I'm unable to connect to my azure service fabric cluster using powershell.
I have created a certificate "Admin" on my computer using https://support.jetglobal.com/hc/en-us/articles/235636308-How-To-Create-a-SHA-256-Self-Signed-Certificate
I have imported this certificate in my Key Vault, and added an "Admin client" authentication using "Certificate Thumbprint" authentication mode in the cluster (with the thumbprint of the created certificate)
I am using the below powershell command :
$ClusterName= "***.francecentral.cloudapp.azure.com:19000"
$ThumbPrint= "e8*****"
Connect-serviceFabricCluster -ConnectionEndpoint $ClusterName -KeepAliveIntervalInSec 10 `
-X509Credential `
-ServerCommonName "Admin" `
-FindType FindBySubjectName `
-FindValue "Admin" `
-StoreLocation CurrentUser `
-StoreName My
As described in https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-connect-to-secure-cluster
(I have also tried with -FindByThumPrint)
I get FARBRIC_E_SERVER_AUTHENTICATION_FAILED: CertficateNotMatched.
What did I miss ?
SSL certificate and SF Cluster endpoint URI must match
There are few ways to solve this:
If the Cluster Certificate was issued to a custom domain (lets say mysite.mydomain.com) you need to use that custom domain URL into $ClusterName. Also both mysite.mydomain.com and ***.francecentral.cloudapp.azure.com must resolve to the same IP address.
You can also fix it by creating new certificate and pointing it to ***.francecentral.cloudapp.azure.com. After doing this, replace it with the old one in your cluster and connect by using ***.francecentral.cloudapp.azure.com endpoint.
This is not a fix but workaround. You can disable certificate name check by modifying C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config and setting checkCertificateName to false. Like this (click here):
<configuration><system.net><settings><servicePointManager checkCertificateName="false" /></settings><system.net></configuration>
Related
I am having trouble uploading a new SSL pfx certificate onto my WAF V2 application gateway. I currently have 3 basic wildcard listeners setup (*.contoso.com *.fabrikam.com and *.adatum.com for example) and I would like to update the certificate associated with *.contoso.com.
The problem with using the UI is that if I attempt to update and save the certificate on the listener I get an error message indicating "This Basic HTTP listener cannot use the same frontend port as an existing listener". I understand this is likely because using multiple basic listeners is still in preview and can only be setup via powershell or ARM templates. I originally setup the gateway via ARM templates.
I instead attempted to update the listener's certificate using powershell. I first uploaded the pfx cert to a key vault. I then created a user managed identity with azure role assignments for both the app gateway and the key vault. After, I ran the following powershell commands from inside the portal's CLI but got the resulting error message.
PS > Select-AzureRmSubscription -Scope CurrentUser -SubscriptionName "Pay-As-You-Go"
PS > $appgw = Get-AzApplicationGateway -ResourceGroupName "myresourcegroup" -Name "myappgateway"
PS > $secret = Get-AzKeyVaultSecret -VaultName "mykeyvault" -Name "contoso-cert"
PS > $secretId = $secret.Id
PS > set-AzApplicationGatewaySSLCertificate -Name "contoso-cert" -ApplicationGateway $appgw -KeyVaultSecretId $secretId
PS > Set-AzApplicationGateway -ApplicationGateway $appgw
Set-AzApplicationGateway: Application Gateway 'myappgateway' requires a 'UserAssigned' Identity with 'get' access policy to the referenced KeyVault. Please provide so by using top level 'Identity' property.
Why am I unable to update the certificate on the basic listener using powershell? Is there any alternative option I can try in order to set the certificate? Please help
Pretty sure I came across this same issue when looking at the Wildcard Listeners Preview in App Gateway.
I don't have a test environment configured in such a way that I can try this for you at the moment, but I believe the solution was to create a Multisite HTTPS listener (instead of basic) with an arbitrary FQDN, and using the same SSL cert as the one you want to update. Then use that listener to update the SSL cert (you could probably even update the cert at the same time as you create the listener).
Let us know how you get on!
Im trying to bind an exisiting certificate in the resource group in a custom domain.
New-AzWebAppSSLBinding -ResourceGroupName $webappname -WebAppName $webappname -Thumbprint "$newthumbprint" -Name "$customdomain"
When I Debug this the custom domain isn't found, But when I check the domain in microsoft azure under tls/ssl bindings, the domain is there with his old thumbprint.
When im using the original domain of the webapp (.azurewebsites.net) then it would say that there is a conflict because in the new certificate is that domain not registered and thats good because I dont want that.
Anyone know how I can change the thumbprint of customdomains in powershell instead of waste my time in microsoft azure application and doing it more then 100 times manually...
For the error, "custom domain isn't found" or "Hostname 'www.exmaple.com' does not exist", here are possible reasons:
You could check the certificate's subject name must match the domains used to access the Web App.
You should find the existing certificate under TLS/SSL settings---Private Key Certificates. When you run the PowerShell commands, ensure that you type the correct Hostname and matched Thumbprint.
The command is working well on my side.
In addition, If you update an SSL certificate from a local machine to the Azure web app, you can use this command.
New-AzWebAppSSLBinding -ResourceGroupName $webapprg -WebAppName $webappname -CertificateFilePath $PathToPfxFile -CertificatePassword $PlainTextPwd -Name $customdomain
I've a wildcard SSL that has expired, and I have the new cert (different authority) uploaded to Azure already..
..but I'd like to know if there's a way to bulk change all the sites using the old cert, over to the new cert. On normal IIS when you make a change for any one of your sites on the old cert, to the new cert, it asks you if you want to update other bindings that are using the old cert so that they also use the new cert. I've around 30 sites I need to move to the new cert and it's going to be quite a drag one by one
Is there an equivalent functionality on Azure? Powershell is acceptable if the portal.azure.com won't do it..
I've been using Azure CLI in Powershell for this. First build a CSV file or array with the values. It will need to contain:
- Web App Name
$Thumbprint
Then iterate through
$Thumbprint = "12bnhgikjbkj13kjbblahblah"
$WebApps = #("WebApp1","WebApp2","WebApp3") #OR
Foreach ($WebApp in $WebApps) {
az webapp config ssl bind --certificate-thumbprint $Thumbprint --ssl-type SNI --resource-group ResourceGroupName --name "$WebApp"
}
You can also do it with New-AzureRmWebAppSSLBinding from here. Also a guide here on how to do it.
I used the following code in Azure Cloud Shell to enumerate how many apps were using the old thumbprint and updated them to the new one. I found this easier than writing down each of the app service names.
You'll need to make sure you import your new certificate first.
az account set --subscription "My Application"
$webapp_ids=(az webapp list --query "[?hostNameSslStates.[thumbprint=='OLD_THUMBPRINT']].id" --output tsv)
az webapp config ssl bind --certificate-thumbprint "NEW_THUMBPRINT" --ssl-type SNI --ids $webapp_ids
According to this tutorial Create a Service Fabric cluster by using Azure Resource Manager , I created the server Self-Signed .pfx certificate.After that I enter certificate thumbprint,SourceVault,CertificateURL to azure portal.
What should I do to get client certificate,to enter its thumbprint to azure portal?
When you generated the client cert you should have generated the thumbprint at that point. If not then you should be able to install that cert locally on your machine (If it's not already) and using MMC go into the properties and find the thumbprint there to copy and paste, keep in mind it needs to have all spaces removed.
Did you uplooad the certificate to the keyvault?
Invoke-AddCertToKeyVault -SubscriptionId <guid> -ResourceGroupName westus-mykeyvault -Location "West US" -VaultName mywestusvault -CertificateName mycert -Password "<password>" -UseExistingCertificate -ExistingPfxFilePath "C:\path\to\mycertkey.pfx"
After that - you'll be able to fetch the thumbprint as specified in the guide.
Name : CertificateThumbprint
Value : E21DBC64B183B5BF355C34C46E03409FEEAEF58D
Name : SourceVault
Value : /subscriptions/<guid>/resourceGroups/westus-mykeyvault/providers/Microsoft.KeyVault/vaults/mywestusvault
Make sure to follow all the steps in the guide you listed and you should have your inputs.
I've created a Service Fabric Cluster with the Azure portal. It's secured by a wildcard SSL certificate from a CA. The certificate is stored in the keyvault.
In the cluster I have several web api services. I would like to add https endpoints to them.
I've followed this guide to update the configuraton, Added https endpoint to ServiceManifest.xml in Nimles.UserManagement.Api.Authorized
<Endpoint Protocol="https" Name="ServiceEndpointHttps" Type="Input" Port="9021" />
Added binding to ApplicationManifest.xml
<ServiceManifestRef ServiceManifestName="Nimles.UserManagement.Api.AuthorizedPkg" ServiceManifestVersion="1.0.0" />
<Policies>
<EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="NimlesComCert" />
</Policies>
Added certificate
<Certificates>
<EndpointCertificate X509FindValue="*****" Name="NimlesComCert" />
</Certificates>
But I can't find information on how to add the certificate to the VM since I've used the portal to create the cluster, and all guides just referers to ARM templates.
I don't mind if I need to use ARM if this is not possible from the portal, but I don't want to recreate the cluster, in that case just use ARM with my current cluster.
The basic steps to add SSL to your Web Api in Service Fabric are:
Add certificate to KeyVault
Install it on VM Scale Set VMs
Add certificate to ServiceManifest and ApplicationManifest (or add it to your services some other way, let's go with manifest here)
Based on you description above you likely already have all of these steps covered. When you secure a cluster with a certificate, that certificate is installed on each VM in the cluster. It should just be a matter of referencing it in your manifest. Look at step 2 below for updating the VMs using ARM if you need to add another certificate to the cluster (if you are running multiple applications secured with different certificates).
Just for reference, I am adding all the required steps below.
Add certificate to KeyVault
You have already done this, but just for reference
I recommend using ServiceFabricRPHelpers to help adding the certificate to the KeyVault. Something along these lines from PowerShell
Invoke-AddCertToKeyVault
-SubscriptionId $subscriptionId
-ResourceGroupName $vaultResourceGroupName
-Location $vaultLocation
-VaultName $vaultName
-CertificateName $clusterCertName
-Password $clusterCertPw
-UseExistingCertificate
-ExistingPfxFilePath $certFilePath
Install certificate on VMSS
Since you have secured your cluster with a cert, your VMs already have the vault certificate installed, but again, just for reference
You can do this with either PS cmdlets, or by updating the ARM template. The PS cmdlet could look like this:
$certConfig = New-AzureRmVmssVaultCertificateConfig
-CertificateUrl $certificateUrl
-CertificateStore $certStore
# Add the certificate as a new secret on each VM in the scaleset
$vmss = (Get-AzureRmVmss | Where-Object{$_.name -eq $vmssName})[0]
$vmss.VirtualMachineProfile.OsProfile.Secrets[0].VaultCertificates.Add($certConfig)
# Trigger an update the VMs in the scaleset
Update-AzureRmVmss -ResourceGroupName $ResourceGroup -Name $VmssName -VirtualMachineScaleSet $Vmss
And the ARM version would look like this
"osProfile": {
"adminPassword": "[parameters('adminPassword')]",
"adminUsername": "[variables('adminUsername')]",
"computernamePrefix": "[variables('vmNodeType0ComputerName')]",
"secrets": [
{
"sourceVault": {
"id": "[parameters('sourceVaultValue')]"
},
"vaultCertificates": [
{
"certificateStore": "[variables('certificateStoreValue')]",
"certificateUrl": "[parameters('certificateUrlValue')]"
}
]
}
]
},
For the ARM template version of this, you can update the already deployed cluster by either downloading the automatically generated script from Azure Portal, or by downloading the actual template you used when deploying the first time (even if you deployed by using a wizard in the portal it actualy creates a template behind the scenes for you and it is that one that is deployed when you click OK in the last step).
Find the Resource Group with your cluster in the portal.
The Automation Script renders a new template for you based on what the Resource Group contains at this point, it is an accumulation of all your changes up to this point of the resources in the group. Click download and you will get a .zip with both the template file and parameters.
You can now redeploy it using either PowerShell like this:
New-AzureRmResourceGroupDeployment
-Name "Update_admin_cert"
-TemplateFile .\template.json
-ResourceGroupName $resourceGroupName
-Mode Incremental
Note the Mode Incremental option, it simply patches whatever is already in your resource group with any new or overlapping definitions in the template your are deploying, so it is (in general) safe to run it on an existing resource group if you only want to change or add some detail for a resource.
Adding certificate to ApplicationManifest
Adding the certificate to your service is a matter of updating the manifest used for deploying the application/services. This documentation article outlines what you need. In short, add a EndpointBindingPolicy to the ServiceManifestImport in ApplicationManifest.xml and a certificate in the Certificates tag that references the thumbprint for your certificate:
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="Stateful1Pkg" ServiceManifestVersion="1.0.0" />
<ConfigOverrides />
<Policies>
<EndpointBindingPolicy CertificateRef="TestCert1" EndpointRef="ServiceEndpoint3"/>
</Policies>
</ServiceManifestImport>
<Certificates>
<EndpointCertificate Name="TestCert1" X509FindValue="ABCDEF27174012740129FADBC232348324" X509StoreName="MY" />
</Certificates>
You can use the portal to generate an ARM template for an existing resource group. Click to the 'automation script' menu item. Then you click 'download'.
Then you can redeploy the resource of type 'Microsoft.Compute/virtualMachineScaleSets', with the certificate info in node 'virtualMachineProfile'. (delete the rest, remove the dependencies)
Note that you'll have to provide any parameter values, as they are not filled out automatically.
(I'd recommend using an ARM template to create the cluster to begin with though.)