microsoft / service-fabric-issues

This repo is for the reporting of issues found with Azure Service Fabric.


Add-AzureRmServiceFabricApplicationCertificate added cert cannot be removed

yuez1989 opened this issue · comments

Hi Service Fabric Team,

Our team encountered an issue that is similar to issue #932. We first tried to use Add-AzureRmServiceFabricApplicationCertificate on an Azure Key Vault that is not in the same location as our SF cluster. It threw an error, so we changed to another Key Vault. However, the VM setting still remembers the previous key vault address, thus the certificate cannot be installed and we got blocked.

The version of our Azure PowerShell was behind the bug fix version when we first called Add-AzureRmServiceFabricApplicationCertificate. After that, it was updated to the latest version. However the issue still persists. I think we still need to remove the old certificate from the VMs.

We applied the workaround @rovinbhandari provided in the original bug report. However, the last step did not work out:

Update-AzureRmVmss -ResourceGroupName $vmssrgname -Name $vmssname -VirtualMachineScaleSet $vmss

Error message:

Update-AzureRmVmss : Long running operation failed with status 'Failed'. Additional Info:'Key Vault https://[My KV]/secrets/[secret name]/[secret version]
either has not been enabled for deployment or the vault id provided,
/subscriptions/[resource ID]/resourceGroups/[OLD KeyVault Name]/providers/Microsoft.KeyVault/vaults/[OLD KeyVault Name], does not match the Key Vault's true resource id.'
ErrorCode: KeyVaultAccessForbidden

Please note that we supplied valid information both for the secret identifier and for the NEW key vault name. However, in the error message, the OLD key vault name overwrote the NEW key vault name we supplied.

Could you kindly help us solve this issue?

Appreciate your help since our production is blocked by this issue. Thank you!

Please raise a support request (ICM) through the Microsoft support channel for production issues.
Does the workaround mentioned in this comment work for you:

The workaround is to remove the offending cert in the vmss model by going to resources.azure.com

We redeployed the service and the cert is removed. Thank you!
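As an added example (not code from the issue thread or from Microsoft), here is one way to carry out the workaround the maintainer points at without editing JSON by hand in resources.azure.com: inspect the VMSS model for the secret group that still references the OLD Key Vault, remove it, and only then re-run Update-AzureRmVmss. Resource-group, scale-set and vault names are placeholders, and the EnabledForDeployment check assumes the AzureRM Key Vault cmdlets are installed alongside AzureRM Compute.

```powershell
# Added example (not from the issue thread): drop vaultCertificates that still point at
# the OLD Key Vault from the VMSS model before calling Update-AzureRmVmss.
# All names below are placeholders.
$rgName       = '<vmss-resource-group>'
$vmssName     = '<vmss-name>'
$oldVaultName = '<OLD KeyVault Name>'   # the vault that was in the wrong region
$newVaultName = '<NEW KeyVault Name>'
$dryRun       = $true                   # set to $false to actually apply the change

# 1. The error text also mentions "not been enabled for deployment": confirm the NEW
#    vault allows VMs to pull certificates before touching the VMSS model.
$newVault = Get-AzureRmKeyVault -VaultName $newVaultName
if (-not $newVault.EnabledForDeployment) {
    Write-Warning "Key Vault $newVaultName is not enabled for deployment; fix with:"
    Write-Warning "  Set-AzureRmKeyVaultAccessPolicy -VaultName $newVaultName -EnabledForDeployment"
}

# 2. Read the current VMSS model and list every secret group it references, so the
#    stale sourceVault id from the error message can be seen before anything changes.
$vmss    = Get-AzureRmVmss -ResourceGroupName $rgName -VMScaleSetName $vmssName
$secrets = $vmss.VirtualMachineProfile.OsProfile.Secrets
foreach ($group in $secrets) {
    "SourceVault: $($group.SourceVault.Id)"
    foreach ($cert in $group.VaultCertificates) { "  cert: $($cert.CertificateUrl)" }
}

# 3. Select the groups whose sourceVault resource id ends in the OLD vault name; that
#    id is exactly what the KeyVaultAccessForbidden error says does not match.
$stale = @($secrets | Where-Object { $_.SourceVault.Id -like "*/vaults/$oldVaultName" })
"Stale secret groups referencing ${oldVaultName}: $($stale.Count)"

if ($stale.Count -eq 0) {
    "Nothing to remove; the model no longer references $oldVaultName."
} elseif ($dryRun) {
    "Dry run: would remove $($stale.Count) group(s) and then call Update-AzureRmVmss."
} else {
    # Remove in place so the model keeps its typed list, then push the updated model.
    foreach ($group in $stale) { [void]$secrets.Remove($group) }
    Update-AzureRmVmss -ResourceGroupName $rgName -VMScaleSetName $vmssName -VirtualMachineScaleSet $vmss
}
```

Run it once with $dryRun left at $true to confirm only the OLD vault's group is selected, then flip it to $false; after the update succeeds, Add-AzureRmServiceFabricApplicationCertificate against the NEW vault no longer carries the stale reference.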