I have an Azure virtual machine running Server 2012 R2. I use Azure Automation to start the machine weekdays at 6am and shut it down at 10pm. I just realized the machine hasn’t started all week.
When I logged in to the Azure dashboard, no warnings were displayed.
I clicked on my Automation account and saw this at the top of the page:
The automation Job History shows all green “Success” check marks:
However, if you click on an individual job, you can see that in fact it is failing with error AADSTS50012:
Clicking on the error reveals these details:
RunbookFlow : AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. [Reason - The key used is expired., Thumbprint of key used by client: '502E811...B2FFE', Found key 'Start=06/10/2016, End=06/11/2017, Thumbprint=502E811...B2FFE', Configured keys: [Key0:Start=06/10/2016, End=06/11/2017, Thumbprint=502E811...B2FFE;]] Trace ID: ab2b557e-1573-4634-9bd1-36fb937f0700 Correlation ID: 71561595-be47-4af6-88c6-bd212d526324 Timestamp: 2017-06-14 13:01:05Z At line:9 char:57 + <#-- Enable activity tracing to see error location -->; RunbookFlow ` + ~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [Invoke-RunbookFlow], AdalServiceException + FullyQualifiedErrorId : Orchestrator.GraphRunbook.Cmdlets.InvokeRunbookFlowCommand
I went back to the first error and clicked where it said “Click here to renew the certificate(s).” This took me to Run As Accounts. After clicking on the Azure Run As Account, there was a link to Renew certificate:
This message is displayed:
After clicking Yes, a new, one-year certificate is issued:
Back on the main Automation account overview page, I now have this message:
Huh? Why would it tell me that it will be using the “latest modules” three days from now? The “Learn More” link only goes to the document on scheduling runbooks. Maybe this message is coincidental and not related to the certificate issue.
I started the StartAzureV2Vm runbook manually. This time, it completed without errors and the machine was started.
Note to Microsoft
This is extremely poorly implemented. There is no advance warning that a certificate is near expiration, and failing jobs show as successful.
- If a certificate is about to expire, notify the account owner via email.
- If the StartAzureV2Vm job fails to start the VM, fail the job; do not show a green “success” check mark just because the job completed.
- If an automation job fails, notify the account owner via email.
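The two runbook-side points above can be covered today without waiting on Microsoft. The following is an added example, not the post's own StartAzureV2Vm runbook: a PowerShell runbook that warns when the Run As certificate is close to expiry, fails outright if it has already expired, and fails the job when the VM is not actually running afterwards. It assumes the default asset names AzureRunAsConnection and AzureRunAsCertificate, the AzureRM cmdlets of the period, and a 30-day warning window that is my choice, not anything from the post.

```powershell
<#
  Added example (not the post's own StartAzureV2Vm runbook): a PowerShell
  runbook that warns on a near-expiry Run As certificate and that fails the
  job when the VM is not running afterwards.
  Assumptions: default asset names AzureRunAsConnection / AzureRunAsCertificate,
  AzureRM cmdlets, and a 30-day warning window (chosen here, not from the post).
#>
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $VMName,
    [int] $CertWarningDays = 30   # assumed threshold
)

# Internal Automation cmdlets: read the Run As connection and its certificate.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
$cert = Get-AutomationCertificate -Name 'AzureRunAsCertificate'

# Surface approaching expiry in the job output; if already expired, fail loudly
# with the cause instead of letting AADSTS50012 appear deep in the job stream.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le 0) {
    throw "Run As certificate $($cert.Thumbprint) expired on $($cert.NotAfter); renew it under Run As Accounts."
}
if ($daysLeft -le $CertWarningDays) {
    Write-Warning "Run As certificate $($cert.Thumbprint) expires in $daysLeft days ($($cert.NotAfter))."
}

# Authenticate as the service principal. -ErrorAction Stop turns an AAD
# credential failure into a terminating error, so the job ends as Failed.
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint -ErrorAction Stop | Out-Null
Select-AzureRmSubscription -SubscriptionId $conn.SubscriptionId -ErrorAction Stop | Out-Null

Start-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -ErrorAction Stop | Out-Null

# Do not trust "the cmdlet returned": check the instance view power state.
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -Status -ErrorAction Stop
$power = ($vm.Statuses | Where-Object { $_.Code -like 'PowerState/*' } | Select-Object -First 1).Code
if ($power -ne 'PowerState/running') {
    # An uncaught throw marks the Automation job Failed; Write-Error alone would not.
    throw "VM '$VMName' is in state '$power' after Start-AzureRmVM; failing the job."
}
Write-Output "VM '$VMName' is running; Run As certificate valid for $daysLeft more days."
```

Once the job genuinely reports Failed instead of Completed, an alert on failed job status in the Automation account can deliver the email notification the list above asks for.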
Update November 27, 2018
This year, it seems the certificate auto-renewed without intervention. In the Automation account, under Shared Resources > Certificates, the certificate shows an effective date of June 14, 2018.