SharePoint 2013: How to replace expired WorkFlow Manager Certificates - Solution for Service bus error

Problem

The Workflow Manager suddenly stopped working in my SharePoint 2013 farm with Workflow 2013. None of the workflows associated with lists and libraries were working, and when I tried to start a workflow manually I got the error message below:

The reason behind this issue was that the Service Bus Gateway and Service Bus Message Broker services were not running. When I tried to start those services, I got the error below:

After that I used Event Viewer to troubleshoot the Service Bus on the server and found that the certificate requested with thumbprint XYZ had expired.

Solution

The solution to the problem above is to replace the expired Workflow Manager certificates. The steps below reset the expired certificates of a WFM farm by regenerating the WFM and SB certificate generation key:

Step 1

To reset the certificate generation key for WFM and SB, the following steps need to be done on the WFM node(s). The system date and clock of each WFM node must be set back to before the certificate expiration date (repeat this step on every node if the farm has multiple WFM nodes):

  • Stop the Windows Time service
  • Change the system date and clock to the day before the certificate expired (in this example, the cert expired on August 28th, 2020)

Note: It may happen that you stop the Windows Time service and try to change the system date, but the date does not change and reverts immediately after you update it. In that case, disable automatic time synchronization on the Hyper-V host for the virtual machine running the application server (the server on which Workflow Manager is installed).

Step 2

Once the system date and time have been set to before the expiration date, open the Workflow Manager PowerShell and follow the steps below. Make sure to save the output of the Workflow Manager PowerShell commands: pipe it to the clipboard and paste it into Notepad.
TIP: Append “|clip” to a command to pipe its output to the clipboard, then paste it into Notepad.
  • Get-WFFarm |clip
Use Get-WFFarm to figure out your WorkflowHostUri. When you run Get-WFFarm, it lists the URI of your workflow site along with the HTTP/HTTPS ports and a myriad of other information, so it's really helpful if you've forgotten those settings.

  • Get-SBFarm |clip
Get-SBFarm retrieves the configuration for the Service Bus for Windows Server farm.

  • Get-SBNamespace |clip
Get-SBNamespace retrieves information about the Service Bus for Windows Server namespaces.

NOTE: The “Get-SBNamespace” command lists the ManageUser accounts; log on with one of those accounts. The account must have the SQL permissions required to reset the expired certificates.
NOTE: After reverting the date and time, all services should display as “Running” before you proceed to the next steps:
  • Get-WFFarmStatus
  • Get-SBFarmStatus

  • From Administrative SharePoint Management Shell, run below command to get current WorkflowHostURI used to register WFM to SharePoint:
    • $wfProxy = Get-SPWorkflowServiceApplicationProxy
    • $wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))

  • Run the WFM PowerShell commands below to change the passphrase and thumbprints:
    • Run these commands to set the certificate generation key:
      • $CertKey = ConvertTo-SecureString 'PASSPHRASE' -AsPlainText -Force
      • Set-WFCertificateAutoGenerationKey -Key $CertKey
      • Set-SBCertificateAutogenerationKey -Key $CertKey

  • Then run the commands below:
    • Stop-SBFarm
    • Update-SBHost

  • Run the Workflow Manager Configuration Wizard: we’ll leave the WFM farm first and then rejoin it. This step is necessary because rejoining the WFM farm creates the new WFOutboundCertificate for us.
    • Steps to leave WFM Farm
      • Open the Workflow Manager Configuration Wizard
      • Choose “Leave Workflow Manager Farm”
      • When the Summary page finishes loading, be sure to copy the details before clicking the Check Mark in the lower right corner to start the removal process. These details will be needed later when we rejoin the WFM farm
      • When complete, you can close out of the Wizard by clicking on the Check Mark again.
    • Steps to rejoin WFM Farm
      • Open the Workflow Manager Configuration Wizard
      • Choose “Join an Existing Workflow Manager Farm”
      • Fill out the details on the page, then click Next
      • Fill out the details on the page, then click Next
      • Fill out the details on the “Join Service Bus Farm” page, then click Next
      • Review the Summary page, then click the Check Mark to start the configuration
      • When complete, click the Check Mark
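The clock rollback and key reset of Steps 1 and 2, as an added PowerShell script that is not from the original post. It runs in the Workflow Manager PowerShell on a WFM node; the thumbprint placeholder, the C:\WFMCertReset folder and the text match on the farm status output are assumptions.

```powershell
# Added example, not from the original post. Run in the Workflow Manager PowerShell
# on a WFM node (repeat on every node). Placeholders and assumptions are marked.
$ExpiredThumbprint = 'PASTE-THUMBPRINT-FROM-EVENT-VIEWER'   # placeholder: the "XYZ" thumbprint
$WorkDir = 'C:\WFMCertReset'                                # assumed folder for saved output
$ExpiredThumbprint = ($ExpiredThumbprint -replace '\s', '').ToUpper()   # store format has no spaces
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Start-Transcript -Path (Join-Path $WorkDir 'cert-reset.log') -Append

# Step 1: locate the expired certificate and set the clock to the day before it expired.
$expired = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ExpiredThumbprint }
if (-not $expired) { throw "Thumbprint $ExpiredThumbprint not found in LocalMachine\My" }
"Certificate '$($expired.Subject)' expired on $($expired.NotAfter)"
Stop-Service -Name W32Time
Set-Date -Date $expired.NotAfter.AddDays(-1) | Out-Null
Start-Sleep -Seconds 5
if ((Get-Date) -gt $expired.NotAfter) {
    throw 'System date reverted; disable Hyper-V time synchronization for this VM and retry'
}

# Step 2: keep the farm details in files rather than the clipboard.
Get-WFFarm      | Out-File (Join-Path $WorkDir 'Get-WFFarm.txt')
Get-SBFarm      | Out-File (Join-Path $WorkDir 'Get-SBFarm.txt')
Get-SBNamespace | Out-File (Join-Path $WorkDir 'Get-SBNamespace.txt')

# Every service must be Running after the date change. Matching the word "Stopped" in
# the formatted status output is an assumption about how your version prints it.
$status = (Get-WFFarmStatus | Out-String) + (Get-SBFarmStatus | Out-String)
if ($status -match '\bStopped\b') { throw "Farm services are not all Running:`n$status" }

# Reset both certificate generation keys. Prompting for the passphrase keeps it out of
# the script file, the transcript and the PowerShell history.
$CertKey = Read-Host -Prompt 'New certificate generation key' -AsSecureString
Set-WFCertificateAutoGenerationKey -Key $CertKey
Set-SBCertificateAutogenerationKey -Key $CertKey
Stop-SBFarm
Update-SBHost
Stop-Transcript
'Next: leave and rejoin the WFM farm in the Configuration Wizard, then Start-Service W32Time.'
```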

Step 3

Enable Windows Time Service – this will automatically change server back to current date and time

Step 4

Follow the steps from this article: SharePoint 2016: Step by Step guide to add Workflow Manager Certificate into SharePoint trust (also install it to the Trusted Root store)

Step 5

Export the WFM certificate by running the following command from the Workflow Manager PowerShell: Get-WFAutoGeneratedCA
  • The command above creates an “AutoGeneratedCA.cer” file in the directory where it was executed (by default C:\Program Files\WorkFlow Manager\1.0)
  • Copy the “AutoGeneratedCA.cer” file to all SharePoint nodes and web front ends and install the certificate into the Trusted Root Certification Authorities certificate store:
  • Copy the file to the SharePoint server(s)
  • Right-click it and select Install Certificate
  • Select “Local Machine” and click Next
  • Select “Place all certificates in the following store”, choose “Trusted Root Certification Authorities”, then click OK, Next and Finish
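Exporting the CA and trusting it on every SharePoint server, as an added PowerShell script that is not part of the original post. It assumes the admin share and PowerShell remoting are reachable on the SharePoint servers and that Get-WFAutoGeneratedCA writes AutoGeneratedCA.cer to the current directory as described above; the server names and the C:\WFMCertReset folder are placeholders.

```powershell
# Added example, not from the original post. Run in the Workflow Manager PowerShell on
# the WFM node as an account that is a local administrator on the SharePoint servers.
$SharePointServers = @('SP-WFE01', 'SP-WFE02', 'SP-APP01')   # placeholders
$ExportDir = 'C:\WFMCertReset'                               # assumed export folder
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Step 5: Get-WFAutoGeneratedCA drops AutoGeneratedCA.cer into the current directory.
Push-Location $ExportDir
Get-WFAutoGeneratedCA
Pop-Location
$CerPath = Join-Path $ExportDir 'AutoGeneratedCA.cer'

# Read the exported file and refuse to distribute a certificate that is already expired
# (that would mean the key reset in Step 2 did not produce a fresh CA).
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($ca.NotAfter -lt (Get-Date)) { throw "Exported CA expired on $($ca.NotAfter); repeat Step 2" }
"Exported CA '$($ca.Subject)' thumbprint $($ca.Thumbprint), valid until $($ca.NotAfter)"

foreach ($server in $SharePointServers) {
    # Copy through the admin share, then import on the remote machine with the .NET
    # X509Store API, which works on every Windows version SharePoint 2013 supports.
    Copy-Item -Path $CerPath -Destination "\\$server\C$\Windows\Temp\AutoGeneratedCA.cer" -Force
    Invoke-Command -ComputerName $server -ArgumentList $ca.Thumbprint, $ca.Subject -ScriptBlock {
        param($Thumbprint, $Subject)
        $cerFile = 'C:\Windows\Temp\AutoGeneratedCA.cer'
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
        $store.Open('ReadWrite')
        if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint })) {
            $store.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerFile))
        }
        $trusted = [bool]($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint })
        # Expired copies of the previous auto-generated CA can stay behind in Trusted Root;
        # report their thumbprints so they can be removed once the new one is confirmed.
        $stale = $store.Certificates | Where-Object { $_.Subject -eq $Subject -and $_.NotAfter -lt (Get-Date) }
        $store.Close()
        New-Object PSObject -Property @{
            Server   = $env:COMPUTERNAME
            Trusted  = $trusted
            StaleCAs = ($stale | ForEach-Object { $_.Thumbprint }) -join ', '
        }
    }
}
```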

Step 6

Test one of your 2013 workflows now, and it should complete successfully.