MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

"Invoke-WebRequest : Unable to retrieve certificates because the thumbprint is not valid. Verify the thumbprint and retry" #20918

Closed starforce closed 5 years ago

starforce commented 5 years ago

Hello, I have a question about using the Invoke-WebRequest PowerShell command in your example.

First let me give you some background information about my current setup. Right now, I have a Service Fabric cluster using an X.509 cert from a CA, which is used to secure the cluster. I have Admin rights. Also, I have the certificate on my local computer in the My (Personal) store. I set up AAD when I first created the cluster, which allows me to use Service Fabric Explorer and publish/update code from Visual Studio 2017. This all works fine, but the problem I am having is when I try to use the Invoke-WebRequest in your example and specify the -CertificateThumbprint. I am using the same thumbprint that I use to set up my cluster that I got from the CA. However, I always get the following error:

"Invoke-WebRequest : Unable to retrieve certificates because the thumbprint is not valid. Verify the thumbprint and retry"

Is there some reason why I cannot use the same X.509 thumbprint and cert that I use for publishing code from Visual Studio to my Service Fabric cluster and for Service Fabric Explorer? According to Microsoft documentation, "By default the cluster certificate has admin client privileges." So confused as to why this isn't working.

Thank you



jakaruna-MSFT commented 5 years ago

Thanks for the question! We are investigating and will update you shortly.

jakaruna-MSFT commented 5 years ago

@starforce I tried out in my environment. Got the same error. @MicahMcKittrick-MSFT Please look into the issue.

mimckitt commented 5 years ago

Thanks for confirming you get the same error @jakaruna-MSFT

@hrushib could you take a look at the doc and help us figure out why it doesn't work?

CC @aljo-microsoft

hrushib commented 5 years ago

@starforce, can you attach your cluster manifest and the PS command/script used.

aljo-microsoft commented 5 years ago

@starforce @hrushib @MicahMcKittrick-MSFT

Mutual Authentication.

" Any number of additional certificates can be specified for admin or user client operations. The client can use this certificate when mutual authentication is required. "

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security

@MicahMcKittrick-MSFT

Please close this.

starforce commented 5 years ago

@hrushib @MicahMcKittrick-MSFT @aljo-microsoft

Seems if I didn't have permission to execute the PowerShell script that I should not get a thumbprint error. I can connect to my cluster using Connect-ServiceFabricCluster but don't have rights to use the Invoke-WebRequest command? Doesn't seem right.

I am the owner of my AZURE portal and I set myself up as the administrator of my service fabric cluster. I have all security rights and privileges to do anything in my portal. I can upload code to the service fabric cluster and have the ability to use Service Fabric Explorer to manage the cluster, which shows that I have admin rights. When I connect to the service fabric cluster I use the email account associated with the owner of the Azure portal. So the question is how come this isn't working. We're going live in three weeks, yet I still don't have a backup solution for my .NET 2.0 core Stateful Services running on the cluster. All you are doing is cutting and pasting documentation that I've already read, but you're not giving me an answer to my question of why this isn't working. This problem was already recreated by Microsoft and I'm looking for an answer.

Thank you in advance

starforce commented 5 years ago

@hrushib

Do you still want my cluster manifest and script?

aljo-microsoft commented 5 years ago

@starforce Please review: if you need support after you go live; please open a support ticket: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-support. If you have any documentation questions, please open an issue against the applicable documentation. If you have any software issues, please file an issue in our repository: https://github.com/Microsoft/service-fabric.

@hrushib Please close this.

hrushib commented 5 years ago

@starforce, yes I want to have a look at the cluster manifest and the command you are using. Please share your cluster manifest and the command so as to have a meaningful discussion.

@aljo-Microsoft, at the moment, there are no explicit PS cmdlets for Backup Restore APIs, those are only available as REST APIs. So the links shared by you above won't be useful in this context.

aljo-microsoft commented 5 years ago

@hrushib The user stated his problem is with using "Invoke-WebRequest" against SF Runtime API using the "-certificateThumbprint" parameter.

Using that command and parameter against a publicly accessible party cluster runtime API yesterday, I succeeded.

The user also stated he had no actual issue publishing his application to his cluster from VS for Dev\Test; @starforce Nothing will prevent you from declaring the same certificate as both your server cert and client identity cert; though not recommended for production. Recommendation is to use AAD to provide a client id during FabricClient and FabricGateway mutual authentication.

Refs: https://docs.microsoft.com/azure/service-fabric/service-fabric-production-readiness-checklist https://docs.microsoft.com/azure/security/azure-service-fabric-security-best-practices https://docs.microsoft.com/azure/service-fabric/service-fabric-cluster-creation-setup-aad https://docs.microsoft.com/azure/service-fabric/service-fabric-windows-cluster-x509-security

So @starforce and @hrushib am I missing something, what other questions/issues were not addressed?

starforce commented 5 years ago

@hrushib is there an email address that I can send the manifest and PowerShell scripts to you? I don't want to publish my production Manifest for everyone to see.

aljo-microsoft commented 5 years ago

@starforce

my email is aljo@microsoft.com

@jakaruna-MSFT I provisioned a cluster just now, using a CA issued certificate, and didn't declare a client identity

I published an application from VS to my cluster without issue.

I deleted that application from my cluster using PowerShell SF Module without issue.

I invoked my cluster SF API to get cluster health without issues using the following command:

```powershell
Invoke-WebRequest -Uri "https://sfbpcluster.westus.cloudapp.azure.com:19080/`$/GetClusterHealth?api-version=6.0" -CertificateThumbprint "MY THUMBPRINT"
```

starforce commented 5 years ago

Just sent Script and Manifest

aljo-microsoft commented 5 years ago

@starforce @hrushib @jakaruna-MSFT @MicahMcKittrick-MSFT

I reproduced the error by removing my client certificate from 'My' Store.

E.G.

```powershell
Get-ChildItem Cert:\CurrentUser\My\${THUMBPRINT} | Remove-Item
```

Run the following to solve your problem:

```powershell
Import-PfxCertificate -FilePath .\${YOUR CERT NAME}.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString ${YOUR CERT PASSWORD} -AsPlainText -Force)
```

Please close this.

maburlik commented 5 years ago

Just as a sanity check, since you are presumably copy pasting the thumbprint, can you just validate the command text in a hex editor to make sure there are no hidden characters in the thumbprint? We've seen other people have byte order mark hidden characters when dealing with copy pasted certs in the past. The Microsoft cert UI contains these characters so they are carried when you copy the thumbprint.
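
The two causes raised so far for the "thumbprint is not valid" error (the certificate missing from the `My` store, and invisible characters carried along with a pasted thumbprint) can be checked in one pass. The following is an added example, not part of the thread or of the Service Fabric documentation; `Resolve-CertificateThumbprint` is a hypothetical helper name and the sample thumbprint is constructed.

```powershell
# Added illustration. Resolve-CertificateThumbprint is a hypothetical helper,
# not a built-in cmdlet.
function Resolve-CertificateThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    # Report every character that is not a hex digit by its code point, so
    # invisible ones (for example U+200E or U+FEFF) and stray spaces show up.
    $unexpected = @(
        foreach ($ch in $Thumbprint.ToCharArray()) {
            if ([string]$ch -notmatch '^[0-9A-Fa-f]$') { 'U+{0:X4}' -f [int]$ch }
        }
    )

    # Keep only hex digits; store thumbprints are compared in upper case here.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A SHA-1 thumbprint is 40 hex characters; anything else cannot match.
    $wellFormed = ($clean.Length -eq 40)

    $cert = $null
    if ($wellFormed) {
        $cert = Get-ChildItem -Path $StorePath |
            Where-Object { $_.Thumbprint -eq $clean } |
            Select-Object -First 1
    }

    [pscustomobject]@{
        CleanThumbprint = $clean
        UnexpectedChars = $unexpected
        WellFormed      = $wellFormed
        # False here is the condition reproduced in the thread by removing
        # the certificate from the 'My' store.
        InStore         = [bool]$cert
        # Client certificate authentication needs the private key as well.
        HasPrivateKey   = [bool]($cert -and $cert.HasPrivateKey)
        Subject         = if ($cert) { $cert.Subject } else { $null }
        NotAfter        = if ($cert) { $cert.NotAfter } else { $null }
    }
}

# Constructed sample: 40 hex digits pasted with a leading U+200E and spaces.
$pasted = "$([char]0x200E)01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67"

$result = Resolve-CertificateThumbprint -Thumbprint $pasted
$result | Format-List
```

Pass `CleanThumbprint` to `-CertificateThumbprint` only when `InStore` and `HasPrivateKey` are both true; otherwise import the PFX into the store first.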

starforce commented 5 years ago

I will try this solution and make sure to use a Hex Editor. I will work on this in the morning when I get back to work. I hope this works. I actually go into Azure and to my Cert Vault and go to the Cert and use the Copy function to get the Thumbprint info.

aljo-microsoft commented 5 years ago

String encoding is a very common issue:

https://blogs.msdn.microsoft.com/commandline/2016/11/17/do-not-change-linux-files-using-windows-apps-and-tools/

We recommend using Visual Studio Code when making software source edits: https://code.visualstudio.com/docs/editor/codebasics

@starforce please let us know if adding the following to our documentation would help:

```powershell
(Get-Childitem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -eq "cn=westus.cloudapp.azure.com"})[0].Thumbprint
```

E.G.

```powershell
$url = "https://<YOUR DOMAIN>.westus.cloudapp.azure.com:19080/BackupRestore/BackupPolicies/$/Create?api-version=6.4"

Invoke-WebRequest -Uri "https://sfbpcluster.westus.cloudapp.azure.com:19080/$/GetClusterHealth?api-version=6.4" -CertificateThumbprint (Get-Childitem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -eq "cn=<YOUR DOMAIN>.westus.cloudapp.azure.com"})[0].Thumbprint -ContentType 'application/json' -Method Get
```

starforce commented 5 years ago

Looks like I got further but now getting

```powershell
Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType 'application/json' -CertificateThumbprint 'XXXXXXX806E89C73A32FA4E97DD62B6AF'
```

(I changed the thumbprint here to hide it from being seen by everyone)

```
Invoke-WebRequest : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
```

I tried it the other way too and got the same error.

```powershell
Invoke-WebRequest -Uri "https://zixtysservices.eastus2.cloudapp.azure.com:19080/BackupRestore/BackupPolicies/$/Create?api-version=6.4" -CertificateThumbprint (Get-Childitem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -eq "cn=zixtysservices.com"})[0].Thumbprint -ContentType 'application/json' -Method Get
```

aljo-microsoft commented 5 years ago

@starforce That call is incorrect, did you use Post or Get like posted above?

starforce commented 5 years ago

@aljo-microsoft

Yes, I did run the script and it seemed to work, see below.

1) Ran this script:

```powershell
Import-PfxCertificate -FilePath zixtysvault-WWWZixtysServicesWWWDZixtysServices-20181228.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString $ -AsPlainText -Force)
```

2) And got the following results:

```
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
XXXXXXX3B77DD806E89C73A32FA4E97DD62B6AF   CN=zixtysservices.com, OU=Domain Control Validated
```

3) And then ran:

```powershell
Invoke-WebRequest -Uri $url -Method Post -Body $body -ContentType 'application/json' -CertificateThumbprint 'XXXXXXX806E89C73A32FA4E97DD62B6AF'
```

(I changed the thumbprint here to hide it from being seen by everyone)

```
Invoke-WebRequest : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
```

aljo-microsoft commented 5 years ago

@starforce Your subject alternative name certificate properties need to match your domain:

Your custom domain: CN=zixtysservices.com

Add it to your certificate properties SANS, and ensure you have DNS aliases that resolve to your cluster's management API IP address.
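
The name check that the reply above points at, as an added example that is not part of the thread: the host in the request URL has to appear among the DNS names of the certificate the endpoint presents, otherwise the TLS handshake is rejected. `Get-CertificateDnsName` and `Test-HostNameMatch` are hypothetical helper names; the host and subject values are the ones quoted in the thread, and the wildcard handling goes beyond the case discussed here.

```powershell
# Added illustration; both functions are hypothetical helpers, not
# Service Fabric or built-in cmdlets.

function Get-CertificateDnsName {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $names = @()
    # Subject Alternative Name extension, OID 2.5.29.17.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: the formatted text looks like "DNS Name=host" (Windows,
        # English) or "DNS:host"; other locales may print a different label.
        $names = @(
            [regex]::Matches($san.Format($false), 'DNS(?: Name)?[=:]\s*([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        )
    }
    if ($names.Count -eq 0) {
        # No SAN entries: fall back to the subject's simple name (the CN).
        $names = @($Certificate.GetNameInfo('SimpleName', $false))
    }
    return $names
}

function Test-HostNameMatch {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$CertificateName
    )

    $target = $HostName.TrimEnd('.').ToLowerInvariant()
    foreach ($name in $CertificateName) {
        $candidate = $name.TrimEnd('.').ToLowerInvariant()
        if ($candidate -eq $target) { return $true }

        # A wildcard covers exactly one left-most label:
        # *.example.com matches a.example.com, not a.b.example.com.
        if ($candidate.StartsWith('*.')) {
            $first, $rest = $target -split '\.', 2
            if ($rest -and (".$rest" -eq $candidate.Substring(1))) { return $true }
        }
    }
    return $false
}

# Values quoted in the thread: the certificate subject and the URL called.
$certNames  = @('zixtysservices.com')
$calledHost = ([uri]'https://zixtysservices.eastus2.cloudapp.azure.com:19080/').Host

[pscustomobject]@{
    CalledHost       = $calledHost
    CertificateNames = $certNames -join ', '
    CalledHostMatch  = Test-HostNameMatch -HostName $calledHost -CertificateName $certNames
    CustomHostMatch  = Test-HostNameMatch -HostName 'zixtysservices.com' -CertificateName $certNames
} | Format-List

# With the cluster certificate in the local store (placeholder thumbprint):
# $cert = Get-Item 'Cert:\CurrentUser\My\<THUMBPRINT>'
# Test-HostNameMatch -HostName $calledHost -CertificateName (Get-CertificateDnsName $cert)
```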

starforce commented 5 years ago

@aljo-microsoft

According to Microsoft's own documentation you cannot get a certificate from a CA for zixtysservices.eastus2.cloudapp.azure.com. It's just not allowed. I do not have direct access to Microsoft's server to provide certain information that a CA would need for verification that I own that domain name.

What you have to do is get a certificate for your own custom domain (zixtysservices.com) and set your custom domain to route to the service fabric URL (zixtysservices.eastus2.cloudapp.azure.com). So when I go to https://www.zixtysservices.com, which matches the CN for the certificate given to me by my CA, it routes it to the service fabric URL. This all works fine and well right now in production.

There's a whole long documentation on how to set this up

starforce commented 5 years ago

@aljo-microsoft

Here's an article on how to add a custom domain name certificate issued by a CA for your service fabric cluster.

https://ronaldwildenberg.com/custom-domain-name-and-certificate-for-your-azure-service-fabric-cluster/

starforce commented 5 years ago

@aljo-microsoft

I found the Microsoft documentation and it states:

The certificate's subject name must match the domain that you use. You cannot obtain an SSL certificate from a certificate authority (CA) for the *.cloudapp.azure.com domain. You must obtain a custom domain name for your cluster. When you request a certificate from a CA, the certificate's subject name must match the custom domain name that you use for your cluster.

aljo-microsoft commented 5 years ago

@starforce

Yes. Your SANS cannot == *.cloudapp.azure.com

As this isn't unique, and you don't own 'cloudapp.azure.com'.

Map a DNS alias to your cluster's management API IP address:

https://docs.microsoft.com/azure/dns/tutorial-alias-pip

starforce commented 5 years ago

@aljo-microsoft and how would I prove to the ca that I own that domain?

Now able to do that with a self-signed cert yes but not one from a CA

Are you using a self-signed cert or one issued from a CA?

aljo-microsoft commented 5 years ago

I have done this with both self signed, and CA issued certs daily:

https://github.com/aljo-microsoft/demo/blob/master/deploy/servicefabric_bestpractices.py:

For self signed:

```python
import json
import sys
from subprocess import PIPE, Popen

# Excerpt from a class method: `self` supplies dns_name, user_email,
# keyvault_name and certificate_name.
default_policy_process = Popen(["az", "keyvault", "certificate", "get-default-policy"], stdout=PIPE, stderr=PIPE)

stdout, stderr = default_policy_process.communicate()

if default_policy_process.wait() == 0:
    default_policy_json = json.loads(stdout.decode("utf-8"))
else:
    sys.exit(stderr)

# Set Subject Name to FQDN
# Browsers won't trust certificates with subject names that don't match FQDN
default_policy_json['x509CertificateProperties']['subject'] = "CN=" + self.dns_name
default_policy_json['x509CertificateProperties']['sans'] = {'dns_names': [self.dns_name], 'emails': [self.user_email], 'upns': [self.user_email]}
policy_file_name = "policy.json"
policy_file_arg = "@" + policy_file_name
# Close the policy file before az reads it
with open(policy_file_name, 'w') as policy_file:
    json.dump(default_policy_json, policy_file)

certificate_create_process = Popen(["az", "keyvault", "certificate", "create", "--vault-name", self.keyvault_name, "-n", self.certificate_name, "-p", policy_file_arg], stdout=PIPE, stderr=PIPE)

# communicate() drains both pipes so the child cannot block on a full buffer
stdout, stderr = certificate_create_process.communicate()
if certificate_create_process.returncode != 0:
    # Exit with the error text (non-zero status) instead of a silent success code
    sys.exit(stderr)
```

For CA issued, I went through my CA's portal to request my Fully Qualified Domain, and then I went through Azure's portal and added additional SANS.

NOTE: Self Signed Certificates can not be declared by common name, nor do their x509 properties enable secure discovery of renewal thumbprint; so all operation of rotating them requires human action or a custom non-supported solution. Keyvault Integrated Certificate Authorities issued certificates are recommended for cluster security, and Azure Active Directory is recommended for Client Identity.

starforce commented 5 years ago

Please send me the documentation on how to associate a Microsoft service fabric URL with a CA issued certificate and have it as part of the CN or SAN.

aljo-microsoft commented 5 years ago

@starforce

On Portal Blade for Keyvault certificates:

https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/<YOUR SUBSCRIPTION>/resourceGroups/<YOUR RG>/providers/Microsoft.KeyVault/vaults/<YOUR VAULT>/certificates

Click create certificate.

On this blade add the DNS names you own; E.G. The ones that you registered with your CA, and resolves to your service.

starforce commented 5 years ago

@aljo-microsoft

Let me try this and I'll get back to you.

thank you for all your help

aljo-microsoft commented 5 years ago

@starforce

If you did not register your DNS name with your CA you will receive an error like:

Raw Error Message: You do not have permission to request auto approval for the site aljotestcert.westus.cloudapp.azure.com,aljotestdns.westus.cloudapp.azure.com with Azure Id <MY Subscription>.

In this case I attempted to provision a Common Name cert == aljotestcert.westus.cloudapp.azure.com, and provided a DNS Name == aljotestdns.westus.cloudapp.azure.com using my subscription; which failed as I don't own those domains yet.

starforce commented 5 years ago

@aljo-microsoft

Let me try to take a look at this. Seems like first I need to register my service fabric URL in the Azure portal using the instruction you just gave me and then go to my CA and add the service fabric URL as a SAN.

aljo-microsoft commented 5 years ago

Azure Keyvault is the recommended Secrets Management solution for Service Fabric Cluster Certificates, and Service Fabric is not prescriptive about how you obtain or deploy your certificates to your Scale Sets; we recommend using ARM VMSS Resource Property to deploy reliably, and use an Integrated CA, DigiCert or GlobalSign.

DigiCert and GlobalSign are integrated CAs that can issue you certificates; I defer to their documentation for how to complete their validation process.

Similar questions: https://github.com/Azure/service-fabric-issues/issues/1209 https://github.com/Microsoft/service-fabric/issues/163 https://feedback.azure.com/forums/170024-additional-services/suggestions/16957756-add-integration-with-let-s-encrypt

aljo-microsoft commented 5 years ago

@starforce @hrushib @jakaruna-MSFT @MicahMcKittrick-MSFT Please close this as the user posted issue has been resolved.

starforce commented 5 years ago

Hello, I really need to get backup going for my .NET CORE 2.0 Stateful apps and so far the suggestions I received here are not working.

Begin Issue below:

Hello, I just tried registering my Service Fabric Cluster domain name through DigiCert and could not.

I just tried to secure a CERT for my Service Fabric Cluster (http://zixtysservices.eastus2.cloudapp.azure.com/), but according to DigiCert, who is an integrated partner with Microsoft when acquiring SSL, you cannot request a cert on any Microsoft domain name. See below.

“For legal reasons we unfortunately are not allowed to issue any certificates to any domain names that are using any of Microsoft's trademarks. This included "azure". You can review the General Trademark Guidelines issued by Microsoft themselves. https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general.aspx In the Additional Guidelines for Advertising Collateral, Marketing, and Product Packaging, and then Websites section it reads: "Do not use any Microsoft trademark in the title of your website or as a second-level domain name. You may not use any Microsoft logo without a license or written specifications from Microsoft." Sorry about the inconvenience. Let us know how you would like to proceed with this order”

So since you CANNOT get a cert on a Microsoft Domain, your solution for my WebInvoke issue will not work. `Import-PfxCertificate -FilePath ..pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -AsPlainText -Force)` cannot work because I cannot obtain a CERT to have my CN=zixtysservices.eastus2.cloudapp.azure.com

As I have stated before, a CA verifies ownership of a DOMAIN in a few ways: TXT record, placing an HTML file in a certain location on the server, or doing a Whois to the domain owner and sending an email to the ADMIN.

So who can help me get backup working properly, because you cannot have .azure.com in your CN and get a CERT?

aljo-microsoft commented 5 years ago

@starforce and @MicahMcKittrick-MSFT First thank you for your patience and persistence with ensuring we provide accurate information.

You are correct that only MSFTE like myself can provision a DNS name for any MS Azure records.

So you will need to create a DNS alias for your domain, and how is subject to your architecture:

If your management endpoint API is exposed by your Public IP for your load balancer: https://docs.microsoft.com/azure/dns/tutorial-alias-pip

If your management endpoint API is exposed by a Traffic Manager: https://docs.microsoft.com/azure/dns/tutorial-alias-tm

With your DNS alias mapped to your cluster's management IP, you can declare your management endpoint cluster property to use your DNS alias FQDN.

E.G.

 "managementEndpoint": "[concat('<YOUR DNS FQDN ALIAS>',':',variables('nt0fabricHttpGatewayPort'))]",

Let me know if this resolves your issue.

starforce commented 5 years ago

@aljo-microsoft
I will take a look at this. We are using a Load Balancer to direct traffic to the cluster. Please do not close this issue until we find a solution. It is very important to get this working. I will start work on this tomorrow and provide feedback.

starforce commented 5 years ago

@aljo-microsoft @MicahMcKittrick-MSFT

I don't know what this means below. Please provide an example. Is this an ARM script, PowerShell? Where would I make this change after setting up my alias? Are you sure this is going to work?

With your DNS alias mapped to yours clusters management IP, you can declare your management endpoint cluster property to use your DNS alias FQDN.

E.G.

"managementEndpoint": "[concat('',':',variables('nt0fabricHttpGatewayPort'))]",

aljo-microsoft commented 5 years ago

@starforce

Following: https://docs.microsoft.com/azure/dns/dns-delegate-domain-azure-dns

I've bought a new domain today from GoDaddy, and updated my name servers to a new DNS Zone created in Azure; since this is where I plan to host my domain.

Currently GoDaddy states: "After updating your nameservers, allow 4 to 8 hours for other networks to access information for .com and .net domain names"

Ref: https://www.godaddy.com/help/set-custom-nameservers-for-domains-registered-with-godaddy-12317

Going to the portal blade for a Keyvault certificate, I Generated a certificate Request, by configuring DigiCert as my provider, and using my domain name as the common name and dns name in my request; documented here: https://www.digicert.com/azure-key-vault/connect-to-certcentral-quick-start-guide.htm

Note: The password field in Azure Portal Blade is for an API Key, not your DigiCert CertCentral account.

The provider in this case not only validated the details of my GoDaddy registered domain (Address, name, phone number), but also required I provide additional details (Gov ID, work flow approval process, phone call with me, email link I had to click, and then stated they needed more time for a secondary compliance check validation by a second person before they will approve the CSR I have already approved). If things complete as intended, I should have a certificate for my custom domain when I wake up issued by a 3rd party; without a cluster or webserver provisioned (enabled by me buying and owning a domain record from a 3rd party Domain registrar, and KV's Integrated CA's verification process)

Next I will use the previously provided links to map my custom domain to a traffic manager, which will front my Primary Node Types Loadbalancer, and resolve to my management API IP address (where SF system services from my cluster will serve the SF Client API https://docs.microsoft.com/rest/api/servicefabric/sfclient-index); will update tomorrow with results.

Also yes the managementEndpoint is a property of the ARM template cluster resource; example here: https://github.com/Azure-Samples/service-fabric-cluster-templates/blob/master/7-VM-Windows-3-NodeTypes-Secure-NSG/AzureDeploy.json

starforce commented 5 years ago

@aljo-microsoft

Going to wait on your results before I start.

aljo-microsoft commented 5 years ago

@starforce Certificate was provisioned for my custom domain in KV from Digicert using previously provided instructions. Starting the DNS configurations shortly, and will provision a cluster today.

Note: " When you copy each name server address, make sure you copy the trailing period at the end of the address. The trailing period indicates the end of a fully qualified domain name. Some registrars append the period if the NS name doesn't have it at the end. To be compliant with the DNS RFC, include the trailing period. " Ref https://docs.microsoft.com/azure/dns/dns-delegate-domain-azure-dns

GoDaddy appends the trailing period, so including the last period of any of your 4 naming servers, will result in a GoDaddy error; just remove the last period when updating those names.

aljo-microsoft commented 5 years ago

@starforce

With my certificate provisioned for my custom domain, I provisioned a TrafficManager using the following, and standard cluster resources:

https://github.com/aljo-microsoft/demo/blob/master/deploy/Deploy-2NodeTypes-3ScaleSets.endpoint.json

and executed

```
az group deployment create -g sfbpdeployrg --name sfbptrafficmanager --template-file AzureDeploy.json --parameters @AzureDeploy.parameters.json
```

Then following this documentation I configured my DNS Zone Alias Record for my provisioned trafficmanager:

https://docs.microsoft.com/azure/dns/tutorial-alias-tm#create-an-alias-record

aljo-microsoft commented 5 years ago

@starforce @hrushib @jakaruna-MSFT @MicahMcKittrick-MSFT

I've now provided all steps on how to configure SF (managementendpoint) to support your custom domain; this property updates Portal SFX URL.

I also provided the guidance on how to acquire from a 3rd party a certificate for your custom domain, by using an Integrated CA to get a certificate for a custom domain, which supports validation processes that don't require you to provision your cluster first.

This will allow you to provision your cluster using common name and a 3rd party custom domain certificate.

That said, please close this.

Note: Using the managementendpoint property only changes portal. If you don't successfully create an alias for your LB or TM fronting your cluster, that name won't resolve to your cluster for SFX or Clients connecting; they would need to connect using the TM or LB public IP directly. The impact of which is your browser will still complain that your custom domain listed in your cert doesn't match the URL. I fixed this by configuring mine correctly, using "A" and "C" record properties in my DNS Zone resource.

starforce commented 5 years ago

@starforce @hrushib @jakaruna-MSFT @MicahMcKittrick-MSFT

I will try this and get back to everyone. Why the rush to close this issue until I verify that it works for me?

mimckitt commented 5 years ago

Thanks @aljo-microsoft for all the hard work and explanations.

@starforce at this point we have addressed as much as we are able to within the scope of this issue. We use these issues to identify doc problems and we of course try to help further than that when possible.

Please let us know your results. If you need further assistance from here we would need you to open a technical support ticket to work with an engineer to debug further. And of course, if you find any doc issues on other docs feel free to let us know.

starforce commented 5 years ago

@MicahMcKittrick-MSFT Thank you. Hopefully it will work. Would I need to buy a Technical Support plan to open a technical support issue?

mimckitt commented 5 years ago

@starforce if it comes to that I can enable you for a free request so no worries :) Let me know the outcome and we can go from there.

aljo-microsoft commented 5 years ago

@starforce and @MicahMcKittrick-MSFT I have also resolved the issue with connecting to my machine using my custom domain.

By configuring my DNS Zone "Alias record set" for both my "A" and "C" record; set the "A" record to all IP address backends being fronted by TM, and use a "C" record set it to the TM DNS name.

starforce commented 5 years ago

@aljo-microsoft Thank you for everything!!

starforce commented 5 years ago

So far so Good. Set up Azure DNS zone,

Then Change Google Domain to use Azure Name Servers. Did Ns-lookup and all is ok. I already had DigiCert Azure Account so done with that..

DigiCert going to allow me to request a 30 days test Cert which is good because don't want to spend 198 dollars until I am sure it will work. Will update after DigiCert sends me info