service-fabric: EventStore Events has No Items to Display and Indicates an Error Message

A new service fabric cluster (v6.4.622.9590) was deployed in Azure using the page here to add the relevant section to the ARM template. Deployment was successful and the cluster is healthy. The service fabric:/System/EventStoreService is ready and healthy.

Error message in UI: image

Error: null failed. Code: E_ACCESSDENIED Message: Access Denied.

Everything else in the UI is accessible and works. What could be causing the error?

About this issue

  • Original URL
  • State: open
  • Created 5 years ago
  • Reactions: 1
  • Comments: 34 (15 by maintainers)

Most upvoted comments

I can’t believe you would recommend using issuer thumbprint when service fabric team has announced in blog post that thumbprints are basically evil. If other customers feel the same way, please let your opinion be known.

https://blogs.msdn.microsoft.com/azureservicefabric/2018/04/27/secrets-management-through-certificate-common-names/

Please reconsider.

+2
juho-hanhimaki on Feb 1, 2019

Yep, I am not fully happy with this either. There exists no good reason to require certificateIssuerThumbprint for a certificate that is totally valid and issued by trusted root CA.

Cluster also doesn’t require it. It’s only EventStore and BackupRestoreService that do.

Managing IssuerThumbprints is unnecessary burden as it’s totally normal that the Issuer might change when certificates are renewed/new certificates are bought.

+1
juho-hanhimaki on Feb 1, 2019

@ibabou I was finally able to figure out what is causing the issue. It seems the EventStore and BackupRestoreService both can’t be reached when cluster certificate is bound by common name.

That is too bad because using common name to bind the certificate is considered a best practice: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-best-practices-security#secure-a-service-fabric-cluster-certificate-by-common-name https://docs.microsoft.com/fi-fi/azure/service-fabric/service-fabric-production-readiness-checklist

Hopefully something can be done to work around this issue?

Here are the specific changes I made to fix the issue:

Before:

    "virtualMachineProfile": {
     ...
                "certificate": {
                  "commonNames": [
                    "[parameters('certificateCommonName')]"
                  ],
                  "x509StoreName": "[variables('certificateStoreName')]"
                }

  "type": "Microsoft.ServiceFabric/clusters",
   ...
    "certificateCommonNames": {
      "commonNames": [
        {
          "certificateCommonName": "[parameters('certificateCommonName')]",
          "certificateIssuerThumbprint": ""
        }
      ],
      "x509StoreName": "[variables('certificateStoreName')]"
    }

After:

    "virtualMachineProfile": {
     ...
                "certificate": {
                  "thumbprint": "<mythumbrint>",
                  "x509StoreName": "[variables('certificateStoreName')]"
                }

  "type": "Microsoft.ServiceFabric/clusters",
   ...
    "certificate": {
      "thumbprint": "<mythumbrint>",
      "x509StoreName": "[variables('certificateStoreName')]"
    },
+1
juho-hanhimaki on Jan 31, 2019
Read more comments on GitHub
← service-fabric: DNS doesn't work in containers
service-fabric: Service Fabric Stateful Service in Azure - RAM usage keeps growing. Possible memory leak →