This article is contributed. See the original author and article here.

What is the Certificate Validation Issue? 


DigiCert introduced a new CA which reuses the signing key of an existing and still-valid CA. This means there are 2 different CA certificates in circulation, and either can be included in the chain built for a certificate signed by this shared key. Existing certificates declared in Service Fabric clusters by subject with issuer pinning are at risk of spontaneously failing validation.  


 


How to identify if your cluster is susceptible to the Certificate Validation Issue? 


This issue affects any SF cluster that uses a Cluster certificate that is a DigiCert-issued X509 certificate(s), declared by common name with issuer pinning with the following configuration: 



  • Certificate’s Authority Key Identifier Extension matches  



  • OId: 2.5.29.35 

  • KeyID=0f80611c823161d52f28e78d4638b42ce1c6d9e2 




  • SHA1 thumbprint 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4 



  • valid until 08/Mar/2023 

  • serial # 01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91 
     



  • SHA1 thumbprint 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C 



  • valid until 22/Sep/2030 

  • serial #02:74:2e:aa:17:ca:8e:21:c7:17:bb:1f:fc:fd:0c:a0 () 



  • Pinned-issuer list for cluster configuration includes 1fb86b1168ec743154062e8c9cc5b171a4b7ccb4 but does not include 626D44E704D1CEABE3BF0D53397464AC8080142C 


If your cluster is not configured using the above properties, you may disregard the rest of this post.  


 


Symptoms in impacted environments 



  • One or more cluster nodes appear down/unhealthy. 

  • Cluster is unreachable, whether from the Azure portal or directly (SFX/other clients). 

  • Event logs show errors like: “authorization failure: CertificateNotMatched”. 

  • Pending upgrades are not progressing/appear to be stuck.



Required Action 



  • Follow the Trouble Shooting guide with Mitigation steps: Troubleshooting Guide  

  • Mitigation specified in the TSG must be applied by you.  


 


If you have any questions or concerns, please contact us by opening a support request. In addition, here are your general support options for Service Fabric: Learn about Azure Service Fabric Support options – Azure Service Fabric | Microsoft Docs

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.