HTTPS endpoints not working in Service Fabric local cluster


I am able to run a stateless service in a local Service Fabric cluster. However, when I add an HTTPS endpoint, activation fails.

I made the following changes:

ServiceManifest.xml:

<Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="my_api_cert" />

ApplicationManifest.xml:

<Policies>
  <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="my_api_cert" />
</Policies>
<Certificates>
  <EndpointCertificate X509FindValue="[Api_SslCertHash]" Name="my_api_cert" />
</Certificates>

I have uploaded the newly created certificate to the Local Machine\My store too.

I get the following error in cluster manager:

Error event: SourceId='System.Hosting', Property='Activation:1.0:1.0'. There was an error during activation.

What could be the solution for this issue?

3

There are 3 best solutions below

3
On

Try to add the following to ApplicationManifest.xml:

<ServiceManifestImport>
  <ServiceManifestRef ServiceManifestName="WebApiServicePkg" ServiceManifestVersion="1.0.0" />
  <ConfigOverrides />
  <Policies>
    <EndpointBindingPolicy CertificateRef="SslCert" EndpointRef="ServiceEndpoint" />
  </Policies>
</ServiceManifestImport>
<Certificates>
  <EndpointCertificate Name="SslCert" X509FindValue="[SslCert_Thumbprint]" X509StoreName="My" />
</Certificates>

3
On

I had the exact same issue and my problem was that I was not passing the correct thumbprint in ApplicationManifest.xml. Make sure your [Api_SslCertHash] has the correct cert thumbprint.

In Event Viewer > Microsoft Service Fabric, I saw this:

Failed to configure port certificate for port: [my port], certificatefindvalue [my wrong cert thumbprint], error 0x80070520

If you google this error code, you'll see it has to do with binding SSL with IIS or something similar. So that narrowed it down to the certificate, and then I realized I was not using the correct cert.

Check and see if you missed anything: http://ronaldwildenberg.com/running-an-azure-service-fabric-cluster-locally-on-ssl/ This link is a step-by-step tutorial on adding HTTPS to a Service Fabric service, and you can use it as a checklist.

1
On

As others have mentioned, this can happen when the certificate thumbprint is incorrect. However, there is one specific reason for the thumbprint to be incorrect that can be so frustrating to figure out that it deserves its own answer.

I'll quote TChiang phorego (Partner) from the MSDN forums (emphasis mine):

The trick is that when you copy the thumbprint from the certificate store, it comes with some hidden characters in the front (when I place the cursor at the front and press <- the cursor will not advance left), so when you paste it into the manifest, SF cannot install the service. So just make sure you remove the hidden characters and then it will be ok.
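
A way to catch the hidden-character problem described in the answers before deploying, as an added example that is not part of the original thread: the script parses an ApplicationManifest, resolves `[Parameter]` references against the manifest's own `DefaultValue`, and reports any non-hex character in a thumbprint by code point. The sample manifest and its thumbprint are constructed, and the leading U+200E is an assumed stand-in for the invisible pasted character; `check_thumbprints` and `clean_thumbprint` are names chosen for this example.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}

# Constructed sample: the thumbprint is made up and carries a leading U+200E
# (left-to-right mark), an assumed stand-in for the invisible pasted character.
SAMPLE_MANIFEST = (
    '<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">'
    '<Parameters><Parameter Name="Api_SslCertHash" '
    'DefaultValue="\u200e0123456789ABCDEF0123456789ABCDEF01234567" /></Parameters>'
    '<Certificates>'
    '<EndpointCertificate X509FindValue="[Api_SslCertHash]" Name="my_api_cert" />'
    '</Certificates></ApplicationManifest>'
)


def check_thumbprints(manifest_xml):
    """Return {certificate name: [problems]} for every EndpointCertificate."""
    root = ET.fromstring(manifest_xml)
    params = {p.get("Name"): p.get("DefaultValue", "")
              for p in root.iterfind("sf:Parameters/sf:Parameter", NS)}
    report = {}
    for cert in root.iterfind("sf:Certificates/sf:EndpointCertificate", NS):
        value = cert.get("X509FindValue", "")
        ref = re.fullmatch(r"\[(.+)\]", value)
        if ref:  # [Name] refers to an application parameter
            value = params.get(ref.group(1), "")
        problems = []
        for pos, ch in enumerate(value):
            if ch not in "0123456789abcdefABCDEF":
                name = unicodedata.name(ch, "unnamed")
                problems.append(f"U+{ord(ch):04X} {name} at index {pos}")
        if not problems and len(value) != 40:  # SHA-1 thumbprint = 40 hex digits
            problems.append(f"expected 40 hex digits, found {len(value)}")
        report[cert.get("Name")] = problems
    return report


def clean_thumbprint(value):
    """Keep only hex digits, dropping invisible characters and spaces."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


if __name__ == "__main__":
    for name, problems in check_thumbprints(SAMPLE_MANIFEST).items():
        print(name, "OK" if not problems else problems)
```

Values supplied at deployment time through an application parameters file override `DefaultValue`, so the same check should be run on whichever file actually provides the thumbprint.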