How to renew X509 certificates for Fabric Cluster

The documentation on renewing x509 certificates in Service Fabric is incomprehensible to me regarding non-Azure (On-Prem) installations: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-upgrade-windows-server

I followed these steps, but they didn’t work.

  • Updated json template to configure the cluster so that the fingerprint of the original certificate is now "ThumbprintSecondary".
  • Added a new certificate thumbprint in the "Thumbprint" section, e.g.

    "security": {
        "metadata": "The X509 credential type indicates that it is a cluster using X509 certificates. The fingerprint format is d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64.",
        "ClusterCredentialType": "X509",
        "ServerCredentialType": "X509",
        "Reference": {
            "ClusterCertificate": {
                "Thumbprint": "New Thumbprint",
                "ThumbprintSecondary": "Old fingerprint",
                "X509StoreName": "My"
            },
            "ServerCertificate": {
                "Thumbprint": "New Thumbprint",
                "ThumbprintSecondary": "Old fingerprint",
                "X509StoreName": "My"
            },

  • Installed the new pfx certificate and updated the ACL for "NETWORK SERVICE".

  • Ran Start-ServiceFabricClusterConfigurationUpgrade -ClusterConfigPath "Path to json configuration file"

To answer your question: there is no way to "renew" the certificate for Service certificate on the local cluster. I opened a ticket with Microsoft on this problem (117011115158708), and they replied that it will be fixed in version 5.5. Now this version is missing and the problem is still not fixed. They should get back to me with an answer about this problem; I will try to keep this post updated.

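A pre-flight check for the configuration layout listed in the question, added here as an example; it is not code from the post or from Microsoft. The function names are hypothetical, the section key "Reference" is taken as it appears in the question, and the sample thumbprints are constructed.

```python
import re

_INVISIBLE = re.compile(r"[\u200b\u200e\u200f\ufeff]")

def normalize(thumbprint):
    """Strip spaces and invisible marks (e.g. U+200E from a pasted thumbprint); return (hex, had_invisible)."""
    cleaned = _INVISIBLE.sub("", thumbprint)
    return re.sub(r"\s+", "", cleaned).upper(), cleaned != thumbprint

def _find(obj, key, where, problems):
    """Look up key, flagging whitespace-padded variants such as ' My '."""
    for k, v in obj.items():
        if k.strip() == key:
            if k != key:
                problems.append(f"{where}: key {k!r} has stray whitespace")
            return v
    problems.append(f"{where}: missing {key}")
    return None

def check_rollover(security, old_thumbprint, section_key="Reference"):
    """List problems in the rollover layout; section_key is as written in the question."""
    problems = []
    old, _ = normalize(old_thumbprint)
    certs = security.get(section_key, {})
    for name in ("ClusterCertificate", "ServerCertificate"):
        entry = _find(certs, name, section_key, problems) or {}
        seen = {}
        for field in ("Thumbprint", "ThumbprintSecondary"):
            raw = _find(entry, field, name, problems)
            if raw is None:
                continue
            seen[field], hidden = normalize(raw)
            if hidden:
                problems.append(f"{name}.{field}: contains invisible characters")
            if not re.fullmatch(r"[0-9A-F]{40}", seen[field]):
                problems.append(f"{name}.{field}: not 40 hex digits")
        if seen.get("ThumbprintSecondary") != old:
            problems.append(f"{name}: old certificate is not ThumbprintSecondary")
        if seen.get("Thumbprint") == old:
            problems.append(f"{name}: Thumbprint still points at the old certificate")
        store = _find(entry, "X509StoreName", name, problems)
        if isinstance(store, str) and store != store.strip():
            problems.append(f"{name}.X509StoreName: {store!r} has stray whitespace")
    return problems

# Constructed sample: OLD reuses the format string quoted in the question; the new value is made up.
OLD = "d5 ec 42 3b 79 cb e5 07 fd 83 59 3c 56 b9 d5 31 24 25 42 64"
SAMPLE = {"Reference": {
    "ClusterCertificate": {"Thumbprint": "\u200e" + "0A" * 20, "ThumbprintSecondary": OLD, "X509StoreName": " My "},
    " ServerCertificate ": {"Thumbprint": OLD, "ThumbprintSecondary": OLD, "X509StoreName": "My"}}}
```

An empty result from `check_rollover(SAMPLE, OLD)` would mean only that the file matches the steps listed in the question; it does not address the limitation reported in the answer.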

Source: https://habr.com/ru/post/1676269/

