I've created a Service Fabric Cluster with the Azure portal. It's secured by a wildcard SSL certificate from a CA. The certificate is stored in the keyvault.
In the cluster I have several web api services. I would like to add https endpoints to them.
I've followed this guide to update the configuration. Added an https endpoint to ServiceManifest.xml in Nimles.UserManagement.Api.Authorized:
<Endpoint Protocol="https" Name="ServiceEndpointHttps" Type="Input" Port="9021" />
Added a binding to ApplicationManifest.xml:
<ServiceManifestRef ServiceManifestName="Nimles.UserManagement.Api.AuthorizedPkg" ServiceManifestVersion="1.0.0" />
<Policies>
    <EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="NimlesComCert" />
</Policies>
Added the certificate:
<Certificates>
    <EndpointCertificate X509FindValue="*****" Name="NimlesComCert" />
</Certificates>
But I can't find information on how to add the certificate to the VM, since I used the portal to create the cluster and all the guides just refer to ARM templates.
I don't mind if I need to use ARM if this is not possible from the portal, but I don't want to recreate the cluster; in that case I'd just use ARM with my current cluster.
The basic steps to add SSL to your Web Api in Service Fabric are:
1. Add certificate to KeyVault
2. Install it on VM Scale Set VMs
3. Add certificate to ServiceManifest and ApplicationManifest (or add it to your services some other way, let's go with manifest here)
Based on your description above you likely already have all of these steps covered. When you secure a cluster with a certificate, that certificate is installed on each VM in the cluster. It should just be a matter of referencing it in your manifest. Look at step 2 below for updating the VMs using ARM if you need to add another certificate to the cluster (if you are running multiple applications secured with different certificates).
Just for reference, I am adding all the required steps below.
Add certificate to KeyVault
You have already done this, but just for reference
I recommend using ServiceFabricRPHelpers to help add the certificate to the KeyVault. Something along these lines from PowerShell:
Invoke-AddCertToKeyVault `
    -SubscriptionId $subscriptionId `
    -ResourceGroupName $vaultResourceGroupName `
    -Location $vaultLocation `
    -VaultName $vaultName `
    -CertificateName $clusterCertName `
    -Password $clusterCertPw `
    -UseExistingCertificate `
    -ExistingPfxFilePath $certFilePath
Install certificate on VMSS
Since you have secured your cluster with a cert, your VMs already have the vault certificate installed, but again, just for reference
You can do this with either PS cmdlets or by updating the ARM template. The PS cmdlet could look like this:
$certConfig = New-AzureRmVmssVaultCertificateConfig `
    -CertificateUrl $certificateUrl `
    -CertificateStore $certStore
# Add the certificate as a new secret on each VM in the scale set
$vmss = (Get-AzureRmVmss | Where-Object { $_.Name -eq $vmssName })[0]
$vmss.VirtualMachineProfile.OsProfile.Secrets[0].VaultCertificates.Add($certConfig)
# Trigger an update of the VMs in the scale set
Update-AzureRmVmss -ResourceGroupName $ResourceGroup -Name $vmssName -VirtualMachineScaleSet $vmss
And the ARM version would look like this:
"osProfile": {
  "adminPassword": "[parameters('adminPassword')]",
  "adminUsername": "[variables('adminUsername')]",
  "computernamePrefix": "[variables('vmNodeType0ComputerName')]",
  "secrets": [
    {
      "sourceVault": {
        "id": "[parameters('sourceVaultValue')]"
      },
      "vaultCertificates": [
        {
          "certificateStore": "[variables('certificateStoreValue')]",
          "certificateUrl": "[parameters('certificateUrlValue')]"
        }
      ]
    }
  ]
},
For the ARM template version of this, you can update the already deployed cluster by either downloading the automatically generated script from the Azure Portal, or by downloading the actual template you used when deploying the first time (even if you deployed using a wizard in the portal, it actually creates a template behind the scenes for you, and that is the one that is deployed when you click OK in the last step).
Find the Resource Group with your cluster in the portal.
The Automation Script renders a new template for you based on what the Resource Group contains at this point; it is an accumulation of all your changes to the resources in the group up to now. Click download and you will get a .zip with both the template file and the parameters.
You can now redeploy it using either PowerShell like this:
New-AzureRmResourceGroupDeployment `
    -Name "Update_admin_cert" `
    -TemplateFile .\template.json `
    -ResourceGroupName $resourceGroupName `
    -Mode Incremental
Note the Mode Incremental option: it simply patches whatever is already in your resource group with any new or overlapping definitions in the template you are deploying, so it is (in general) safe to run it on an existing resource group if you only want to change or add some detail of a resource.
Adding certificate to ApplicationManifest
Adding the certificate to your service is a matter of updating the manifest used for deploying the application/services. This documentation article outlines what you need. In short, add an EndpointBindingPolicy to the ServiceManifestImport in ApplicationManifest.xml and a certificate in the Certificates tag that references the thumbprint of your certificate:
<ServiceManifestImport>
  <ServiceManifestRef ServiceManifestName="Stateful1Pkg" ServiceManifestVersion="1.0.0" />
  <ConfigOverrides />
  <Policies>
    <EndpointBindingPolicy CertificateRef="TestCert1" EndpointRef="ServiceEndpoint3"/>
  </Policies>
</ServiceManifestImport>
<Certificates>
  <EndpointCertificate Name="TestCert1" X509FindValue="ABCDEF27174012740129FADBC232348324" X509StoreName="MY" />
</Certificates>
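A pre-deployment check for the wiring described above, added here as an example (not code from the question or from this answer; the manifest, package and endpoint names in it are constructed):

```python
# Added example (not from the question or the answer above): pre-deployment check
# that EndpointBindingPolicy/EndpointCertificate wiring in an ApplicationManifest.xml
# is consistent and that the X509FindValue is a usable thumbprint.
import re
import xml.etree.ElementTree as ET

# SHA-1 thumbprint as Service Fabric expects it: 40 hex digits, no spaces.
THUMBPRINT_RE = re.compile(r"[0-9A-Fa-f]{40}")

def _local(tag):
    # Real manifests carry the fabric xmlns; compare on the local tag name only.
    return tag.rsplit("}", 1)[-1]

def check_https_bindings(app_manifest_xml, https_endpoints):
    """Return a list of problems; https_endpoints holds the names of the Endpoints
    declared with Protocol="https" in ServiceManifest.xml (supplied by the caller)."""
    root = ET.fromstring(app_manifest_xml)
    certs = {el.get("Name"): el.get("X509FindValue", "")
             for el in root.iter() if _local(el.tag) == "EndpointCertificate"}
    problems = []
    for el in root.iter():
        if _local(el.tag) != "EndpointBindingPolicy":
            continue
        cert_ref, ep_ref = el.get("CertificateRef"), el.get("EndpointRef")
        if cert_ref not in certs:
            problems.append(f"{ep_ref}: CertificateRef '{cert_ref}' has no EndpointCertificate")
        elif not THUMBPRINT_RE.fullmatch(certs[cert_ref]):
            # A thumbprint pasted from MMC keeps its spaces; the node then cannot find the cert.
            problems.append(f"{cert_ref}: X509FindValue '{certs[cert_ref]}' is not a 40-hex-digit thumbprint")
        if ep_ref not in https_endpoints:
            problems.append(f"{ep_ref}: no https Endpoint of that name in ServiceManifest.xml")
    return problems

# Constructed sample: one binding with a spaced thumbprint, one dangling CertificateRef.
SAMPLE_APP_MANIFEST = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="ApiPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <EndpointBindingPolicy EndpointRef="ServiceEndpointHttps" CertificateRef="SiteCert" />
      <EndpointBindingPolicy EndpointRef="AdminEndpointHttps" CertificateRef="MissingCert" />
    </Policies>
  </ServiceManifestImport>
  <Certificates>
    <EndpointCertificate Name="SiteCert" X509FindValue="AB CD EF 27 17 40" />
  </Certificates>
</ApplicationManifest>"""

if __name__ == "__main__":
    for problem in check_https_bindings(SAMPLE_APP_MANIFEST, {"ServiceEndpointHttps"}):
        print(problem)
```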
You can use the portal to generate an ARM template for an existing resource group. Click to the 'automation script' menu item. Then you click 'download'.
Then you can redeploy the resource of type 'Microsoft.Compute/virtualMachineScaleSets', with the certificate info in the 'virtualMachineProfile' node (delete the rest and remove the dependencies).
Note that you'll have to provide any parameter values yourself, as they are not filled in automatically.
(I'd recommend using an ARM template to create the cluster to begin with though.)
Related
I'm trying to bind an existing certificate in the resource group to a custom domain.
New-AzWebAppSSLBinding -ResourceGroupName $webappname -WebAppName $webappname -Thumbprint "$newthumbprint" -Name "$customdomain"
When I debug this, the custom domain isn't found, but when I check the domain in Microsoft Azure under TLS/SSL bindings, the domain is there with its old thumbprint.
When I'm using the original domain of the web app (.azurewebsites.net), it says that there is a conflict because that domain is not registered in the new certificate, and that's good because I don't want that.
Anyone know how I can change the thumbprint of custom domains in PowerShell instead of wasting my time in the Microsoft Azure application and doing it more than 100 times manually?
For the error "custom domain isn't found" or "Hostname 'www.example.com' does not exist", here are possible reasons:
Check that the certificate's subject name matches the domains used to access the Web App.
You should find the existing certificate under TLS/SSL settings > Private Key Certificates. When you run the PowerShell commands, ensure that you type the correct hostname and the matching thumbprint.
The command is working well on my side.
In addition, if you update an SSL certificate from a local machine to the Azure web app, you can use this command:
New-AzWebAppSSLBinding -ResourceGroupName $webapprg -WebAppName $webappname -CertificateFilePath $PathToPfxFile -CertificatePassword $PlainTextPwd -Name $customdomain
I have a wildcard SSL certificate that has expired, and I have the new cert (from a different authority) uploaded to Azure already, but I'd like to know if there's a way to bulk change all the sites using the old cert over to the new cert. On normal IIS, when you change any one of your sites from the old cert to the new cert, it asks you if you want to update the other bindings that are using the old cert so that they also use the new cert. I have around 30 sites I need to move to the new cert and it's going to be quite a drag one by one.
Is there an equivalent functionality on Azure? PowerShell is acceptable if portal.azure.com won't do it.
I've been using the Azure CLI in PowerShell for this. First build a CSV file or array with the values. It will need to contain:
- Web App Name
- Thumbprint
Then iterate through them:
$Thumbprint = "12bnhgikjbkj13kjbblahblah"
$WebApps = @("WebApp1","WebApp2","WebApp3") # OR read the names from the CSV
Foreach ($WebApp in $WebApps) {
    az webapp config ssl bind --certificate-thumbprint $Thumbprint --ssl-type SNI --resource-group ResourceGroupName --name "$WebApp"
}
You can also do it with New-AzureRmWebAppSSLBinding from here. Also a guide here on how to do it.
I used the following code in Azure Cloud Shell to enumerate the apps that were using the old thumbprint and update them to the new one. I found this easier than writing down each of the app service names.
You'll need to make sure you import your new certificate first.
az account set --subscription "My Application"
# Select only the apps that have at least one hostname binding still carrying the old thumbprint
$webapp_ids=(az webapp list --query "[?hostNameSslStates[?thumbprint=='OLD_THUMBPRINT']].id" --output tsv)
az webapp config ssl bind --certificate-thumbprint "NEW_THUMBPRINT" --ssl-type SNI --ids $webapp_ids
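A planner for the bulk move asked about above, added as an example (not the answer's own code): it performs the same selection as the az query, then separates the bindings the new wildcard certificate can take over from the hostnames it does not cover (the conflict the portal reports for the .azurewebsites.net host). The app records, thumbprints and hostnames are constructed.

```python
# Added example (not from the answers above): offline planner for moving many
# Web Apps from an expired wildcard certificate to its replacement. Records mirror
# the shape of `az webapp list` output (id, name, hostNameSslStates); these are constructed.

def hostname_covered(hostname, cert_names):
    """True if hostname matches one of the certificate's subject/SAN names.
    A wildcard like *.example.com covers exactly one label, as TLS clients require."""
    host = hostname.lower()
    for name in (n.lower() for n in cert_names):
        if name.startswith("*."):
            suffix = name[1:]                                    # ".example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False

def plan_rotation(apps, old_thumbprint, new_cert_names):
    """Return (rebind, skip). rebind: (app id, hostname) bindings still on the old
    thumbprint that the new certificate covers. skip: hosts on the old thumbprint the
    new certificate does NOT cover; binding those is the conflict the portal reports."""
    rebind, skip = [], []
    for app in apps:
        for state in app.get("hostNameSslStates", []):
            # thumbprint is null for hosts without a binding, hence the `or ""`
            if (state.get("thumbprint") or "").upper() != old_thumbprint.upper():
                continue
            target = (app["id"], state["name"])
            (rebind if hostname_covered(state["name"], new_cert_names) else skip).append(target)
    return rebind, skip

# Constructed sample: two apps still on the old wildcard, one already rotated.
OLD = "0000000000000000000000000000000000000000"
NEW = "1111111111111111111111111111111111111111"
SAMPLE_APPS = [
    {"id": "/subscriptions/x/sites/app1", "name": "app1", "hostNameSslStates": [
        {"name": "www.example.com", "thumbprint": OLD, "sslState": "SniEnabled"},
        {"name": "app1.azurewebsites.net", "thumbprint": OLD, "sslState": "SniEnabled"}]},
    {"id": "/subscriptions/x/sites/app2", "name": "app2", "hostNameSslStates": [
        {"name": "shop.example.com", "thumbprint": NEW, "sslState": "SniEnabled"}]},
    {"id": "/subscriptions/x/sites/app3", "name": "app3", "hostNameSslStates": [
        {"name": "deep.sub.example.com", "thumbprint": OLD, "sslState": "SniEnabled"}]},
]

if __name__ == "__main__":
    rebind, skip = plan_rotation(SAMPLE_APPS, OLD, ["*.example.com", "example.com"])
    print("rebind to the new certificate:", rebind)
    print("needs a different certificate:", skip)
```

The rebind list is what to feed to az webapp config ssl bind; the skip list is what would otherwise fail with the hostname conflict.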
I have uploaded an SSL certificate in the Azure portal for my web app.
Is there a way to add a key-value tag for the cert? From the documentation, I see tags only for resource groups etc., but not for a particular cert.
If you are able to see the certificate in your resource group, just add a tag as usual.
On my side, the certificate is hidden because it's managed by Azure. I can show it by clicking the checkbox at the top of the resource group.
If, after you click the certificate, there is no Tags bar on its panel, you can use Cloud Shell to add the tag. You can find Cloud Shell at the top right of the portal.
The first time you run it, you may need to create storage for the shell; just follow the steps Azure provides. Then we can add tags. Using a PowerShell script as an example, just two commands achieve your goal:
$r = Get-AzureRmResource -ResourceName certificatename -ResourceGroupName resourcegroupname
Set-AzureRmResource -Tag @{ TagName="TagValue" } -ResourceId $r.ResourceId -Force
Things work on my side. Any further question, just ask.
Looking at the REST API documentation for Create or Update Certificate, it looks like it is possible to assign tags to SSL certificates. I believe this functionality is not exposed in the Portal. I looked up the Azure PowerShell cmdlets as well and couldn't find anything there (it is entirely possible that I may have missed something).
If you need to assign tags to an SSL certificate, you can always use the REST API and invoke it either by writing code or by using a tool like Postman. The other thing you should look at is the Azure SDK. In all likelihood, you will find some functionality there which will let you assign tags to an SSL certificate.
According to this tutorial, Create a Service Fabric cluster by using Azure Resource Manager, I created the server self-signed .pfx certificate. After that I entered the certificate thumbprint, SourceVault and CertificateURL in the Azure portal.
What should I do to get the client certificate, so I can enter its thumbprint in the Azure portal?
When you generated the client cert you should have generated the thumbprint at that point. If not, then you should be able to install that cert locally on your machine (if it's not already) and, using MMC, go into the properties and find the thumbprint there to copy and paste; keep in mind it needs to have all spaces removed.
Did you upload the certificate to the keyvault?
Invoke-AddCertToKeyVault -SubscriptionId <guid> -ResourceGroupName westus-mykeyvault -Location "West US" -VaultName mywestusvault -CertificateName mycert -Password "<password>" -UseExistingCertificate -ExistingPfxFilePath "C:\path\to\mycertkey.pfx"
After that, you'll be able to fetch the thumbprint as specified in the guide:
Name : CertificateThumbprint
Value : E21DBC64B183B5BF355C34C46E03409FEEAEF58D
Name : SourceVault
Value : /subscriptions/<guid>/resourceGroups/westus-mykeyvault/providers/Microsoft.KeyVault/vaults/mywestusvault
Make sure to follow all the steps in the guide you listed and you should have your inputs.
I am using Blockchain as a Service on Azure to deploy a private blockchain.
The default ports are 8545 for the RPC ENDPOINT and 3000 for the first transaction node. I would like to change these parameters because of a firewall constraint.
Is it possible and how can I do it?
Based on my knowledge, this is possible. You could use this template to do this.
Download the azuredeploy.json file to your local PC, and modify the adminSitePort and gethRPCPort values to the ones you want:
"adminSitePort": 3000,
"gethRPCPort": 8545,
Then you could use PowerShell to deploy this template:
New-AzureRmResourceGroupDeployment -Name <deployment name> -ResourceGroupName <resource group name> -TemplateFile "D:\azuredeploy.json"
After the template is deployed successfully, you need to check that the Azure NSG opens the ports you need.