SSL Guidelines (eg: Protocol="https" Port="443") #3

Closed
jameskeongchen opened this Issue Nov 25, 2015 · 30 comments

jameskeongchen commented Nov 25, 2015

Great sample by Vaclav Turecek

regarding the service-fabric-dotnet-web-reference-app/ReferenceApp/Web.Service/PackageRoot/ServiceManifest.xml

In the interests of good security, can the documentation/sample be expanded to also cover HTTPS/SSL endpoints? (eg: Protocol="https" Port="443")

I think service-fabric-dotnet-web-reference-app/ReferenceApp/Web.Service/OwinCommunicationListener.cs also needs to be adjusted to handle SSL?

Anywhere else?

jameskeongchen commented Dec 3, 2015

Making progress on this - got an SSL endpoint working on port 443 on the local Service Fabric development cluster:

In the ServiceManifest.xml set the endpoint:

<Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" />

In the OwinCommunicationListener.cs after setting the serviceEndpoint get the protocol:

EndpointProtocol protocol = serviceEndpoint.Protocol;

Then also update the listeningAddress to take into account the protocol:

                this.listeningAddress = string.Format(
                    CultureInfo.InvariantCulture,
                    //"http://+:{0}/{1}",
                    "{0}://+:{1}/{2}",
                    protocol,
                    port,
                    string.IsNullOrWhiteSpace(this.appRoot)
                        ? string.Empty
                        : this.appRoot.TrimEnd('/') + '/');

You can now publish to the local cluster and use the following in an elevated command prompt to bind your certificate to the local port:

netsh http add sslcert ipport=0.0.0.0:443 appid="{12345678-db90-4b66-8b01-88f7af2e36bf}" certhash="<your-certificate-thumbprint>"

jameskeongchen commented Dec 3, 2015

One question still remains; what is the Service Fabric best practice to deploy the cert and bind it to each of the nodes in an Azure Cloud deployment?


mani-ramaswamy commented Dec 3, 2015

You can use keyvault to do this - which is also what we suggest when creating a secure cluster (https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-security/)

This link might also help : http://blogs.technet.com/b/kv/archive/2015/07/14/vm_2d00_certificates.aspx


jameskeongchen commented Dec 4, 2015

Hey Mani, thanks very much for that link; I'm actually already using the secured cluster so deploying the certs can be done like you say with keyvault - how about the final part, binding the cert to port 443 on all the nodes?

Is this as simple as crafting a PowerShell script to remotely execute the following binding on each of my nodes?:

netsh http add sslcert ipport=0.0.0.0:443 appid="{12345678-db90-4b66-8b01-88f7af2e36bf}" certhash="<your-certificate-thumbprint>"

msfussell commented Dec 4, 2015

For the "how about the final part, binding the cert to port 443 on all the nodes?" part, this is simply done in the application XML manifest for an imported service like this.

<Policies>
  <EndpointBindingPolicy EndpointRef="<endpointname>" CertificateRef="<your-certificate-thumbprint>" />
</Policies>

See the doc here with an example - https://azure.microsoft.com/en-us/documentation/articles/service-fabric-application-runas-security/

This may be useful to add into the sample now this is https enabled.


jameskeongchen commented Dec 8, 2015

Thanks Mark,

That was the final piece, it works well locally and cloud deployed.

The ServiceManifest endpoint that worked was:

    <Endpoints>
      <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="Cert1"/>
    </Endpoints>

and the ApplicationManifest uses the EndpointBindingPolicy you suggested:

   <ServiceManifestImport>
    ...
      <Policies>
         <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="Cert1" />
      </Policies>
   </ServiceManifestImport>

and finally the certificate reference is also needed at the end of the ApplicationManifest:

   <Certificates>
      <EndpointCertificate X509FindValue="<certificate-thumbprint>" Name="Cert1" />
   </Certificates>

I've closed this now - thank you both again for your fast help! Service Fabric is great!!

amitavmohanty01 commented Jan 12, 2016

@jameskeongchen I tried the config changes as suggested by you. This results in a cert being used for SSL. Also, the same cert has to be passed by the client for authentication. In IE, I had to select a login cert. In the manifest there is a cluster certificate, a server certificate and a client certificate. I am assuming client login is enabled by the setting client certificate. Now, I want to know the following.

  1. How can I avoid that?
  2. How can I have a different certificate as client certificate?

jameskeongchen commented Jan 13, 2016

Glad you got SSL working too. Haven't really gone further than that but your questions are a logical expansion.

  1. I'm no expert but to avoid using a client cert for login you could just use an unsecured cluster - obviously wouldn't recommend that! and

  2. although I haven't tested this, my approach would be to use the client cert I wanted for the setup of the cluster, and then use the "Updating certificates" section of the article Mani mentioned: http://blogs.technet.com/b/kv/archive/2015/07/14/vm_2d00_certificates.aspx

That would let you push additional certificates to the VMs in the cluster which you could then reference separately from the service fabric manifest. Hope that helps - let us know how you go!?

jmblakl commented Mar 2, 2016

@msfussell Can you explain the difference between the Primary Certificate that is required by the cluster for security and the Admin thumbprint/ Read Only Thumbprint? Is the primary used for SSL traffic only and the other two for authorization into the cluster manager?

AndreasM009 commented Mar 11, 2016

Hm, I did all the things described in the upper posts to get SSL running in my cluster. First I was happy to deploy a secured cluster and that I have to authenticate myself using a certificate when I'm using the Service Fabric Explorer. That's great. After that I tried to set up SSL for my Stateless WebApi Services as described by jameskeongchen. But it does not work. I always get an Activation error when I try to deploy my Service to Azure. When I try to debug the service locally, the service does not start up. Any ideas?


jameskeongchen commented Mar 11, 2016

@AndreasM009 try checking the output window in Visual Studio for more insight into why your service won't start locally.

AndreasM009 commented Mar 11, 2016

@jameskeongchen It works now, thank you. Now I have a problem with StatefullServices when I host them in Azure. On Activation a TargetInvocationException is thrown, locally it works fine.

AndreasM009 commented Mar 12, 2016

@jameskeongchen
Sorry today it is not working right now. When I try to debug my Service I get the following Warnings from my local Service Fabric Installation:
ConfigurePortCertificate: httpsPort=XYZ, certStoreName My, certfindvalue , error AlreadyExists
Failed to configure port certificate for port: XYZ, certificatefindvalue , error AlreadyExists
Failed to remove ACL for port 8082 principalSid S-1-5-20. ErrorCode=NotFound
Failed to remove port entry from map for port XYZ. ErrorCode=NotFound

Can this be the reason why my Service Activation fails?
Can you tell me where I can find more detailed logs?

AndreasM009 commented Mar 12, 2016

@jameskeongchen
Now I tried to bind to another port and I get the following Errors:
RegisterHttpUrlAcl returned errorcode 0x800700b7

Any Idea?

AndreasM009 commented Mar 18, 2016

@jameskeongchen
Now it works, I had to update to version 1.5.175.

msfussell commented Mar 27, 2016

@jmblakl
Re your questions on the use of the different certs, read this https://azure.microsoft.com/en-gb/documentation/articles/service-fabric-cluster-security/#secure-a-service-fabric-cluster-by-using-certificates article, notably the section starting with Admin client and Read only client certs.

Admin Client: This information is used to validate that the client that is connecting to the cluster management endpoint is presenting the right credential to perform admin and read-only actions on the cluster. You can specify more than one certificate that you want to authorize for admin operations.

Thanks.

msfussell reopened this Mar 27, 2016

msfussell closed this Mar 27, 2016

masnider referenced this issue Apr 26, 2016: HTTPS #19 (Closed)

MegaMax93 commented May 3, 2016

If this is the wrong place for adding my experience with all the existing guidelines regarding HTTPS, I am sorry. Please give me feedback if this is the case.

I want an https endpoint for my stateless Web API service hosted in a local Service Fabric (GA version) cluster. After achieving that, I want to deploy my cluster in Azure.

I followed the steps in the "Secure a Service Fabric cluster" article of the service fabric documentation and created a self-signed certificate and uploaded it to my key vault. I also imported my certificate to my machine's "trusted people" store with the Import-PfxCertificate commands on step 2.5.

AddCertToKeyVault:

Invoke-AddCertToKeyVault -SubscriptionId <Id> -ResourceGroupName 'ResourceGroupName' -Location 'West Europe' -VaultName 'VaultName' -CertificateName 'TestCert' -Password '****' -CreateSelfSignedCertificate -DnsName 'www.<clustername>.westeurope.cloudapp.azure.com' -OutputPath 'C:\MyCertificates'

Now I adjusted the ServiceManifest.xml, ApplicationManifest.xml (like in RunAs: Run a Service Fabric application with different security permissions) and my OwinCommunicationListener.cs:

ServiceManifest.xml (MasterDataServiceWebApi):

<?xml version="1.0" encoding="utf-8"?>
<ServiceManifest Name="MasterDataServiceWebApiPkg"
                     Version="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ServiceTypes>
    <StatelessServiceType ServiceTypeName="MasterDataServiceWebApiType" />
  </ServiceTypes>

  <CodePackage Name="Code" Version="1.0.0">
    <EntryPoint>
      <ExeHost>
        <Program>MasterDataServiceWebApi.exe</Program>
      </ExeHost>
    </EntryPoint>
  </CodePackage>

  <ConfigPackage Name="Config" Version="1.0.0" />

  <Resources>
    <Endpoints>
      <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="5030" CertificateRef="TestCert"/>
    </Endpoints>
  </Resources>
</ServiceManifest>

ApplicationManifest:

<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="exCHANGETestCluster2Type" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
   <Parameters>
      <Parameter Name="MasterDataServiceWebApi_InstanceCount" DefaultValue="-1" />
   </Parameters>
   <ServiceManifestImport>
      <ServiceManifestRef ServiceManifestName="MasterDataServiceWebApiPkg" ServiceManifestVersion="1.0.0" />
      <ConfigOverrides />
      <Policies>
         <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="TestCert" />
      </Policies>
   </ServiceManifestImport>
   <DefaultServices>
      <Service Name="MasterDataServiceWebApi">
         <StatelessService ServiceTypeName="MasterDataServiceWebApiType" InstanceCount="[MasterDataServiceWebApi_InstanceCount]">
            <SingletonPartition />
         </StatelessService>
      </Service>
   </DefaultServices>
   <Certificates>
      <EndpointCertificate X509FindValue="<Thumbprint>" Name="TestCert" />
   </Certificates>
</ApplicationManifest>

OwinCommunicationListener.cs:

[...]
public Task<string> OpenAsync(CancellationToken cancellationToken)
    {
      var serviceEndpoint = this.serviceContext.CodePackageActivationContext.GetEndpoint(this.endpointName);
      int port = serviceEndpoint.Port; //NEW!

      if (this.serviceContext is StatefulServiceContext)
      {
        [...]
      }
      else if (this.serviceContext is StatelessServiceContext)
      {
        var protocol = serviceEndpoint.Protocol;

        this.listeningAddress = string.Format(
            CultureInfo.InvariantCulture,
            //"http://+:{0}/{1}",
            "{0}://+:{1}/{2}", //NEW!
            protocol,
            port,
            string.IsNullOrWhiteSpace(this.appRoot)
                ? string.Empty
                : this.appRoot.TrimEnd('/') + '/');
      }
      else
      {
        throw new InvalidOperationException();
      }
[...]

When I deploy the stateless service to my local cluster now, my service fabric explorer reports some very "expressive" errors and I am not able to access my service:

Kind        Health State  Description
=============================================================================
Services    Error         Unhealthy services: 100% (1/1), ServiceType='MasterDataServiceWebApiType', MaxPercentUnhealthyServices=0%.
Service     Error         Unhealthy service: ServiceName='fabric:/sfCluster/MasterDataServiceWebApi', AggregatedHealthState='Error'.
Partitions  Error         Unhealthy partitions: 100% (1/1), MaxPercentUnhealthyPartitionsPerService=0%.
Partition   Error         Unhealthy partition: PartitionId='e5635b85-3c23-426b-bd12-13ae56796f23', AggregatedHealthState='Error'.
Event       Error         Error event: SourceId='System.FM', Property='State'. Partition is below target replica or instance count.

Visual Studio isn't providing me with any further error details. It's quite the opposite. The stack trace prints: fabric:/sfCluster/MasterDataServiceWebApi is ready.

What did I miss? Did I configure something wrong?

BTW: After that, I created a new cluster in Azure with my self-signed certificate, but when I try to access the Service Fabric Explorer of this cluster I have no UI and a blank site.


masnider commented May 3, 2016

Hi @MegaMax93, the errors you see in VSTS are common and could be present if the cluster is just starting up. If all the services were ready after that then I would expect things to generally be working. Can you share what you see in Service Fabric Explorer for this cluster?

xirzec commented May 3, 2016

I'm hitting the same problem. I can add the <EndpointCertificate> and I can update the ServiceManifest to use the right protocol and reference the certificate, but if I deploy with the <EndpointBindingPolicy> connecting the two the app crashes infinitely (failed activation) and Fabric keeps restarting it. No helpful diagnostic logs showing up :(

xirzec commented May 3, 2016

Digging through the event viewer turned up some more details: HttpCertCfg returned errorcode 0x80070520 for port 443

MegaMax93 commented May 4, 2016

@masnider

[five Service Fabric Explorer screenshots: service fabric explorer_1, _2_1, _2_2, _3_1, _3_2]

After building, the service fabric is setting the replica to 'active' but shortly after that it loses the connection to this replica and service fabric is trying to rebuild it on another node.

@xirzec sadly, this error doesn't show up in my diagnostic events window.. :/

masnider commented May 4, 2016

@xirzec, is 0x80070520 "ERROR_NO_SUCH_LOGON_SESSION A specified logon session does not exist. It may already have been terminated." This usually means that the cert is not in the expected store on the machine, or may also mean that the thumbprint is not correct (we see this a lot when copying thumbprint values out of MMC as sometimes weird extra invisible characters get appended, please check). Some other data might be found here: http://stackoverflow.com/questions/35307118/how-to-configure-ssl-on-a-self-hosted-web-api-in-azure-service-fabric and here http://stackoverflow.com/questions/36991658/stateless-web-api-on-azure-service-fabric-over-https/37032732#37032732

xirzec commented May 4, 2016

I figured out my trouble. Since I had followed the same instructions @MegaMax93 did and used Import-PfxCertificate I had imported the SSL certificate I wanted to use to the current user store instead of the local machine store, which is why Service Fabric couldn't find it.

@MegaMax93 if you want to try what I did, just tweak the command slightly: Import-PfxCertificate -Exportable -CertStoreLocation cert:\localMachine\my -FilePath C:\cert.pfx -Password (Read-Host -AsSecureString -Prompt "Enter Certificate Password") - you also have to make sure to run it from an admin powershell instance. Re-reading your above comment, seems like maybe you put it inside of Trusted People instead of my?
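A check for the two failure modes discussed above (the certificate imported into CurrentUser instead of LocalMachine, and a thumbprint polluted by invisible characters copied out of MMC), written as an added PowerShell example that is not part of this thread; the default thumbprint is a constructed placeholder and the store path Cert:\LocalMachine\My is the one the thread identifies as the store Service Fabric reads.

```powershell
# Added example: verify an HTTPS endpoint certificate is where Service Fabric
# will look for it, before deploying an EndpointBindingPolicy.
param(
    # Constructed sample: 40 hex digits with spaces and a leading U+200E
    # (LEFT-TO-RIGHT MARK), the invisible character MMC copies along.
    [string]$Thumbprint = "$([char]0x200E)A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90 A1B2 C3D4"
)

# 1. Keep only hex digits; a SHA-1 thumbprint must be exactly 40 of them.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Thumbprint sanitized to '$clean' ($($clean.Length) chars); expected 40 hex digits."
}
if ($clean -ne $Thumbprint.ToUpperInvariant()) {
    Write-Warning "Thumbprint contained non-hex characters; use '$clean' in the manifest."
}

# 2. Look in the store Service Fabric actually uses (LocalMachine\My).
#    A hit in CurrentUser\My only explains why the cert looked installed.
$machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
$userCert    = Get-ChildItem Cert:\CurrentUser\My  | Where-Object Thumbprint -eq $clean

if (-not $machineCert) {
    if ($userCert) {
        Write-Warning "Certificate $clean is only in CurrentUser\My; re-import it with -CertStoreLocation Cert:\LocalMachine\My from an elevated PowerShell."
    } else {
        Write-Warning "Certificate $clean not found in LocalMachine\My or CurrentUser\My."
    }
    exit 1
}

# 3. The HTTPS binding needs the private key; a .cer import has none.
if (-not $machineCert.HasPrivateKey) {
    Write-Warning "Certificate $clean is present but has no private key; import the .pfx, not the .cer."
    exit 1
}

Write-Output "OK: $($machineCert.Subject) in LocalMachine\My, expires $($machineCert.NotAfter)"
```

Run it from an elevated PowerShell on each node (or the local dev cluster machine), since only an administrator can read LocalMachine\My reliably.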

RajeetN commented May 4, 2016

@xirzec, that is correct Service Fabric only looks in Local Machine store. If you look at DeployedApplication health in Service Fabric Explorer it should bubble up the error that causes activation to fail.

MegaMax93 commented May 6, 2016

@xirzec Thank you so much, that worked for my local cluster! :) I imported my certificate into Cert:\CurrentUser\TrustedPeople and Cert:\CurrentUser\My before. When Service Fabric looks only in the local machine store, so are the import scripts in this tutorial wrong?

Now I have created a service fabric cluster in azure with this certificate. But when I try to access the service fabric explorer of this cluster, my browser returns a blank site. What did I do wrong?

vturecek commented May 6, 2016

Stupid questions, but:
Do you have the same cert installed on the machine from which you're accessing Service Fabric Explorer?
Are you accessing Service Fabric Explorer using https?

MegaMax93 commented May 6, 2016

@vturecek Yep, I have installed the same cert on my machine. And yes, I am accessing the service fabric explorer using https.

RajeetN commented May 6, 2016

@xirzec, no that tutorial is not wrong. It asks to import server self signed cert on your client machine so certificate validation using http clients can work. It's different from Service Fabric doing certificate lookup on cluster nodes.

xirzec commented May 7, 2016

@RajeetN Sorry, I wasn't trying to imply the tutorial was wrong, but just that the way you use a cert to authenticate to the cluster is different from how to use the same cert to host a WebAPI behind SSL on the local cluster. Rather than having to manage two signed SSL certs for the same common name, it seems pretty convenient to re-use the primary cert in this fashion as it's already present on every node. I notice that Service Fabric Explorer also uses the primary cert in this same fashion.

Most of my confusion was around the fact that services run under machine accounts and they have a separate certificate store than the current user. I think someone more familiar with IIS certificate management probably wouldn't have gotten stuck where I did. :)

alexnedelcu commented Dec 16, 2016

@MegaMax93 you can use Event Viewer to see more errors coming from your app.
