none
FASTSearchCert Validation Errors RRS feed

  • Question

  • I currently have the following error in ULS.

    An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=FASTSearchCert\nIssuer Name: CN=FASTSearchCert\nThumbprint: D13E70D12CEBA759ACD12AFAEF3F72AAB3A10649\n\nErrors:\n\n SSL policy errors have been encountered. Error code '0x6'..

     

     I have imported the pfx using the docs - .\SecureFASTSearchConnector.ps1 –certPath "path of the certificate\certificatename.pfx" –ssaName "name of your content SSA" –username “domain\username”

     

    This is stopping my query SSA connecting to the search provider... any assitance would be appreciated

    Thursday, August 11, 2011 12:42 PM

All replies

  • Hello Zak,

    If you run

    Ping-SPEnterpriseSearchContentService fasthost.com:13391
    

    from the SP server, where fasthost.com is the host where you are running the content distributor, is the FASTSearchCert certificate still valid?

    Regards,
    Mikael Svenson 


    Search Enthusiast - SharePoint MVP/WCF4/ASP.Net4
    http://techmikael.blogspot.com/
    Thursday, August 11, 2011 1:37 PM
  • Hi Mike,

    here is the outpout.

    CN=FASTSearchCert     16B036B7EFCAA42691D0D94816DD6B352C3B225C      12/08/2012 14:31:07

     

    I have also tried using a cert generated by an AD CA, Computer Template with the FQDN of the fast server.

     

    Cheers

    Friday, August 12, 2011 1:29 PM
  • Hello Zak,

    Did it report true or false in the "ConnectionSuccess" column? And is indexing working, just not queries?

    -m


    Search Enthusiast - SharePoint MVP/WCF4/ASP.Net4
    http://techmikael.blogspot.com/
    Friday, August 12, 2011 1:32 PM
  • ConnectionSuccess is False. I havent setup any content crawls yet.

     

     

    Cheers

    Friday, August 12, 2011 2:02 PM
  • Hi Zak,

    Re-reading your question you had issues with the Query SSA. The step you executed was for the Content SSA.

    For queries you have to configure a claims certificate. Exporting it from the SharePoint server to the FAST QR server(s) as explained here "Enable queries from Microsoft SharePoint Server (FAST Search Server 2010 for SharePoint" - http://technet.microsoft.com/en-us/library/ff381253.aspx#BKMK_ConfigureClaimsAuthentication.

     

    Regards,
    Mikael Svenson 


    Search Enthusiast - SharePoint MVP/WCF4/ASP.Net4
    http://techmikael.blogspot.com/
    Friday, August 12, 2011 8:00 PM
  • Hi Mikael,

     

    Im getting myself a little confused here. Let me try this again.

     

     I have configured up the Content SSA, once done I have imported the pfx using the docs - .\SecureFASTSearchConnector.ps1 –certPath "path of the certificate\certificatename.pfx" –ssaName "name of your content SSA" –username “domain\username”.

    At this point the validation to the ContentDistributer cannot be verified and this is the error reported in ULS

    An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=FASTSearchCert\nIssuer Name: CN=FASTSearchCert\nThumbprint: D13E70D12CEBA759ACD12AFAEF3F72AAB3A10649\n\nErrors:\n\n SSL policy errors have been encountered. Error code '0x6'..

     

    Cheers

    Zak

    Monday, August 15, 2011 7:57 AM
  • Hello Zak,

    Ok, when you have configured the Content SSA and registered the certificate, the Ping command should return "true", even if you haven't crawled any content. The Ping command ensures the connection is ok and working.

    Are you sure the the SecureFASTSearchConnector step performed without errors? And did you use the domain\username of the OSearch14 service when you executed the command?

    You can try to regenerate the certificate and perform the SecureFASTSearchConnector one more time as outlines here: http://technet.microsoft.com/en-us/library/ff381244.aspx

    Regards,
    Mikael Svenson 


    Search Enthusiast - SharePoint MVP/WCF4/ASP.Net4
    http://techmikael.blogspot.com/
    Monday, August 15, 2011 12:44 PM
  • Hi Mikael,

    I have tried generating the certificate several times. I have also used our internal CA to generate a certificate for it. Eachtime the Content Distributer cannot be validated when using the SecureFASTSearchConnector.ps1 command. OSearch14 service is running under the same account i am using for the command.

     

     

    Cheers

     

    Monday, August 15, 2011 1:54 PM
  • Hello Zak,

    Troubleshooting this is not the easiest remote, but  can you check if the content distributor URL you used on the Content SSA is the same as in Install_Info.txt, and also check if it's the same as <fastsearchfolder>\etc\contentdistributo.cfg.

    Can you also double-check that the thumbprint is the same on the certificate on the FAST server and on the SP server.

    You can list the thumbprint for the FASTSearchCert in PowerShell like this:

    @(dir cert:\LocalMachine -recurse | ? { $_.Subject -eq 'CN=FASTSearchCert' })
    

    Regards,
    Mikael Svenson 


    Search Enthusiast - SharePoint MVP/WCF4/ASP.Net4
    http://techmikael.blogspot.com/
    Tuesday, August 16, 2011 7:02 AM
  • Hi Mikael,

    Having the exact same problem as Zak (same error, same status 'False' for the "Connection Success"...) , I have followed the instructions you gave to him, with the same success... :-(

    I have check the thumbprint (wich is exactly the same on both machines).

    But when checking the <fastsearchfolder>\etc\contentdistributor.cfg I found out that the port set in this file (13390)  was different from the one I had in the install_info.txt (13391) wich is the one I used for the Content SSA. (same URL different port)

    My question is : shall I redo the Content SSA settings using the port set in the contentdistributor.cgf, or shall I just change the value of the port in the contentdistributor.cfg according to the one set for the Content SSA (wich is the one given as result in the install_info.txt) ??

    Thanks in advance.


    • Edited by Phil Reed Tuesday, December 11, 2012 3:42 PM
    Tuesday, December 11, 2012 3:42 PM
  • Per the guidance on http://support.microsoft.com/kb/2619798 the port numbers in install_info.txt and contentdistributor.cfg are different by design.  Try regenerating the .pfx and exporting the FAST certificate to the SharePoint server.

    Also, you may want to reference http://social.technet.microsoft.com/Forums/sv/fastsharepoint/thread/4ee11fb2-73bc-4406-92e4-98ca1c154ca6.


    -:¦:- Ebony -:¦:- Enterprise Search Practice | Microsoft Services http://blogs.technet.com/b/ebonywashington/


    Thursday, February 28, 2013 9:00 PM