microsoft / service-fabric-yarp

YARP integration with Service Fabric
MIT License
31 stars 9 forks

SSL cert ACLs #14

Closed solidcloudio closed 1 year ago

solidcloudio commented 1 year ago

Can you clarify the statement:

Need to also make sure certificate has proper ACL to be retrieved by YarpProxy process running under the configured local account (by default SF applications run under Network Service account) so that the private key can be accessed during the SNI step in TLS handshake.

How exactly do you do that? I don't have any control over the nodes; the certs are installed in the scale set by ARM.

Getting: "Yarp.ServiceFabric.Core.Service.Security.ServerCertificateBinding.SniServerCertificateSelector[0] Encountered error when tried to validate private key access for certificate with subject name....."

solidcloudio commented 1 year ago

I found this: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster

solidcloudio commented 1 year ago

https://github.com/Azure/Service-Fabric-Troubleshooting-Guides/blob/master/Security/Set%20ACL%20for%20a%20SF%20certificate.md

Following this, I added a script and a custom extension to run it. I can confirm that it does modify the private key ACL and add NETWORK SERVICE. I'll submit a PR to the https://github.com/Azure/Service-Fabric-Troubleshooting-Guides repo with the script and ARM extension sample.
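For reference, the kind of script the thread is describing, written here as an added example rather than the script the commenter submitted or anything from the service-fabric-yarp repo. It locates the on-disk private key of a LocalMachine\My certificate by thumbprint (CSP and CNG key containers live in different folders), grants NT AUTHORITY\NETWORK SERVICE read access, and then re-reads the ACL to confirm the grant actually applied, which is the check the SniServerCertificateSelector error message is complaining about. The parameter names, the default account, and the assumption that the thumbprint is passed in from a VMSS CustomScriptExtension `commandToExecute` are all choices made for this example.

```powershell
# Added example: grant NETWORK SERVICE read access to a certificate's private key
# on a Service Fabric node. Not from the issue or the project; run as admin/SYSTEM
# (for example from the VMSS CustomScriptExtension) with the cert thumbprint.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$StoreName = 'My',
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'   # default SF app identity
)

$ErrorActionPreference = 'Stop'

$cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\$StoreName" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

# Resolve the key container file name. CAPI (CSP) keys expose it through
# CspKeyContainerInfo; CNG keys only through the RSACng handle's UniqueName.
$keyName = $null
if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -and $rsa.Key) { $keyName = $rsa.Key.UniqueName }
}
if (-not $keyName) { throw "Could not resolve the private key container for $Thumbprint" }

# Machine key files live in one of these two folders depending on the provider.
$searchRoots = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",   # CSP machine keys
    "$env:ProgramData\Microsoft\Crypto\Keys"               # CNG machine keys
)
$keyPath = $searchRoots |
    ForEach-Object { Join-Path -Path $_ -ChildPath $keyName } |
    Where-Object { Test-Path -Path $_ } |
    Select-Object -First 1
if (-not $keyPath) { throw "Key file $keyName not found under $($searchRoots -join ', ')" }

# Grant Read only: the proxy needs to use the key during the TLS handshake,
# not to modify or replace it. Existing ACEs are preserved.
$acl = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify by re-reading the ACL: the account must appear with an Allow ACE
# that includes Read, otherwise YarpProxy will still fail the private key check.
$readFlag = [System.Security.AccessControl.FileSystemRights]::Read
$granted = (Get-Acl -Path $keyPath).Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readFlag) -eq $readFlag)
    }
if (-not $granted) { throw "ACL update did not take effect on $keyPath for $Account" }
Write-Output "Granted Read on $keyPath to $Account for certificate $Thumbprint"
```

Two caveats when wiring this into a VMSS extension: the script has to run after the certificate has been installed from Key Vault (so it belongs in an extension that depends on the Service Fabric node extension, or it has to poll for the cert), and it has to be idempotent because the extension re-runs on scale-out and reimage, which the re-read check above keeps safe.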