Azure-docs: Incorrect description for *CertificateIssuerStores

Created on 10 Sep 2019 · 9 Comments · Source: MicrosoftDocs/azure-docs

The part "An empty IssuerCommonName whitelists all certificates in the corresponding stores specified under X509StoreNames" seems wrong.
When trying to upgrade a cluster configuration in this manner, I see errors on the cluster (nothing visible as output of Start-ServiceFabricClusterConfigurationUpgrade) about incorrect XML. It looks like the JSON is used to generate some XML, ending up with a <Parameter Name="" Value="Root" /> element, where the empty string is (reasonably) invalid for the attribute Name.


Pri2 assigned-to-author doc-bug in-progress service-fabrisvc triaged

All 9 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@dkkapur @peterpogorski could either of you take a look and advise on this one? I am happy to do any doc updates as needed.

@maburlik @jkochhar can one of you comment on the validation steps for a cluster upgrade config when the issuer is blank? Thanks!

Can you share the JSON config you used, just the section showing how you set the *CertificateIssuerStores?

I didn't keep it (I think I initially only did the cluster/server certificate, not the client one), but it was something along the lines of:

    "security": {
      "ClusterCredentialType": "X509",
      "ServerCredentialType": "X509",
      "CertificateInformation": {
        "ClusterCertificateCommonNames": {
          "CommonNames": [
            {
              "CertificateCommonName": "my-cluster.my-domain.my-tld"
            }
          ],
          "X509StoreName": "My"
        },
        "ClusterCertificateIssuerStores": [
          {
            "IssuerCommonName": "",
            "X509StoreNames": "Root"
          }
        ],
        "ServerCertificateCommonNames": {
          "CommonNames": [
            {
              "CertificateCommonName": "my-cluster.my-domain.my-tld"
            }
          ],
          "X509StoreName": "My"
        },
        "ServerCertificateIssuerStores": [
          {
            "IssuerCommonName": "",
            "X509StoreNames": "Root"
          }
        ],
        "ClientCertificateThumbprints": [
          {
            "CertificateThumbprint": "0123456789ABCD0123456789ABCD0123456789AB",
            "IsAdmin": true
          }
        ]
      }
    }

The error on the cluster side is a Warning from Microsoft-ServiceFabric-Events:

AsyncCalloutAdapter-18902043: end delegate threw an exception
System.Fabric.FabricException: Cluster manifest validation failed with exception System.InvalidOperationException: There is an error in XML document (167, 18). ---> System.Xml.Schema.XmlSchemaValidationException: The 'Name' attribute is invalid - The value '' is invalid according to its datatype 'String' - The actual length is less than the MinLength value. ---> System.Xml.Schema.XmlSchemaException: The actual length is less than the MinLength value.
   --- End of inner exception stack trace ---
   at System.Xml.Schema.XmlSchemaValidator.SendValidationEvent(XmlSchemaValidationException e, XmlSeverityType severity)
   at System.Xml.Schema.XmlSchemaValidator.CheckAttributeValue(Object value, SchemaAttDef attdef)
   at System.Xml.Schema.XmlSchemaValidator.ValidateAttribute(String lName, String ns, XmlValueGetter attributeValueGetter, String attributeStringValue, XmlSchemaInfo schemaInfo)
   at System.Xml.XsdValidatingReader.ValidateAttributes()
   at System.Xml.XsdValidatingReader.ProcessElementEvent()
   at System.Xml.XsdValidatingReader.Read()
   at System.Xml.XmlReader.MoveToContent()
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReader1.Read35_SettingsOverridesTypeSection(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReader1.Read37_ClusterManifestType(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReader1.Read312_ClusterManifest()
   --- End of inner exception stack trace ---
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
   at System.Fabric.FabricDeployer.XmlHelper.ReadXml[T](XmlReader reader)
   at System.Fabric.FabricDeployer.XmlHelper.ReadXml[T](String fileName, String schemaFile)
   at System.Fabric.FabricDeployer.DeploymentParameters.Initialize()
   at System.Fabric.FabricDeployer.DeploymentOperation.ExecuteOperation(DeploymentParameters parameters, Boolean disableFileTrace)
   at System.Fabric.Management.ImageBuilder.FabricProvisionOperation.ProvisionFabric(String localCodePath, String localConfigPath, String configurationCsvFilePath, String infrastructureManifestFilePath, Boolean validateOnly, TimeSpan timeout). ClusterManifestPath: D:\ServiceFabric\Data\MyNode_1\Fabric\work\IB\132120829295597110\ckjnzmnj.gik ---> System.Runtime.InteropServices.COMException: Exception from HRESULT: 0x80071BE6
   at System.Fabric.Interop.NativeClient.IFabricClusterManagementClient10.EndProvisionFabric(IFabricAsyncOperationContext context)
   at System.Fabric.Interop.Utility.<>c__DisplayClass22_0.<WrapNativeAsyncInvoke>b__0(IFabricAsyncOperationContext context)
   at System.Fabric.Interop.AsyncCallOutAdapter2`1.Finish(IFabricAsyncOperationContext context, Boolean expectedCompletedSynchronously)
   --- End of inner exception stack trace ---
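The failure described in the issue body and reproduced by the config above is a JSON-to-manifest mapping problem: an empty IssuerCommonName becomes an empty Parameter Name, which the manifest schema rejects. The following added example (not code from the issue or from Service Fabric) models that mapping and adds a pre-flight check that catches the empty issuer before Start-ServiceFabricClusterConfigurationUpgrade is run; the sample config, the Section name and the exact Parameter mapping are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config in the report: one entry with the
# empty IssuerCommonName that the doc text implies is allowed, one valid entry.
SAMPLE_CONFIG = json.loads("""
{"security": {"CertificateInformation": {
  "ClusterCertificateIssuerStores": [
    {"IssuerCommonName": "", "X509StoreNames": "Root"}],
  "ServerCertificateIssuerStores": [
    {"IssuerCommonName": "Example Issuer CA", "X509StoreNames": "Root, My"}]
}}}
""")

ISSUER_STORE_KEYS = ("ClusterCertificateIssuerStores",
                     "ServerCertificateIssuerStores",
                     "ClientCertificateIssuerStores")


def issuer_entries(config):
    """Yield (section key, index, IssuerCommonName, X509StoreNames) for every
    *CertificateIssuerStores entry under security.CertificateInformation."""
    info = config.get("security", {}).get("CertificateInformation", {})
    for key in ISSUER_STORE_KEYS:
        for i, entry in enumerate(info.get(key, [])):
            yield key, i, entry.get("IssuerCommonName", ""), entry.get("X509StoreNames", "")


def to_manifest_section(config):
    """Reproduce the mapping the report infers (assumed, not the product's own
    generator): each entry becomes <Parameter Name=issuer Value=stores />."""
    section = ET.Element("Section", Name="ISSUER_STORE_SECTION_PLACEHOLDER")  # assumed name
    for _, _, name, stores in issuer_entries(config):
        ET.SubElement(section, "Parameter", Name=name, Value=stores)
    return ET.tostring(section, encoding="unicode")


def preflight_issuer_check(config):
    """Client-side check to run before the upgrade: list the entries whose
    IssuerCommonName is blank, i.e. the ones that would yield Name=""."""
    return [f"{key}[{i}]" for key, i, name, _ in issuer_entries(config) if not name.strip()]


def manifest_name_violations(xml_text):
    """What the cluster-side schema effectively enforces (MinLength on Name):
    return the Value of every Parameter whose Name attribute is empty."""
    root = ET.fromstring(xml_text)
    return [p.get("Value") for p in root.iter("Parameter") if not p.get("Name")]


if __name__ == "__main__":
    print(to_manifest_section(SAMPLE_CONFIG))
    print("entries to fix before upgrade:", preflight_issuer_check(SAMPLE_CONFIG))
```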

@jkochhar anything else you need?

Thanks! I'll investigate with the config you shared and update.


@lanfeust69 I will create a bug on our side to investigate it further. It does seem we are generating the manifest as you pointed out with an empty Name, so we will need to see how we address it.

Thanks @jkochhar I will close this out as we are tracking it internally. Let me know if you want anything done from a doc perspective in the meantime.
