There is now a better and easier way to add a secondary certificate, using the Add-AzureRmServiceFabricClusterCertificate cmdlet.
I have a Linux SF cluster, and tried to add a secondary certificate using PowerShell.
I think the cmdlet is expecting Windows only, because it complained about "certificateStore":
PS C:\Users\OSKAR207ADM> Add-AzureRmServiceFabricClusterCertificate -ResourceGroupName 'wtw-ixs-aml-dev' -Name 'ixsamldem20sf01dev' -KeyVaultResouceGroupName 'wtw-ixs-aml-dev' -KeyVaultName 'ixsamldem20kv02dev' -CertificateFile 'F:\Source\DevOps\Dev Environment SF Cluster Server Certificate.pfx' -CertificatePassword (get-credential).Password -Verbose
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
VERBOSE: Performing the operation "Add cluster certificate" on target "ixsamldem20sf01dev".
VERBOSE: 15:55:09 - Importing certificate to Azure KeyVault wtw-ixs-aml-dev20180831155509
VERBOSE: 15:55:11 - Certificate imported Azure KeyVault
https://ixsamldem20kv02dev.vault.azure.net/certificates/wtw-ixs-aml-dev20180831155509/5571b2b057e34997bd86de4f47a04c42
VERBOSE: 15:55:12 - Virtual machine scale set type1 state is Succeeded.
VERBOSE: 15:55:12 - Virtual machine scale set type2 state is Succeeded.
Add-AzureRmServiceFabricClusterCertificate : Code: InvalidParameter, Message: Parameter 'certificateStore' is not allowed.
Details:
At line:1 char:1
+ Add-AzureRmServiceFabricClusterCertificate -ResourceGroupName 'wtw-ix ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AzureRmServ...sterCertificate], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.AddAzureRmServiceFabricClusterCertificate
Add-AzureRmServiceFabricClusterCertificate : Code: InvalidParameter, Message: Parameter 'certificateStore' is not allowed.
Details:
At line:1 char:1
+ Add-AzureRmServiceFabricClusterCertificate -ResourceGroupName 'wtw-ix ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AzureRmServ...sterCertificate], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.AddAzureRmServiceFabricClusterCertificate
Add-AzureRmServiceFabricClusterCertificate : One or more errors occurred.
At line:1 char:1
+ Add-AzureRmServiceFabricClusterCertificate -ResourceGroupName 'wtw-ix ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmServ...sterCertificate], AggregateException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.AddAzureRmServiceFabricClusterCertificate
Thanks for the question! We are currently investigating and will update you shortly.
+Justin to close on this.
From: Karishma Tiwari - MSFT notifications@github.com
Sent: Friday, August 31, 2018 10:16 AM
To: MicrosoftDocs/azure-docs azure-docs@noreply.github.com
Cc: Chacko Daniel chackdan@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/azure-docs] Secondary cluster certificate on Linux cluster (#14348)
@ChackDan Tagging Justin here. :)
@juhacket Could you please chime in on this customer's issue and share your insights?
Has this issue been resolved? I am getting the same error message.
@juhacket Can you please share your expert insights on this issue? I assigned it to you as per directed by @ChackDan. Looks like another customer is seeing the same issue.
@xenalite @mccow002 This is a known issue with adding certificates to Linux clusters. As a workaround, you can perform an ARM template deployment to add the certificate.
Also, we recommend switching to using certificate common names.
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-change-cert-thumbprint-to-cn
@xenalite Did that help? Any updates on this issue?
@Karishma-Tiwari-MSFT Yes, we started using ARM-based certificate deployments instead, but also switched to Windows cluster in the meantime. I can't comment on how well that works on Linux clusters.
@xenalite Thanks for sharing the update. We will now close the issue. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion. :)
The error still occurs indeed. I don't think that closing that issue resolves it automatically, it should be fixed instead. The problem is very common, as you have said before.
Any update on this?
I have talked to Alex to follow up on this, so that the experience is properly validated. Please assign this work item to aljo.
He will follow up with the team and file the necessary work items.
Please reopen the issue and mark it as "defect".
@r3m4k3
What errors are you getting using: https://docs.microsoft.com/rest/api/servicefabric/sfrp-model-servercertificatecommonnames
Which I used to provision a cluster every day: https://github.com/aljo-microsoft/demo/blob/master/deploy/Deploy-2NodeTypes-3ScaleSets.json
I also provision Linux clusters every day and don't experience any issues using: https://docs.microsoft.com/rest/api/servicefabric/sfrp-model-certificatedescription
Service Fabric only ever uses one cluster certificate at a time, and declaring by thumbprint pinning requires updates that tend to be user-error prone; so our recommendation is to declare the cluster certificate by common name, and SF will always use the valid declared certificate (non-expired, accessible in the cluster's certificate store, properties matching the user's declaration).
As Justin referenced earlier, please change from certificatedescription using thumbprints to common name, which we document here:
https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-change-cert-thumbprint-to-cn
@Karishma-Tiwari-MSFT
If the user is satisfied with this, please close this.
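To make the two recommendations in this thread concrete (Justin's ARM-template workaround for adding the secondary certificate, and Alex's advice to declare the cluster certificate by common name), here is an added example that patches a Service Fabric ARM template in Python. It is not Microsoft's tooling and not code from anyone in this thread. The embedded template is a constructed minimum (one Linux scale set, one cluster resource); the vault id, certificate URLs, thumbprints and cluster name are placeholders. The schema facts it relies on are the ones visible in the error above: a Linux scale set's osProfile.secrets[].vaultCertificates[] entry takes only certificateUrl, and the Windows-only certificateStore key is what ARM rejects with "Parameter 'certificateStore' is not allowed". The common-name conversion assumes a single issuer thumbprint and that a certificate with that subject CN is already installed on the nodes, as the linked thumbprint-to-CN article requires.

```python
"""Patch a Service Fabric ARM template: add a secondary cluster certificate,
check Linux scale sets for the Windows-only certificateStore key, and
optionally switch the cluster declaration from thumbprint to common name.
Added example for this thread; template and identifiers are constructed."""
import copy
import re

SF_CLUSTER = "Microsoft.ServiceFabric/clusters"
VMSS = "Microsoft.Compute/virtualMachineScaleSets"
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "example-rg/providers/Microsoft.KeyVault/vaults/example-kv")  # placeholder

TEMPLATE = {  # constructed sample, trimmed to the properties this example touches
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": VMSS,
            "name": "nt1vm",
            "properties": {"virtualMachineProfile": {"osProfile": {
                "computerNamePrefix": "nt1vm",
                "linuxConfiguration": {"disablePasswordAuthentication": True},
                "secrets": [{
                    "sourceVault": {"id": VAULT_ID},
                    "vaultCertificates": [
                        {"certificateUrl": "https://example-kv.vault.azure.net/secrets/sfprimary/1111"}],
                }],
            }}},
        },
        {
            "type": SF_CLUSTER,
            "name": "examplecluster",
            "properties": {"certificate": {"thumbprint": "A1" * 20, "x509StoreName": "My"}},
        },
    ],
}


def normalize_thumbprint(value):
    """Thumbprints pasted from certificate UIs often carry spaces or stray
    non-hex marks; ARM wants exactly 40 hex characters."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(cleaned) != 40:
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def _os_profile(vmss):
    return vmss["properties"]["virtualMachineProfile"]["osProfile"]


def _is_linux(vmss):
    return "linuxConfiguration" in _os_profile(vmss)


def add_secondary_certificate(template, vault_id, cert_url, thumbprint):
    """Return a copy with the certificate installed on every scale set and
    declared as thumbprintSecondary on the cluster (the ARM-template workaround)."""
    t = copy.deepcopy(template)
    for res in t["resources"]:
        if res["type"] == VMSS:
            entry = {"certificateUrl": cert_url}
            if not _is_linux(res):
                entry["certificateStore"] = "My"  # Windows only; must be absent on Linux
            secrets = _os_profile(res).setdefault("secrets", [])
            for secret in secrets:
                if secret["sourceVault"]["id"].lower() == vault_id.lower():
                    secret["vaultCertificates"].append(entry)
                    break
            else:  # first certificate sourced from this vault
                secrets.append({"sourceVault": {"id": vault_id}, "vaultCertificates": [entry]})
        elif res["type"] == SF_CLUSTER:
            res["properties"]["certificate"]["thumbprintSecondary"] = normalize_thumbprint(thumbprint)
    return t


def linux_store_problems(template):
    """List every Linux scale-set entry that ARM would reject for carrying certificateStore."""
    problems = []
    for res in template["resources"]:
        if res["type"] != VMSS or not _is_linux(res):
            continue
        for secret in _os_profile(res).get("secrets", []):
            for vc in secret["vaultCertificates"]:
                if "certificateStore" in vc:
                    problems.append(f"{res['name']}: {vc['certificateUrl']} has certificateStore")
    return problems


def convert_to_common_name(template, common_name, issuer_thumbprint):
    """Replace the thumbprint-pinned declaration with certificateCommonNames,
    pinning the issuer so any certificate with that CN from another CA is refused."""
    t = copy.deepcopy(template)
    for res in t["resources"]:
        if res["type"] == SF_CLUSTER:
            props = res["properties"]
            old = props.pop("certificate")
            props["certificateCommonNames"] = {
                "commonNames": [{"certificateCommonName": common_name,
                                 "certificateIssuerThumbprint": normalize_thumbprint(issuer_thumbprint)}],
                "x509StoreName": old.get("x509StoreName", "My"),
            }
    return t


if __name__ == "__main__":
    patched = add_secondary_certificate(
        TEMPLATE, VAULT_ID, "https://example-kv.vault.azure.net/secrets/sfsecondary/2222", "b2 " * 20)
    print(linux_store_problems(patched) or "ok: no certificateStore on Linux scale sets")
    print(convert_to_common_name(patched, "sfcluster.example.com", "C3" * 20)["resources"][1]["properties"])
```

Write the returned dictionary out with json.dump and deploy it with New-AzureRmResourceGroupDeployment (or az group deployment create) against the cluster's resource group. Run linux_store_problems on any template before deploying it to a Linux cluster; it catches the exact key that produced the error in the original post. Do the thumbprint-to-CN switch as a second deployment, after the CN certificate is present on every node.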
@r3m4k3 We will now close this issue. If there are further questions regarding this matter, please tag me in a comment. I will reopen it and we will gladly continue the discussion.