6

I have followed this article to set up an OWIN self-hosted Web API within an Azure Service Fabric stateless service.

I also found this article which describes setting up an HTTPS endpoint within an Azure service fabric service.

  ...
  <Certificates>
    <EndpointCertificate Name="TestCert1" X509FindValue="FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F0" X509StoreName="MY" />  
  </Certificates>
  ...

How do I configure the SSL certificate for my WebAPI service within service fabric? When I access my service fabric cluster in the Azure portal, the "Certificate" textboxes are greyed out.

In other Azure services there is typically an area to upload certificates which can then be referenced by the application.

Do I need to manually include my certificate in the service fabric package and install it into the certificate store before it can be referenced?

In addition, does Azure provide an HTTPS cert for *.cloudapp.azure.com that can be used during development?

Wallace Breza

1 Answer

11

To secure an OWIN Self-Hosted API in SF with SSL, you can follow the different scripts and example config I've compiled:

https://gist.github.com/andersosthus/c483eaf8630219c789de

The basic flow goes like this:

  1. Upload a certificate to KeyVault (uploadCertToKeyVault.ps1)
  2. Install the certificate to your SF VMs (installCertOnVm.ps1)
  3. Configure the Endpoint section of your ServiceManifest
  4. Configure the ManifestImport and Policy section of your application manifest

Steps 1 & 2 can be skipped, but then you need to log in to each VM and install the certificate manually.

For VMSS: To install certificates from KeyVault onto a VMSS with ARM, do the following: In your VMSS template, under the OSProfile section, there is a section called secrets. Here you can configure the sourcevault and add certificates to be installed.

This works like all other ARM templates. You can add a certificate to this list at a later point and redeploy the template. The certificate will then be installed on your VMSS.

anderso
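Steps 3 and 4 above as a concrete pair of manifest fragments. This is an added example, not the files from the linked gist; the package name WebApiPkg, the endpoint name ServiceEndpoint, port 443, the application type name and the all-zero thumbprint are assumptions, and the certificate is expected to already be in the LocalMachine\MY store on every node (steps 1 and 2).

```xml
<!-- ServiceManifest.xml (fragment): declare the HTTPS endpoint (step 3).
     Names, port and version below are assumed for this example. -->
<ServiceManifest Name="WebApiPkg" Version="1.0.0"
                 xmlns="http://schemas.microsoft.com/2011/01/fabric">
  ...
  <Resources>
    <Endpoints>
      <!-- Protocol="https" is what makes Service Fabric bind a certificate
           to this port instead of serving it as plain HTTP -->
      <Endpoint Name="ServiceEndpoint" Protocol="https" Type="Input" Port="443" />
    </Endpoints>
  </Resources>
</ServiceManifest>

<!-- ApplicationManifest.xml (fragment): map the endpoint to a certificate (step 4). -->
<ApplicationManifest ApplicationTypeName="WebApiAppType" ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WebApiPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <!-- Ties the endpoint declared above to the certificate declared below;
           Service Fabric creates the SSL binding on the node for that port -->
      <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="TestCert1" />
    </Policies>
  </ServiceManifestImport>
  ...
  <Certificates>
    <!-- Placeholder thumbprint (assumed): replace with the SHA-1 thumbprint of the
         certificate installed in the LocalMachine\MY store on each node -->
    <EndpointCertificate Name="TestCert1"
                         X509FindValue="0000000000000000000000000000000000000000"
                         X509StoreName="MY" />
  </Certificates>
</ApplicationManifest>
```

The OWIN listener must then start on an https URL using the same port it reads from ServiceEndpoint; if the thumbprint does not match a certificate present on a node, the service will fail to open its endpoint there, which is the first thing to check when the endpoint is unreachable.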
  • 1
    Nice solution, is this targeted at vm scale sets? What happens when the scale set decides to scale - do I need to attach the script to something to autorun? – andycwk Apr 18 '16 at 21:55
  • 3
    This is for pre-VMSS. For VMSS, you'll add the certificate to the Secrets section of the VMSS definition, and then it'll get provisioned on all the machines. The same goes for updating the cert, just update the VMSS definition and it'll roll it out to all the machines. – anderso Apr 19 '16 at 07:38
  • I've gotten as far as updating the VMSS definition with the new secret, but when I attempt to deploy that I get an error about the VHDs being in use -- see here: http://stackoverflow.com/q/37504102/287610 – Lars Kemmann May 28 '16 at 22:02
  • You have another gist showing that you just run a PS script to add the secret to each VM directly. That ended up working for me -- I posted a comment on your gist showing how to do it with the VMSS cmdlets. :) Thanks so much! But I'd still really like to have this work via the ARM template... – Lars Kemmann May 28 '16 at 23:33
  • Hi Lars. Thanks. I've updated my answer above with info about ARM VMSS and certificates :) – anderso May 30 '16 at 08:01
  • Can it be run on a local cluster? I couldn't run it locally. – shlatchz Jul 23 '16 at 18:14