ArcGIS.com to portal collaboration fails due to SSL cert validation error

02-17-2018 11:51 PM
DanielBull1
New Contributor II

Hi

I'm attempting to set up a collaboration between ArcGIS.com and portal 10.6. I am an Early Adopter for ArcGIS.com, so the collaboration item shows up in the ArcGIS.com menu. I can create my invitation in ArcGIS.com; however, when the time comes to accept my invitation (in portal), I get this:

Failed to validate SSL certificate for https://<myagolsite>.arcgis.com.The certificate authority that issued the SSL certificate needs to be trusted by Portal before the invitation can be accepted. See Configuring the portal to trust certificates for more information.

I would expect anything from ArcGIS.com to automatically be OK with portal. However, I went through the process and exported out added CA cert from Chrome to my PC from ArcGIS.com, starting with the root, then two intermediate certs. I then added these certs to <portal>\portal/portaladmin/security/sslCertificates/. However, I still get the same error above, where portal fails to validate certs from ArcGIS.com. Any ideas what is wrong and how this could be sorted? I'm pretty excited about portal-AGOL collaboration, so I would like to get this going.

Cheers

3 Replies
JeffSmith
Esri Contributor

The ArcGIS Online sites all use certificates signed by DigiCert which is trusted by default in Portal.  Does the server where your Portal is installed use a forward proxy to gain Internet access?  I'm wondering if that forward proxy might be decrypting and re-encrypting the request using its own certificate that Portal does not trust. 
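
Added example, not part of the original thread or of Esri's tooling: a way to test the question in the reply above by running a probe on the Portal machine and looking at who issued the certificate it actually receives. The helper names, the DigiCert keyword match and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl

# Assumption taken from the reply above: ArcGIS Online certificates are DigiCert-signed.
EXPECTED_ISSUER_KEYWORD = "digicert"

def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert=None, verify_error=None):
    """Decide whether the chain seen from this host looks re-signed in transit."""
    if verify_error is not None:
        # Validation failed: the presented chain ends in a CA this host does
        # not trust, the same condition Portal reports in its error message.
        return "untrusted-chain: " + verify_error
    org = issuer_org(cert or {})
    if EXPECTED_ISSUER_KEYWORD in org.lower():
        return "expected-issuer: " + org
    return "unexpected-issuer: " + (org or "<none>")

def probe(host, port=443, timeout=10):
    """Connect from this machine and classify the certificate actually received."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(cert=tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return classify(verify_error=exc.verify_message)

# Constructed sample in getpeercert() format, as a TLS-inspecting device might present it.
SAMPLE_RESIGNED = {
    "subject": ((("commonName", "myagolsite.arcgis.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Inspection CA"),)),
}

if __name__ == "__main__":
    import sys
    print(classify(cert=SAMPLE_RESIGNED))   # offline demonstration
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))           # live check against the given host
```

Python validates against the operating system trust store rather than Portal's own, so the issuer name it reports is the useful signal here, not whether validation passed.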

DanielBull1
New Contributor II

Thanks Jeff

There is no forward proxy, and SSL passes through with no decrypting. However, I'm getting the IT staff to load the AGOL certs internally, and allow SSL cert to pass through with no inspection, to see if this helps.

DanielBull1
New Contributor II

So this was sorted by exporting certificates from the browser and converting these to a .crt format using https://www.sslshopper.com/ssl-converter.html. The cert was then uploaded to the PA firewalls as a trusted root CA, so that they can use that to unencrypt and inspect any traffic that has been encrypted with those certs.