0
votes

I'm unable to connect to my Azure Service Fabric cluster using PowerShell.

I have created a certificate "Admin" on my computer using https://support.jetglobal.com/hc/en-us/articles/235636308-How-To-Create-a-SHA-256-Self-Signed-Certificate

I have imported this certificate in my Key Vault, and added an "Admin client" authentication using "Certificate Thumbprint" authentication mode in the cluster (with the thumbprint of the created certificate)

I am using the below PowerShell command:

    $ClusterName = "***.francecentral.cloudapp.azure.com:19000"
    $ThumbPrint = "e8*****"

    Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterName -KeepAliveIntervalInSec 10 `
        -X509Credential `
        -ServerCommonName "Admin" `
        -FindType FindBySubjectName `
        -FindValue "Admin" `
        -StoreLocation CurrentUser `
        -StoreName My

As described in https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-connect-to-secure-cluster

(I have also tried with -FindByThumbprint)

I get FABRIC_E_SERVER_AUTHENTICATION_FAILED: CertificateNotMatched.

What did I miss?

1
I think it is exactly what I have tried in the posted code, isn't it? - Lou

1 Answer

0
votes

SSL certificate and SF Cluster endpoint URI must match

There are a few ways to solve this:

  1. If the Cluster Certificate was issued to a custom domain (let's say mysite.mydomain.com) you need to use that custom domain URL in $ClusterName. Also both mysite.mydomain.com and ***.francecentral.cloudapp.azure.com must resolve to the same IP address.

  2. You can also fix it by creating a new certificate and pointing it to ***.francecentral.cloudapp.azure.com. After doing this, replace it with the old one in your cluster and connect by using the ***.francecentral.cloudapp.azure.com endpoint.

  3. This is not a fix but a workaround. You can disable the certificate name check by modifying C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config and setting checkCertificateName to false. Like this:

    <configuration><system.net><settings><servicePointManager checkCertificateName="false" /></settings></system.net></configuration>
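
A preflight check for the name match described in the answer above, as an added example that is not part of the original question or answer: it compares the host in a connection endpoint with the subject CN and DNS name of a certificate. The function names, the host name and the in-memory sample certificates are constructed for illustration; `CertificateRequest` is assumed to be available (.NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# True when $HostName equals $CertName, or $CertName is a wildcard such as
# "*.contoso.test" that covers exactly one leading label of $HostName.
function Test-NameMatch([string]$HostName, [string]$CertName) {
    if ($CertName.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $CertName.Substring(1))
    }
    return $HostName -ieq $CertName
}

# Compares the host part of a "host:port" endpoint with the certificate's
# subject CN and its DNS name (the DNS subject alternative name, if present).
function Test-EndpointMatchesCertificate {
    param(
        [Parameter(Mandatory)][string]$ConnectionEndpoint,
        [Parameter(Mandatory)][X509Certificate2]$Certificate
    )
    $hostName = ($ConnectionEndpoint -split ':')[0]
    $names = @(
        $Certificate.GetNameInfo([X509NameType]::SimpleName, $false)
        $Certificate.GetNameInfo([X509NameType]::DnsName, $false)
    ) | Where-Object { $_ } | Select-Object -Unique
    [pscustomobject]@{
        Host      = $hostName
        CertNames = $names -join ', '
        Match     = [bool]($names | Where-Object { Test-NameMatch $hostName $_ })
    }
}

# Constructed in-memory self-signed certificate standing in for a real one.
function New-SampleCertificate([string]$CommonName, [string[]]$DnsNames) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$CommonName", $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($DnsNames) {
        $san = [SubjectAlternativeNameBuilder]::new()
        $DnsNames | ForEach-Object { $san.AddDnsName($_) }
        $req.CertificateExtensions.Add($san.Build())
    }
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))
}

# Constructed endpoint; compare a certificate named "Admin" with one issued for the host.
$endpoint = 'mycluster.francecentral.cloudapp.azure.com:19000'
Test-EndpointMatchesCertificate $endpoint (New-SampleCertificate 'Admin')
Test-EndpointMatchesCertificate $endpoint (New-SampleCertificate 'sf-cluster' @('*.francecentral.cloudapp.azure.com'))
```

To run the same check against a real certificate, pass an `X509Certificate2` read from `Cert:\CurrentUser\My` instead of the sample.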