
I have a Wildcard SSL Certificate in my KeyVault. I've got multiple hostnames that need to use the Wildcard SSL Certificate. I want to create 3x HTTPS Listeners in my Application Gateway, each for a different hostname (hostname1, hostname2 & hostname3). I can use the same certificate for all 3x HTTPS Listeners if I manually create the Listeners in the Azure Portal, but once I try to do it via Terraform, it gives me a duplicate SSL Certificate error.

app_gateway.tf

  # Three HTTPS listeners, each for one hostname, all referencing the same ssl_certificate by name
  http_listener {
    frontend_ip_configuration_name = "AppGWPublicFrontendIP"
    frontend_port_name             = "fp-443"
    host_names                     = ["${var.ENV}.hostname1.company.com"]
    name                           = "fl-hostname-https-443"
    protocol                       = "Https"
    ssl_certificate_name           = "star.company.com-cert"
  }
  http_listener {
    frontend_ip_configuration_name = "AppGWPublicFrontendIP"
    frontend_port_name             = "fp-443"
    host_names                     = ["${var.ENV}.hostname2.company.com"]
    name                           = "fl-hostname2-https-443"
    protocol                       = "Https"
    ssl_certificate_name           = "star.company.com-cert"
  }
  http_listener {
    frontend_ip_configuration_name = "AppGWPublicFrontendIP"
    frontend_port_name             = "fp-443"
    host_names                     = ["${var.ENV}.hostname3.company.com"]
    name                           = "fl-hostname3-https-443"
    protocol                       = "Https"
    ssl_certificate_name           = "star.company.com-cert"
  }

  # Single certificate element, loaded from Key Vault by secret id
  ssl_certificate {
    name                = "star.company.com-cert"
    key_vault_secret_id = "https://keyvault.vault.azure.net/certificates/star-company-com/${var.certificate_secret_id}"
  }

Error:

│ Error: updating Application Gateway: (Name "AppGateway_Name" / Resource Group "ResourceGroup_Name"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewayDuplicateSslCertificate" Message="Application Gateway /subscriptions/00000000-0000-0000-0000-0000000000/resourceGroups/ResourceGroup_Name/providers/Microsoft.Network/applicationGateways/AppGateway_Name cannot have same certificate used across two Ssl Certificate elements. Certificate for /subscriptions/00000000-0000-0000-0000-0000000000/resourceGroups/ResourceGroup_Name/providers/Microsoft.Network/applicationGateways/AppGateway_Name/sslCertificates/cert-***-env-hostname-cert and /subscriptions/00000000-0000-0000-0000-0000000000/resourceGroups/ResourceGroup_Name/providers/Microsoft.Network/applicationGateways/AppGateway_Name/sslCertificates/cert-***-env-hostname-cert are same." Details=[]

2 Answers


This error means that the specified Application Gateway resource is using a "duplicate SSL certificate".

  • The certificate is shared by two SSL Certificate attributes in the same Application Gateway. The error message also specifies which certificates are similar.

To resolve this:

  • Make sure that each SSL certificate is only used once in the Application Gateway resource.

You can verify the Application Gateway configuration to ensure that the certificates are not being used repeatedly.

You can also verify that there are no duplicate SSL certificates in the Azure portal. If there are duplicate certificates, remove them to avoid this kind of conflict.

I do agree with @SoySolisCarlos, and you can refer to the SO post by @Ansuman Bal. I made a few changes to that script, giving my certificate details, and it worked as expected.

Changes in the code:

  http_listener {
    name                           = local.listener_name                   # locals defined in a locals block (not shown)
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Https"
    ssl_certificate_name           = "mycert"
  }
  # One certificate element, pulled from Key Vault via the certificate's secret id
  ssl_certificate {
    name                = "mycert"
    key_vault_secret_id = azurerm_key_vault_certificate.main.secret_id
  }

Terraform successfully initialized without any errors.

Jahnavi

What worked for me was using a data source:

# Look up the resource group, the Key Vault and the wildcard certificate
data "azurerm_resource_group" "resource_group" {
  name = "resource_group_name"
}
data "azurerm_key_vault" "KeyVault" {
  name                = "KeyVault_name"
  resource_group_name = data.azurerm_resource_group.resource_group.name
}
data "azurerm_key_vault_certificate" "star-company-com" {
  name         = "star-company-com"
  key_vault_id = data.azurerm_key_vault.KeyVault.id
}

  http_listener {
    frontend_ip_configuration_name = "AppGWPublicFrontendIP"
    frontend_port_name             = "fp-443"
    host_names                     = ["${var.ENV}.hostname1.company.com"]
    name                           = "fl-hostname-https-443"
    protocol                       = "Https"
    ssl_certificate_name           = "star-company-com-cert"   # must match the ssl_certificate name below
  }

  # Certificate data read from the Key Vault data source instead of a secret id
  ssl_certificate {
    name     = "star-company-com-cert"
    data     = data.azurerm_key_vault_certificate.star-company-com.certificate_data
    password = ""
  }
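An added example (not code from the question or either answer) of the pattern both answers point at: declare the wildcard certificate in exactly one ssl_certificate element and have every HTTPS listener reference it by name, which is the constraint the ApplicationGatewayDuplicateSslCertificate error enforces. The hostnames list, the user-assigned identity and the Key Vault data source are assumptions, and the Application Gateway's other required blocks are omitted.

```hcl
# Added example (not from the question or answers): declare the wildcard
# certificate once and let every HTTPS listener reference it by name.
locals {
  tls_hosts = ["hostname1", "hostname2", "hostname3"]   # constructed list
}

# Same data source shape as the second answer; the vault lookup is assumed.
data "azurerm_key_vault_certificate" "wildcard" {
  name         = "star-company-com"
  key_vault_id = data.azurerm_key_vault.KeyVault.id
}

resource "azurerm_application_gateway" "appgw" {
  # name, location, sku, gateway_ip_configuration, frontend_port,
  # frontend_ip_configuration, backend pools and routing rules omitted.

  # The gateway fetches the PFX from Key Vault with this identity, which
  # needs "Get" on secrets (access policy or Key Vault Secrets User role).
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.appgw.id]   # assumed resource
  }

  # Exactly one ssl_certificate element for the wildcard. The duplicate check
  # is on the certificate itself, so two elements with different names that
  # point at the same secret still fail with
  # ApplicationGatewayDuplicateSslCertificate.
  ssl_certificate {
    name                = "star-company-com-cert"
    # versionless id: the gateway picks up renewed versions without a plan change
    key_vault_secret_id = data.azurerm_key_vault_certificate.wildcard.versionless_secret_id
  }

  # One HTTPS listener per hostname; all share the certificate by name.
  dynamic "http_listener" {
    for_each = toset(local.tls_hosts)
    content {
      name                           = "fl-${http_listener.value}-https-443"
      frontend_ip_configuration_name = "AppGWPublicFrontendIP"
      frontend_port_name             = "fp-443"
      protocol                       = "Https"
      host_names                     = ["${var.ENV}.${http_listener.value}.company.com"]
      ssl_certificate_name           = "star-company-com-cert"
    }
  }
}
```

Adding a fourth hostname is then a one-item change to local.tls_hosts, with no new ssl_certificate element and therefore no duplicate to reject.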