Question
I have an Azure pipeline, which works pretty well with a self-signed certificate:
It deploys (via ARM templates) Redis, CosmosDB, EventHub, Keyvault, then imports the self-signed certificate into the Keyvault, then deploys SF cluster and configures it with the certificate.
Finally the pipeline deploys our team's application with the following task:
- task: ServiceFabricDeploy@1
  displayName: 'Deploy SF app'
  inputs:
    applicationPackagePath: '$(Build.BinariesDirectory)\Release\Applications\CloudGateway\Pkg\release'
    serviceConnectionName: '${{ parameters.ServiceConnectionName }}'
    applicationParameterPath: '$(Build.BinariesDirectory)\Release\Applications\CloudGateway\ApplicationParameters\Cloud.xml'
    overwriteBehavior: 'SameAppTypeAndVersion'
    overridePublishProfileSettings: true
    upgradeMode: 'UnmonitoredAuto'
    FailureAction: 'Rollback'
It works well, for days and in 5 different pipelines (1 scheduled for nights, 3 manual and 1 used for our Pull Request builds).
My problem:
I am trying to switch from using a self-signed certificate to a real wildcard certificate issued by DigiCert.
And then the final ServiceFabricDeploy@1 task fails with
An error occurred attempting to import the certificate. Ensure that your service endpoint is configured properly with a correct certificate value and, if the certificate is password-protected, a valid password. Error message: Exception calling "Import" with "3" argument(s): "The specified network password is not correct.
When I go to my resource group and verify that everything is deployed properly, I cannot find any problems.
The SF cluster is configured with the new DigiCert certificate:
And I have updated the SF service connection with the new hostname, certificate thumbprint and base64-encoded certificate contents as well:
The only difference I see to the self-signed certificate, which I was using before and for which the Service Fabric app deployment worked, is that it had a password, while the new DigiCert-issued certificate does not have a password.
Is that the reason why the error message mentions that the third argument is missing?
I have searched for a way to add a password to a certificate (either manually or by a PowerShell command) and have not found any.
I have created GitHub issue #13079 for my problem and also asked at the Microsoft forum.
UPDATE:
I've decided to add a reverse proxy to our SF cluster setup and will configure the DigiCert certificate there, while keeping the self-signed certificate for SF node-to-node comms.
Source: https://stackoverflow.com/questions/62245798/does-service-fabric-application-deployment-fail-because-the-certificate-does-no
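An added local check, not part of the original post and not the deploy task's own code: it decodes the base64 value prepared for the service connection, opens it as a PFX with a given password (bytes, password and key-storage flags, the three arguments the error message counts), and can re-export it protected by a new password. The file names and parameter names are placeholders, and it assumes the base64 text is a PFX/PKCS#12 blob.

```powershell
param(
    # Placeholder path: text file holding the base64 string pasted into the service connection
    [string]$Base64Path = '.\cert-base64.txt',
    # Password to try; the default empty SecureString matches a PFX exported without a password
    [securestring]$Password = (New-Object System.Security.SecureString),
    # Optional: when supplied, the certificate is re-exported protected by this password
    [securestring]$NewPassword,
    # Placeholder path for the re-exported, base64-encoded PFX
    [string]$OutPath = '.\cert-with-password-base64.txt'
)

$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

# Exportable is needed so the private key can be written back out below
$flags = [Enum]::Parse([type]"$x509.X509KeyStorageFlags", 'Exportable')

$bytes = [Convert]::FromBase64String((Get-Content -Raw -Path $Base64Path).Trim())

try {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $Password, $flags)
}
catch {
    # A wrong password, or a blob that is not a PFX, ends up here
    throw "Could not open the PFX with the supplied password: $($_.Exception.Message)"
}

# Compare the thumbprint with the one configured on the cluster and the service connection
[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
}

if ($NewPassword -and $NewPassword.Length -gt 0) {
    if (-not $cert.HasPrivateKey) { throw 'No private key in this blob; nothing useful to re-export.' }
    # Export() writes this certificate and its key only; intermediates in the original PFX are not carried over
    $pfx = $cert.Export([Enum]::Parse([type]"$x509.X509ContentType", 'Pfx'), $NewPassword)
    [Convert]::ToBase64String($pfx) | Set-Content -Path $OutPath -NoNewline
    Write-Host "Password-protected PFX (base64) written to $OutPath"
}
```

Pass the new password as a SecureString, for example from `Read-Host -AsSecureString`, and delete the output file once its contents have been stored in the service connection, since it contains the private key.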