNS but cannot bind the hostname either with cli or in the portal.

michael_cameron [ ~ ]$ az containerapp hostname bind -n caefdtest001 -g rg-internalapp-dev-uks-001 --hostname a02.azurefd.net --environment cae-internal-dev-uks-001 --validation-method CNAME
The behavior of this command has been altered by the following extension: containerapp
Creating managed certificate 'mc-cae-internal-d-a02-azurefd-net-9665' for a02.azurefd.net.
It may take up to 20 minutes to create and issue a managed certificate.
(FailedCnameValidation) Not found CNAME of hostname 'a02.azurefd.net' directly pointing to a default hostname. Found CNAME record(s) of the hostname are .

from azure-cli.

Greedygre commented on July 19, 2024

Hi @MichaelCameronDHSC
Can you use Private key certificates?

  • use az containerapp env certificate upload to upload a certificate in your environment
  • use az containerapp hostname bind to bind it to your containerapp

You can also use Portal:

from azure-cli.

MichaelCameronDHSC commented on July 19, 2024

No

from azure-cli.

tdaroly commented on July 19, 2024

Hello @MichaelCameronDHSC,

I see that this is a Consumption Environment with a VNet. Can you share your DNS settings of a02.azurefd.net as well?

I see from the custom-domain on the app caefdtest001 that the custom domain you are trying to add is a02.azurefd.net. This looks like an Azure Front Door instance. Do you have a reference to your container app generated FQDN in the DNS settings?
https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-certificates

Have you tried the following?
https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#dns

from azure-cli.

MichaelCameronDHSC commented on July 19, 2024

I'm trying to set up access via frontdoor and am also using MS authentication in my container app.
The only need for a custom domain is to enable host name preservation to allow the app to operate as it should. So, yes, I want to create a custom domain and have created a private DNS Zone to try and achieve that with an A record that points to the static IP.

I do not understand the assertion "If you are using an internal Container Apps Environment, there is no validation for the DNS binding, as the cluster can only be accessed from within the virtual network".
To create the binding appears to require validation.

What am I missing?

from azure-cli.

Greedygre commented on July 19, 2024

Hi @MichaelCameronDHSC
The internal environment is created with the CLI command: az containerapp env create -s {subnet-id} --internal-only

--internal-only : Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource, therefore must provide infrastructureSubnetResourceId if enabling this property. Allowed values: false, true.

You can also check with the command:
az containerapp env show -n {name} -g {rg-name} --query "properties.vnetConfiguration.internal"

from azure-cli.

MichaelCameronDHSC commented on July 19, 2024

The value is true:

michael_cameron [ ~ ]$ az containerapp env show -n cae-internal-dev-uks-001 -g rg-internalapp-dev-uks-001 --query "properties.vnetConfiguration.internal"
The behavior of this command has been altered by the following extension: containerapp
true

from azure-cli.

tdaroly commented on July 19, 2024

@MichaelCameronDHSC Can you add the app FQDN as a CNAME record in your DNS settings?

a02.azurefd.net CNAME caefdtest001.lemonground-3209f350.uksouth.azurecontainerapps.io

The error you are seeing, "(FailedCnameValidation) Not found CNAME of hostname 'a02.azurefd.net' directly pointing to a default hostname. Found CNAME record(s) of the hostname are .", is due to DigiCert not being able to find any CNAMEs in your DNS settings. I did a quick DNS lookup on a02.azurefd.net and was not able to see any CNAME settings.

from azure-cli.

tdaroly commented on July 19, 2024

We also see that the env cae-internal-dev-uks-001 is internal. One of the requirements for managed certs is having the container app accessible publicly.

https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?pivots=azure-portal

from azure-cli.
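
The two conditions the thread ends on (the environment must not be internal, and the CNAME must be visible to public DNS, not only in a private zone) can be checked before running `az containerapp hostname bind`. This is an added example, not part of the thread or of the Azure CLI project; the function name, the return codes and the `PUBLIC_RESOLVER` default are assumptions.

```shell
#!/bin/sh
# Added example: preflight for a managed-certificate hostname bind.
# PUBLIC_RESOLVER is an assumption; any public recursive resolver will do.
PUBLIC_RESOLVER="${PUBLIC_RESOLVER:-1.1.1.1}"

# Usage: managed_cert_preflight <app> <resource-group> <environment> <hostname>
# Returns 0 (ok), 1 (internal environment), 2 (public CNAME missing or wrong),
# 3 (an az query failed). The reason is printed on stdout.
managed_cert_preflight() {
  local app="$1" rg="$2" env_name="$3" host="$4"
  local internal fqdn cname

  # Same query as in the thread; JSON output prints true or false.
  internal=$(az containerapp env show -n "$env_name" -g "$rg" \
    --query "properties.vnetConfiguration.internal" -o json) || return 3
  case "$internal" in
    [Tt]rue) echo "internal-environment"; return 1 ;;
  esac

  # Default hostname of the app, which the CNAME has to point at directly.
  fqdn=$(az containerapp show -n "$app" -g "$rg" \
    --query "properties.configuration.ingress.fqdn" -o tsv) || return 3

  # Ask a public resolver on purpose: a record that exists only in a
  # private DNS zone is invisible to the certificate issuer.
  cname=$(dig +short CNAME "$host" @"$PUBLIC_RESOLVER" | head -n 1)
  cname=$(printf '%s' "${cname%.}" | tr 'A-Z' 'a-z')
  fqdn=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')

  if [ -z "$cname" ] || [ "$cname" != "$fqdn" ]; then
    echo "cname-mismatch: found '${cname}', expected '${fqdn}'"
    return 2
  fi
  echo "ok"
}

# Run directly with four arguments; with none, only the function is defined.
if [ "$#" -eq 4 ]; then
  managed_cert_preflight "$@"
fi
```

A result of `internal-environment` means a managed certificate is not an option and the uploaded-certificate route (`az containerapp env certificate upload`, then `az containerapp hostname bind`) is the one left.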
