【Question title】: Is there a way to run this Azure Key Vault task (in Azure DevOps) with a cert?
【Posted】: 2019-09-06 17:43:14
【Question】:

We have SSL inspection enabled in our on-premises environment. We can run the self-hosted agent with a certificate using the command `.\config.cmd --sslcacert cacert.pem`, as you can see from this log:

2019-09-04T20:36:49.2001937Z ##[debug]Agent.CAInfo=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\cacert.pem

However, when we run the Azure Key Vault task we still get this error: "Error: self signed certificate in certificate chain". This means the Key Vault task is not using the certificate.

Our temporary workaround is to bypass SSL inspection for 2 URLs: login.windows.net and xxx-kv.vault.azure.net (the actual Key Vault task).

Full debug log from running the Azure Key Vault task:

2019-09-04T20:36:48.5271195Z ##[section]Starting: Azure Key Vault: XXX-KV
2019-09-04T20:36:48.5633898Z ==============================================================================
2019-09-04T20:36:48.5634124Z Task         : Azure Key Vault
2019-09-04T20:36:48.5634269Z Description  : Download Azure Key Vault secrets
2019-09-04T20:36:48.5634436Z Version      : 1.155.0
2019-09-04T20:36:48.5634589Z Author       : Microsoft Corporation
2019-09-04T20:36:48.5634739Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-key-vault
2019-09-04T20:36:48.5634909Z ==============================================================================
2019-09-04T20:36:49.1806715Z ##[debug]agent.TempDirectory=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_temp
2019-09-04T20:36:49.1855381Z ##[debug]loading inputs and endpoints
2019-09-04T20:36:49.1880068Z ##[debug]loading ENDPOINT_AUTH_8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.1896857Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_AUTHENTICATIONTYPE
2019-09-04T20:36:49.1904896Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_SERVICEPRINCIPALID
2019-09-04T20:36:49.1912609Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_SERVICEPRINCIPALKEY
2019-09-04T20:36:49.1919718Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_8040b62c-c752-455e-be9c-b1cf3ac8c1c4_TENANTID
2019-09-04T20:36:49.1926908Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2019-09-04T20:36:49.1932604Z ##[debug]loading ENDPOINT_AUTH_SCHEME_8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.1938483Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2019-09-04T20:36:49.1944016Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2019-09-04T20:36:49.1951040Z ##[debug]loading INPUT_CONNECTEDSERVICENAME
2019-09-04T20:36:49.1956493Z ##[debug]loading INPUT_KEYVAULTNAME
2019-09-04T20:36:49.1962116Z ##[debug]loading INPUT_SECRETSFILTER
2019-09-04T20:36:49.1976755Z ##[debug]loaded 12
2019-09-04T20:36:49.2000363Z ##[debug]Agent.ProxyUrl=undefined
2019-09-04T20:36:49.2001937Z ##[debug]Agent.CAInfo=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\cacert.pem
2019-09-04T20:36:49.2002201Z ##[debug]Agent.ClientCert=undefined
2019-09-04T20:36:49.2002457Z ##[debug]expose agent certificate configuration.
2019-09-04T20:36:49.2002978Z ##[debug]Agent.SkipCertValidation=undefined
2019-09-04T20:36:49.2361569Z ##[debug]agent.proxyurl=undefined
2019-09-04T20:36:49.2362396Z ##[debug]VSTS_ARM_REST_IGNORE_SSL_ERRORS=undefined
2019-09-04T20:36:49.2363096Z ##[debug]AZURE_HTTP_USER_AGENT=VSTS_dc216ba3-25e9-46a8-823a-fb77a81f2a9f_Release__1792_3286_5
2019-09-04T20:36:49.3499232Z ##[debug]Agent.TempDirectory=C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_temp
2019-09-04T20:36:49.3580461Z ##[debug]Setting resource path to C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3582279Z ##[debug]check path : C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3585807Z ##[debug]adding resource file: C:\Users\DH56022\Downloads\vsts-agent-win-x64-2.155.1\_work\_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\1.155.0\task.json
2019-09-04T20:36:49.3586610Z ##[debug]system.culture=en-US
2019-09-04T20:36:49.3645635Z ##[debug]ConnectedServiceName=8040b62c-c752-455e-be9c-b1cf3ac8c1c4
2019-09-04T20:36:49.3646702Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data SubscriptionId = e0279acf-930e-4937-abbf-f45670343bcf
2019-09-04T20:36:49.3660205Z ##[debug]KeyVaultName=XXX-KV
2019-09-04T20:36:49.3667591Z ##[debug]SecretsFilter=*
2019-09-04T20:36:49.3674107Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultDnsSuffix = vault.azure.net
2019-09-04T20:36:49.3680310Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalid = ***
2019-09-04T20:36:49.3695138Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth scheme = ServicePrincipal
2019-09-04T20:36:49.3711060Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data subscriptionid = xxx
2019-09-04T20:36:49.3711521Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data subscriptionname = xxx
2019-09-04T20:36:49.3718207Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalid = ***
2019-09-04T20:36:49.3718578Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data environmentAuthorityUrl = https://login.windows.net/
2019-09-04T20:36:49.3723634Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param tenantid = ***
2019-09-04T20:36:49.3724897Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4=https://management.azure.com/
2019-09-04T20:36:49.3725191Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data environment = AzureCloud
2019-09-04T20:36:49.3731459Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth scheme = ServicePrincipal
2019-09-04T20:36:49.3731928Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data msiclientId = undefined
2019-09-04T20:36:49.3732261Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data activeDirectoryServiceEndpointResourceId = https://management.core.windows.net/
2019-09-04T20:36:49.3732543Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultServiceEndpointResourceId = https://vault.azure.net
2019-09-04T20:36:49.3732765Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data AzureKeyVaultDnsSuffix = vault.azure.net
2019-09-04T20:36:49.3732970Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data ScopeLevel = Subscription
2019-09-04T20:36:49.3739455Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param authenticationType = ***
2019-09-04T20:36:49.3739758Z ##[debug]credentials spn endpoint
2019-09-04T20:36:49.3744895Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 auth param serviceprincipalkey = ***
2019-09-04T20:36:49.3745190Z ##[debug]8040b62c-c752-455e-be9c-b1cf3ac8c1c4 data EnableAdfsAuthentication = false
2019-09-04T20:36:49.3749942Z ##[debug]{"subscriptionID":"xxx","subscriptionName":"xxx","servicePrincipalClientID":"***","environmentAuthorityUrl":"https://login.windows.net/","tenantID":"***","url":"https://management.azure.com/","environment":"AzureCloud","scheme":"ServicePrincipal","activeDirectoryResourceID":"https://management.azure.com/","azureKeyVaultServiceEndpointResourceId":"https://vault.azure.net","azureKeyVaultDnsSuffix":"vault.azure.net","scopeLevel":"Subscription","authenticationType":"***","servicePrincipalKey":***,"isADFSEnabled":false,"applicationTokenCredentials":{"clientId":"***","domain":"***","baseUrl":"https://management.azure.com/","authorityUrl":"https://login.windows.net/","activeDirectoryResourceId":"https://management.azure.com/","isAzureStackEnvironment":false,"authType":"***","secret":***,"isADFSEnabled":false}}
2019-09-04T20:36:49.3801318Z SubscriptionId: e0279acf-930e-4937-abbf-f45670343bcf.
2019-09-04T20:36:49.3801630Z Key vault name: XXX-KV.
2019-09-04T20:36:49.3804177Z ##[debug]set SYSTEM_UNSAFEALLOWMULTILINESECRET=true
2019-09-04T20:36:49.3806438Z ##[debug]Processed: ##vso[task.setvariable variable=SYSTEM_UNSAFEALLOWMULTILINESECRET;issecret=false;]true
2019-09-04T20:36:49.3807530Z ##[debug]Downloading all secrets from subscriptionId: e0279acf-930e-4937-abbf-f45670343bcf, vault: XXX-KV
2019-09-04T20:36:49.3815679Z Downloading secrets using: https://XXX-KV.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01.
2019-09-04T20:36:49.3837017Z ##[debug][POST]https://login.windows.net/***/oauth2/token/
2019-09-04T20:36:49.8075826Z ##[debug][GET]https://XXX-KV.vault.azure.net/secrets?maxresults=25&api-version=2016-10-01
2019-09-04T20:36:50.1199696Z ##[debug]Processed: ##vso[task.logissue type=error;code=SELF_SIGNED_CERT_IN_CHAIN;]
2019-09-04T20:36:50.1200310Z ##[debug]{"code":"SELF_SIGNED_CERT_IN_CHAIN"}
2019-09-04T20:36:50.1200536Z ##[debug]task result: Failed
2019-09-04T20:36:50.1201010Z ##[error]Get secrets failed. Error: self signed certificate in certificate chain.

Expected result: when the self-hosted agent is configured to run with a certificate, all tasks the agent executes should do the same.

【Question discussion】:

    Tags: azure-devops azure-keyvault
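The log above shows the task reading Agent.CAInfo and leaving the insecure knobs (Agent.SkipCertValidation, VSTS_ARM_REST_IGNORE_SSL_ERRORS) unset, yet the Node-based HTTP client still rejects the chain the inspecting proxy presents. The script below is an added example, not code from the original post or from the Azure DevOps agent. It constructs a stand-in inspection CA and a proxy-issued leaf certificate for the vault host with OpenSSL, reproduces the rejection with a bundle that lacks the inspection root, shows the chain verifying once the root is in the bundle, and then writes the bundle path into the agent's `.env` file as NODE_EXTRA_CA_CERTS (the Node.js environment variable that adds trusted roots at process start) so that Node-based tasks inherit the same trust as the agent itself. The vault host name, file names and agent root directory are assumptions; the check is written for a POSIX shell with OpenSSL 1.1 or later, while the same bundle file works unchanged on the Windows agent (only the path syntax differs).

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Builds a CONSTRUCTED TLS-inspection CA
# and a leaf certificate for the vault host (standing in for what the inspecting
# proxy presents), then checks which CA bundle trusts that chain. The host name,
# file names and the agent root directory are assumptions.
set -u
WORK="$(mktemp -d)"
VAULT_HOST="xxx-kv.vault.azure.net"     # assumed vault host, taken from the post
AGENT_ROOT="$WORK/agent"                # assumed agent root (where config.cmd lives)
mkdir -p "$AGENT_ROOT"

# Self-signed CA that the inspecting proxy uses to re-sign outbound TLS (constructed).
make_inspection_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/inspect-ca.key" -out "$WORK/inspect-ca.pem" \
    -subj "/CN=Constructed Inspection CA" >/dev/null 2>&1
}

# Unrelated root, used to build a bundle that does NOT contain the inspection CA (constructed).
make_unrelated_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other-root.key" -out "$WORK/other-root.pem" \
    -subj "/CN=Constructed Unrelated Root" >/dev/null 2>&1
}

# Leaf certificate the proxy would present for the vault host, issued by the inspection CA.
make_proxy_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=$VAULT_HOST" >/dev/null 2>&1
  openssl x509 -req -days 1 -set_serial 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/inspect-ca.pem" -CAkey "$WORK/inspect-ca.key" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# The check: validate the presented chain (leaf + inspection CA) against ONE bundle only,
# ignoring the system store, the way a process with a fixed CA file does.
# Returns 0 if the bundle trusts the chain, non-zero otherwise; OpenSSL's verdict is printed.
bundle_trusts_chain() {
  local bundle="$1"
  openssl verify -no-CAfile -no-CApath -CAfile "$bundle" \
    -untrusted "$WORK/inspect-ca.pem" "$WORK/leaf.pem" 2>&1
}

# The agent-side fix: hand the same bundle to Node-based tasks through NODE_EXTRA_CA_CERTS,
# set in the agent's .env file (one KEY=VALUE per line, read from the agent root at start-up).
write_agent_env() {
  local agent_root="$1" bundle="$2"
  printf 'NODE_EXTRA_CA_CERTS=%s\n' "$bundle" >> "$agent_root/.env"
}

make_inspection_ca
make_unrelated_root
make_proxy_leaf

# A bundle without the inspection root reproduces the task's failure: the proxy's
# self-signed CA sits in the chain but is not trusted (OpenSSL error 19).
cp "$WORK/other-root.pem" "$WORK/cacert-without-inspection-root.pem"
if bundle_trusts_chain "$WORK/cacert-without-inspection-root.pem"; then
  echo "unexpected: chain trusted without the inspection root"
else
  echo "reproduced: bundle lacks the inspection root, chain rejected"
fi

# The bundle passed to config.cmd --sslcacert must carry the inspection root; then the chain verifies.
cat "$WORK/other-root.pem" "$WORK/inspect-ca.pem" > "$WORK/cacert.pem"
if bundle_trusts_chain "$WORK/cacert.pem"; then
  echo "fixed: bundle contains the inspection root, chain verifies"
fi

write_agent_env "$AGENT_ROOT" "$WORK/cacert.pem"
cat "$AGENT_ROOT/.env"
```

Both login.windows.net (token request) and the vault host (secrets request) traverse the inspecting proxy, so both chains end in the same inspection root; once that root is trusted by every process on the agent, neither URL needs a bypass. Setting NODE_EXTRA_CA_CERTS keeps certificate validation on, which is the reason to prefer it over VSTS_ARM_REST_IGNORE_SSL_ERRORS or Agent.SkipCertValidation, both of which disable validation for the task entirely. The `.env` entry takes effect after the agent is restarted; a machine-level environment variable for the agent's service account is an equivalent way to deliver it on Windows.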


    【Solution 1】:

    Is there a way to run this Azure Key Vault task (in Azure DevOps) with a cert?

    I'm afraid there is no such way to run the Azure Key Vault task with a certificate.

    Just like the reason EagleDev pointed out:

    You cannot download the key in the form of a certificate file (be it .pem or .pfx) from Azure Key Vault after the certificate has been uploaded to the key store. Keys in Azure Key Vault are specifically intended for signing/encryption/decryption operations. The JSON returned is in a JWT (Json Web Token) format that contains only the public part of the key you stored. This basically means converting the output to PEM or X.509 is not possible.

    For details, you can check the following ticket:

    Getting pem file uploaded in Azure Key Vault Keys

    Hope this helps.

    【Discussion】:

    • Hi @Leo Liu-MSFT, I think my case is different from EagleDev's question. My problem is that, because of our on-premises firewall, my self-hosted agent cannot fully run the Azure Key Vault task to contact Azure Key Vault. We need to run this task using our self-signed certificate. Not sure whether that is possible.
    • As shown below, it posts back and then gets from Azure Key Vault. We need to perform both of these with the self-signed certificate. Downloading secrets using: XXX-KV.vault.azure.net/… ##[debug][POST]login.windows.net***/oauth2/token/ ##[debug][GET]XXX-KV.vault.azure.net/… ##[debug]Processed: ##vso[task.logissue type=error;code=SELF_SIGNED_CERT_IN_CHAIN;] ##[debug]{"code":"SELF_SIGNED_CERT_IN_CHAIN"} ##[debug]task result: Failed ##[error]Get secrets failed. Error: self signed certificate