Azure DevOps on-premise cannot verify Kubernetess service connection - kubernetes

I am creating New Kubernetes service connection in Azure DevOps Server 2020 Update 1 via KubeConfig.
When I click to Verify that the connection it says that Verification Failed with the generic error:
Failed to query service connection API: 'https://ekm.mpu.cz/k8s/clusters/c-qmcrb/api/v1/nodes'. Error Message: 'An error occurred while sending the request.'
Please note that the Kubernetess instance is in the other domain.
I have the notion that the error could be with the certs are not imported somewhere on the machine, where the Azure DevOps is hosted, but I am unsure where. The MS documentation is silent about that as well.
So far I've tried to:
Import CA certs to the MMC under trusted publishers.
Import CA certs under cacerts in JAVA-HOME via keytool.
Import CA certs into azureTrustsStore.jks in JAVA-HOME via keytool.
For all 3 I've checked that the CA certs are imported correctly. But to no avail. Could you please advice or redirect me to the method, how to do it?
Additional Info:
While I cannot Verify and Save the connection, I still can Save it and then use it in the pipeline and it works OK! (sucesfully connect and execute the command).

Connection issues can occur for many reasons, but the root cause is often related to an error with one of these items: Network, Authentication, Authorization. You may refer to Basic troubleshooting of cluster connection issues for detailed troubleshooting steps.

Related

Running into certificate errors when running puppet agent config using vault lookup

I'm running into certificate errors when I run "puppet agent -t" using a vault lookup module in my branch for the agent config. Here's the errors I get:
"Failed to apply catalog: certificate verify failed" and "The certificate for does not match its private key"
The error persists even after I swap back to the production branch for the agent, where we then have to do an SSL clean to get the prod agent config to apply successfully.
Would setting up puppet to be the intermediaery CA be a good idea? Anybody run into this before?
We also setup approle auth for vault, but to no avail. Any help would be appreciated, thanks!
Unsuccessful solutions: vault app role auth, generating new keys, defining the ssl_cert manually in the agent config, and cleaning the agent cert from the master.

Service Fabric, Azure Devops Deployment fails : The specified network password is not correct

I was recently ordered by our IT team to disable the NAT pools on my service fabric cluster due to security risks. The only way I could do this was to deploy a new cluster with all its components.
Because this is a test environment I opt to use a self signed cert without a password for my cluster, the certificate is in my vault and the cluster is up and running.
The issue I have now is when I try to deploy my application from an Azure Devops Release Pipeline I get the following message:
An error occurred attempting to import the certificate. Ensure that your service endpoint is configured properly with a correct certificate value and, if the certificate is password-protected, a valid password. Error message: Exception calling "Import" with "3" argument(s): "The specified network password is not correct.
I generated the self signed certificate in Key Vault, downloaded the certificate and used Powershell to get the Base64 string for the service connection.
Should I create the certificate myself, with a password?
With the direction of the two comments supplied, I ended up generating a certificate on my local machine using the powershell script included with service fabric's local run time.
A small caveat here is to change the key size in the script to a large key size than the default, because ke vault does not support 1024 keys.
I then exported the pfx from my user certificates added a password(this is required for the service connection) and impoted the new pfx into my key vault.
Redeployed my cluster and it worked.

Service Fabric not starting service Error: FABRIC_E_CERTIFICATE_NOT_FOUND

I am trying to publish a Service Fabric service to my local cluster, but it never goes out of this state:
There was an error during activation.Failed to configure certificate
permissions. Error: FABRIC_E_CERTIFICATE_NOT_FOUND
Do you know what is this error related to?
How can I fix it?
As the error says, SF is unable to find the required cert in Cert store. You can find the missing cert info from the event error logs in Event Viewer-
%SystemRoot%\System32\Winevt\Logs\Microsoft-ServiceFabric%4Admin.evtx
Check using Certificate Manager if this cert is present and not expired. You can use this script also.
More info regarding the required certs can be found in this file. -
C:\SfDevCluster\Data\_App\_Node_0\{AppNameFromSf}\App.1.0.xml

Deploying a Service fabric app from Team Services to Azure

I need some help with deploying a Service fabric app from Team Services to Azure.
I’m getting the following error from the Agent in Team Services (see screenshot below):
2018-06-22T13:17:13.3007613Z ##[error] An error occurred attempting to
import the certificate. Ensure that your service endpoint is
configured properly with a correct certificate value and, if the
certificate is password-protected, a valid password.
Error message: Exception calling "Import" with "3" argument(s):
"Cannot find the requested object.
Please advise.
Here is my Service Fabric Security security page, don't remember where I set up the password needed on the VSTS side but I took note of it and believe it's correct.
Here is the Endpoint page on the VSTS side:
Issue resolved with the help of MS Support by creating a new Certificate in the Key Vault and Adding it to the Service Fabric, steps:
Azure Portal:
Home > Key vaults > YourKeyVault - Certificates: Generate/Import
Generate new key with a CertificateName of your choosing and CN=CertificateName as Subject.
Home > Key vaults > YourKeyVault - Certificates > CertificateName
Select the only version available and Download in PFX/PEM format.
Power Shell: Convert to Base64 string, CertificateBase64
[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("c:\YourCertificate.pfx"))
Home > YourServicefabric - Security: Add
Add the Certificate you created as Admin Client by providing 's thumbprint.
VSTS/TFS:
Build and release > Your pipeline: Edit
In the Deployment Process Service Fabric Environment click Manage for Cluster Connection and add a new connection. Besides the other information, in the Client Certificate paste the previous CertificateBase64.
Check the Service Endpoint in VSTS:
Whether it has a properly base64 encoded certificate, with a private key.
Also, check if the provided passphrase is correct.
Also, check if the service endpoint is configured as tcp://mycluster.region.cloudapp.azure.com:19000.
Check if the thumbprint is correct.

Handshaking with Octopus server fails from a TeamCity agent

We've been successfully using TeamCity and Octopus on a single machine, and now we have added a new build agent due to growing number of simultaneous builds. I have set up a new Octopus Tentacle and verified that Tentacle is reachable from the Octopus server in Listener role. However,any build that uses Octopack fails when executed on the new TeamCity agent. Here is an extract from the build log:
Running command: octo.exe create-release --server
servername:8443 --apikey SECRET --project NRK Bridge (Legacy)
--enableservicemessages --version 0.0.0.662 --deployto Dev --waitfordeployment --package=NRK.Bridge.Web:0.0.0.662 --packageversion=0.0.0.662
[12:06:02]Creating Octopus Deploy release
[12:06:02]Octopus Deploy Command Line Tool, version 2.0.8.22
[12:06:03]Handshaking with Octopus server: servername:8443
[12:06:06]The following certificate errors were
encountered when establishing the HTTPS connection to the server:
RemoteCertificateChainErrors
[12:06:06]Certificate subject name: CN=servername
[12:06:06]Certificate thumbprint: 79C26(...)
[12:06:07]The following certificate errors were encountered when
establishing the HTTPS connection to the server:
RemoteCertificateChainErrors
[12:06:07]Certificate subject name: CN=servername
[12:06:07]Certificate thumbprint: 79C26(...)
[12:06:08]The following certificate errors were encountered when
establishing the HTTPS connection to the server:
RemoteCertificateChainErrors
What I noticed is that the certificate thumbprint in the build log is different from thumbprints shown in Octopus server machine page. I tried to generate a new API key and re-register a Tentacle. Am I overlooking something here?
Did you copy the Api key into Team City? The api key is different to thumb prints. Api Key can be found in Octopus Admin section, under users tab.