Calling WCF over HTTPS in Service Fabric : The request was aborted: Could not create SSL/TLS secure channel

Frontend | unresolved | 2 answers | 1990 views
抹茶落季 2021-01-24 05:06

I'm calling a WCF service over HTTPS. => The certificates are OK. See screenshot:

The client certificates are installed under my account and local computer. Both avai

2 answers
  •  日久生厌
    2021-01-24 06:09

    The problem was that network service account did not have the correct access rights to access the private key of the certificate.

    You can solve this in 2 ways.

    First one use powershell and a setup.bat to install and configure the certificates.

    In your service fabric service add Setup.bat in the root of the project. Edit the service manifest and add a setup entry point

    Setup.bat CodePackage

    The bat file should probably run with elevated trust. You can add the following in the Application Manifest inside the ServiceManifestImport:

    At the bottom of the application manifest (in the root of the xml) add the following to run as admin.

    The bat file is simple: powershell.exe -ExecutionPolicy Bypass -Command ".\Scripts\Install-Certificates.ps1"

    The powershell script can look like this

    
    # Password for the .pfx files. Renamed from the original "$pwd": $PWD is a
    # read-only automatic variable in PowerShell, so assigning to it fails.
    $pfxPassword = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
    
    function Set-CertificatePermission
    {
     param
     (
        [Parameter(Position=1, Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,
    
        [Parameter(Position=2, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$serviceAccount
     )
    
     # Specify the user, the permissions and the permission type.
     # Read alone is enough for the service to use the key for TLS; FullControl
     # (what the answer grants) also lets the account delete or re-ACL it.
     $permission = "$($serviceAccount)","Read,FullControl","Allow"
     $accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
    
     # Location of the machine related keys. This only covers legacy CSP (CAPI) keys:
     # CNG keys live under Microsoft\Crypto\Keys and $cert.PrivateKey does not expose
     # them in Windows PowerShell, so the container name below would come back empty.
     $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"
     try
     {
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
     }
     catch
     {
        throw "Could not read the CSP key container of certificate $($cert.Thumbprint): $_"
     }
     if (-not $keyName)
     {
        throw "Certificate $($cert.Thumbprint) has no CSP private key in the machine store"
     }
     $keyFullPath = Join-Path $keyPath $keyName
    
     # Get the current acl of the private key
     $acl = Get-Acl -Path $keyFullPath
    
     # Add the new ace to the acl of the private key
     $acl.AddAccessRule($accessRule)
    
     # Write back the new acl
     Set-Acl -Path $keyFullPath -AclObject $acl
    }
    
    function Install-RootCA($path){
        Write-Host "Installing root certificate"
    
        # Imports the CA .pfx (with its private key) into the machine Root store.
        # Only the CA's public certificate needs to be trusted; if you have a .cer,
        # Import-Certificate does that without putting the CA key on the node.
        Import-PfxCertificate -FilePath $path -CertStoreLocation "Cert:\LocalMachine\Root" -Password $pfxPassword -Exportable
    }
    
    function Install-Certificate($path){
        Write-Host "Installing certificate"
    
         # Import-PfxCertificate returns the X509Certificate2 it stored, which
         # Set-CertificatePermission needs to locate the private key file.
         $cert = Import-PfxCertificate -FilePath $path -CertStoreLocation "Cert:\LocalMachine\My" -Password $pfxPassword -Exportable
         Set-CertificatePermission $cert "NT AUTHORITY\NETWORK SERVICE"
    }
    
    
    
    Install-RootCA ".\Certificates\CARoot.pfx"
    Install-Certificate ".\Certificates\ClientCert.pfx"
    

    This will install a certificate in the trusted root store (because we use self signed certificates) and install a certificate in the Personal store of the computer account. The important bit for Service Fabric is it also sets correct rights on the private key for network service to access it.

    Second method: manual, using mmc

    1. Press Windows Key + R
    2. Type mmc
    3. File => Add / Remove Snap-in
    4. Add Certificates
    5. Choose computer account
    6. Right click Trusted Root Certification Authorities\Certificates
    7. Import the root certificate *.pfx (Mark it as exportable)
    8. Right click Personal\Certificates
    9. Import the client certificate *.pfx (Mark it as exportable)
    10. Right click on the imported client certificate: All tasks => Manage Private Keys
    11. Add Network Service as a user and give it full control
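
Both methods in the answer above come down to one thing: the account the service runs under must be able to read the private key file that backs the client certificate. The following script is an added example, not code from the original answer or from Service Fabric. It generalises the answer's Set-CertificatePermission in two ways: it also finds the key file when the certificate was imported with a CNG key (which the answer's `$cert.PrivateKey.CspKeyContainerInfo` path cannot see), and it grants Read only instead of FullControl, then verifies the ACL. It assumes Windows PowerShell 5.1 or later running elevated (for instance from the setup entry point the answer describes), a certificate already in Cert:\LocalMachine\My, and that the caller supplies the thumbprint; the parameter names, function names and the "NT AUTHORITY\NETWORK SERVICE" default are this example's own choices.

```powershell
# Added example (not from the original answer): locate the private key file of a
# machine certificate for both legacy CSP (CAPI) and CNG keys, grant a service
# identity Read only, and verify the resulting ACL.
# Assumptions: Windows PowerShell 5.1+, elevated; certificate already imported into
# Cert:\LocalMachine\My; $Thumbprint and $Identity supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
)

$ErrorActionPreference = 'Stop'
$cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key in this store"
    }

    # Legacy CSP key: the container name comes from .PrivateKey and the file lives
    # under RSA\MachineKeys. .PrivateKey is null or throws for CNG keys, hence the try.
    try {
        $csp = $Cert.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) {
            return Join-Path $cryptoRoot ("RSA\MachineKeys\" + $csp.CspKeyContainerInfo.UniqueKeyContainerName)
        }
    } catch { }

    # CNG key: open it through the RSA extension method; for machine-scoped keys the
    # key's UniqueName is the file name under Crypto\Keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $cryptoRoot ("Keys\" + $rsa.Key.UniqueName)
    }
    throw "Private key of $($Cert.Thumbprint) is neither a CSP nor a CNG RSA key"
}

function Test-PrivateKeyRead {
    # True when an Allow ACE for $Identity covers at least the composite Read right.
    param([string]$KeyFilePath, [string]$Identity)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $aces = (Get-Acl -Path $KeyFilePath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    return [bool]$aces
}

function Grant-PrivateKeyRead {
    param([string]$Thumbprint, [string]$Identity)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $keyFile = Get-PrivateKeyFilePath -Cert $cert
    Write-Host "Private key file: $keyFile"

    if (Test-PrivateKeyRead -KeyFilePath $keyFile -Identity $Identity) {
        Write-Host "$Identity already has Read on the key; nothing to do"
        return
    }

    # Read is the least privilege that lets the service use the key for TLS;
    # FullControl would also let the identity delete or re-ACL it.
    $acl = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    if (-not (Test-PrivateKeyRead -KeyFilePath $keyFile -Identity $Identity)) {
        throw "ACL write succeeded but $Identity still lacks Read on $keyFile"
    }
    Write-Host "Granted Read on the private key to $Identity"
}

Grant-PrivateKeyRead -Thumbprint $Thumbprint -Identity $Identity
```

Run it once per node from an elevated prompt, e.g. `.\Grant-PrivateKeyRead.ps1 -Thumbprint <thumbprint>`; the Test-PrivateKeyRead call on its own is also a quick way to confirm, before touching anything, whether the "Could not create SSL/TLS secure channel" error is really a private-key ACL problem rather than a trust-chain one.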
