[azure microservice service fabric] the service fabric cluster hangs up because the certificate expires (the upgrade cannot be completed, and the node is unavailable)

Problem description

establish Service Fabric when , Certificates are a very important part of the whole cluster , With user authentication , Communication between nodes ,SF Upgrade the identity and authorization authentication and other functions . If the certificate is expired, the nodes will be affected and the cluster will not work properly .

When the certificate expires or is revoked , The usual problems are ：

• Service  Fabric The cluster cannot use the upgrade service
• Service  Fabric Explorer Unable to connect
• Disable all nodes , Unable to view any node information

When the above situation occurs , The quickest way is to build a brand new Service Fabric colony , This is also the most efficient way . To prevent certificate expiration, send , Here are two suggestions ：

One ： stay Key Vault When creating a certificate in , Choose to automatically renew the new version certificate .

Two ： And if you don't automatically renew the new version certificate , Then you need to specify a maintenance plan , Update the certificate before it expires . and Service Fabric The process of replacing the security certificate , First of all, you need to put Upload the new certificate to key vault in , And then through powershell Or add auxiliary certificates for the cluster in the form of templates , And then in Portal Operation switching certificate .

Please refer to ：（ At present Service Fabric Export templates from the resource group of , Yes certificateSecondary The nodes are modified ）

​ ​https://docs.microsoft.com/zh-cn/azure/service-fabric/service-fabric-cluster-security-update-certs-azure#add-a-secondary-certificate-using-resource-manager-powershell​​

 

​ ​https://docs.microsoft.com/en-us/powershell/module/az.servicefabric/add-azservicefabricclustercertificate?view=azps-1.0.0​​

When the auxiliary certificate is added , You can see two certificates in the portal , Click... In the red box ... In exchange for the main / Supporting certificate .

Use Powershell Command to load secondary certificates (Secondary Certificate):

      
      

       
       Connect-AzAccount -Environment AzureChinaCloud
       
       

       
       
Select-AzSubscription -Subscription 'subscription id'
       
       

       
       
Add-AzServiceFabricClusterCertificate -ResourceGroupName 'sf2-rg' -Name 'lbcerttest02' -SecretIdentifier 'https://yourkeyvault.vault.azure.cn/secrets/cert name/<secret identifier>'
       
       
###################### CLI command 
       
       

       
       
az login
       
       

       
       
az sf cluster certificate add -g sf-rg -c lbcerttest01 --secret-identifier 'https://yourkeyvault.vault.azure.cn/secrets/cert name/<secret identifier>'
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
       
       
4.
       
       
5.
       
       
6.
       
       
7.
       
       
8.
       
       
9.
       
       
10.
      
      

Execute command reference ：

perform Add-AzServiceFabricClusterCertificate The progress of the prompt after the command is as follows ：

Reference link ：

####

​ ​Add-AzServiceFabricClusterCertificate​​​: Add a secondary cluster certificate to the cluster, ​ ​https://docs.microsoft.com/en-us/powershell/module/az.servicefabric/add-azservicefabricclustercertificate?view=azps-5.2.0​​

####

​ ​az sf cluster certificate add:​​​ Add a secondary cluster certificate to the cluster. ​ ​https://docs.microsoft.com/en-us/cli/azure/sf/cluster/certificate?view=azure-cli-latest#az_sf_cluster_certificate_add​​

####

management SF The documentation of the cluster certificate can be referred to ：​ ​https://docs.azure.cn/zh-cn/service-fabric/service-fabric-cluster-security-update-certs-azure​​

When facing problems in a complex environment , The way to check things needs ： The turbid and quiet Xu Qing , An Yidong's Xu Sheng . In the clouds , Just so !