4
votes

The documentation for updating x509 certificates in Service Fabric is unclear to me with regard to non-Azure (On-Prem) installations: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-upgrade-windows-server

I have followed these steps, but they have not worked.

  1. Updated the cluster setup json template so that the thumbprint of the original certificate is now "ThumbprintSecondary".
  2. Added the new certificate thumbprint under "Thumbprint". e.g.

    "security": {
        "metadata": "The Credential type X509 indicates this is cluster is secured using X509 Certificates. The thumbprint format is - d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
        "ClusterCredentialType": "X509",
        "ServerCredentialType": "X509",
        "CertificateInformation": {
            "ClusterCertificate": {
                "Thumbprint": "New Thumbprint",
                "ThumbprintSecondary": "Old Thumbprint",
                "X509StoreName": "My"
            },
            "ServerCertificate": {
                "Thumbprint": "New Thumbprint",
                "ThumbprintSecondary": "Old Thumbprint",
                "X509StoreName": "My"
            }
        }
    }

  3. Install the new certificate pfx and update the ACL for "NETWORK SERVICE".

  4. Run Start-ServiceFabricClusterConfigurationUpgrade -ClusterConfigPath "Path to json Configuration File".
2
"Not worked" - what errors do you get? - Mardoxx

I've updated the SDK and it seems to work for me now. I'll close this question off. - SturmUndDrang

2 Answers

2
votes

For your question: no, there is no out-of-the-box way to update the certificate for a Service Fabric on-premise cluster. I opened a ticket with Microsoft for this issue: 117011115158708. They replied that it will be fixed in version 5.5. This version is out now and the problem is still not fixed; they should get back to me with an answer about this issue. I will try to keep this post updated.

0
votes

A certificate update would be a cluster configuration change. The following method has worked for me for cluster configuration changes.

  • Install the new cert on all nodes as you've already done.
  • Run Get-ServiceFabricRegisteredClusterConfigVersion. The highest number listed will most likely be the cluster config version you are on.
  • Run Get-ServiceFabricClusterManifest | Out-File C:\ClusterManifest.xml
  • Edit the ClusterManifest.xml file and make the following changes:
    • Upgrade the Version attribute on the root ClusterManifest XML tag (e.g. if it is 1, go to 2)
    • Update the thumbprints under the Certificates section
  • Use Copy-ServiceFabricClusterPackage with -Config option (I have not included the full syntax but you can look that up as it is quite detailed) and specify the modified ClusterManifest.xml file.
  • Run Get-ServiceFabricRegisteredClusterConfigVersion. The version you just uploaded will now be the highest version (e.g. 2 in this example).
  • Run Start-ServiceFabricClusterUpgrade -Config -ClusterManifestVersion new-version (2 in this example; again I have left out other parameters for simplicity).
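The manifest-editing steps above (bump the root Version, swap the thumbprints, keep the old one as secondary) as an added PowerShell example; this is not code from the answer or from Microsoft. It assumes the exported manifest uses `ClusterCertificate`/`ServerCertificate` elements with `X509FindValue` and `X509FindValueSecondary` attributes under `Certificates`, and all thumbprint values are placeholders you supply.

```powershell
# Added example: prepare an exported ClusterManifest.xml for a certificate rotation.
# Assumed element/attribute names (ClusterCertificate, ServerCertificate, X509FindValue,
# X509FindValueSecondary) follow the cluster manifest schema; thumbprints are placeholders.
param(
    [string]$ManifestPath = 'C:\ClusterManifest.xml',
    [Parameter(Mandatory)][string]$NewThumbprint,
    [Parameter(Mandatory)][string]$OldThumbprint
)

# Thumbprints must be 40 hex characters; stray spaces or hidden characters pasted from
# certmgr are a common cause of a cluster that no longer trusts itself after the upgrade.
foreach ($t in $NewThumbprint, $OldThumbprint) {
    if ($t -notmatch '^[0-9A-Fa-f]{40}$') { throw "Thumbprint '$t' is not 40 hex characters" }
}

# Refuse to continue unless the new certificate (with its private key) is installed in
# LocalMachine\My on this node; otherwise the upgrade fails part-way through the ring.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewThumbprint
if (-not $cert) { throw "Certificate $NewThumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key" }

[xml]$manifest = Get-Content -Path $ManifestPath -Raw

# Step 1: bump the Version attribute on the root ClusterManifest element (1 -> 2 etc.).
$oldVersion = [int]$manifest.ClusterManifest.Version
$newVersion = $oldVersion + 1
$manifest.ClusterManifest.Version = [string]$newVersion

# Step 2: make the new thumbprint primary on every node type and keep the old one as
# secondary, so nodes that still present the old certificate stay trusted mid-upgrade.
$ns = New-Object System.Xml.XmlNamespaceManager($manifest.NameTable)
$ns.AddNamespace('sf', $manifest.DocumentElement.NamespaceURI)
$xpath = '//sf:Certificates/sf:ClusterCertificate | //sf:Certificates/sf:ServerCertificate'
$nodes = $manifest.SelectNodes($xpath, $ns)
if ($nodes.Count -eq 0) { throw 'No ClusterCertificate/ServerCertificate elements found' }
foreach ($n in $nodes) {
    # Guard against editing a manifest that does not actually use the cert we think it does.
    if ($n.X509FindValue -ne $OldThumbprint) {
        throw "$($n.LocalName) uses $($n.X509FindValue), not the expected old thumbprint"
    }
    $n.SetAttribute('X509FindValue', $NewThumbprint)
    $n.SetAttribute('X509FindValueSecondary', $OldThumbprint)
}

# Write a new file rather than overwriting the export, so the original stays for rollback.
$outPath = [IO.Path]::ChangeExtension($ManifestPath, ".v$newVersion.xml")
$manifest.Save($outPath)
Write-Output "Wrote $outPath (Version $oldVersion -> $newVersion); use it with Copy-ServiceFabricClusterPackage -Config"
```

Once the old certificate has been removed from every node in a later rotation, the same script can be run again with the secondary attribute dropped, which is the point at which the old private key should be destroyed.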