Connect-ServiceFabricCluster fails after Certificate Rotation


I am in the process of rotating certificates on an on-premise version of D365FO. I changed the certificates and I tried to reinstall the LocalAgent using the new certificates (client, server and serviceprincipal) and it highlighted CertificateNotMatched with the following error.

PS C:\Infrastructure\Scripts\LocalAgent26> .\LocalAgentCLI.exe Install .\localagent-config.json
Invoking ef6.exe database update --assembly OrchestrationService.DataModels.dll --connection-string "Data Source='xxxxx';Initial Catalog = 'xxxxx'; Integrated Security = True;  MultipleActiveResultSets=True"  --connection-provider System.Data.SqlClient  --project-dir C:\Infrastructure\Scripts\LocalAgent26
LocalAgentCLI.exe Error: 0 : Exception System.AggregateException: One or more errors occurred. ---> System.Fabric.FabricServerAuthenticationFailedException: FABRIC_E_SERVER_AUTHENTICATION_FAILED: CertificateNotMatched ---> System.Runtime.InteropServices.COMException: Exception from HRESULT: 0x80071C44
   at System.Fabric.Interop.NativeClient.IFabricClusterManagementClient12.EndGetClusterManifest2(IFabricAsyncOperationContext context)
   at System.Fabric.FabricClient.ClusterManagementClient.GetClusterManifestAsyncEndWrapper(IFabricAsyncOperationContext context)
   at System.Fabric.Interop.AsyncCallOutAdapter2`1.Finish(IFabricAsyncOperationContext context, Boolean expectedCompletedSynchronously)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at SetupInfrastructure.ServiceFabricApplicationSetupManager`1.<GetImageStoreParameters>d__25.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at SetupInfrastructure.ServiceFabricApplicationSetupManager`1.<Deploy>d__24.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at LocalAgentCLI.Program.Main(String[] args)
---> (Inner Exception #0) System.Fabric.FabricServerAuthenticationFailedException: FABRIC_E_SERVER_AUTHENTICATION_FAILED: CertificateNotMatched ---> System.Runtime.InteropServices.COMException: Exception from HRESULT: 0x80071C44
   at System.Fabric.Interop.NativeClient.IFabricClusterManagementClient12.EndGetClusterManifest2(IFabricAsyncOperationContext context)
   at System.Fabric.FabricClient.ClusterManagementClient.GetClusterManifestAsyncEndWrapper(IFabricAsyncOperationContext context)
   at System.Fabric.Interop.AsyncCallOutAdapter2`1.Finish(IFabricAsyncOperationContext context, Boolean expectedCompletedSynchronously)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at SetupInfrastructure.ServiceFabricApplicationSetupManager`1.<GetImageStoreParameters>d__25.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at SetupInfrastructure.ServiceFabricApplicationSetupManager`1.<Deploy>d__24.MoveNext()<---

Press any key to exit


The key word I discovered is CertificateNotMatched, but I still don't know where exactly it's going wrong!

I also tried to Connect-ServiceFabricCluster using the new certServerThumbprint to the service fabric cluster and it gives the following error:

PS C:\Infrastructure\Scripts> ###### connect to the secure cluster using certs
$ClusterName= "xxx.xxx.xxx.xx.xx.xxxx:19000"
$CertThumbprint= "xxxxxxx"

Connect-serviceFabricCluster -ConnectionEndpoint $ClusterName -KeepAliveIntervalInSec 10 `
    -X509Credential `
    -ServerCertThumbprint $CertThumbprint  `
    -FindType FindByThumbprint `
    -FindValue $CertThumbprint `
    -StoreLocation CurrentUser `
    -StoreName My

WARNING: Failed to contact Naming Service. Attempting to contact Failover Manager Service...
WARNING: Failed to contact Failover Manager Service, Attempting to contact FMM...
False
Connect-serviceFabricCluster : FABRIC_E_CONNECTION_DENIED: CertificateNotMatched
At line:4 char:1
+ Connect-serviceFabricCluster -ConnectionEndpoint $ClusterName -KeepAl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Connect-ServiceFabricCluster], FabricConnectionDeniedException
    + FullyQualifiedErrorId : TestClusterConnectionErrorId,Microsoft.ServiceFabric.Powershell.ConnectCluster




Any help?
  • WillWU

    Hi Huggins Mafigu,

    Please make sure that the SSL certificate matches your SF Cluster endpoint URI.

    Check the thread and focus on sebbrochet's answer:

    github.com/.../146

    Hope this helps.

  • Huggins Mafigu

    Tried, still no luck! Certificates are present in both LocalMachine/My and CurrentUser/My. But I got something that I did not understand: the monitoringAgentCertThumbprint did not change from the previous value! Besides this, I still have no idea why it's still saying CertificateNotMatched after running Connect-serviceFabricCluster. But if I use the thumbprint of an old certificate, it's connecting.

    Any help please!

  • Suggested answer
    Huggins Mafigu

    I have managed to solve the problem. I did the process of upgrading the Service Fabric cluster using the following steps to make sure the certificates are rotated.

    Connect-ServiceFabricCluster

    Start-ServiceFabricClusterConfigurationUpgrade -ClusterConfigPath ClusterConfig.json

    Update-ServiceFabricClusterUpgrade -UpgradeReplicaSetCheckTimeoutSec 30

    Get-ServiceFabricClusterUpgrade

    Update-ServiceFabricClusterUpgrade -UpgradeReplicaSetCheckTimeoutSec 30

    This managed to solve my problem, and after this I was able to successfully connect to the cluster and also to install the local agent.
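
An added example, not part of the original posts: a pre-flight check that reports whether a thumbprint is actually listed in the cluster configuration before it is passed as -ServerCertThumbprint. It assumes the standalone ClusterConfig.json layout (properties.security.CertificateInformation); the function names, the sample JSON and the thumbprints are constructed for illustration.

```powershell
# Added example. Sample JSON and thumbprints are constructed, not taken from the thread.
function ConvertTo-NormalizedThumbprint {
    param([string]$Thumbprint)
    # Remove spaces and invisible characters (for example U+200E picked up when
    # copying from the certificate dialog), then upper-case for exact comparison.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-ClusterServerThumbprint {
    param(
        [Parameter(Mandatory)][string]$ConfigJson,   # content of ClusterConfig.json
        [Parameter(Mandatory)][string]$Thumbprint    # thumbprint you intend to connect with
    )
    $wanted = ConvertTo-NormalizedThumbprint $Thumbprint
    if ($wanted.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$wanted'." }

    # Assumed layout: properties.security.CertificateInformation.<role>.Thumbprint[Secondary]
    $info = ($ConfigJson | ConvertFrom-Json).properties.security.CertificateInformation
    foreach ($role in 'ClusterCertificate', 'ServerCertificate') {
        $primary   = ConvertTo-NormalizedThumbprint $info.$role.Thumbprint
        $secondary = ConvertTo-NormalizedThumbprint $info.$role.ThumbprintSecondary
        $slot = if ($wanted -eq $primary) { 'Primary' }
                elseif ($wanted -eq $secondary) { 'Secondary' }
                else { 'Absent' }
        [pscustomobject]@{ Role = $role; Slot = $slot; Primary = $primary; Secondary = $secondary }
    }
}

# Constructed sample: the configuration still lists only the old certificate (1111...).
$sampleConfig = @'
{ "properties": { "security": { "CertificateInformation": {
    "ClusterCertificate": { "Thumbprint": "1111111111111111111111111111111111111111", "X509StoreName": "My" },
    "ServerCertificate":  { "Thumbprint": "1111111111111111111111111111111111111111", "X509StoreName": "My" }
} } } }
'@

# New certificate thumbprint as pasted from the UI: leading U+200E and spaces included.
$newThumbprint = "$([char]0x200E)2222 2222 2222 2222 2222 2222 2222 2222 2222 2222"

Test-ClusterServerThumbprint -ConfigJson $sampleConfig -Thumbprint $newThumbprint |
    Format-Table Role, Slot, Primary
# To check a real file instead of the sample:
#   Test-ClusterServerThumbprint -ConfigJson (Get-Content .\ClusterConfig.json -Raw) -Thumbprint $CertThumbprint
```

A Slot of Absent for the new thumbprint means the configuration being checked does not yet reference the new certificate, which matches the behaviour in the thread where only the old thumbprint connected until the configuration upgrade was run.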
