sfctl Connection Errors with Self-Signed Certificate on Windows 11

Deyvid Todorov 0 Reputation points
2024-12-10T14:20:26.81+00:00

I am running sfctl on Windows 11 and have the latest version of it. I followed the official guide to set up sfctl: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cli

Environment
SF Cluster Version (Windows Scaleset): 10.1.1541.9590
OS: Windows 11
Name: sfctl
Version: 11.2.1
Summary: Azure Service Fabric command line
Home-page: https://github.com/Azure/service-fabric-cli
Author: Microsoft Corporation
Author-email: sfpythoncli@microsoft.com
License: MIT
Location: C:\Python\Python313\Lib\site-packages
Requires: adal, applicationinsights, azure-servicefabric, future, joblib, knack, msrest, msrestazure, portalocker, psutil, requests, six, tqdm

The certificate is a self-signed .pfx without password protection. Because I have old ciphers, I used this command to export it with the -legacy parameter:
openssl pkcs12 -in server.pfx -out mycert.pem -nodes -legacy

My endpoint is https://my-cluster:19080 and I am trying this command. (When I try to access it from the browser explorer, I have to select the certificate, and then the HTTPS connection still stays not secure.)

sfctl cluster select --endpoint "https://my-service-fabrcic.cluster:19080" --pem ./mycert.pem --no-verify
Error:(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1018)'))

I tried with HTTP only and received another error:
Connection aborted.', ConnectionResetError(10054, 'An existing connection was forcibly closed by the remote host', None, 10054, None)))

I also tried with --cert and --key to export from the pfx without success.
How can I correctly configure sfctl to work with my setup? Are there specific steps for handling self-signed certificates in this scenario?

Thanks!


1 answer

  1. Sai Krishna Katakam 1,510 Reputation points Microsoft Vendor
    2024-12-11T01:23:40.7233333+00:00

    Hi Deyvid Todorov,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    To resolve the connection errors with sfctl when using a self-signed certificate on Windows 11, please follow these steps:

    Import the self-signed certificate into the Trusted Root Certification Authorities store on your Windows 11 machine. Open the Certificate Manager by typing certmgr.msc in the Run dialog (Win + R). Navigate to Trusted Root Certification Authorities > Certificates. Right-click and select Import, then follow the prompts to import your .pem certificate.

    Verify you are specifying the correct paths to your certificate and key files. If you have exported the certificate and key separately, use the --cert and --key options. Example command:

    sfctl cluster select --endpoint "https://my-service-fabric.cluster:19080" --cert ./mycert.pem --key ./mykey.pem --no-verify

    Make sure that both your sfctl and Service Fabric cluster are up to date. Compatibility issues can sometimes cause unexpected errors.

    For more details, please refer to the documentation below:
    Service Fabric cluster security scenarios

    If an answer has been helpful, please consider accepting the answer and "Upvote" to help increase visibility of this question for other members of the Microsoft Q&A community.
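
A preflight check for the PEM written by the `openssl pkcs12 ... -nodes -legacy` export in the question, as an added example that is not part of the original thread and not sfctl's own code: it confirms the file holds a certificate and exactly one unencrypted private key (a single-file client certificate for `--pem` has to contain both) and splits it into clean strings for `--cert` and `--key`. The function names and the sample PEM are constructed for illustration.

```python
import re

# One PEM block; the label must be identical in the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed sample shaped like `openssl pkcs12 -nodes` output (not real key material).
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = my-cluster
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
Bag Attributes
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
"""

def inspect_pem(text):
    """Classify the PEM blocks found in an exported .pem file."""
    certs, keys, encrypted = [], [], False
    for m in PEM_BLOCK.finditer(text):
        label, body, block = m.group(1), m.group(2), m.group(0) + "\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append(block)
            # PKCS#8 "ENCRYPTED PRIVATE KEY" label, or the legacy Proc-Type header
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
    return {"certs": certs, "keys": keys, "encrypted_key": encrypted}

def split_for_sfctl(text):
    """Return (cert_pem, key_pem) without 'Bag Attributes' lines, for --cert/--key."""
    info = inspect_pem(text)
    if not info["certs"]:
        raise ValueError("no CERTIFICATE block: the export has no client certificate")
    if len(info["keys"]) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(info["keys"]))
    if info["encrypted_key"]:
        raise ValueError("private key is still encrypted: re-export with -nodes")
    # Assumption: a self-signed export holds a single certificate, so take the first.
    return info["certs"][0], info["keys"][0]

if __name__ == "__main__":
    cert, key = split_for_sfctl(SAMPLE)
    print("certificate bytes:", len(cert), "key bytes:", len(key))
```

A file that passes this check contains an unencrypted private key, so keep it readable only by the account that runs sfctl.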
