1 vote

I have an Azure Service Fabric cluster running with management endpoint https://mysf.westeurope.cloudapp.azure.com:19080/Explorer.

And I have a CNAME record: sf.mycoolcluster.nl --> mysf.westeurope.cloudapp.azure.com and a valid certificate for sf.mycoolcluster.nl.

What I would like is to go to https://sf.mycoolcluster.nl:19080/Explorer and see my own certificate being served. However, I see no way of binding my certificate to port 19080 on the cluster so this doesn't happen.

I already configured my own certificate as the secondary SF certificate via the cluster ARM template and started using this certificate everywhere the primary certificate was used. This works fine. But still the (old) primary certificate is used by the management endpoint, resulting in a certificate validation error.

1
Not sure I fully understand your last paragraph, have you updated your ARM template so your certificate is the primary? The secondary certificate is only for certificate rollover. @Ronald Wildenberg – jimpaine
But it is impossible to actually switch the primary and secondary cert. You get an error message (don't recall the exact text): impossible to add and remove certificate in the same operation. So how does a rollover work? – Ronald Wildenberg
Have a look at this link: azure.microsoft.com/en-us/documentation/articles/… It covers certificate rollovers. – jimpaine
The way that I do this is through the setup in the Azure portal. I haven't attempted to set up a Service Fabric cluster programmatically before. – The Muffin Man

1 Answer

1 vote

You need to set up the secondary certificate by ARM template deployment, then you need to swap primary with secondary, wait 30 min, delete the secondary and wait 30 min. All described here: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
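Added example (not part of the answer above or of any Microsoft tooling): a small diagnostic that checks whether the management endpoint on port 19080 validates for the CNAME hostname and, if not, reports the thumbprint of the certificate actually served and maps it to the primary/secondary thumbprints from the ARM template. The hostname is the one from the question; the two thumbprint constants are placeholders you replace with your own.

```python
import hashlib
import socket
import ssl

# Constructed placeholders: the SHA-1 thumbprints configured as primary and
# secondary in the cluster's ARM template (certificate.thumbprint / thumbprintSecondary).
PRIMARY_THUMBPRINT = "<PRIMARY-CERT-THUMBPRINT>"
SECONDARY_THUMBPRINT = "<SECONDARY-CERT-THUMBPRINT>"

def thumbprint(der_cert: bytes) -> str:
    """Azure-style thumbprint: uppercase hex SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest().upper()

def classify(served: str, primary: str, secondary: str) -> str:
    """Tell which configured role (if any) the served thumbprint corresponds to."""
    norm = lambda t: t.replace(" ", "").replace(":", "").upper()
    if norm(served) == norm(primary):
        return "primary"
    if norm(served) == norm(secondary):
        return "secondary"
    return "unknown"

def validates_for(host: str, port: int = 19080) -> bool:
    """True if the served certificate chains to a trusted root and matches `host`."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock, \
                ctx.wrap_socket(sock, server_hostname=host):
            return True
    except ssl.SSLCertVerificationError:
        return False

def fetch_served_cert(host: str, port: int = 19080) -> bytes:
    """Return the DER certificate the endpoint presents. Verification is off on
    purpose: this is a diagnostic to see *which* cert is served, not a trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    host = "sf.mycoolcluster.nl"  # CNAME from the question
    print("validates for", host, ":", validates_for(host))
    tp = thumbprint(fetch_served_cert(host))
    print("served:", tp, "->", classify(tp, PRIMARY_THUMBPRINT, SECONDARY_THUMBPRINT))
```

If the served thumbprint still classifies as "primary" after the secondary was added, the endpoint has not picked up the new certificate yet; only after the swap described in the answer should it report "primary" for the new thumbprint.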