Some days ago this certificate expired within the Microsoft Information Worker VM. The reason I noticed is because I’m currently conduction a FAST for SharePoint workshop in Brussels, and this very morning all the attendees got the same error
Failed to connect to demo2010a.contoso.com:13391 Failed to initialize session with document engine: Unable to resolve Contentdistributor
Certainly not the easiest error to decode, but as I lectured on the importance of the validity period of the certificate yesterday I got on the right track in not too long…. after checking some logs in FAST and not finding anything in particular.
So we added the certificate replacement as an ad-hoc exercise.
If you want to fix this the quick way, here are the steps you need to take to get indexing back up on the image, and read my previous post as to how you can extend this longer than a year.
In a FAST PowerShell Command
net stop FASTSearchMonitoring
net stop FASTSearchService
cd C:\FASTSearch\installer\scripts
.\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true
net start FASTSearchService
net start FASTSearchMonitoring
In a SharePoint PowerShell Command
cd C:\FASTSearch\installer\scripts
.\SecureFASTSearchConnector.ps1 –certPath "..\..\data\data_security\cert\FASTSearchCert.pfx" –ssaName "FASTContent" –username "contoso\administrator"
iisreset
or you can do this which will handle all of the above in a single elevated PS instance:
ReplyDelete###################################
# Apply Certificate to FAST
###################################
write-host "Applying Certificate to FAST" -ForegroundColor Yellow
Add-PSSnapin AdminSnapIn
Add-PSSnapin Microsoft.FASTSearch.PowerShell
Add-PSSnapin Microsoft.SharePoint.PowerShell
stop-service FAST*
$installerdir = $env:FASTSEARCH + "installer\scripts"
cd $installerdir
$pw = ConvertTo-SecureString -AsPlainText -force pass@word1.\ReplaceDefaultCertificate.ps1 -generateNewCertificate $true -certificatePassword $pw
$cert = @(dir cert:\LocalMachine\My -recurse | ? { $_.Subject -eq 'CN=FASTSearchCert' })[0]
$thumb = $cert.Thumbprint
Start-service FAST*
.\SecureFASTSearchConnector.ps1 -certThumbprint $thumb -ssaName "FASTContent" -username "contoso\administrator"
Brian,
ReplyDeleteCool script with some powershell niceties I'll try to remember :D
Of course in production you would have to copy the certificate and use two shells as you would have at least two servers.
Thanks for posting this! I was wondering why my FAST Demo VM crawling stopped working :)
ReplyDeleteSezai, glad the post could be of help :)
ReplyDeleteI did the same steps and I am still getting the same error :-(
ReplyDeleteHave you checked the expiration date of the installed certificate to verify that it's the certificate which is the problem for indexing?
ReplyDeleteAfter renewing the certificate you need to follow the instructions under "Configure SSL enabled communication" here http://technet.microsoft.com/en-us/library/ff381261.aspx
ReplyDeletePeter: that is what the last step in the post does. Calling "SecureFASTSearchConnector.ps1".
ReplyDeleteI have the same error after about a year of everything working fine. I was confused as to why it had stopped working but I think this probably explains it. The thing is on my development box I'm not using SSL. So when I try to run the .\securefastsearchconnectior.ps1 command I get the following error:
ReplyDeleteCould not secure SSA. Script can be rerun to only configure SSA when reason for
error is detected.
New-SPEnterpriseSearchExtendedConnectorProperty : Operation is not supported fo
r Search Application of type Regular.
At C:\FASTSearch\installer\scripts\securefastsearchconnector.ps1:196 char:62
+ $unwanted = New-SPEnterpriseSearchExtendedConnectorProperty <<<< -Se
archApplication $script:ssaName -Name $mUseSsl -Value "true"
+ CategoryInfo : InvalidData: (Microsoft.Offic...nnectorProperty:
NewExtendedConnectorProperty) [New-SPEnterpris...nnectorProperty], Invalid
OperationException
+ FullyQualifiedErrorId : Microsoft.Office.Server.Search.Cmdlet.NewExtende
dConnectorProperty
Is there something else I must do?
You still have to configure the certificate due to crawling is using it for auth against the Content Distributor.
DeleteAnd be sure to run the script in a SharePoint shell. Should work fine if you closely follow the steps in the TechNet article.
That's great, thanks Mikael. It worked.
ReplyDeletei am getting the error
ReplyDeletethe underlying connection was closed : Could not cestablish trust relationship for the SSL/ TLS secure channel.
i have a 7 server farm
3 wfe 2 app server one fast server and one database server.
I had run the securefast script successfully after installing fast on the fast server. I also created the moss.cer and installed it on the fast box. When i was crawling i got a object not found error.
interesting bit is that the fast query can connect and crawl . i created a search center site and it returns results
I deleted the fast content service app and recreated it
but i dont get any results.
I tried the ping-spenterprisesearchcontentservice against the hostname and it came up with the connectionstatus as false for the fastsearch cert.
After a bit of hacking into the securefast script i found the
command Get-SPEnterpriseSearchExtendedConnectorProperty -SearchApplication $script:ssa Name -Identity"Middleware:use-ssl"
was returning an error "the underlying connection was closed : Could not cestablish trust relationship for the SSL/ TLS secure channel."
How do i open the connection
If you recreated the Content SSA you have to redo the certificate steps outlined at http://technet.microsoft.com/en-us/library/ff381261.aspx#BKMK_Configure_ssl_enabled_communication
DeleteCan someone help with the following question? After renewing the certificate is it possible to simply restart the incremental crawls ? It seems that a full crawl is the only option after the certificate renewal ? Is this correct? the problem we have now is that our full crawls take approx 15 hours and this will mean new content added will not be searchable by users until the full crawi is complete.
ReplyDeleteHi,
ReplyDeleteFull crawl should not be needed after replacing the certificate. I've never actually thought about this, but no reason why the cert update should set a flag to force a full crawl.
And a full crawl will not make content unsearchable. You are not resetting the index (or clearing the FAST index).
Worked as described, Info Worker Demo back in action, Thanks for the post Mikael, you da man...
ReplyDelete