

Adding "DisableChallengeResourceVerification = true" to prevent the cert client from failing behind a proxy.
joevanwanzeeleKF committed Dec 18, 2024
1 parent c6d3226 commit e5e6832
Showing 1 changed file with 13 additions and 12 deletions.
25 changes: 13 additions & 12 deletions AzureKeyVault/AzureClient.cs
Expand Up @@ -81,7 +81,8 @@ private protected virtual CertificateClient CertClient
cred = new ClientSecretCredential(VaultProperties.TenantId, VaultProperties.ClientId, VaultProperties.ClientSecret, new ClientSecretCredentialOptions() { AuthorityHost = AzureCloudEndpoint, AdditionallyAllowedTenants = { "*" } });
logger.LogTrace("generated credentials");
}
_certClient = new CertificateClient(new Uri(VaultProperties.VaultURL), credential: cred);
var certClientOptions = new CertificateClientOptions() { DisableChallengeResourceVerification = true }; // without this, requests fail when running behind a proxy https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/keyvault/TROUBLESHOOTING.md#incorrect-challenge-resource
_certClient = new CertificateClient(new Uri(VaultProperties.VaultURL), credential: cred, certClientOptions);

return _certClient;
}
Expand Down Expand Up @@ -111,7 +112,7 @@ internal protected virtual ArmClient getArmClient(string tenantId)
logger.LogTrace("got credentials for service principal identity");
}

_mgmtClient = new ArmClient(credential);
_mgmtClient = new ArmClient(credential, VaultProperties.SubscriptionId, new ArmClientOptions() { });
logger.LogTrace("created management client");
return _mgmtClient;
}
Expand Down Expand Up @@ -219,10 +220,7 @@ public virtual async Task<KeyVaultCertificateWithPolicy> ImportCertificateAsync(
logger.LogTrace($"importing created x509 certificate named {1}", certName);
logger.LogTrace($"There are {x509Collection.Count} certificates in the chain.");
var cert = await CertClient.ImportCertificateAsync(new ImportCertificateOptions(certName, certWithKey));

// var fullCert = _secretClient.GetSecret(certName);
// The certificate must be retrieved as a secret from AKV in order to have the full chain included.


return cert;
}
catch (Exception ex)
Expand Down Expand Up @@ -278,8 +276,9 @@ public virtual async Task<IEnumerable<CurrentInventoryItem>> GetCertificatesAsyn
var fullInventoryList = new List<CertificateProperties>();
var failedCount = 0;
Exception innerException = null;

await foreach (var cert in inventory) {

await foreach (var cert in inventory)
{
logger.LogTrace($"adding cert with ID: {cert.Id} to the list.");
fullInventoryList.Add(cert); // convert to list from pages
}
Expand All @@ -300,23 +299,25 @@ public virtual async Task<IEnumerable<CurrentInventoryItem>> GetCertificatesAsyn
PrivateKeyEntry = true,
ItemStatus = OrchestratorInventoryItemStatus.Unknown,
UseChainLevel = true,
Certificates = new List<string>() { Convert.ToBase64String(cert.Value.Cer) }
Certificates = new List<string>() { Convert.ToBase64String(cert.Value.Cer) }
});
}
catch (Exception ex)
{
failedCount++;
innerException = ex;
logger.LogError($"Failed to retreive details for certificate {certificate.Name}. Exception: {ex.Message}");
logger.LogError($"Failed to retreive details for certificate {certificate.Name}. Exception: {ex.Message}");
// continuing with inventory instead of throwing, in case there's an issue with a single certificate
}
}

if (failedCount == fullInventoryList.Count()) {
if (failedCount == fullInventoryList.Count())
{
throw new Exception("Unable to retreive details for certificates.", innerException);
}

if (failedCount > 0) {
if (failedCount > 0)
{
logger.LogWarning($"{failedCount} of {fullInventoryList.Count()} certificates were not able to be retreieved. Please review the errors.");
}

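Review bot: The new `certClientOptions` line sets `DisableChallengeResourceVerification = true` unconditionally, which turns off the SDK's check that the authentication challenge returned by the vault names a resource matching the vault's own host before the bearer token is sent; the troubleshooting page linked in the comment presents this as a workaround for a specific proxy configuration, not a default. As written, every deployment of this client now runs with that check relaxed, including ones that are not behind a proxy. Consider driving the flag from an opt-in vault property that defaults to false, e.g. `DisableChallengeResourceVerification = <opt-in bool property on VaultProperties>`, and replacing the inline comment with one that states the trade-off, such as `// Opt-in only: skips the SDK's challenge-resource match check before the token is sent; needed when a proxy rewrites the vault's auth challenge`. The `CertClient` getter this hunk belongs to starts outside the hunk.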

