Known Issues with SSL certificate rotation feature in LCS
On April 22 2018, we released a feature in LCS that enabled Project owners and Environment managers to rotate the SSL certificate on the one-box environments deployed in their own subscription using the Rotate secrets feature. Since then we have had customers ask questions as well as report some issues.
This post will continue to be updated on the issues that the team is currently tracking along with potential workarounds.
Issue: SSL certificate rotation fails and the environment goes to Incomplete state
Answer: Check if VS is running on the machine. If so, close it, stop and start the environment from LCS and once the environment goes to Deployed status, trigger Rotate secrets action.
Issue: SSL certificate rotation fails for environments that have *sandbox.ax.dynamics.com instead of *.cloud.dynamics.com
Resolution Status: On April 23 2018 06:00:00 AM UTC, we have released a fix to take care of rotating the SSL certificates on *sandbox.ax.dynamics.com as part of the Rotate secrets feature.
Issue: Rotate secrets option does not show up for my environment
Answer: The Rotate secrets option is available to users that are logged in as Project owners or Environment managers for one-box Demo/DevTest environments that are in the Deployed state in customer/partner subscription (not managed by Microsoft). If your environment is in the Stopped state, the Rotate secrets option will not be available. If the above conditions are met and the Rotate secrets option is still not available, open a support incident.
Issue: Rotate secrets completes successfully and environment is usable but the Environment history page in LCS is not updated
Answer: We have found an issue in LCS that is causing the environment history to not be updated in a timely manner. There is a significant delay between the operation completing and the environment history being updated. We are investigating this issue. However, even if the environment history is not updated, the environment is safe to use.
Resolution Status: Fixed.
Issue: SSL certificate rotation completed successfully but the Environment details page still shows the warning message about cert rotation being needed
Answer: We have found a sync issue between LCS and the machine. The issue is causing the warning message to show even though the certification rotation operation completed successfully. If the certificate rotation is complete, you can ignore the warning and use the environment.
Resolution status: Fixed.
Issue: Environment is in Incomplete state after the certificate rotation has been completed
Answer: We are investigating the root cause for this issue. However, as a workaround to fix the environment state issue, first confirm if the certificate rotation completed successfully. To do that, complete the following steps. After you have confirmed that certificate rotation has completed successfully, you can start and stop the environment from LCS to fix the environment state. If there are specific services started on the machine, you must restart those services.
- Remote desktop into the machine and launch the IIS Manager.
- Go to Sites > AOSService > Site Bindings, and select https/403.
- Click Edit, and then click View on SSL certificate.
- If the Valid period is listed as 4/12/2018 to 4/12/2020, the certificate has been successfully rotated.
