service-fabric-reverse-proxy | reverse proxy for accessing services | Proxy library

I have my cluster setup with a reverse proxy set at port 8080. I now want to change the certificate used on the reverse proxy.

I added the new certificate to my KeyVault, and referenced it in vaultCertificates in the Microsoft.Compute/virtualMachineScaleSets ARM template. Pushed it, waited until it completed, RDP'd into each node and verified that the new certificate was installed.

I updated one of my front facing applications to use the new certificate and it worked fine (thus verifying that it could find it by the thumbprint).

I then modified reverseProxyCertificate.thumbprint in the Microsoft.ServiceFabric/clusters ARM template to reflect the new thumbprint. Pushed this and waited. And waited. And waited. After about an hour my cluster status went from "Updating" to "Ready" (although in my activity log the Write Clusters operation still says Started)

Now, when I go to https://{mycluster}.ukwest.cloudapp.azure.com:8080/ it is still serving up the old certificate.

I RDP'd into one of my nodes and opened up D:\SvcFab\FabricHostSettings.xml and under ApplicationGateway/Http, GatewayX509CertificateFindValue has the correct (new) value.

Looking here, I know it's for a local cluster, but it should be similar to one hosted on Azure, the last step is "Start and complete cluster upgrade". I can't find how, or if you're meant to, do this in Azure. I know for a fact that you can't just restart the VMSS, or it messes everything up!

Have I missed something?