FEDERATION - Unable to validate TLS certificate (10.9.1)

11-17-2022 10:29 PM
timshapiro
New Contributor III

Just upgraded a single machine base deployment from 10.7.1 to 10.9.1. Everything was successful, but I receive the following error message when attempting to validate the federated server:

  • Error: Unable to validate TLS certificate on ArcGIS Server administration URL. Ensure the root certificate is trusted or the certificate common name matches the URL hostname.

I am using the exact same certificate that was being used without issue before the upgrade. I confirmed the root is trusted on the machine, and it is a wildcard cert so the 3rd part of the error message does not apply.

Why would 10.9.1 not like this cert if it was valid for 10.7? Is there another step I am missing to complete the federated server validation process after an upgrade?

I am able to access server admin, portal admin, and portal home without issue, but server manager will not load after the sign in page.

6 Replies
JeffSmith
Esri Contributor

Yes, there were some enhancements in 10.9.1 to validate the certificate used in the Server admin url.  We didn't do this in 10.7 and while things still worked, there were some workflows that would fail if Portal did not trust the Server admin url certificate.

Since you are receiving that error message, I would double-check that the root certificate and any intermediate certificates from the CA that signed your wildcard cert are imported into the portaladmin api under sslCertificates/importRootOrIntermediate.  Once imported, make sure the Portal service restarts for the new certs to take effect.

Scott_Tansley
MVP Regular Contributor

Hey Tim, if you haven't fixed this already then possibly consider rolling back to the self-signed certificate in server admin:

Home > Machine > MachineName

There are instructions documented in this recent community post: https://community.esri.com/t5/arcgis-enterprise-questions/questions-about-updating-ssl-certificates-...

This will allow you to move on with the upgrade and you can sort the certificates later.  I think you may just have struck the reason that the enterprise builder failed to upgrade.  You get a lot more fine-grained information doing it step-by-step.

Hope you sort it.

 

Scott Tansley
https://www.linkedin.com/in/scotttansley/
timshapiro
New Contributor III

Thanks Scott. I tested it with the self-signed cert in server admin, and was able to successfully validate the federation; however, I am still unable to sign in to server manager... I am able to access server admin, portal admin, and portal home without issue, but server manager will not load after the sign in page. The last time I ran into this issue, switching to the CA signed cert resolved it. Any ideas of what else might be going on?

Scott_Tansley
MVP Regular Contributor

Have you done a CTRL + F5? Have you tried InPrivate mode to enter Server manager? Sometimes you can get cached items stuck in the browser that block things.

If you have then my guess is that it's to do with the certs.  I'd delete the CA signed certificates from portal and server, using portal/server admin, and then reload them.

There are times, and I'm not saying this is one, where AD policies enforce things in company browsers that make issues like this hard to resolve. Having a 'clean' laptop, if IT will let you have one, may be a useful test.

 

Scott Tansley
https://www.linkedin.com/in/scotttansley/
uriedc_mike
New Contributor

Hi Tim,

Thanks for posting your error message. I had the same issue. In our case it turns out that the common name url (server name) in the server cert does not match the server name. A new ssl cert needed to be requested by our IT dept with the correct server name url. Hope this helps.

feralcatcolonist_old
Occasional Contributor II

We're using a wildcard certificate like *.domain.com and are getting this error:

 

Unable to validate TLS certificate on ArcGIS Server administration URL. Ensure the root certificate is trusted or the certificate common name matches the URL hostname.

 

What do other people with wildcards do?

EDIT:
For anyone playing along at home: we ended up having to upload our intermediate and root certificates. I actually don't know how to do this the button-clicking way; we configured ours in the ArcGIS PowerShell DSC.


Likes an array of [cats, gardening, photography]
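
The error message in this thread names two separate causes, an untrusted chain and a hostname mismatch. The script below is an added example (not from any poster and not Esri code) that tells them apart from a client machine, and shows why a wildcard such as `*.domain.com` can still fail the name check. Assumptions: port 6443 as the ArcGIS Server admin HTTPS port, and a PEM file you supply containing only your root CA; it tests with Python's TLS stack, not Portal's own trust store.

```python
import socket
import ssl
from typing import Optional

# OpenSSL verify codes behind the two causes named in the error message.
CHAIN_CODES = {18, 19, 20, 21}  # self-signed leaf/chain, issuer not found, leaf unverifiable
HOSTNAME_CODE = 62              # X509_V_ERR_HOSTNAME_MISMATCH


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 rule: '*' must be the whole leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.domain.com never covers a.b.domain.com or domain.com
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def classify(verify_code: int) -> str:
    """Map an OpenSSL verify code onto the cause it points to."""
    if verify_code in CHAIN_CODES:
        return "chain-not-trusted"   # root or intermediate missing from the trust store
    if verify_code == HOSTNAME_CODE:
        return "hostname-mismatch"   # URL host not covered by the certificate's names
    return "other"


def probe(host: str, port: int = 6443, cafile: Optional[str] = None) -> str:
    """Handshake with the admin endpoint; report which validation step fails, if any.

    With cafile set, only that bundle is trusted, so a server that does not send
    its intermediate certificate shows up as 'chain-not-trusted'.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"{classify(exc.verify_code)}: {exc.verify_message}"
```

Call `probe()` with the exact hostname used in the federation's Server administration URL, since the name check is made against that string. OpenSSL checks the chain before the name, so fix a `chain-not-trusted` result first and probe again.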