Also check out my other post: Service Bus 1.1 - farm with custom certificate and DNS name.
Certificate should be of type AT_KEYEXCHANGE
Set-SBCertificate : Cannot validate argument on parameter ‘FarmCertificateThumbprint’. Certificate with thumbprint d63f327453d3693fa3b2d78541ca7d3808e58d46 cannot be used. Certificate should be of type AT_KEYEXCHANGE.
To solve this you need to generate a new certificate which complies with these requirements (taken from here):
- It must be valid thus the current system date and time should be between the Valid From and Valid To properties of the certificate.
- The Common Name (CN) in the Subject property of the certificate must be the same as the fully qualified domain name (FQDN) of the server computer.
- It must be issued for server authentication so the Enhanced Key Usage property of the certificate should include ‘Server Authentication (1.3.6.1.5.5.7.3.1)’.
- It must be created by using the KeySpec option of ‘AT_KEYEXCHANGE’.
- It must be placed in the certificate store of the local computer or current user (see below for details).
Which basically means you need to generate your certificate like so:

```
makecert -r -n "CN=servicebus.crp.contoso.local" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 12/31/2020 "Service-Bus-SSL.cer"
```
All certificates thumbprint is needed to go from generated certificates to custom certificates
Set-SBCertificate : All certificates thumbprint is needed to go from generated certificates to custom certificates.
This happens if you didn’t specify both `EncryptionCertificateThumbprint` and `FarmCertificateThumbprint`. So the fix is simple: specify both certificates, like so:

```
Set-SBCertificate -EncryptionCertificateThumbprint 9000356a2ccafd9e5284ac03eadf73ad813cfbfa -FarmCertificateThumbprint 9000356a2ccafd9e5284ac03eadf73ad813cfbfa -SBFarmDBConnectionString "Server=sqlserver;Trusted_Connection=true;Database=SbManagement;Connect Timeout=300"
```
Unable to obtain private key file name for certificate
Update-SBHost : Unable to obtain private key file name for certificate with thumbprint:9000356a2ccafd9e5284ac03eadf73ad813cfbfa
This tells you that the certificate doesn’t contain the private key in it. Basically you need to regenerate your certificate to make sure it has the private key.
```
# Add the -pe parameter to mark the generated private key as exportable.
makecert -n "CN=servicebus.crp.contoso.local" -r -pe -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 12/31/2020 "Service-Bus-SSL.cer"
```
Alternatively you can [get the PFX file for your certificate][get-pfx] if the private key is available.
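A pre-flight check for the certificate requirements listed earlier and for the missing-private-key case, as an added example that is not from the original post or from Service Bus. `Test-FarmCertificateRequirement` is a hypothetical helper name, and the code assumes Windows PowerShell on .NET Framework with a CSP-backed RSA key such as the one makecert creates here.

```powershell
# Added example: Test-FarmCertificateRequirement is a hypothetical helper, not a Service Bus cmdlet.
# Assumes Windows PowerShell (.NET Framework) and a CSP-backed RSA private key.
function Test-FarmCertificateRequirement {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $ExpectedName,   # name the certificate CN must match
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $cert = Get-Item -Path (Join-Path $StorePath $Thumbprint) -ErrorAction Stop
    $now  = Get-Date

    # Collect the Enhanced Key Usage OIDs; stays empty when the extension is absent.
    $ekuOids = foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }

    # CspKeyContainerInfo exists only when the private key is present and CSP-backed;
    # a CNG key makes the PrivateKey getter throw, which is treated as "unknown" here.
    $keyInfo = $null
    if ($cert.HasPrivateKey) {
        try { $keyInfo = $cert.PrivateKey.CspKeyContainerInfo } catch { $keyInfo = $null }
    }

    [pscustomobject]@{
        Subject          = $cert.Subject
        ValidNow         = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NameMatches      = ($cert.GetNameInfo('SimpleName', $false) -eq $ExpectedName)
        ServerAuthEku    = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
        HasPrivateKey    = $cert.HasPrivateKey
        # KeyNumber 'Exchange' corresponds to KeySpec AT_KEYEXCHANGE.
        KeyExchangeSpec  = ($keyInfo -and $keyInfo.KeyNumber -eq 'Exchange')
        # Key container file name; empty when no usable private key is attached.
        KeyContainerFile = if ($keyInfo) { $keyInfo.UniqueKeyContainerName } else { $null }
    }
}

# Usage with the thumbprint and DNS name used in this post:
# Test-FarmCertificateRequirement -Thumbprint 9000356a2ccafd9e5284ac03eadf73ad813cfbfa -ExpectedName servicebus.crp.contoso.local
```

Any `False` in the output corresponds to one of the requirements above, and an empty `KeyContainerFile` matches the "Unable to obtain private key file name" case.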
Non-zero exit code: -1
Set-SBFarm : Non-zero exit code: -1
This was a tough one to crack and googling didn’t help. So I resorted to reflection and looked inside C:\Program Files\Service Bus\1.1\Microsoft.ServiceBus.Commands.dll, where I found this:
```csharp
dictionary1.Add("SBFarmDNS", this.FarmDns);
// ...
[Function(Name = "Store.UpdateServiceConfig")]
public int UpdateServiceConfig([Parameter(DbType = "BigInt", Name = "ServiceId")] long? serviceId, [Parameter(DbType = "NVarChar(128)", Name = "Name")] string name, [Parameter(DbType = "NVarChar(MAX)", Name = "Value")] string value)
{
    return (int) this.ExecuteMethodCall((object) this, (MethodInfo) MethodBase.GetCurrentMethod(), (object) serviceId, (object) name, (object) value).ReturnValue;
}
```
So then I look inside the SbManagement database and find the `Store.UpdateServiceConfig` stored procedure. This is just this:

```sql
ALTER PROCEDURE [Store].[UpdateClusterConfig]
    @ClusterId bigint,
    @Name nvarchar(128),
    @Value nvarchar(max)
as
begin
    set nocount on
    update [Store].[ClusterConfig]
    set
        [Value] = @Value,
        [Revision] = [Revision] + 1,
        [Modified] = SYSDATETIMEOFFSET()
    where
        [ClusterId] = @ClusterId and
        [Name] = @Name
    if (@@ROWCOUNT <> 1)
        return -1
    return 0
end;
```
So basically it’s trying to update the SbManagement.Store.ServiceConfig record with `Name = 'SBFarmDNS'`. Funny thing is - I don’t see this record in the SbManagement.Store.ServiceConfig table.
So I try to add it manually via SQL:

```sql
insert into SbManagement.Store.ServiceConfig (ServiceId, Name, Value, Revision, Created, Modified)
values (1, 'SBFarmDNS', 'servicebus.crp.contoso.local', 1, getdate(), getdate())
```

Now when I run `Set-SBFarm -FarmDns servicebus.crp.contoso.local` it works.