Also check out my other post: Service Bus 1.1 - errors and their solutions.
The problem with Service Bus is that the auto-generated certificate is issued to the machine name. This means it can’t be used to authenticate against the FQDN (e.g. https://servicebus.crp.contoso.local:9355), because that differs from the machine name (e.g. https://johns-computer:9355).
The solution is to replace the auto-generated certificate with a custom one. The Service Bus certificate can be changed via Service Bus PowerShell using Set-SBCertificate. This article explains the steps.
1. Generate certificate
There are many ways to generate a certificate. We will use makecert.exe. Just open a command prompt and run this:
makecert -r -n "CN=servicebus.crp.contoso.local" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 12/31/2020 "Service-Bus-SSL.cer"
Then import Service-Bus-SSL.cer into “Trusted Root Certification Authorities” store via MMC.
2. Change farm’s certificate
Set-SBCertificate -EncryptionCertificateThumbprint fe00256a1cbefd9e3609ac03aadf73a4873bfba6 -FarmCertificateThumbprint fe00256a1cbefd9e3609ac03aadf73a4873bfba6 -SBFarmDBConnectionString "Server=sqlserver;Trusted_Connection=true;Database=SbManagement;Connect Timeout=300"
Which results in this message:
To complete your configuration update, please run Stop-SBFarm, then Update-SBHost on every machine of your farm, then run Start-SBFarm.
3. Install certificate on all farm hosts
In order to run Update-SBHost on other hosts, we need to import the certificate on those machines into the “Personal” (My) and the “Trusted Root Certification Authorities” (Root) stores. Of course we can do it via the MMC GUI, but come on! PowerShell everything!
But first get the .pfx file by exporting the certificate with the private key.
# Run this on the machine on which the certificate was initially generated and is already installed.
$mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
Get-ChildItem -Path cert:\localMachine\my\241973c6f454eafd55207460d0d2f4f434998dd7 | Export-PfxCertificate -FilePath "Service-Bus-SSL.pfx" -Password $mypwd
Then:
# Run this on each machine where you need to install the certificate.
$mypwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
Import-PfxCertificate -FilePath "Service-Bus-SSL.pfx" cert:\localMachine\my -Password $mypwd
Import-PfxCertificate -FilePath "Service-Bus-SSL.pfx" cert:\localMachine\Root -Password $mypwd
4. Set-FarmDNS
Set your farm’s DNS to align with the certificate you issued:
Set-SBFarm -FarmDns servicebus.crp.contoso.local
5. Update-SBHost
Now, to complete your configuration, you need to run Stop-SBFarm and then run Update-SBHost on each host machine. Once you’ve done that, you can finally start your farm with Start-SBFarm.
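A pre-flight check to run on each host before Update-SBHost, as an added example that is not part of the original post: it confirms the certificate is in both stores, carries its private key, has a subject CN equal to the farm DNS name, is within its validity period, and has the Server Authentication EKU. The function name Test-SBFarmCertificate and the thumbprint placeholder are assumptions; it uses only the certificate provider and .NET certificate properties.

```powershell
# Added example (hypothetical helper, not a Service Bus cmdlet).
function Test-SBFarmCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [Parameter(Mandatory = $true)] [string] $FarmDns
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # the EKU passed to makecert -eku in step 1
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # Step 3 imports the certificate into both of these stores.
    $cert   = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    $inRoot = Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint"

    # Collect the EKU OIDs from the certificate's extensions.
    $ekuOids = @()
    if ($cert) {
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    }

    $now = Get-Date
    $checks = [ordered]@{
        'In LocalMachine\My'         = [bool]$cert
        'In LocalMachine\Root'       = $inRoot
        # A .cer import has no private key; the hosts need the .pfx import.
        'Private key present'        = [bool]($cert -and $cert.HasPrivateKey)
        # The original problem: the certificate name must match the farm FQDN.
        "Subject CN equals $FarmDns" = [bool]($cert -and ($cert.GetNameInfo($nameType, $false) -eq $FarmDns))
        'Within validity period'     = [bool]($cert -and ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now))
        'Server Authentication EKU'  = ($ekuOids -contains $serverAuthOid)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

# Usage (replace the placeholder with the thumbprint given to Set-SBCertificate):
# Test-SBFarmCertificate -Thumbprint '<THUMBPRINT>' -FarmDns 'servicebus.crp.contoso.local'
```

Any row with Passed = False points at the step to repeat on that host before running Update-SBHost.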
Summary
This is far from simple. While I do think that Service Bus offers a really good feature set, I think it seriously lacks in the ease-of-setup aspect. These are some of the problems I see:
- Lack of proper GUI client
- Error messages are often not very helpful
- I found at least 1 bug (SBFarmDNS entry was missing from ServiceConfig table)