Manually roll over a Service Fabric cluster certificate

[tr1al3x]

I am following bellow doc to renew service fabric certs..
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-rollover-cert-cn
certPS.txt

Getting following errors on couple instances:

PS C:\WINDOWS\system32> $keyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $KeyVaultResourceGroupName -Location $region
Get-AzureRmKeyVault : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:13

• $keyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupN ...

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidArgument: (:) [Get-AzureRmKeyVault], ParameterBindingException
  • FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.Azure.Commands.KeyVault.GetAzureKeyVault

---

PS C:\WINDOWS\system32> Update-AzureRmVmss -ResourceGroupName $VmssResourceGroupName -Name $VmssName -VirtualMachineScaleSet $vmss -Verbose
VERBOSE: Performing the operation "Update" on target "scaleset".
Update-AzureRmVmss : List secrets contains repeated instances of
/subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/, which is disallowed.
ErrorCode: InvalidParameter
ErrorMessage: List secrets contains repeated instances of
/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/*, which is disallowed.
ErrorTarget: sourceVault.id
StatusCode: 400
ReasonPhrase: Bad Request
OperationID : ***
At line:1 char:1

• Update-AzureRmVmss -ResourceGroupName $VmssResourceGroupName -Name $V ...

•   + CategoryInfo          : CloseError: (:) [Update-AzureRmVmss], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Automation.UpdateAzureRmVmss
  
  
  

Two questions...
1.
Why I have to create a new RG and if I do, by using my existing one, will it override it and all its contents?

The script creates a new RG , which I skipped since I already have a RG and a Keyvault that Im trying to update its cert (pfx).

Create new Resource Group

New-AzureRmResourceGroup -Name $KeyVaultResourceGroupName -Location $region

Get the key vault. The key vault must be enabled for deployment.

$keyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $KeyVaultResourceGroupName
$resourceId = $keyVault.ResourceId

On the "Update-AzureRmVmss : List secrets contains repeated instances of...which is disallowed."
I guess this has to do with using the same keyVault and existing secrets, how do I fix it.

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq

BTW I see the cert is renewed (at least I see the new thumbprint" in the keyvault.

Excuse the ignorance and thank you.

[MiYanni]

@tr1al3x To fix your first error, simply remove the Location parameter. KeyVault names are unique, so Location is not part of that parameter set.

After getting that working, let us know if you are still having issues.

[markcowl]

Closing as it seems this fixed your issue. Please let us know if there's still an issue.

[akrone-hach]

I'm having the same issue as @tr1al3x. I have an existing Resource Group, Key Vault, and Certificate. I want to use the new Cert in the Scale Set but following the script in the documentation produced the error that @tr1al3x reported. Below is a modified version of the script from the article to use the existing Key Vault, and Cert.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force

$SubscriptionId  =  "MySubscription" #Update this 

# Sign in to your Azure account and select your subscription
Login-AzureRmAccount -SubscriptionId $SubscriptionId

$VmssResourceGroupName     = "VmssResourceGroupName" #Update this
$VmssName                  = "VmssName" # Update This
$CertificateThumbprint = "Cert Thumbpriint" #Update This
$CertificateURL = "https://myvault.vault.azure.net/secrets/MyCert/Version" #Update This
$SourceVault = "/subscriptions/SubscriptionId/resourceGroups/ResourcecGroup/providers/Microsoft.KeyVault/vaults/myVault" # Update This
$CommName    = "CN=MyCluster.eastus.cloudapp.azure.com" # Update This

Set-StrictMode -Version 3
$ErrorActionPreference = "Stop"

$certConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $CertificateURL -CertificateStore "My"

# Get current VM scale set 
$vmss = Get-AzureRmVmss -ResourceGroupName $VmssResourceGroupName -VMScaleSetName $VmssName

# Add new secret to the VM scale set.
$vmss = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmss -SourceVaultId $SourceVault `
    -VaultCertificate $certConfig

# Update the VM scale set 
Update-AzureRmVmss -ResourceGroupName $VmssResourceGroupName -Verbose `
    -Name $VmssName -VirtualMachineScaleSet $vmss

[Chemlin]

How do i roll over certificates on a local Service Fabric Cluster????

[rbeauchamp]

@markcowl Can you please re-open this issue? I am getting the same error reported by @akrone-hach and @tr1al3x:

Update-AzureRmVmss : List secrets contains repeated instances of
/subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/, which is disallowed.
ErrorCode: InvalidParameter
ErrorMessage: List secrets contains repeated instances of
/subscriptions/*/resourceGroups/***/providers/Microsoft.KeyVault/vaults/***, which is disallowed.

Maybe I'm getting the above error because I uploaded the certificate to the existing key vault already used/reference by the cluster. To roll over a certificate, do we really need to create a new key vault to hold the new cert? Thanks!

[tr1al3x]

Here how I got cert renewed..

1. Upload cert to keyvault (new version certificate.pfx), copy the SecretIdentifier URL, you will need it to update SF templates below.
2. Navigate to "resource explorer" your subscription -- > resource group -- > providers/Microsoft.Compute/virtualMachineScaleSets
3. Chose your scale set to update, click EDIT/read/write.
4. Locate "vault certificates" in the template and add the following:
   {
   "certificateUrl": "secret identifier URi",
   "certificateStore": "My"
   }
5. Click PUT to apply changes.
6. Ater update is completed EDIT/read-write again and locate "extensionProfile"
7. Add the following under certificates

"certificateSecondary": {
"thumbprint": "****************************************",
"x509StoreName": "My"
},

8. Click PUT to update.

9. Navigate to Microsoft.ServiceFabric section and click on the cluster name.

10. Add the following "thumbprintSecondary", in the certificates section of the template's code and "PUT" to apply changes.
    "thumbprintSecondary": "********************************",

11. Swap certificates (primary-secondary), in the scale set and the ServiceFabric templates. Just swap the thumbprint values, secondary thumbprint in place of primary's

You can verify by looking into SF explorer manifest, you will see primary-secondary thumbprints.

[rbeauchamp]

@tr1al3x Awesome!! That worked! Thank you for taking the time to clearly document the steps.