
gMSA Secured On-Premise Cluster with SSL Reverse Proxy and Gateway not working

Open Adebeer opened this issue 6 years ago • 11 comments

I'm trying to understand why Service Fabric is not working with provided HTTPS certificates. I've been through the documentation and believe I've configured it correctly.

Note:

  • Cluster created just fine and I can connect just fine via PowerShell
  • Get-ServiceFabricClusterHealth doesn't return any errors
  • I can deploy app to it - and this app successfully uses the same HTTPS certificate
  • CN of the HTTPS certificate is CN = ServiceFabric-DefaultHttps, O = MyOrg, OU = Foo, DC = corp, DC = myorg, DC = org
  • DNS Name=*.corp.myorg.org
  • SHA256 used for cert hash
  • Cert has self signed CA cert - no issues there and Chrome happy with this cert
  • Can't connect to Explorer - Response: Getting HTTP/1.1 502 Invalid SSL Certificate
"security": {
			"ClusterCredentialType": "Windows",
			"ServerCredentialType": "Windows",
			"WindowsIdentities": {
				...
			},
			"CertificateInformation": {
				"ReverseProxyCertificateCommonNames": {
				  "CommonNames": [
					  {
						"CertificateCommonName": "ServiceFabric-DefaultHttps"
					  }
					],
					"X509StoreName": "My"
				}
			}
		},
...
{
				"name": "ServiceNodeType0",
				"clientConnectionEndpointPort": "19000",
				"clusterConnectionEndpointPort": "19001",
				"leaseDriverEndpointPort": "19002",
				"serviceConnectionEndpointPort": "19003",
				"httpGatewayEndpointPort": "19080",
				"reverseProxyEndpointPort": "19081",
				"applicationPorts": {
					"startPort": "20001",
					"endPort": "20999"
				},
				"placementProperties": {
					"SSD": "false",
					"Type": "Service"
				},
				"isPrimary": false
			}

...
"fabricSettings": [
			...
			{
				"name": "ApplicationGateway/Http",
				"parameters": [
				  {
					"name": "ApplicationCertificateValidationPolicy",
					"value": "ServiceCommonNameAndIssuer"
				  }
				]
			},
			{
				"name": "ApplicationGateway/Http/ServiceCommonNameAndIssuer",
				"parameters": [
					{
						"name": "ServiceFabric-DefaultHttps",
						"value": "85 36 72 74 ad fb 1a 50 0d e4 af a4 b9 99 3b 29 e7 54 5d 0c"
					}
				]
			}
		]

Adebeer avatar Oct 11 '18 02:10 Adebeer

Hi @Adebeer

I successfully installed a secure Service Fabric cluster with gMSA. Follow the configuration here for your reference: Config

I have uploaded a sample that includes the certificates, config files and commands to install a secured Service Fabric cluster for both gMSA and certificates. Here is the package

Here is my post on the installation with certificates.

Hope it helps.

Thanks and Regards Duy

baoduy avatar Oct 11 '18 03:10 baoduy

That's awesome, thank you @baoduy. I'll give it a go tonight to see where I went wrong

Adebeer avatar Oct 11 '18 07:10 Adebeer

Thanks @baoduy for your help! Greatly appreciated.

So I now have the reverse proxy working over HTTPS just fine! I believe where I went wrong is that I should have set the SN to simply sf.corp.myorg.org and removed any additional OU/O/DC values from the SN.

However I'm still not sure how to get the HTTP gateway (i.e. explorer on port 19080) to use HTTPS.

Essentially I've added the following under fabricSettings as per msdocs

{
				"name": "ApplicationGateway/Http/ServiceCommonNameAndIssuer",
				"parameters": [
					{
						"name": "sf.corp.myorg.org",
						"value": "85 36 72 74 ad fb 1a 50 0d e4 af a4 b9 99 3b 29 e7 54 5d 0c"
					}
				]
			}

However, if I look at the cluster manifest I see the following - note how the protocol for HttpGatewayEndpoint is still http, but I don't know how to set this to https via the JSON config file; I've not seen anything in msdocs to indicate this.

<NodeType Name="WebNodeType0">
      <Endpoints>
        <ClientConnectionEndpoint Port="19000" />
        <LeaseDriverEndpoint Port="19002" />
        <ClusterConnectionEndpoint Port="19001" />
        <HttpGatewayEndpoint Port="19080" Protocol="http" />
        <HttpApplicationGatewayEndpoint Port="19081" Protocol="https" />
        <ServiceConnectionEndpoint Port="19003" />
        <ApplicationEndpoints StartPort="20001" EndPort="20999" />
      </Endpoints>

...

 <FabricSettings>
    <Section Name="ApplicationGateway/Http">
      <Parameter Name="ApplicationCertificateValidationPolicy" Value="ServiceCommonNameAndIssuer" />
      <Parameter Name="GatewayAuthCredentialType" Value="X509" />
      <Parameter Name="GatewayX509CertificateFindType" Value="FindBySubjectName" />
      <Parameter Name="GatewayX509CertificateFindValue" Value="sf.corp.myorg.org" />
      <Parameter Name="GatewayX509CertificateStoreName" Value="My" />
      <Parameter Name="IsEnabled" Value="true" />
    </Section>
    <Section Name="ApplicationGateway/Http/ServiceCommonNameAndIssuer">
      <Parameter Name="sf.corp.myorg.org" Value="85 36 72 74 ad fb 1a 50 0d e4 af a4 b9 99 3b 29 e7 54 5d 0c" />
    </Section>

I know that when I was using X509 security, the gateway port became https as part of configuring the cluster/server X509 certs... but I would have thought one could do the same when using gMSA too... maybe I can't configure this via JSON and have to do an upgrade.

Other than that - from your article/link - basically I would configure my LB with the sf.corp.myorg.org endpoint, so that makes sense.

Adebeer avatar Oct 11 '18 12:10 Adebeer
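The check Adebeer describes above, as an added example that is not part of this issue or of Service Fabric: parse the cluster manifest, report which of the two HTTP management endpoints still speak plaintext, and confirm that the ApplicationGateway/Http section is internally consistent (gateway credential, certificate find value, and a well-formed issuer thumbprint for the ServiceCommonNameAndIssuer policy). The manifest embedded below is constructed from the fragment posted in this thread; the audit rules are this example's own checklist, not Service Fabric's validation. The only Service Fabric facts relied on are the element and parameter names visible in the thread, that ApplicationCertificateValidationPolicy defaults to None, and that thumbprints are SHA-1 (40 hex characters).

```python
"""Audit a Service Fabric ClusterManifest.xml for plaintext management
endpoints and a consistent ApplicationGateway/Http (reverse proxy) section.

Added example; not code from this issue or from Service Fabric. SAMPLE_MANIFEST
is constructed from the fragment posted in the thread. The rules flagged below
are this example's own review checklist, not documented Service Fabric checks.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the WebNodeType0 endpoints and the reverse proxy sections
# exactly as they appear in the thread.
SAMPLE_MANIFEST = """<ClusterManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <NodeTypes>
    <NodeType Name="WebNodeType0">
      <Endpoints>
        <ClientConnectionEndpoint Port="19000" />
        <LeaseDriverEndpoint Port="19002" />
        <ClusterConnectionEndpoint Port="19001" />
        <HttpGatewayEndpoint Port="19080" Protocol="http" />
        <HttpApplicationGatewayEndpoint Port="19081" Protocol="https" />
        <ServiceConnectionEndpoint Port="19003" />
        <ApplicationEndpoints StartPort="20001" EndPort="20999" />
      </Endpoints>
    </NodeType>
  </NodeTypes>
  <FabricSettings>
    <Section Name="ApplicationGateway/Http">
      <Parameter Name="ApplicationCertificateValidationPolicy" Value="ServiceCommonNameAndIssuer" />
      <Parameter Name="GatewayAuthCredentialType" Value="X509" />
      <Parameter Name="GatewayX509CertificateFindType" Value="FindBySubjectName" />
      <Parameter Name="GatewayX509CertificateFindValue" Value="sf.corp.myorg.org" />
      <Parameter Name="GatewayX509CertificateStoreName" Value="My" />
      <Parameter Name="IsEnabled" Value="true" />
    </Section>
    <Section Name="ApplicationGateway/Http/ServiceCommonNameAndIssuer">
      <Parameter Name="sf.corp.myorg.org" Value="85 36 72 74 ad fb 1a 50 0d e4 af a4 b9 99 3b 29 e7 54 5d 0c" />
    </Section>
  </FabricSettings>
</ClusterManifest>
"""

THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")  # SHA-1 thumbprint: 20 bytes as hex


def _local(tag):
    """Strip the XML namespace so element names can be compared directly."""
    return tag.rsplit("}", 1)[-1]


def normalize_thumbprint(value):
    """Upper-case hex with spaces/colons removed, or None if not a SHA-1 thumbprint."""
    compact = re.sub(r"[\s:]", "", value).upper()
    return compact if THUMBPRINT_RE.match(compact) else None


def fabric_sections(root):
    """Map FabricSettings section name -> {parameter name: value}."""
    sections = {}
    for sec in root.iter():
        if _local(sec.tag) == "Section":
            sections[sec.get("Name")] = {
                p.get("Name"): p.get("Value") for p in sec if _local(p.tag) == "Parameter"
            }
    return sections


def endpoint_protocols(root):
    """Map node type -> {endpoint element: protocol} for the two HTTP endpoints."""
    result = {}
    for node_type in root.iter():
        if _local(node_type.tag) != "NodeType":
            continue
        protocols = {}
        for ep in node_type.iter():
            tag = _local(ep.tag)
            if tag in ("HttpGatewayEndpoint", "HttpApplicationGatewayEndpoint"):
                # A missing Protocol attribute is treated as plaintext (audit assumption).
                protocols[tag] = (ep.get("Protocol") or "http").lower()
        result[node_type.get("Name")] = protocols
    return result


def audit_manifest(xml_text):
    """Return a list of findings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []

    for node_type, protocols in endpoint_protocols(root).items():
        for tag, proto in protocols.items():
            if proto != "https":
                findings.append(f"{node_type}: {tag} is {proto}")

    sections = fabric_sections(root)
    gateway = sections.get("ApplicationGateway/Http", {})
    if gateway.get("IsEnabled", "false").lower() == "true":
        if gateway.get("GatewayAuthCredentialType") != "X509":
            findings.append("reverse proxy enabled without an X509 gateway credential")
        elif not gateway.get("GatewayX509CertificateFindValue"):
            findings.append("GatewayAuthCredentialType is X509 but no certificate find value is set")

        policy = gateway.get("ApplicationCertificateValidationPolicy", "None")
        if policy == "ServiceCommonNameAndIssuer":
            issuers = sections.get("ApplicationGateway/Http/ServiceCommonNameAndIssuer", {})
            if not issuers:
                findings.append("ServiceCommonNameAndIssuer policy set but the issuer section is empty")
            for common_name, value in issuers.items():
                # The value is one or more comma-separated issuer thumbprints.
                for tp in value.split(","):
                    if normalize_thumbprint(tp) is None:
                        findings.append(f"issuer thumbprint for {common_name} is malformed: {tp.strip()!r}")
        elif policy == "None":
            findings.append("reverse proxy forwards to services without validating their certificates")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

Against the manifest in the thread the only finding is the one Adebeer noticed, `WebNodeType0: HttpGatewayEndpoint is http`; feed it the output of `Get-ServiceFabricClusterManifest` from a connected PowerShell session to check a live cluster.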

Nice, congratulations!

baoduy avatar Oct 12 '18 00:10 baoduy

Can anyone give me an update on how to configure the explorer/HTTP gateway to be https as well?

The problem with having the LB/reverse proxy configured for HTTPS but not the explorer is that once you visit an HTTPS URL via the LB/reverse proxy, you cannot visit the explorer because the browser caches the HTTPS certificate - so you have to either clear the HTTPS cache or visit the website in incognito (or via a particular node).

Not a showstopper, but certainly annoying and confusing for users!!

Adebeer avatar Oct 15 '18 10:10 Adebeer

I guess we can add a Cluster Certificate configuration so the Explorer will run in HTTPS mode as well.

baoduy avatar Oct 23 '18 01:10 baoduy

@Adebeer were you able to secure the SF Explorer endpoint? Sorry for the late response.. this was buried in my github notifications :(.

dkkapur avatar Mar 21 '19 23:03 dkkapur

@dkkapur No problem!

No - I ended up leaving the cluster explorer as http.

Adebeer avatar Mar 22 '19 02:03 Adebeer

Is there any update on this? I just checked on the latest version, SF Cluster 7.0.466.9590, with a gMSA account... and SF Explorer still doesn't work with https.

"security": {
  "ClusterCredentialType": "Windows",
  "ServerCredentialType": "Windows",
  "WindowsIdentities": {
    "ClustergMSAIdentity": "contoso\\svcGmsa$",
    "ClusterSPN": "http/sf.contoso.local",
    "ClientIdentities": [
      {
        "Identity": "CONTOSO\\gAdminServiceFabric",
        "IsAdmin": true
      },
      {
        "Identity": "CONTOSO\\gUserServiceFabric",
        "IsAdmin": false
      }
    ]
  },
  "CertificateInformation": {
    "ServerCertificate": {
      "Thumbprint": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "ThumbprintSecondary": "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY",
      "X509StoreName": "My"
    }
  }
}

@dkkapur fyi

rmsryu avatar Feb 27 '20 19:02 rmsryu
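A pre-flight check of the ClusterConfig.json itself, as an added example that is not part of this issue or of Service Fabric, for the configuration rmsryu posted above. It validates the Windows/gMSA security block (gMSA account name, SPN present, at least one admin identity, thumbprint syntax) and predicts which HTTP management endpoints will come up as TLS. The prediction encodes only what this thread reports: the reverse proxy is https once a reverse-proxy certificate is configured, while the HTTP gateway stays http unless the cluster credential type is X509 (a ServerCertificate under Windows security does not change that, per rmsryu). That rule is an assumption drawn from the thread, not documented behaviour. The sample config is constructed from the thread's fragments with the thumbprint replaced by a syntactically valid placeholder.

```python
"""Pre-flight check of a standalone Service Fabric ClusterConfig.json for a
Windows (gMSA) secured cluster: is the security block self-consistent, and
which HTTP management endpoints will come up as TLS.

Added example; not code from this issue or from Service Fabric. SAMPLE_CONFIG
is constructed from the fragments posted in the thread (thumbprint replaced by
a syntactically valid placeholder). The endpoint-protocol rules encode what
the thread reports and are an assumption, not documented behaviour.
"""
import json
import re

SAMPLE_CONFIG = json.loads(r"""
{
  "properties": {
    "security": {
      "ClusterCredentialType": "Windows",
      "ServerCredentialType": "Windows",
      "WindowsIdentities": {
        "ClustergMSAIdentity": "contoso\\svcGmsa$",
        "ClusterSPN": "http/sf.contoso.local",
        "ClientIdentities": [
          { "Identity": "CONTOSO\\gAdminServiceFabric", "IsAdmin": true },
          { "Identity": "CONTOSO\\gUserServiceFabric", "IsAdmin": false }
        ]
      },
      "CertificateInformation": {
        "ServerCertificate": {
          "Thumbprint": "0123456789ABCDEF0123456789ABCDEF01234567",
          "X509StoreName": "My"
        },
        "ReverseProxyCertificateCommonNames": {
          "CommonNames": [ { "CertificateCommonName": "sf.contoso.local" } ],
          "X509StoreName": "My"
        }
      }
    },
    "nodeTypes": [
      {
        "name": "WebNodeType0",
        "httpGatewayEndpointPort": "19080",
        "reverseProxyEndpointPort": "19081",
        "isPrimary": true
      }
    ]
  }
}
""")

THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA-1 thumbprint as hex


def expected_protocols(config):
    """Map node type -> {endpoint: 'http' | 'https'} for the HTTP gateway and reverse proxy."""
    security = config["properties"]["security"]
    certs = security.get("CertificateInformation", {})
    # Thread observation: any reverse-proxy certificate entry makes port 19081 https.
    reverse_proxy_tls = any(
        key in certs for key in ("ReverseProxyCertificate", "ReverseProxyCertificateCommonNames")
    )
    # Thread observation: the HTTP gateway (Explorer) is https only for X509 cluster credentials.
    gateway_tls = security.get("ClusterCredentialType") == "X509"
    result = {}
    for node_type in config["properties"]["nodeTypes"]:
        endpoints = {}
        if "httpGatewayEndpointPort" in node_type:
            endpoints["HttpGatewayEndpoint"] = "https" if gateway_tls else "http"
        if "reverseProxyEndpointPort" in node_type:
            endpoints["HttpApplicationGatewayEndpoint"] = "https" if reverse_proxy_tls else "http"
        result[node_type["name"]] = endpoints
    return result


def audit_config(config):
    """Return a list of findings about the security block; empty means nothing to flag."""
    security = config["properties"]["security"]
    findings = []

    if security.get("ClusterCredentialType") == "Windows":
        identities = security.get("WindowsIdentities", {})
        gmsa = identities.get("ClustergMSAIdentity")
        if gmsa and not gmsa.endswith("$"):
            findings.append("ClustergMSAIdentity is not a gMSA account name (expected a trailing '$')")
        if gmsa and not identities.get("ClusterSPN"):
            findings.append("gMSA cluster identity configured without a ClusterSPN")
        if not any(c.get("IsAdmin") for c in identities.get("ClientIdentities", [])):
            findings.append("no ClientIdentity with IsAdmin=true; nobody can administer the cluster")

    for name, entry in security.get("CertificateInformation", {}).items():
        if not isinstance(entry, dict):
            continue  # e.g. thumbprint lists; only certificate objects are checked here
        for key in ("Thumbprint", "ThumbprintSecondary"):
            value = entry.get(key)
            if value is not None and not THUMBPRINT_RE.match(re.sub(r"[\s:]", "", value)):
                findings.append(f"{name}.{key} is not a 40-hex SHA-1 thumbprint")

    for node_type, endpoints in expected_protocols(config).items():
        for endpoint, proto in endpoints.items():
            if proto != "https":
                findings.append(f"{node_type}: {endpoint} will be plaintext {proto}")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
```

On the thread's configuration the audit reports only `WebNodeType0: HttpGatewayEndpoint will be plaintext http`, which is the state every commenter ended up in; point `audit_config` at the JSON you are about to pass to `CreateServiceFabricCluster.ps1` or a config upgrade to catch it before the cluster is built.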

Any more updates on this? It's not ideal having http traffic to the explorer.

gdoddsy avatar Feb 12 '24 04:02 gdoddsy

I guess there's still nothing here. As @Adebeer has mentioned, you can't easily access the HttpGatewayEndpoint once you hit something secure on the reverse proxy, because your browser now expects it to be HTTPS. There must be a way to fix this!

gdoddsy avatar Aug 16 '24 06:08 gdoddsy