
We have 5 Service Fabric nodes running 2 applications in 4 environments in Azure. Our Network team wanted to switch out our cluster certificate so they generated a new one (I believe in the key vault) and swapped it to primary. We updated our project to use the new cert's thumbprint. We successfully authenticated to the cluster and deployed (via Visual Studio) using the new cert, but now the application will not activate. The error we are seeing is:

'System.Hosting' reported Error for property 'Activation:1.0:1.0:131965678558388988'. There was an error during activation.There is already a certificate with thumbprint 123oldCertNumber bound to port 200appPort. New certificate thumbprint specified: 321newCertNumber

Additionally, we tried deleting the old cert which is now in the secondary slot, but it just processes for hours saying "Cluster is updating user certificate." and eventually fails to delete the cert.

Any help would be greatly appreciated!

madeFromCode

3 Answers


Here's what worked for me:

I deleted all applications, but did not unprovision them. I then reset all nodes to clear them out. Then I deleted the old cert - this time it worked. I redeployed and voilà, it activated no problem. Well, almost, I have one node that is stuck with the same error message. I've tried deleting data and resetting it, but haven't been able to clear it yet.

madeFromCode

If both of your applications were using the old certificate then you may have encountered a problem described in the documentation on upgrading multiple applications with HTTPS endpoints.

When the first application goes to update it will fail to configure the HTTPS port with the new certificate, since the second application is still running and has already configured the HTTPS port with the old certificate. The only path forward is to remove both applications that are sharing the port and then upgrade.

For this reason you may want to consider approaches to prevent this problem in the future. You could:

  • Combine services from the two applications into a single application, or
  • Run each application on a different port.

Roy
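
A pre-deployment check for the shared-port condition described in the answer above, as an added example that is not part of the original answers: it reads application manifests and reports any HTTPS port that more than one application binds with different certificate thumbprints. The manifests, application names, ports and thumbprints are constructed, and it assumes each port is set through `ResourceOverrides` in the application manifest (ports declared only in a service manifest are not read).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}
# Constructed sample manifest (not from the page). Assumes the HTTPS port is
# set through ResourceOverrides in the application manifest.
TEMPLATE = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
    ApplicationTypeName="{app}" ApplicationTypeVersion="1.0.0">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WebPkg" ServiceManifestVersion="1.0.0"/>
    <ResourceOverrides><Endpoints>
      <Endpoint Name="HttpsEndpoint" Protocol="https" Port="{port}"/>
    </Endpoints></ResourceOverrides>
    <Policies>
      <EndpointBindingPolicy EndpointRef="HttpsEndpoint" CertificateRef="SslCert"/>
    </Policies>
  </ServiceManifestImport>
  <Certificates><EndpointCertificate Name="SslCert" X509FindValue="{thumb}"/></Certificates>
</ApplicationManifest>"""
OLD, NEW = "A" * 40, "B" * 40  # placeholder thumbprints, not real certificates
SAMPLES = [TEMPLATE.format(app="AppOne", port=8443, thumb=NEW),
           TEMPLATE.format(app="AppTwo", port=8443, thumb=OLD),
           TEMPLATE.format(app="AppThree", port=9443, thumb=NEW)]

def bindings(xml_text):
    """Return (application type name, {port: thumbprint}) for one manifest."""
    root = ET.fromstring(xml_text)
    certs = {c.get("Name"): (c.get("X509FindValue") or "").upper()
             for c in root.iterfind("sf:Certificates/sf:EndpointCertificate", NS)}
    bound = {}
    for imp in root.iterfind("sf:ServiceManifestImport", NS):
        ports = {e.get("Name"): int(e.get("Port")) for e in
                 imp.iterfind("sf:ResourceOverrides/sf:Endpoints/sf:Endpoint", NS)
                 if e.get("Port")}
        for pol in imp.iterfind("sf:Policies/sf:EndpointBindingPolicy", NS):
            port = ports.get(pol.get("EndpointRef"))
            if port is not None:
                bound[port] = certs.get(pol.get("CertificateRef"))
    return root.get("ApplicationTypeName"), bound

def port_conflicts(manifests):
    """Ports bound by several applications whose thumbprints differ."""
    by_port = defaultdict(dict)
    for xml_text in manifests:
        app, bound = bindings(xml_text)
        for port, thumb in bound.items():
            by_port[port][app] = thumb
    return {p: apps for p, apps in by_port.items() if len(set(apps.values())) > 1}

if __name__ == "__main__":
    print(port_conflicts(SAMPLES))
```

A non-empty result means the applications listed for that port have to move to the new thumbprint together, or be separated onto different ports, before the upgrade.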

I just finished upgrading my applications to use a new cert and here is what you must do. I have 3 applications using the one cert.

Instructions
In the Application Manifest, I removed the binding

from 2 of my 3 applications. It is important that you do not remove the binding from all of your apps at once.

I then redeployed the 2 apps with the binding removed.

I updated the 3rd Application with the new cert and redeployed.

I then added back the binding in the other 2 applications and updated them to use the new cert and redeployed.

That was all that was needed.

Here is a link to the solution

Renew endpoint certificate

starforce