ServiceFabric standalone: Failed to get private key file


Question


I have a standalone ServiceFabric cluster (3 nodes). I created an SSL certificate for server and client authorization. Then I assigned the certificate thumbprint in the cluster config. Everything works okay (cluster health is OK and my applications work as well), but there are a lot of errors in the Microsoft-ServiceFabric/Admin log. The following warnings and errors are written to the log every minute:



  • CryptAcquireCertificatePrivateKey failed. Error:0x80090014
  • Can't get private key filename for certificate. Error: 0x80090014
  • All tries to get private key filename failed.
  • Failed to get the Certificate's private key. Thumbprint: {Cert Thumbprint}. Error: E_FAIL
  • Failed to get private key file. x509FindValue: {Cert Thumbprint}, x509StoreName: My, findType: FindByThumbprint, Error E_FAIL
  • SetCertificateAcls failed. ErrorCode: E_FAIL Can't ACL
  • FabricNode/ServerAuthX509FindValue, ErrorCode E_FAIL


I assigned write permissions on the private key storage to NETWORK SERVICE and SYSTEM. I also assigned the gMSA account to the PK storage. But the errors still appear in the log. On the other hand, everything looks fine, the cluster is up and running... Here is my cluster config (security part):

"security": {
    "ServerCredentialType": "X509",
    "ClusterCredentialType": "Windows",
    "WindowsIdentities": {
        "ClustergMSAIdentity": "gMSAccountName@domain.com",
        "ClusterSPN": "http/servicefabric"
    },
    "CertificateInformation": {
        "ServerCertificate": {
            "Thumbprint": "{Cert Thumbprint}",
            "X509StoreName": "My"
        },
        "ClientCertificateThumbprints": [
            {
                "CertificateThumbprint": "{Cert Thumbprint}",
                "IsAdmin": true
            }
        ],
        "X509StoreName": "My"
    }
},


For X.509 certificate creation I used OpenSSL 1.0.2k-fips 26 Jan 2017. I followed the steps from this article: https://gist.github.com/harishanchu/e82d759c0235379d1778f799992b5774 Could anyone clarify this issue?

Answer


It seems like you don't have a private key file in the MachineKeys folder. To verify whether a physical file exists in the folder, run this PowerShell command:

$certThumb = "1D6523F622E33DF46382D081BCA9AE9A2D8D78CC"   # replace with your certificate's thumbprint

Try
{
     # Newest certificate with that thumbprint in the machine store
     # (Sort-Object on the NotAfter property; "sort $_.NotAfter" does not sort by it)
     $WorkingCert = Get-ChildItem CERT:\LocalMachine\My |
         Where-Object { $_.Thumbprint -eq $certThumb } |
         Sort-Object NotAfter -Descending |
         Select-Object -First 1 -ErrorAction STOP
     if (-not $WorkingCert) { throw "certificate not found" }
     $TPrint = $WorkingCert.Thumbprint
     # For a CSP key this is the name of the key blob file under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
     $rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
}
Catch
{
     "Error: unable to locate certificate for $certThumb"
     Exit
}

if ($WorkingCert.PrivateKey) {
     $WorkingCert.PrivateKey
}
else
{
     # Note: the PrivateKey property is only populated for CSP (CAPI) keys;
     # it is $null for CNG keys even when a key file exists
     "No private key found"
}


If you get the "No private key found" message, it means there is no private key in the MachineKeys folder, even though the certificate properties may claim otherwise (there is a key icon and the message "You have a private key that corresponds to this certificate"). I don't know why, but for some certificates the above situation happens.


As a workaround, follow these steps:



  1. Go to the local machine cert store and delete your certificate.
  2. Import your certificate to the local user store first.
  3. Then import your certificate to the local machine store.
  4. Set access rights for Network Service user.


If you follow the steps above, the private key will be added to the MachineKeys folder and the errors will disappear. Obviously you have to repeat these steps for every cluster node.
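The following PowerShell script is an added example; it is not part of the original question or answer. It combines the check the answer's script performs with the four workaround steps: it locates the certificate by thumbprint in LocalMachine\My, resolves the private key file on disk for both legacy CSP keys (RSA\MachineKeys) and CNG keys (Crypto\Keys), reports whether the file is really there, lists the file's ACL, and can either grant NETWORK SERVICE read access or re-import the PFX user-store-first as the answer suggests. Unlike the answer's script it uses GetRSAPrivateKey(), because X509Certificate2.PrivateKey is $null for CNG keys even when a key exists. The script name, the parameter names and the key directories are assumptions (the directories are the standard locations on Windows Server); the re-import branch needs the original PFX and its password.

```powershell
# Added example, not part of the original answer. Run in an elevated PowerShell on each node.
# Assumptions: the certificate is in LocalMachine\My; -Thumbprint is a placeholder you supply;
# Fabric.exe runs as NETWORK SERVICE (the default), which is why that account needs Read on the key.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$PfxPath,                               # only needed for the re-import workaround
    [System.Security.SecureString]$PfxPassword,     # password of that PFX
    [switch]$GrantNetworkService
)
$ErrorActionPreference = 'Stop'

# Thumbprints pasted from the certificate MMC snap-in often carry spaces or an invisible BOM.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

if ($PfxPath) {
    # Workaround from the answer: delete from the machine store, import into the user store
    # first, then into the machine store. Import-PfxCertificate is from the built-in PKI module.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean } | Remove-Item
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My  -Password $PfxPassword | Out-Null
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword | Out-Null
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $clean } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert)               { throw "No certificate with thumbprint $clean in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key associated with it" }

# X509Certificate2.PrivateKey is $null for CNG (KSP) keys even when a key exists, so the
# answer's check misses them; GetRSAPrivateKey() opens both CSP and CNG keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Private key could not be opened (not RSA, or no access for the current user)" }

$cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info       = $rsa.CspKeyContainerInfo
    $provider   = "CSP  $($info.ProviderName)"
    $candidates = @(Join-Path $cryptoRoot "RSA\MachineKeys\$($info.UniqueKeyContainerName)")
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider   = "CNG  $($rsa.Key.Provider.Provider)"
    # Software KSP machine keys live in Crypto\Keys (older builds used Crypto\SystemKeys).
    $candidates = @('Keys', 'SystemKeys') | ForEach-Object { Join-Path $cryptoRoot "$_\$($rsa.Key.UniqueName)" }
} else {
    throw "Unexpected key implementation $($rsa.GetType().FullName)"
}

$keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
"Subject  : $($cert.Subject)"
"Provider : $provider"
if (-not $keyFile) {
    # The store says "You have a private key" but no key file exists on disk:
    # the situation the answer describes. Re-import before touching ACLs.
    Write-Warning "No key file found at: $($candidates -join '; '). Re-run with -PfxPath to re-import."
    exit 1
}
"Key file : $keyFile"

# Who can read the key today; NT AUTHORITY\NETWORK SERVICE must be listed for Service Fabric to use it.
(Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

if ($GrantNetworkService) {
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to NETWORK SERVICE"
}
```

Saved as, for instance, Check-SfCertKey.ps1 (name assumed), a plain check is `.\Check-SfCertKey.ps1 -Thumbprint '<thumbprint>'`; add `-GrantNetworkService` to fix the ACL once the file exists, or `-PfxPath .\server.pfx -PfxPassword (Read-Host -AsSecureString)` to perform the re-import first. Read access is all Fabric.exe needs to use the key; granting Write or Full Control to NETWORK SERVICE, as the question describes, is broader than necessary.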
