SUMMARY
I am unable to update an existing certificate using `azure.azcollection.azure_rm_keyvaultcertificate`: importing a new PEM over a certificate that already exists reports `changed: false` and leaves the existing certificate in place.
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure_rm_keyvaultcertificate module of azure.azcollection
ANSIBLE VERSION
ansible [core 2.17.14]
config file = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible/lib/python3.10/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible/bin/ansible
python version = 3.10.12 (main, Aug 15 2025, 14:32:43) [GCC 11.4.0] (/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible/bin/python3)
jinja version = 3.1.6
libyaml = True
COLLECTION VERSION
# /root/.ansible/collections/ansible_collections
Collection Version
------------------ -------
azure.azcollection 3.10.1
CONFIGURATION
ansible [core 2.17.14]
config file = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible/lib/python3.10/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible/bin/ansible
python version = 3.10.12 (main, Aug 15 2025, 14:32:43) [GCC 11.4.0] (/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible/bin/python3)
jinja version = 3.1.6
libyaml = True
CONFIG_FILE() = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg
DEFAULT_HOST_LIST(/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg) = ['/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/02_ansible/inventory/myazure_rm.yaml']
DEFAULT_PRIVATE_KEY_FILE(/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg) = /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/private_key.pem
DEFAULT_REMOTE_USER(/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg) = sinequadmin
DEFAULT_TIMEOUT(/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg) = 30
HOST_KEY_CHECKING(/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg) = False
INVENTORY_ENABLED(/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible.cfg) = ['host_list', 'script', 'auto', 'yaml', 'ini', 'toml']
OS / ENVIRONMENT
GitHub self-hosted runner in Docker; the base image is Ubuntu.
STEPS TO REPRODUCE
---
# Excerpt from the reporter's playbook. The `workdir` variable and the
# handlers named under `notify` are not defined here; presumably they come
# from inventory/extra-vars and a handlers section outside this excerpt.
- name: Issue Let's Encrypt cert via dns-01 and store in Azure Key Vault
  hosts: all
  gather_facts: false
  vars:
    # Azure Key Vault
    keyvault_uri: "https://mykvurl.vault.azure.net"
    keyvault_cert_name: "server-ansible"
    # derived paths
    cert_key: "{{ workdir }}/cert.key"
    cert_path: "{{ workdir }}/cert.pem"
    chain_path: "{{ workdir }}/chain.pem"
    import_pem_path: "{{ workdir }}/server-import.pem"
  tasks:
    # The bundle contains the private key, so it is written with mode 0600.
    # NOTE(review): the `lookup('file', ...)` calls read on the controller,
    # while `copy` writes to the managed host unless the task is delegated;
    # the actual-results log shows "azrdvmwebeng2 -> localhost", so the real
    # play appears to delegate to localhost in a way this excerpt omits — confirm.
    - name: Build PEM bundle for Key Vault import (key + cert + chain)
      ansible.builtin.copy:
        dest: "{{ import_pem_path }}"
        mode: "0600"
        content: |
          {{ lookup('file', cert_key) }}
          {{ lookup('file', cert_path) }}
          {{ lookup('file', chain_path) }}
    # Re-importing over an existing certificate name is the reported bug:
    # the task result below shows `changed: false` and the prior certificate.
    - name: Import PEM into Azure Key Vault as a certificate
      azure.azcollection.azure_rm_keyvaultcertificate:
        vault_uri: "{{ keyvault_uri }}"
        name: "{{ keyvault_cert_name }}"
        state: import
        password: null # PEM has no password
        policy:
          content_type: 'application/x-pem-file'
        # NOTE(review): cert_data carries the private key. With verbose output
        # it is echoed back in invocation.module_args (the reporter had to
        # redact it); setting `no_log: true` on this task keeps it out of
        # CI logs.
        cert_data: "{{ lookup('file', import_pem_path ) }}"
        enabled: true
        tags:
          Ansible: "true"
      # Handlers only fire on change; with `changed: false` they do not run.
      notify:
        - Restart Webapps
        - Reload cloud env vars
EXPECTED RESULTS
The TLS certificate in Azure Key Vault is updated with the imported PEM.
ACTUAL RESULTS
TASK [Import PEM into Azure Key Vault as a certificate] ************************
task path: /home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/02_ansible/s4a_backend_cert.yml:168
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1762121351.570616-3659-32627797826279 `" && echo ansible-tmp-1762121351.570616-3659-32627797826279="` echo /root/.ansible/tmp/ansible-tmp-1762121351.570616-3659-32627797826279 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultcertificate.py
<localhost> PUT /root/.ansible/tmp/ansible-local-2916bbb9_t0q/tmp20a34zg3 TO /root/.ansible/tmp/ansible-tmp-1762121351.570616-3659-32627797826279/AnsiballZ_azure_rm_keyvaultcertificate.py
<localhost> EXEC /bin/sh -c 'chmod u+rwx /root/.ansible/tmp/ansible-tmp-1762121351.570616-3659-32627797826279/ /root/.ansible/tmp/ansible-tmp-1762121351.570616-3659-32627797826279/AnsiballZ_azure_rm_keyvaultcertificate.py && sleep 0'
<localhost> EXEC /bin/sh -c '/home/docker/actions-runner/_work/sse-iac-sinequa-for-azure/sse-iac-sinequa-for-azure/ansible/bin/python3 /root/.ansible/tmp/ansible-tmp-1762121351.570616-3659-32627797826279/AnsiballZ_azure_rm_keyvaultcertificate.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1762121351.570616-3659-32627797826279/ > /dev/null 2>&1 && sleep 0'
ok: [azrdvmwebeng2 -> localhost] => {
"certificate": {
"cert_data": "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
"name": "azrdvmwebeng2-ansible",
"policy": {
"attributes": {
"created": "2025-11-01T09:49:04+00:00",
"enabled": true,
"expires": null,
"not_before": null,
"recoverable_days": null,
"recovery_level": null,
"updated": "2025-11-01T09:49:04+00:00"
},
"certificate_transparency": null,
"certificate_type": null,
"content_type": "application/x-pem-file",
"enhanced_key_usage": [
"1.3.6.1.5.5.7.3.1",
"1.3.6.1.5.5.7.3.2"
],
"exportable": true,
"issuer_name": "Unknown",
"key_curve_name": null,
"key_size": 2048,
"key_type": "RSA",
"key_usage": [
"digitalSignature",
"keyEncipherment"
],
"lifetime_actions": [
{
"action": "EmailContacts",
"days_before_expiry": null,
"lifetime_percentage": 80
}
],
"reuse_key": false,
"san_dns_names": [
"azrdvmwebeng2.sseplatformpp.private.iasp.tgscloud.net"
],
"san_emails": null,
"san_user_principal_names": null,
"subject": "CN=azrdvmwebeng2.sseplatformpp.private.iasp.tgscloud.net",
"validity_in_months": 3
},
"properties": {
"attributes": {
"created": "2025-11-01T09:49:04+00:00",
"enabled": true,
"expires": "2026-01-30T08:50:27+00:00",
"not_before": "2025-11-01T08:50:28+00:00",
"recovery_level": "Recoverable",
"updated": "2025-11-01T09:49:04+00:00"
},
"id": "https://mykvurl.vault.azure.net/certificates/azrdvmwebeng2-ansible/98f540f942d245d8bdbc288af59fb8be",
"tags": {
"Ansible": "true"
},
"vault_id": "https://mykvurl.vault.azure.net/",
"x509_thumbprint": "fvcBHWLNLadfZixIDtKIHYG8vL8="
}
},
"changed": false,
"invocation": {
"module_args": {
"ad_user": null,
"adfs_authority_url": null,
"api_profile": "latest",
"append_tags": true,
"auth_source": "auto",
"cert_data": "-----BEGIN PRIVATE KEY-----\n[[ Deleted for privacy, was originally base64 private key, then other certs]]
"cert_validation_mode": null,
"client_id": null,
"cloud_environment": "AzureCloud",
"disable_instance_discovery": false,
"enabled": true,
"log_mode": null,
"log_path": null,
"name": "server-ansible",
"password": null,
"policy": {
"attributes": {
"created": "2025-11-01T09:49:04+00:00",
"enabled": true,
"expires": null,
"not_before": null,
"recoverable_days": null,
"recovery_level": null,
"updated": "2025-11-01T09:49:04+00:00"
},
"certificate_transparency": null,
"certificate_type": null,
"content_type": "application/x-pem-file",
"enhanced_key_usage": null,
"exportable": null,
"issuer_name": null,
"key_curve_name": null,
"key_size": null,
"key_type": null,
"key_usage": null,
"lifetime_actions": null,
"reuse_key": null,
"san_dns_names": null,
"san_emails": null,
"san_user_principal_names": null,
"subject": null,
"validity_in_months": null
},
"profile": null,
"secret": null,
"state": "import",
"subscription_id": null,
"tags": {
"Ansible": "true"
},
"tenant": null,
"thumbprint": null,
"vault_uri": "https://mykvurl.vault.azure.net/",
"x509_certificate_path": null
}
}
}