Service Fabric Cluster nodes can't get private key from certificate


I have a 5 node service fabric cluster running a single application. I have my app settings encrypted using a self signed certificate. This certificate is uploaded to keyvault, and I have fed this URL into my application. I can see the cert is being installed on my VM, and running Invoke-ServiceFabricDecryptText also returns me the correct decrypted value. However, when looking at my management console, I see this error:

Error event: SourceId='System.Hosting', Property='Activation:1.0'.
There was an error during activation.Failed to ACL folders or certificates required by application. Error:0x80090014

Looking into the node logs, I see these entries that correspond with the error above:

2016-9-7 20:09:44.541,Informational,2148,2580,Common.CryptoUtility,GetCertificate(LocalMachine, MY, FindByThumbprint:)
2016-9-7 20:09:44.541,Informational,2148,2580,Common.CryptoUtility,GetCertificate: match found: thumbprint = [thumbprint], expiration = 2017-09-02 16:08:04.000
2016-9-7 20:09:44.541,Error,2148,2580,Common.CryptoUtility,CryptAcquireCertificatePrivateKey failed. Error:0x80090014
2016-9-7 20:09:44.541,Error,2148,2580,Common.SecurityUtility,Failed to get the Certificate's private key. [thumbprint]. Error: 0x80090014
2016-9-7 20:09:44.541,Warning,2148,2580,Hosting.ProcessActivationManager,ACLing private key filename for thumbprint [thumbprint]. ErrorCode=0x80090014

I'm at a loss.

Tags: azure, ssl, azure-service-fabric
asked on Stack Overflow Sep 7, 2016 by Teknos

2 Answers


Ended up being a bad cert. The one I initially uploaded to Key Vault was an existing certificate created using New-SelfSignedCertificate in posh. I then added a second one to Key Vault by making it on the fly with the Invoke-AddCertToKeyVault command with the -CreateSelfSignedCertificate switch, and it worked.

answered on Stack Overflow Sep 8, 2016 by Teknos

That typically means that the cluster cert wasn't created correctly, since its private key is not retrievable.

If you used ServiceFabricRPHelpers.psm1 (Invoke-AddCertToKeyVault with -CreateSelfSignedCertificate) to create a self-signed certificate, you should know that it creates such an invalid cert unless PSPKI version 3.2.5 is installed. Even if you use PSPKI version 3.2.6 (or PSPKI is not installed) it will create an invalid cert, because of a bug in ServiceFabricRPHelpers.psm1. I fixed the issue here (but it's not yet merged): https://github.com/ChackDan/Service-Fabric/pull/31

As a workaround:

1. Install the latest PSPKI from https://pspki.codeplex.com/releases/view/625365
2. Before running Invoke-AddCertToKeyVault, apply the fix here https://github.com/ChackDan/Service-Fabric/pull/31 to ServiceFabricRPHelpers.psm1

Once the fix is merged I will update this thread...

answered on Stack Overflow Sep 25, 2017 by Aviad Ezra • edited Sep 25, 2017 by Aviad Ezra
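A quick way to check the condition both answers describe (a certificate in the machine store whose private key cannot be opened, which is what produces 0x80090014 / NTE_BAD_KEYSET at the ACL step) is to open the key yourself on the node. This is an added example, not code from the question or either answer; it assumes the certificate is in Cert:\LocalMachine\My and that you pass its thumbprint (placeholder parameter $Thumbprint).

```powershell
# Added example: verify that a LocalMachine\My certificate has a retrievable
# private key, roughly what Service Fabric's CryptAcquireCertificatePrivateKey
# step needs before it can ACL the key for the application.
# $Thumbprint is a placeholder; pass the thumbprint from the node log.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }

if (-not $cert) {
    Write-Host "No certificate with thumbprint $Thumbprint in LocalMachine\My"
    return
}

Write-Host "Subject:       $($cert.Subject)"
Write-Host "NotAfter:      $($cert.NotAfter)"
Write-Host "HasPrivateKey: $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    Write-Host "Store entry has no private key (PFX imported without it, or key lost)."
    return
}

try {
    # Actually open the key; a bad/missing key container throws here.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "GetRSAPrivateKey returned null (non-RSA or inaccessible key)" }

    # CNG and CAPI keys report their container differently; show which one we got.
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        Write-Host "Key provider:  CNG ($($rsa.Key.Provider.Provider))"
        Write-Host "Key name:      $($rsa.Key.KeyName)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        Write-Host "Key provider:  CAPI ($($rsa.CspKeyContainerInfo.ProviderName))"
        Write-Host "Key container: $($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
        Write-Host "Machine key:   $($rsa.CspKeyContainerInfo.MachineKeyStore)"
    }
    Write-Host "Private key opened successfully; the ACL step should be able to find it."
} catch {
    # A broken key set surfaces here as an exception (HRESULT 0x80090014 in the inner message).
    Write-Host "Failed to open the private key: $($_.Exception.Message)"
}
```

Run it in an elevated session on the affected node; a certificate that decrypts fine for your user but fails here as SYSTEM (or reports a user-profile rather than machine key container) points at the key being stored where the Fabric host cannot reach it.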

User contributions licensed under CC BY-SA 3.0