Installed certificates on Batch account and Pool not available for task - azure

I have an Azure Batch account setup with system assigned identity (the account was created through TF and User assigned identities are not yet supported).
A certificate is available to the batch account and on the pool as well.
When inspecting the node on the pool (scaled to one for now), it shows a certificate reference:
I've manually created a job and a simple task (/bin/bash -c 'ls -la $AZ_BATCH_CERTIFICATES_DIR/') to list contents and everything comes empty.
This seems to be the case for all self-signed certificates I've used to try this.
Can somebody please point out what I'm doing wrong?
(I've tried all combinations for Task-NonAdmin, TaskAdmin, Pool-NonAdmin, Pool-Admin together with LocalMachine, currentUser).
Thanks all!

Well, this thing happened:
Issue with Windows LocalMachine certificates:
If you are adding certificate references on your pool which install into the Windows LocalMachine certificate store, and are running tasks without admin access which need access to the certificate's private key, your tasks will work on the old agent but not work in the new agent.
Only pfx files where your non-admin task needs access to the private key should be moved to "My" in CurrentUser
https://github.com/Azure/Batch/issues/1
If I upload the certs to CurrentUser\My, the tasks do get the certs.


Deploying a split-merge service for Azure SQL Elastic (sharded) databases

I am trying to follow the tutorial for deploying a split-merge service (Azure Elastic Database... tools).
The first complication is that the doc instructs me to create an "Azure Cloud Service." The closest thing to that seems to be "Cloud service (classic)," so that's what I created.
When it came to creating a self-signed cert, I had to translate the parameters for makecert (which is deprecated and no longer seems to be present in any SDKs) to the PowerShell New-SelfSignedCertificate cmdlet. The relevant params I passed to the cmdlet were:
Subject: CN=*.cloudapp.net
KeySpec: KeyExchange
TextExtension: 2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
I finally got the certificate created/exported/uploaded, got the service configuration file completed and created the service. Azure portal reports the web and workers running, but I can't hit the service URL (403 access denied even after prompting me to select my certificate). I confirmed that my certificate thumbprint shows correctly in the various places in the service configuration (DataEncryptionPrimaryCertificateThumbprint, DataEncryptionPrimary, AdditionalTrustedRootCertificationAuthorities, AllowedClientCertificateThumbprints, DataEncryptionPrimaryCertificateThumbprint). My certificate's thumbprint also shows as the thumbprint in configuration under the "Certificates" section as SSL, CA, and DataEncryptionPrimary.
The only thing I can think of that is causing the access denied is something mentioned in this doc, "If you are using self-signed certificates, you will need to disable certificate chain validation." The PowerShell cmdlet that it shows to use to disable chain validation in that case (for an API service; no clue how that differs from my service) fails with InvalidOperation.
Is there some way for me to disable certificate chain validation for my "classic" cloud service? Other suggestions of things to check?

How to upload a certificate in a VM of an Azure cluster

This line is creating a problem, as it requires the cert to be present in the machine on which it is currently executing.
topologyConfigurationManager = new TopologyConfigurationManager(new Uri("https://int2.metrics.nsatc.net"), GenevaCertThumbprint, StoreLocation.LocalMachine, TimeSpan.FromMinutes(1));
I have gone through this link: deploying-application-certificates-to-the-cluster
but still I am not able to work out how to upload a certificate in the VMs (nodes) of an Azure cluster. Can someone give me detailed steps of where to upload the cert (.pfx file)?
I had this same problem a few days ago. I needed to change to a new certificate because the old one had expired, and I solved it by deploying the Azure resource template for Service Fabric again, which means that I basically recreated the whole environment.
In the template I only changed the certificate link and the thumbprint.
Finally got the answer:
Log in to the node of the remote cluster using the following command in cmd: mstsc /v:mycluster.eastus.cloudapp.azure.com:3389
where "mycluster.eastus.cloudapp.azure.com" is the cluster name. After logging in, install the certificates manually.
3389 is the first node, 3390 the second node, and so on.

Can't create new schedules from Azure Websites

I followed the tutorial here for setting up the Azure Scheduler:
http://fabriccontroller.net/blog/posts/a-complete-overview-to-get-started-with-the-windows-azure-scheduler/
I want to run my application on an Azure Website but it is blocking me from creating my X509Certificate.
I found this article: http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/
Which points out the issue:
Well it turns out that when you load certificates the system will use a local directory to store the key (??)
The default location for the key is the under the local user profile, and with Windows Azure Websites, there is no local user profile directory."
So following his advice and adding the following flag: "X509KeyStorageFlags.MachineKeySet" I can get away with:
CryptographicException: The system cannot find the file specified
but I now get:
CryptographicException: Access denied.
Is there really no way to use the SDK from an AzureWebsite?! It defeats a lot of appeal of the Azure Scheduler if I am forced into using a WebRole instead of an Azure Website.
In this thread: http://social.msdn.microsoft.com/Forums/windowsazure/en-US/cfe06e73-53e1-4030-b82d-53200be37647/load-privately-created-p12-cert-from-azureblob-and-have-it-be-trusted
It appears as if they are successfully creating an X509Certificate on an Azure Website, so what is different that mine throws "Access Denied" when I try to?
The problem was with using the ManagementCertificate string in the PublishSettings file... I created a self signed certificate on my local machine using the VisualStudio Console and exported both a '.cer' and '.pfx'.
Uploaded the self signed .cer into my Azure/Settings/Management Certificates
Bundled the .pfx with my solution and published to Azure Web Sites
Then used the following code to create the certificate:
using System.Security.Cryptography.X509Certificates; // for X509Certificate2 and X509KeyStorageFlags
var certificate = new X509Certificate2(
    HttpContext.Current.Server.MapPath("~/<filename>.pfx"), "<password>", X509KeyStorageFlags.MachineKeySet);

Azure/Wasabi: Certificate never makes it to the CurrentUser/My store

I am attempting to get Wasabi (the Enterprise library autoscaling block) to work within an Azure worker role. The Wasabi worker role (Extra Small, full trust) is scaling a different worker role within the same service. It works perfectly from a local console app, with an identical configuration - given the errors, the certificate isn't making it to the VM. I am using the latest versions of the Azure SDKs, the enterprise library autoscaling block, and the Azure portal.
Here are the steps I took, based on these docs: http://msdn.microsoft.com/en-us/library/hh680937(v=pandp.50).aspx
I created a management certificate as per the directions here: http://msdn.microsoft.com/en-us/library/gg432987.aspx.
I exported the .pfx with the private key and gave it a password.
I uploaded the .cer to the Settings->Management Certificates section on the portal.
I uploaded the .pfx with the correct password to the Cloud Services->(My Service)->Certificates, noting the thumbprint listed.
I created some trivial rules that scale up my app a few instances, and correctly configured the service information to use my new cert. The XML files are in blob storage. This exact configuration works fine on my local machine in a console app.
I added an entry in the Wasabi role's configuration, using the correct cert name and thumbprint. I set it to use the CurrentUser\My store. I confirmed that the .csdef and .cscfg files were correctly updated.
I deploy the service to staging on Azure, using the publish tool. The certificate configuration setting correctly shows up in the Configuration setting for the role.
It doesn't scale the app. I check the trace entries, and it has an exception when trying to access the management API. It is trying to access the right subscription, and it's trying to find the correct certificate thumbprint in the right store, so my configuration is being loaded correctly. It claims that it cannot find the certificate with that thumbprint in that store.
I tried the LocalMachine\My store (configured in the role certificate settings, and in the service information store XML), and I got a different exception, the error listed in Azure WASABi SecurityNegotiationException. That fix was ultimately to go to CurrentUser, so that doesn't help me here.
I tried a lot of other combinations of CurrentUser\LocalMachine and different stores, and all CurrentUser locations result in certificate-not-found, and all LocalMachine stores result in the other exception.
I triple-checked the thumbprints in the role settings, the portal (certificate page) and the service information file, and they all match.
I then enabled remote-desktop and logged in to the Wasabi role instance, and used MMC to look at the certificate configuration for both the local machine and the current user. When I selected the LocalMachine store in the role certificate settings, the certificate did show up in the LocalMachine store, which tells me that the certificate is correctly installed in the service and the thumbprints match. When the CurrentUser store is selected, the certificate is not visible anywhere. This could be because the user that is used by RDP is not the same user as the service, but it does match the error.
So, in summary:
The certificate was correctly configured and installed in the portal (management certificates for the subscription, and service certificates).
Apparently, you must use the CurrentUser location, not the LocalMachine location, for the Wasabi role (as per the linked SO question).
When I'm trying to install to the CurrentUser, the certificate is not getting placed in the VM, at least not anywhere that the role can find it.
Any ideas?
Thanks!
See my answer to this SO POST. The certificate must be in LocalMachine and because of config changes in SDK 1.8 and Server2012 role initialization you have to run the worker role with elevated permissions to give NETWORK SERVICE access to the cert's private keys. Edit ServiceDefinition.csdef
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="blah" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2012-10.1.8">
  <WorkerRole name="blah" vmsize="Small">
    <Runtime executionContext="elevated" />
    ...
  </WorkerRole>
</ServiceDefinition>

"Keyset does not exist" exception with deployment on Windows Server 2012 on Azure

I have a problem upgrading my deployment to Windows Server 2012. My deployment works fine with osfamily=2 and compiled with .NET 4, but fails with .NET 4.5 and osfamily=3.
The exception I saw when remoting to the VM is "Keyset does not exist", which seems to be related to some certificates. My program uses the certificates to encrypt a stream and should be able to use the same certs to decode the stream after I deploy it.
I checked the certs on the VM; they are installed fine, in the right place.
So I suspect this is an issue with a different security policy in 2012 that prevents my role from getting the key in the certs.
This has blocked me for a while, so thanks a lot for any clue!
"Keyset does not exist" typically refers to an error when your program is trying to access the private key of a certificate and is unable to do so, either because the private key does not exist or because it has no permissions to access it.
You will need to find the certificate in question in your certificate store and verify that it contains a private key (that will show up in the properties of the certificate).
Then verify that your process/application pool has permissions to access the private key by right-clicking on the certificate in the certificate store and choosing All Tasks -> Manage Private Keys. From there, make sure to add sufficient users to the allowed list.
Hope this helps
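The same two failure modes come up in the Wasabi post above (certificate not found in the configured store) and in this "Keyset does not exist" thread (certificate found, private key not readable by the role's identity). The following is an added diagnostic, not code from any of the posters; it assumes .NET Framework 4.6+ or .NET Core for GetRSAPrivateKey(), and the thumbprint constant is a placeholder to be replaced with the value shown in the portal.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not from any post above): look a certificate up by thumbprint in
// CurrentUser\My and LocalMachine\My and report whether the running identity can open
// its private key. A CryptographicException here with the cert present is the
// private-key ACL problem from the last answer, not a missing certificate.
static class CertDiagnostics
{
    // Placeholder: paste the thumbprint from the portal's Certificates blade.
    const string Thumbprint = "<THUMBPRINT-FROM-PORTAL>";

    static void Main()
    {
        // Run this inside the role (e.g. as a startup task) so it executes as the
        // role's own identity, which is what actually needs access to the key.
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
            Console.WriteLine(Describe(location, Thumbprint));
    }

    // Returns a one-line verdict for the given store location.
    static string Describe(StoreLocation location, string thumbprint)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // Thumbprints copied from MMC/portal often carry spaces; normalise first.
            var clean = thumbprint.Replace(" ", "").ToUpperInvariant();
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, clean, validOnly: false);
            if (matches.Count == 0)
                return $"{location}\\My: not found (the 'cannot find certificate' case)";

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                return $"{location}\\My: found, but no private key (was the .cer uploaded instead of the .pfx?)";
            try
            {
                // Opens the key container; throws when the identity lacks read access
                // to the key (the case 'Manage Private Keys' fixes).
                using (var rsa = cert.GetRSAPrivateKey())
                    return $"{location}\\My: private key accessible ({rsa.KeySize}-bit RSA)";
            }
            catch (CryptographicException ex)
            {
                return $"{location}\\My: private key present but NOT accessible: {ex.Message}";
            }
        }
        finally { store.Close(); }
    }
}
```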
