Orchestrator function 'AddCertificate_Orchestrator' failed: The orchestrator function 'IssueCertificate' failed
Describe the bug
After following the instructions in the README.md file, adding a certificate to an App Service fails with an error message (which was horribly compacted into a browser alert box which cannot be copied to the clipboard).
The error details are embedded in a JSON object stored in a JSON string inside another JSON object - fun. I can’t post the full response verbatim as it appears to contain Base64-encoded PFX files.
Here’s what I can show, however ($foo, $bar, $domain, $resgroup are placeholders):
The outer JSON object starts with this:
{"type":"https://tools.ietf.org/html/rfc7231#section-6.6.1","title":"An error occured while processing your request.","status":500,"detail":"Orchestrator function 'AddCertificate_Orchestrator' failed: The orchestrator function 'IssueCertificate' failed: \"The activity function 'UploadCertificate' failed: \"Failed to deserialize exception from TaskActivity: {\"$type\":\"Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponseException, Microsoft.Azure.Management.Websites\",\"Request\":{\"$type\":\"Microsoft.Rest.HttpRequestMessageWrapper, Microsoft.Rest.ClientRuntime\",\"Method\":{\"$type\":\"System.Net.Http.HttpMethod, System.Net.Http\",\"Method\":\"PUT\"},\"RequestUri\":\"https://management.azure.com/subscriptions/$sub/resourceGroups/Resgroup-rss1/providers/Microsoft.Web/certificates/$domain.com-$bar?api-version=2020-06-01\",\"Properties\":{\"$type\":\"System.Collections.Generic.Dictionary`2[[System.String, System.Private.CoreLib],[System.Object, System.Private.CoreLib]], System.Private.CoreLib\"},\"Content\":\"{\\r\\n \\\"properties\\\": {\\r\\n \\\"pfxBlob\\\":
etc
The inner response object has a content property with this (message is repeated in full below):
{
  "error": {
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'foo' with object id 'foo' has permission to ..."
  }
}
The message is:
The client '$foo' with object id '$foo' has permission to perform action 'Microsoft.Web/certificates/write' on scope '/subscriptions/$sub/resourceGroups/Resgroup-example1/providers/Microsoft.Web/certificates/domain.com-$bar'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/$sub/resourceGroups/Resgroup-example/providers/Microsoft.Web/serverfarms/exampleWebPlan' or the linked scope(s) are invalid.
To Reproduce
Steps to reproduce the behavior:
- I followed the instructions in the README file.
- I verified the Azure Function running the ACMEBot has permission to access the parent Resource Group of the App Service, as per the README file’s instructions.
With these options:
- “Use IP based SSL?” - No
- “Force DNS-01 Challenge?” - No
Environment (please complete the following information):
- App Service OS: Windows
- App Service Type: Unsure - just a “normal” website Azure App Service
- Runtime Stack: .NET Core
- Certificate Type: I don’t know, I wasn’t given an option
Additional context
So there’s at least 2 bugs:
- The ACMEBot needs to handle errors better, ideally by displaying them within the page’s HTML content instead of in an alert(), because Chrome does not currently let you copy text in an alert().
- The README needs updated instructions for the necessary permissions.
And a feature suggestion:
- Add a permissions test feature.
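Added example (not code from the acmebot project or from the reporter): a Python snippet that unwraps the three nested layers described in the report (RFC 7807 problem object, serialized exception inside the "detail" string, ARM error as a JSON string inside Response.Content) and pulls the granted scope, the missing action and the linked scope(s) out of the LinkedAuthorizationFailed message, so the missing-permission scope can be read without fighting a browser alert. The sample body is constructed here to mirror the quoted shape; the subscription id, client id, resource group names and plan name are placeholders, not values from the issue. In the message quoted above the certificate scope and the linked serverfarms scope sit in different resource groups (Resgroup-example1 vs Resgroup-example); the function makes that kind of mismatch explicit so it can be compared against the permission instructions in the README.

```python
"""Unwrap the triple-nested acmebot error blob and extract the RBAC details.

Added example for this issue, not acmebot project code. All identifiers
(subscription id, client id, resource groups, plan name) are constructed
placeholders chosen to mirror the shape of the response quoted in the report.
"""
import json
import re
from typing import Optional

# --- Constructed sample in the shape quoted in the issue (placeholders only) ---
SUB = "00000000-0000-0000-0000-000000000000"
CLIENT = "11111111-1111-1111-1111-111111111111"
CERT_SCOPE = (f"/subscriptions/{SUB}/resourceGroups/Resgroup-example1"
              "/providers/Microsoft.Web/certificates/example.com-abc123")
PLAN_SCOPE = (f"/subscriptions/{SUB}/resourceGroups/Resgroup-example"
              "/providers/Microsoft.Web/serverfarms/exampleWebPlan")
ARM_ERROR = {"error": {
    "code": "LinkedAuthorizationFailed",
    "message": (
        f"The client '{CLIENT}' with object id '{CLIENT}' has permission to perform "
        f"action 'Microsoft.Web/certificates/write' on scope '{CERT_SCOPE}'; however, "
        f"it does not have permission to perform action 'write' on the linked "
        f"scope(s) '{PLAN_SCOPE}' or the linked scope(s) are invalid.")}}
EXCEPTION = {  # layer 2: the serialized DefaultErrorResponseException
    "$type": "Microsoft.Azure.Management.WebSites.Models.DefaultErrorResponseException",
    "Request": {"Method": {"Method": "PUT"},
                "RequestUri": f"https://management.azure.com{CERT_SCOPE}?api-version=2020-06-01",
                "Content": json.dumps({"properties": {"pfxBlob": "<redacted>"}})},
    "Response": {"StatusCode": 403, "Content": json.dumps(ARM_ERROR)},  # layer 3 is a string
}
PROBLEM = {  # layer 1: the RFC 7807 problem object the alert() displayed
    "type": "https://tools.ietf.org/html/rfc7231#section-6.6.1",
    "title": "An error occured while processing your request.",
    "status": 500,
    "detail": (
        "Orchestrator function 'AddCertificate_Orchestrator' failed: "
        "The orchestrator function 'IssueCertificate' failed: \"The activity function "
        "'UploadCertificate' failed: \"Failed to deserialize exception from TaskActivity: "
        + json.dumps(EXCEPTION) + "\"\""
    ),
}
SAMPLE_BODY = json.dumps(PROBLEM)  # constructed stand-in for the real response body

# --- Unwrapping ----------------------------------------------------------------
def unwrap_arm_error(body: str) -> dict:
    """Return the ARM {"code", "message"} object buried inside the problem body."""
    problem = json.loads(body)                              # layer 1
    detail = problem["detail"]
    marker = "TaskActivity: "
    start = detail.index(marker) + len(marker)              # exception JSON begins here
    # raw_decode parses one JSON value and stops, ignoring the trailing quote noise
    exc, _ = json.JSONDecoder().raw_decode(detail, start)   # layer 2
    content = json.loads(exc["Response"]["Content"])        # layer 3: JSON inside a string
    return content["error"]

LINKED_RE = re.compile(
    r"has permission to perform action ['‘](?P<granted>[^'’]+)['’] on scope "
    r"['‘](?P<scope>[^'’]+)['’]; however, it does not have permission to perform action "
    r"['‘](?P<missing>[^'’]+)['’] on the linked scope\(s\) (?P<linked>.+?) "
    r"or the linked scope\(s\) are invalid"
)

def resource_group(scope: str) -> Optional[str]:
    """Resource group segment of an ARM scope, or None if the scope has none."""
    m = re.search(r"/resourceGroups/([^/]+)", scope, re.IGNORECASE)
    return m.group(1) if m else None

def diagnose(body: str) -> dict:
    """Summarise a LinkedAuthorizationFailed error: what was granted, what is missing."""
    err = unwrap_arm_error(body)
    result = {"code": err["code"], "granted_action": None, "granted_scope": None,
              "missing_action": None, "linked_scopes": [], "cross_resource_group": False}
    m = LINKED_RE.search(err.get("message", ""))
    if err["code"] != "LinkedAuthorizationFailed" or not m:
        return result
    # ARM quotes each linked scope; there may be more than one
    linked = re.findall(r"['‘]([^'’]+)['’]", m["linked"])
    result.update(granted_action=m["granted"], granted_scope=m["scope"],
                  missing_action=m["missing"], linked_scopes=linked)
    rg = resource_group(m["scope"])
    result["cross_resource_group"] = any(resource_group(s) != rg for s in linked)
    return result

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_BODY), indent=2))
```

Run against a real body, the "detail" string is what the alert() showed; redact the pfxBlob before sharing the output, since the Request.Content layer carries the PFX bytes in Base64. When `cross_resource_group` is true, the identity's role assignment covers the certificate's resource group but not the one holding the App Service Plan, which is the linked scope the message names.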
Issue Analytics
- Created 3 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
I don’t feel good when people report anything as a bug, so please stop. You should use the discussion first.
@daamsie Thanks a lot Daamsie that did it!