Can't deploy to secured Service Fabric cluster from VS - azure

I've created a secured SF cluster from the portal, but I can't connect to the explorer from the browser or deploy my app from VS. I have the cluster certificate (the one it makes you create in a Key Vault when you first deploy the cluster) installed on my machine. I got the .pfx file from the Key Vault and installed it on my Windows machine both with double click/wizard and with the PowerShell Import-PfxCertificate cmdlet.
Still after that, VS says Failed to contact the server. Please try again later or get help from "How to configure secure connections"
I tried adding a client "admin" certificate, but it only asks me for the thumbprint or the subject name, where I put the ones from the previously created cluster certificate. I don't really know if I need to buy a client certificate to make it work, or where I would get it.
And as I said, I can't access the explorer using the browser either. Any ideas?
Here are some screenshots:

This error message might be:
- The certificate issuer authority is not trusted
- because the certificate you installed is not valid or does not target the domain you are trying to access.
If the certificate issuer is not trusted, you might have to:
Trust them; please see this link
Or get a new certificate from a trusted authority and execute the steps below
If the certificate is invalid or misconfigured:
The message is Chrome telling you that the certificate is not valid, and you can proceed at your own risk. You should be okay if you click Proceed to xyz.dev.eastus.cloudapp.com.
To deploy applications from Visual Studio to the cluster, you have to install the PFX certificate on the machine and add the thumbprint to the publish profile file. See more in this link
How to make it work:
Register the domain you want; here I will use www.example.com as the example
Register the CNAME record on your DNS provider pointing to your Service Fabric default domain, like xyz.dev.eastus.cloudapp.com.
Get a PFX certificate from a trusted authority, or your own self-signed certificate if it is for internal use only.
Add the certificate to key vault
Configure the VMSS to use the certificates from key vault
Update your cluster configuration with your certificate thumbprint
This link and this link provide the documentation on how to set up the cluster certificates.
And the following link has a detailed explanation of how to set up applications:
https://ronaldwildenberg.com/custom-domain-name-and-certificate-for-your-azure-service-fabric-cluster/
If you just want to create a secure cluster for Dev and Test purposes, you can just create it from the portal and let Azure generate the correct certificate for you. For production workloads, you should create your own certificates. Please take a look at this link for more info.
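A PowerShell check, added here and not part of the answer above, for the two things Visual Studio needs before it can contact a secured cluster: the cluster certificate present with its private key in the store the publish profile reads, and a connection using that thumbprint. It assumes the Service Fabric SDK cmdlets are installed; the thumbprint and endpoint are placeholders.

```powershell
# Added example: verify the cluster certificate installed from the Key Vault PFX is usable,
# then connect with the same parameters a Visual Studio publish profile uses.
$thumbprint = 'REPLACE_WITH_CLUSTER_CERT_THUMBPRINT'          # placeholder
$endpoint   = 'xyz.dev.eastus.cloudapp.azure.com:19000'        # placeholder client endpoint

# The default publish profile looks in CurrentUser\My (CertificateStoreLocation/CertificateStoreName).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }

if (-not $cert) {
    throw "Certificate $thumbprint is not in Cert:\CurrentUser\My; import the PFX into the Current User store."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate is present but has no private key; re-import the .pfx (not a .cer) with Import-PfxCertificate."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); rotate the cluster certificate first."
}

# With a single cluster certificate, the server thumbprint and the client (admin) thumbprint are the same.
Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
    -X509Credential `
    -ServerCertThumbprint $thumbprint `
    -FindType FindByThumbprint -FindValue $thumbprint `
    -StoreLocation CurrentUser -StoreName My

# Returns True when the cluster accepted the certificate; a failure here is the same
# failure Visual Studio reports as "Failed to contact the server".
Test-ServiceFabricClusterConnection
```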

Related

Azure vpn error A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

I am creating a VPN in Azure, and created self-signed certificate in the following places:
Local Computer:
Personal/Certificates: Issued To: FQDN name is the certificate's name
Trusted Root Certification Authorities/Certificates:
manually copied from Personal
I have configured the VPN in Azure and it is downloaded and extracted and the vpn client is installed successfully, however, when I run the client I received the following error:
A certificate could not be found that can be used with this Extensible
Authentication Protocol. (Error 798)
Screenshot:
The error seems to suggest the certificate is NOT found; does the name matter?
Should I change the cert's name from Azurecert to FQDN which is the name in my local computer?
Thank you for your help in advance.
UPDATE:
I removed the existing certificate in Azure's configuration and re-added it with the same FQDN name shown in the local computer's certificates, I re-downloaded the client, I removed the existing installed VPN client and re-installed the new one, and I receive the same error message. So it seems the name is not the root cause?
UPDATE2:
The procedure I've followed:
Create a self-signed certificate with the FQDN name on the local laptop:
New-SelfSignedCertificate -DnsName NV-RXIE.novantas.pri -CertStoreLocation "cert:\LocalMachine\My"
Add the self-signed certificate as a trusted certificate authority: copy the new cert to Trusted Root Certificate Authorities
Export the cert and open it, copy the cert part and paste it into the VPN setting (Root certificates, Public Certificate Data)
Download the VPN client, install it on the laptop, and run it
Connect, failed with:
A certificate could not be found that can be used with this Extensible
Authentication Protocol. (Error 798)
When you try to connect to an Azure virtual network by using the VPN client, besides exporting the root certificate public key .cer file to Azure, each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate and then export and install the client certificate. If the client certificate is not installed, authentication fails.
This problem occurs if the client certificate is missing from Certificates - Current User\Personal\Certificates.
You could follow this solution to fix this issue. For more information about how to install the client certificate, see Generate and export certificates for point-to-site connections.
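The missing step the answer describes, as an added PowerShell example (not the answer author's code): a self-signed P2S root, a client certificate signed by it, the root's public data for the gateway's "Public certificate data" field, and a check that the client certificate sits where the VPN client looks. The certificate names are placeholders.

```powershell
# Added example: P2S root + client certificate, plus the check that explains Error 798.
$rootName   = 'P2SRootCert'     # placeholder
$clientName = 'P2SChildCert'    # placeholder

# Root: a signing certificate that the gateway will trust.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# Client: signed by the root, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# The portal's "Public certificate data" is the root's base64 body without BEGIN/END lines.
$rootPublicData = [Convert]::ToBase64String($root.Export('Cert'))
Set-Content -Path "$env:USERPROFILE\$rootName.txt" -Value $rootPublicData

# Error 798 means no usable client certificate: it must be in CurrentUser\Personal,
# carry its private key, and be issued by the root uploaded to the gateway.
$installed = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $client.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw 'Client certificate missing from CurrentUser\Personal or has no private key.'
}
if ($installed.Issuer -ne $root.Subject) {
    throw "Client certificate issuer '$($installed.Issuer)' does not match root '$($root.Subject)'."
}
"Root thumbprint:   $($root.Thumbprint)"
"Client thumbprint: $($installed.Thumbprint)"
```

A certificate made only with -DnsName and no signer, as in the question, is a root with no client certificate under it, which is exactly the state the check above rejects.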
In case anyone runs into this issue at some stage, I had installed a new root cert that worked for 2 out of 3 VPN gateways fine. The third kept giving a 798 error even though the certs were correct and in the right place.
To fix the Error 798, I did the following:
reset the gateway in Azure Portal. (support & troubleshooting on VPN gateway blade)
remove the VPN configuration from my pc (win10)
reboot pc (just to be safe)
download and reinstall the VPN client from the Azure Portal again (from Point-to-site configuration on Azure VPN gateway in question)
Once done, I could then connect without any issues. Tested on several different users.
My guess is that if you are adding / removing the Root certs it might need you to reinstall the VPN client on your computer after the gateway has the new root cert configuration.
Hope that helps.
In addition to the answer by Nancy Xiong:
If you are still having problems with this error you can try the following
Run certmgr.msc
Go to Personal->Certificates
Right-click your certificate
All Tasks->Export
Choose Yes: Export private key
Accept default options until you reach a step where you must enter a password
Enter a password, and continue until you have exported your certificate
Repeat this process if you have more than one certificate
Locate your certificates in the Windows file explorer
Right-click->Install
Select Current User for the Store Location
Accept default options, and enter the certificate password when prompted
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
Click 'Browse' and select your Personal store
This should now work.
In rare circumstances you may find that this solution will only work for a short time (usually failing the next time you reboot). In this case you may need to follow these additional steps:
Boot your computer into BIOS Configuration
Disable any settings for Intel VT-x and Intel VT-d
Restart your computer
Retry the steps above
In addition to the answer by Peter Morris, I did the steps below, which helped in resolving this issue.
Delete the client certificate from your PC. This can be done by searching for Manage User Certificates, then right-clicking the certificate -> Delete
Now reinstall your certificate: accept the default options, and enter the certificate password when prompted.
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
Click 'Browse' and select your Personal store
Accept all the default options that come next and click Finish.
The above steps helped me resolve this issue.
For me, I got this error because my previous cert has expired after 1 year.
I just deleted the old cert and followed this to create a new one:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Certificate Chain incomplete using Let's Encrypt and Certes (Azure webrole)

I am trying to create a new Let's Encrypt SAN certificate using the Certes library and hosting on an Azure WebRole. Everything has worked previously (many times) but now I am getting a cert error on Android and ssllabs.com shows a "certificate chain incomplete" error.
The certificate is created without error and I have explicitly set FullChain = true on the PfxBuilder but I am unsure how to check if the full chain is recorded in the certificate correctly without uploading the certificate together with a new deployment (I am not a cert expert).
On the Azure Web role both the created certificate and the required Let's Encrypt cert (Let's Encrypt Authority X3) are listed in the webrole certificates. I only uploaded the created certificate; Azure adds the Let's Encrypt Authority X3 cert itself.
I am unsure whether it is a problem with the certificate not recording the full chain or some configuration setting on the WebRole. When I go to Certificates in the Azure Management console I see the Let's Encrypt Cert but when I rdp into the role and look in the IIS Manager I cannot see the Let's Encrypt Cert under Server Certificates. I also cannot find it when I open the Certificates Management Console (certlm).
I am starting to think it is a problem with the WebRole but I am at a loss on what to check next.
You need to add additional <Certificate> element in your ServiceDefinition and ServiceConfiguration to specify the intermediate certs. See https://blogs.msdn.microsoft.com/azuredevsupport/2010/02/24/how-to-install-a-chained-ssl-certificate/
Edit due to broken link
View your certificate. For each intermediate certificate between the root cert and your certificate, export the certificate file.
Upload these certificates to Azure
Add the <Certificate> element. You can get the thumbprint from the Azure portal.
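The check the question asks for (whether FullChain actually put the intermediate into the PFX), as an added PowerShell example that is neither Certes nor the answer's code; path and password are placeholders.

```powershell
# Added example: list what a PFX contains and see whether the leaf's issuer is bundled.
$pfxPath     = 'C:\certs\site.pfx'            # placeholder
$pfxPassword = 'REPLACE_WITH_PFX_PASSWORD'    # placeholder

$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxPath, $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

"Certificates in PFX: $($collection.Count)"
$collection | ForEach-Object { "  $($_.Subject)  <- issued by $($_.Issuer)" }

# The leaf is the entry with a private key; everything else should be a CA above it.
$leaf = $collection | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'No certificate with a private key in the PFX.' }

# Decisive test: is the issuer (e.g. Let's Encrypt Authority X3) physically in the file?
# Windows may fetch a missing intermediate over the network, so a chain that builds on
# your workstation does not prove the PFX is complete for a client such as Android.
$intermediate = $collection | Where-Object { $_.Subject -eq $leaf.Issuer }
if ($intermediate) {
    "Intermediate bundled: $($intermediate.Subject)"
} else {
    Write-Warning "Intermediate '$($leaf.Issuer)' is NOT in the PFX; FullChain was not honoured. " +
                  "Add it to the PFX or upload it and reference it with a <Certificate> element."
}

# For reference, show the chain Windows builds using only the bundled certificates as extras.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.ExtraStore.AddRange($collection)
$built = $chain.Build($leaf)
"Chain built: $built"
$chain.ChainElements | ForEach-Object { "  $($_.Certificate.Subject)" }
if (-not $built) {
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation)" }
}
```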

Cannot add Admin Client key to Service Fabric cluster

I am trying to add an Admin Client authentication key to my Service Fabric cluster created using the portal.
I keep getting this error: Failed to submit updates to 'admin client certificate' for cluster.
The background - I cannot access the Service Fabric explorer after creating a cluster. I am guessing that this is because I don't have an admin client authentication set up yet.
How can I fix this error?
From my experience with Azure Service Fabric Cluster, you need to have the certificate added in order to add a client certificate. But if you set it up right, you should be able to connect to it without setting new creds.
Steps below.
While setting up the cluster, if it's for testing you can use a self-signed certificate from Key Vault; the process can create one for you.
At the summary page of the Cluster setup you will get a link to obtain certificate as you will need that to access Fabric Cluster.
Make sure you download and install certificate (pfx) to computer's store. No password is needed.
Once the Service Fabric cluster is fully deployed, click on the 'Explorer' button or the link to open the portal. Make sure you are on IE or Edge, because Chrome or Firefox will not like the self-signed certificate.
The browser should trigger an authentication prompt; please select the certificate we installed previously. If it is not showing as the default, use the More option to find it. If it's not on the list, it means that the certificate was not installed.
That should authenticate you and give you access to the Service Fabric Cluster.
Hope this information was helpful.
You need to make sure that the SF provision is not undergoing updates first.
Also, you cannot access the SF management console with the cert that was used to secure the cluster. You will need to generate a self-signed cert (unless you already have a CA cert) and use the thumbprint from that cert to import into the "Admin Client" in the SF security section.
This is the cert you also need to import into your client machine's cert repository.

Not able to access Service Fabric explorer on Azure cluster secured by self signed certificate

I have created an Azure Service Fabric cluster secured by my self-signed certificate (of type DocumentEncryptionCert). I have followed this article from the documentation. I created a key vault, uploaded the certificate there as a secret, and while configuring the Azure Service Fabric cluster I set the primary certificate for this cluster to the Key Vault secret. SF automatically uses this certificate to create the SSL channel, also when trying to access SF Explorer. I am getting an error that an untrusted certificate was used (even though I imported the certificate into the trusted root certification authorities store). That means I am not able to manage the cluster, nor even to deploy an application from Visual Studio, as it is also not able to connect to the cluster due to issues with the certificate.
My question is whether there is some special way the certificate for such a scenario has to be generated. I generated the certificate exactly the same way as stated in the article above:
New-SelfSignedCertificate -Type DocumentEncryptionCert -KeyUsage DataEncipherment -Subject mysfcertificate -Provider 'Microsoft Enhanced Cryptographic Provider v1.0'
Thank you.
For the "Cluster and server certificate" you usually use an SSL certificate (it can be self-signed, see https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security); more info here: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-via-portal
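What an SSL-type self-signed certificate for the cluster looks like in PowerShell, as an added example that is not from the answer: a server-authentication certificate named for the cluster endpoint, checked for the right EKU and exported as the PFX Key Vault expects. The FQDN, path and password are placeholders.

```powershell
# Added example: a cluster/server certificate usable by Service Fabric and browsers,
# as opposed to the DocumentEncryptionCert in the question.
$clusterFqdn = 'mycluster.westeurope.cloudapp.azure.com'     # placeholder
$pfxPath     = "$env:USERPROFILE\sfcluster.pfx"              # placeholder
$pfxPassword = ConvertTo-SecureString 'REPLACE_WITH_PASSWORD' -AsPlainText -Force

# Subject/DNS name must match the endpoint clients connect to. EKUs: Server Authentication
# (1.3.6.1.5.5.7.3.1) for TLS and Client Authentication (1.3.6.1.5.5.7.3.2) because the
# cluster certificate is also presented for node-to-node and admin-client authentication.
$cert = New-SelfSignedCertificate -Type Custom -Subject "CN=$clusterFqdn" -DnsName $clusterFqdn `
    -KeySpec KeyExchange -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# Sanity check: the Server Authentication EKU is what the TLS handshake and SF look for.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ('1.3.6.1.5.5.7.3.1' -notin $ekus) { throw 'Server Authentication EKU missing.' }

# Export as PFX (private key included) for upload to Key Vault; the public .cer alone is not enough.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
"Thumbprint for the cluster configuration: $($cert.Thumbprint)"
"PFX written to $pfxPath"
```

The same certificate imported into the workstation's CurrentUser\My store is what the browser presents to Service Fabric Explorer and what Visual Studio uses to deploy.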

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my Azure web app can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)?
I generated an SSL certificate with openssl, and when I install it into the trusted root certificate authorities store on my local computer it runs fine. However, when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an Azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authorities on an Azure Web App. The security implications would be quite bad if that were possible. For more detail, please refer to another SO thread.
But we can use Azure Cloud Services, which allow us to do that. For more info, please refer to the document.
If we want to install certificates to the Personal certificate store, we could upload a .pfx file to the Azure App and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate; that will make it accessible to your web application. Then the certificate will be installed to the Personal certificate store. For more detail, please refer to Using Certificates in Azure Websites Applications.
For how to obtain an SSL certificate, please refer to the official document Secure your app's custom domain with HTTPS.
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.