Certificate upload fails via cli but works via portal

[tmcgannon]

Please provide us with the following information:

This issue is a: (mark with an x)

• bug report -> please search issues before submitting
• documentation issue or request
• regression (a behavior that used to work and stopped in a new release)

Issue description

I have obtained my certificate via LetsEncrypt and produced a valid pfx file which I can upload to KeyVault via azure cli but fails when adding to Azure Container App Environment using this command:

az containerapp env certificate upload \    
      --resource-group ${RESOURCE_GROUP} \
      --name ${CONTAINER_APP_ENV_NAME} \
      --certificate-file ${PFX_CERT_PATH} \
      --certificate-name ${CONTAINER_APP_CERTIFICATE_NAME} \
      --password ${PFX_PASSWORD}

The error is:

Certificate must contain one private key.

However, I can upload manually in the portal.azure.com without an issue:

I looked at the pfx file using Mac Keychain Access and it looks like it has a private key with an intermediate key:

Steps to reproduct

See above

Expected behavior

The az containerapp env certificate upload command should succeed.

Actual behavior

I get this error: Certificate must contain one private key.

[StrawnSC]

@lil131 can you take a look at this? Thanks

[Mathijs-Dijk]

after support from microsoft what helped in my case was adding the certificate (pfx) on the local machine (with mmc). After this the upload worked.

I had the exact same issues as in this thread (cli => "must contain one private key", portal => "password not correct"

[lil131]

@Mathijs-Dijk thanks for reporting your case. Were you using a certificate obtained from LetsEncrypt as well?

[tmcgannon]

@Mathijs-Dijk Regarding:

adding the certificate (pfx) on the local machine (with mmc).

How did you add the certificate? What commands were used? Did the pfx get changed during the process?

[panchagnula]

@tmcgannon are you still able to repro this only on CLI & not on portal. If so would you be willing to run the CLI command with --debug & share the details, after removing some PII info or send an email to us directly with the details? We can share our email address to send the debug info to. Thanks!

[Mathijs-Dijk]

@tmxgannon
I work on a Windows machine as developer. I used MMC to add the certificate on my local machine.

@lil131 no our certificate is from Sectigo. But I think this issue occurs with all third party certificates for Azure Container Apps. We had no problems uploading the certificate in KeyVault and App Services with the exact same certificate.. As I mentioned, after adding the certificate to my local machine it worked. * Only downside is that I cannot upload it a.t.m. through Bicep in our release pipeline on Azure.

[panchagnula]

@tmxgannon I work on a Windows machine as developer. I used MMC to add the certificate on my local machine.

@lil131 no our certificate is from Sectigo. But I think this issue occurs with all third party certificates for Azure Container Apps. We had no problems uploading the certificate in KeyVault and App Services with the exact same certificate.. As I mentioned, after adding the certificate to my local machine it worked. * Only downside is that I cannot upload it a.t.m. through Bicep in our release pipeline on Azure.

@vinisoto / @anthonychu , @tmcgannon 's issue doesn't seem be client specific, could you help here? Thanks!

[vinisoto]

Would like to hear from @tmcgannon: to confirm if the issue is still reproducible only on CLI but not on Portal

[tmcgannon]

@vinisoto @panchagnula It still does not work and shows this message: