Cannot create cluster with X509 certificates (CommonNames, not thumbprints) - take 2

  • Question

  • I'm still trying to create a local (on premises) SF cluster using X509 security and certificates' common names.

    I've reduced the cluster size to one node, and (again) successfully installed an SF cluster using certificate thumbprints. I only needed to switch off checking the revocation list (the VM has no internet connectivity) by adding

                {
                    "name": "Security",
                    "parameters": [
                        {
                            "name": "CrlCheckingFlag",
                            "value": "0x80000004"
                        }
                    ]
                },
                {
                    "name": "Federation",
                    "parameters": [
                        {
                            "name": "X509CertChainFlags",
                            "value": "0x80000004"
                        }
                    ]
                }

    to the "fabricSettings" section.

    Using the same VM (restoring a checkpoint again and again) and the same certificates, I fail to create a running cluster using common names. The script creating the cluster always finishes reporting the successful creation of a cluster, and I can connect to the cluster either through PowerShell or through Service Fabric Explorer using the configured client certificates, but all the cluster does is report errors:

    Error: Get applications failed.
    Code: FABRIC_E_SERVER_AUTHENTICATION_FAILED
    Message: FABRIC_E_SERVER_AUTHENTICATION_FAILED: CertificateNotMatched 

    Error: Get cluster health failed.
    Code: FABRIC_E_SERVER_AUTHENTICATION_FAILED
    Message: FABRIC_E_SERVER_AUTHENTICATION_FAILED: CertificateNotMatched 

    Error: Get nodes failed.
    Code: FABRIC_E_SERVER_AUTHENTICATION_FAILED
    Message: FABRIC_E_SERVER_AUTHENTICATION_FAILED: CertificateNotMatched 

    The certificates I use have the following certification path:

    Main Certification Unit KG -> Certification Unit KI -> Certificate.

    "Main Certification Unit KG" is installed in localMachine\Root, "Certification Unit KI" is installed in LocalMachine\CA and certificates are installed in LocalMachine\My. Test-Certificate returns true.

    I've tried the following configurations:

        "security": {
            "ClusterCredentialType": "X509",
            "ServerCredentialType": "X509",
            "CertificateInformation": {
                "ClusterCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Cluster"
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ClusterCertificateIssuerStores": [
                    {
                        "IssuerCommonName": "Certification Unit KI",
                        "X509StoreNames": "CA"
                    }
                ],
                "ServerCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Server"
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ServerCertificateIssuerStores": [
                    {
                        "IssuerCommonName": "Certification Unit KI",
                        "X509StoreNames": "CA"
                    }
                ],
                "ReverseProxyCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-RevProxy"
                        }
                    ],
                    "X509StoreName": "My"
                },

    and

        "security": {
            "ClusterCredentialType": "X509",
            "ServerCredentialType": "X509",
            "CertificateInformation": {
                "ClusterCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Cluster"
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ServerCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Server"
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ReverseProxyCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-RevProxy"
                        }
                    ],
                    "X509StoreName": "My"
                },

    and

        "security": {
            "ClusterCredentialType": "X509",
            "ServerCredentialType": "X509",
            "CertificateInformation": {
                "ClusterCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Cluster",
                            "CertificateIssuerThumbprint": "AC16EDFCD853F463A662ED820413CCC81D439FF5"
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ServerCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Server",
                            "CertificateIssuerThumbprint": "AC16EDFCD853F463A662ED820413CCC81D439FF5"
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ReverseProxyCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-RevProxy"
                        }
                    ],
                    "X509StoreName": "My"
                },

    (AC16... is the thumbprint of the intermediate CA, "Certification Unit KI") and

        "security": {
            "ClusterCredentialType": "X509",
            "ServerCredentialType": "X509",
            "CertificateInformation": {
                "ClusterCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Cluster",
                            "CertificateIssuerThumbprint": ""
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ServerCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-Server",
                            "CertificateIssuerThumbprint": ""
                        }
                    ],
                    "X509StoreName": "My"
                },
                "ReverseProxyCertificateCommonNames": {
                    "CommonNames": [
                        {
                            "CertificateCommonName": "V-SFC01-RevProxy"
                        }
                    ],
                    "X509StoreName": "My"
                },

    None worked.

    Client certificates always work, both those specified by thumbprint and those specified by common name and issuer thumbprint.

    What am I missing? The certificate common names (like V-SFC01-Cluster) are the certificate's CN in the subject (CN=V-SFC01-Cluster), right?



    Tuesday, September 4, 2018 1:51 PM

Answers

  • Hi Micah,

    I asked the admins to open the support ticket, but I couldn't just wait for it to happen and I managed to solve the issue meanwhile :-)

    The problem was that the server certificate I used had only 'Server Authentication' in 'Enhanced Key Usage'; it lacked 'Client Authentication'.

    The fact that the (server authentication only) certificate works when used with a cluster configuration using certificate thumbprints made me sure the certificate was OK, but it turned out it wasn't.

    Thanks for your offer to help nevertheless :-)


    Thursday, September 6, 2018 6:30 PM
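    A check that would have caught the cause described in this answer before the cluster was created. It is an added example, not code from the thread or from Service Fabric; it assumes the certificates sit in LocalMachine\My under the common names and issuer CN used in the question, and it verifies that each certificate has a private key, is issued by the expected CA, and, if it carries an Enhanced Key Usage extension, lists both Server Authentication and Client Authentication (a node acts in both roles toward the other nodes).

```powershell
# Added check, not from the thread: verifies that the certificates Service
# Fabric selects by common name carry what a node needs. OIDs are the standard
# Server/Client Authentication EKUs; names are the ones used in the question.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$NameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$EkuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Test-SfCertificateUsage {
    param(
        [Parameter(Mandatory)] [string] $CommonName,
        [string] $IssuerCommonName,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $certs = Get-ChildItem $StorePath |
        Where-Object { $_.GetNameInfo($NameType, $false) -eq $CommonName }
    if (-not $certs) {
        return [pscustomobject]@{ CommonName = $CommonName; Thumbprint = $null
                                  Ok = $false; Problems = @("no certificate with CN=$CommonName in $StorePath") }
    }
    foreach ($cert in $certs) {
        $problems = @()
        # A node must present the certificate, so the private key is required.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        # With CN-based config the issuer is part of the match; compare it to the expected CA.
        $issuer = $cert.GetNameInfo($NameType, $true)
        if ($IssuerCommonName -and $issuer -ne $IssuerCommonName) {
            $problems += "issuer is '$issuer', expected '$IssuerCommonName'"
        }
        # No EKU extension means "any purpose". If one is present it must list
        # both usages: a node is a server and a client toward the other nodes.
        $eku = $cert.Extensions | Where-Object { $_ -is $EkuType }
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $ServerAuthOid) { $problems += 'EKU lacks Server Authentication' }
            if ($oids -notcontains $ClientAuthOid) { $problems += 'EKU lacks Client Authentication' }
        }
        [pscustomobject]@{ CommonName = $CommonName; Thumbprint = $cert.Thumbprint
                           Ok = ($problems.Count -eq 0); Problems = $problems }
    }
}

# Run it for the cluster and server certificates named in the question.
'V-SFC01-Cluster', 'V-SFC01-Server' | ForEach-Object {
    Test-SfCertificateUsage -CommonName $_ -IssuerCommonName 'Certification Unit KI'
} | Format-List
```

    A certificate that passes with the thumbprint-based configuration can still fail here, which is exactly the situation the answer describes.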

All replies

  • Hi Sebastian. It seems you have been having issues with this same subject for a bit.

    Would you be able to open a technical support ticket so we can get you in touch with a Service Fabric engineer to help get this solved for good?

    If you don't have the ability to open a ticket, you can email me at AzCommunity@microsoft.com and provide me with your SubscriptionID and a link to this thread, and I can enable one for you.

    Tuesday, September 4, 2018 8:38 PM