%3CLINGO-SUB%20id%3D%22lingo-sub-797380%22%20slang%3D%22en-US%22%3EAzure%20Service%20Fabric%20%7C%20Adding%20Application%20Certificate%20to%20the%20Linux%20Cluster.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-797380%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EScenario%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EI%20wanted%20to%20add%20an%20Application%20Certificate%20to%20the%20Service%20Fabric%20Cluster.%20I%20searched%20online%20and%20found%20that%20using%20the%20command%20Add-AzServiceFabricApplicationCertificatewe%20can%20add%20a%20certificate%20to%20the%20Cluster.%20However%2C%20I%20was%20getting%20below%20error%20while%20doing%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EError%20Message%3A%20%E2%80%9CNo%20VMSS%20was%20found%20under%20resource%20group%3A%20ServiceFabric_RG%20with%20servicefabric%20extension%20and%20cluster%20id%3A%20bxxxxxxxxx-15ab-4cde-servicefabric%E2%80%9D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EScreenshot%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Blog.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F126390i00E4A225D1F33371%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Blog.png%22%20alt%3D%22Blog.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ECause%20and%20Resolution%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20cmdlet%20AzServiceFabricApplicationCertificate%20works%20only%20on%20Windows%20based%20Azure%20Service%20Fabric%20Cluster.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%E2%80%99t%20use%20%3CSTRONG%3E%3CEM%3Eaz%20sf%20application%20certificate%20add%20%3C%2FEM%3E%3C%2FSTRONG%3ECLI%20command%20as%20this%20is%20deprecated.%26nbsp%3B%20If%20you%20use%20this%20CLI%20command%20it%20will%20fail%20with%20%3CFONT%20color%3D%22%23FF0000%22%3Eaz%20%3A%20ERROR%3A%20add_app_cert()%20missing%201%20required%20positional%20argument%3A%20'client'%20error.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20should%20be%20using%20%3CSTRONG%3E%3CEM%3EAdd-AzVmssSecret%20%3C%2FEM%3E%3C%2FSTRONG%3Ecommand%20instead%20to%20add%20certificates%20to%20the%20clusters%20(This%20command%20works%20for%20both%20Windows%20and%20Linux%20clusters)%20-%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fpowershell%252Fmodule%252Faz.compute%252Fadd-azvmsssecret%253Fview%253Dazps-2.6.0%26amp%3Bdata%3D02%257C01%257Cnavba%2540microsoft.com%257C2e6ea1b81d27452a12ff08d72bbb4a33%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637025956135734016%26amp%3Bsdata%3D02c9qXUzzAc1zXkNKwhIX3cBSScGVjqPXLzTEqWyrDE%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Faz.compute%2Fadd-azvmsssecret%3Fview%3Dazps-2.6.0%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSCRIPT%3E%26amp%3Bamp%3Bamp%3Bamp%3Blt%3B%2FSTRONG%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3B%2FP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%0A%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%24cert%20%3D%20Get-AzKeyVaultCertificate%20-VaultName%20%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BKey%20Vault%20Name%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%20-Name%20%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BCertificate%20Name%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3B%2FP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%0A%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%24Vault%20%3D%20Get-AzKeyVault%20-VaultName%20%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BKey%20Vault%20Name%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3B%2FP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%0A%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%24CertConfig%20%3D%20New-AzVmssVaultCertificateConfig%20-CertificateUrl%20%24cert.SecretId%26amp%3Bamp%3Bamp%3Bamp%3Blt%3B%2FP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%0A%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%24VMSS%20%3D%20Get-AzVmss%20-ResourceGroupName%20%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BResource%20Group%20Name%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Bnbsp%3B%20-VMScaleSetName%20%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BVMSS%20Name%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%26amp%3Bamp%3Bamp%3Bamp%3Bamp%3B%2339%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3B%2FP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%0A%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3BAdd-AzVmssSecret%20-VirtualMachineScaleSet%20%24VMSS%20-SourceVaultId%20%24Vault.ResourceId%20-VaultCertificate%20%24CertConfig%20%7C%20Update-AzVmss%26amp%3Bamp%3Bamp%3Bamp%3Blt%3B%2FP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%0A%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BP%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%26amp%3Bamp%3Bamp%3Bamp%3Blt%3BSTRONG%26amp%3Bamp%3Bamp%3Bamp%3Bgt%3B%3C%2FSCRIPT%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20note%20that%20if%20you%20use%20the%20above%20script%2C%20then%20it%E2%80%99ll%20add%20a%20new%20sourceVault%20section%20to%20the%20VMSS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHence%2C%20you%20need%20to%20create%20a%20new%20key%20vault%20in%20the%20same%20location%20as%20of%20the%20previous%20key%20vault%20and%20then%20create%20a%20new%20certificate%20inside%20it.%20You%20can%E2%80%99t%20add%20a%20new%20vaultCertificates%20entry%20to%20sourceVault%20using%20this%20command.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20and%20the%20alternate%20approach%20have%20been%20documented%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fvirtual-machine-scale-sets%252Fvirtual-machine-scale-sets-faq%2523when-i-run-update-azvmss-after-adding-more-than-one-certificate-from-the-same-key-vault-i-see-the-following-message%26amp%3Bdata%3D02%257C01%257Cnavba%2540microsoft.com%257C2e6ea1b81d27452a12ff08d72bbb4a33%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637025956135744013%26amp%3Bsdata%3DjB6jAPwZlmgUl2UtEq4oUdOFdR%252B5eDQumHgbmrjjJIE%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machine-scale-sets%2Fvirtual-machine-scale-sets-faq%23when-i-run-update-azvmss-after-adding-more-than-one-certificate-from-the-same-key-vault-i-see-the-following-message%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAuthor%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305093%22%20target%3D%22_blank%22%3E%40mrkar-MSFT%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-797380%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EAdding%20Application%20Certificate%20to%20the%20Linux%20Cluster.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3EError%20Message%3A%20%E2%80%9CNo%20VMSS%20was%20found%20under%20resource%20group%3A%20ServiceFabric_RG%20with%20servicefabric%20extension%20and%20cluster%20id%3A%20bxxxxxxxxx-15ab-4cde-servicefabric%E2%80%9D%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

Scenario:

I wanted to add an Application Certificate to the Service Fabric Cluster. I searched online and found that using the command Add-AzServiceFabricApplicationCertificatewe can add a certificate to the Cluster. However, I was getting below error while doing it.

 

Error Message: “No VMSS was found under resource group: ServiceFabric_RG with servicefabric extension and cluster id: bxxxxxxxxx-15ab-4cde-servicefabric”

 

Screenshot

Blog.png

 

Cause and Resolution

The cmdlet AzServiceFabricApplicationCertificate works only on Windows based Azure Service Fabric Cluster.

 

You can’t use az sf application certificate add CLI command as this is deprecated.  If you use this CLI command it will fail with az : ERROR: add_app_cert() missing 1 required positional argument: 'client' error.

 

You should be using Add-AzVmssSecret command instead to add certificates to the clusters (This command works for both Windows and Linux clusters) - https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvmsssecret?view=azps-2.6.0

 

<Script>

$cert = Get-AzKeyVaultCertificate -VaultName '<Key Vault Name>' -Name '<Certificate Name>'

$Vault = Get-AzKeyVault -VaultName '<Key Vault Name>'

$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl $cert.SecretId

$VMSS = Get-AzVmss -ResourceGroupName '<Resource Group Name>'  -VMScaleSetName '<VMSS Name>'

Add-AzVmssSecret -VirtualMachineScaleSet $VMSS -SourceVaultId $Vault.ResourceId -VaultCertificate $CertConfig | Update-AzVmss

</Script>

 

Please note that if you use the above script, then it’ll add a new sourceVault section to the VMSS.

 

Hence, you need to create a new key vault in the same location as of the previous key vault and then create a new certificate inside it. You can’t add a new vaultCertificates entry to sourceVault using this command.

 

This and the alternate approach have been documented here: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#whe...

 

Author: @mrkarMSFT