Service Bus 1.1 - errors and their solutions

  2015-05-14


Also check out my other post: Service Bus 1.1 - farm with custom certificate and DNS name.


Certificate should be of type AT_KEYEXCHANGE

Set-SBCertificate : Cannot validate argument on parameter ‘FarmCertificateThumbprint’. Certificate with thumbprint d63f327453d3693fa3b2d78541ca7d3808e58d46 cannot be used. Certificate should be of type AT_KEYEXCHANGE.

To solve this you need to generate a new certificate which complies with these requirements (taken from here):

  • It must be valid; thus the current system date and time should be between the Valid From and Valid To properties of the certificate.
  • The Common Name (CN) in the Subject property of the certificate must be the same as the fully qualified domain name (FQDN) of the server computer.
  • It must be issued for server authentication so the Enhanced Key Usage property of the certificate should include ‘Server Authentication (1.3.6.1.5.5.7.3.1)’.
  • It must be created by using the KeySpec option of ‘AT_KEYEXCHANGE’.
  • It must be placed in the certificate store of the local computer or current user (see below for details).

This basically means you need to generate your certificate like so:

makecert -r -n "CN=servicebus.crp.contoso.local" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 12/31/2020 "Service-Bus-SSL.cer"

All certificates thumbprint is needed to go from generated certificates to custom certificates

Set-SBCertificate : All certificates thumbprint is needed to go from generated certificates to custom certificates.

This happens if you didn’t specify both EncryptionCertificateThumbprint and FarmCertificateThumbprint. So the fix is simple: specify both certificates, like so:

Set-SBCertificate -EncryptionCertificateThumbprint 9000356a2ccafd9e5284ac03eadf73ad813cfbfa -FarmCertificateThumbprint 9000356a2ccafd9e5284ac03eadf73ad813cfbfa -SBFarmDBConnectionString "Server=sqlserver;Trusted_Connection=true;Database=SbManagement;Connect Timeout=300"

Unable to obtain private key file name for certificate

Update-SBHost : Unable to obtain private key file name for certificate with thumbprint:‎9000356a2ccafd9e5284ac03eadf73ad813cfbfa

This tells you that the certificate doesn’t contain the private key in it. Basically you need to regenerate your certificate to make sure it has the private key.

# Add the -pe parameter to mark the generated private key as exportable.
makecert -n "CN=servicebus.crp.contoso.local" -r -pe -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 12/31/2020 "Service-Bus-SSL.cer"

Alternatively you can get the PFX file for your certificate if the private key is available.
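
The certificate requirements listed earlier and the private-key error above can both be checked before calling Set-SBCertificate. The following is an added example, not code from the original post: the function name Test-SBCertificateCandidate and its parameters are hypothetical, and it assumes Windows PowerShell with a CSP-backed key such as the one the makecert commands above create.

```powershell
# Added example: pre-flight check of a certificate against the listed requirements.
function Test-SBCertificateCandidate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $ExpectedCN,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    # Thumbprints copied from the certificate dialog can carry invisible
    # characters, so keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-Item -Path "$StorePath\$clean" -ErrorAction Stop

    $now = Get-Date
    $cn  = $cert.GetNameInfo('SimpleName', $false)   # CN of the subject

    # Collect the OIDs from the Enhanced Key Usage extension, if present.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }

    # KeySpec is readable only for CSP-backed keys; a CNG key or a missing
    # private key leaves $keySpec empty and fails the IsKeyExchange check.
    $keySpec = $null
    if ($cert.HasPrivateKey) {
        try { $keySpec = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber } catch { }
    }

    [pscustomobject]@{
        Thumbprint     = $clean
        InValidityDate = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        CNMatches      = ($cn -eq $ExpectedCN)
        HasServerAuth  = ($eku -contains '1.3.6.1.5.5.7.3.1')
        HasPrivateKey  = $cert.HasPrivateKey
        IsKeyExchange  = ("$keySpec" -eq 'Exchange')   # AT_KEYEXCHANGE
    }
}

# Usage (thumbprint and CN are the values used in this post):
# Test-SBCertificateCandidate -Thumbprint 9000356a2ccafd9e5284ac03eadf73ad813cfbfa -ExpectedCN servicebus.crp.contoso.local
```

Any property that comes back False points at the requirement the certificate fails; run it from an elevated prompt so the LocalMachine private key can be read.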

Non-zero exit code: -1

Set-SBFarm : Non-zero exit code: -1

This was a tough one to crack and googling didn’t help. So I resorted to reflection and looked inside C:\Program Files\Service Bus\1.1\Microsoft.ServiceBus.Commands.dll, where I found this:

dictionary1.Add("SBFarmDNS", this.FarmDns);

// ...

[Function(Name = "Store.UpdateServiceConfig")]
public int UpdateServiceConfig([Parameter(DbType = "BigInt", Name = "ServiceId")] long? serviceId, [Parameter(DbType = "NVarChar(128)", Name = "Name")] string name, [Parameter(DbType = "NVarChar(MAX)", Name = "Value")] string value)
{
    return (int) this.ExecuteMethodCall((object) this, (MethodInfo) MethodBase.GetCurrentMethod(), (object) serviceId, (object) name, (object) value).ReturnValue;
}

So then I look inside the SbManagement database and find the Store.UpdateServiceConfig stored procedure. It is just this:

ALTER PROCEDURE [Store].[UpdateClusterConfig]
    @ClusterId bigint,
    @Name nvarchar(128),
    @Value nvarchar(max)
as
begin
    set nocount on
    update [Store].[ClusterConfig]
    set
        [Value] = @Value,
        [Revision] = [Revision] + 1,
        [Modified] = SYSDATETIMEOFFSET()
        where
        [ClusterId] = @ClusterId and
        [Name] = @Name

    if (@@ROWCOUNT <> 1)
        return -1
    return 0
end;

So basically it’s trying to update the SbManagement.Store.ServiceConfig record with Name = 'SBFarmDNS'. Funny thing is - I don’t see this record in the SbManagement.Store.ServiceConfig table.

So I try to add it manually via SQL:

insert into SbManagement.Store.ServiceConfig (ServiceId, Name, Value, Revision, Created, Modified)
values (1, 'SBFarmDNS', 'servicebus.crp.contoso.local', 1, getdate(), getdate())

Now when I run Set-SBFarm -FarmDns servicebus.crp.contoso.local it works.
