ArcGIS Server Manager page not accessible after https/SSL configuration

EyadHammad · ‎12-26-2013

i was in the middle of configuring ArcGIS Server 10.1 in the rest ADMIN where i was enabling HTTPS only instead of HTTP then imported an SSL certificate when suddenly the connection with the ADMIN page got lost and i could not connect again. i get a message the page could not be displayed or found. i was using https://servername:6443/ArcGIS/manager and https://serverName:6443/arcgis/admin/security/config but after i lost the connection, i am not able to open the ArcGIS server pages. in addition, i could not connect using http with port 6080. Moreover, i could not connect to ArcGIS server from ArcCatalog as its complaining about a BAD address.

i forgot to mention that i checked the service for ArcGIS server and confirmed it is running. i even restarted the service several times and restarted the host server with no luck.

we are running ArcGIS server 10.1 on Windows Sever 2008 R2 environment NO web adapter configured

how to re-establish the connection to ArcGIS Server manager or rest pages ?

is there a way to reset the configuration from HTTPS only to HTTPs and HTTP ?

is there a way to default back these security changes in ArcGIS Server ?

appreciate any input

thanks

EyadHammad · ‎12-28-2013

Hey there,

thanks for the tip. i'll try to do that and hope it works

Hey there,

This suggested fix did not work.

EyadHammad · ‎12-28-2013

I believe that the HTTP Only, HTTP and HTTPS, and HTTPS Only settings for the protocol under Security --> Config in AGS Manager pertain to the web adaptor, so altering the value as you mentioned should not cause the issue especially since you said that no web adaptor had been configured and your URL requests use a port number. Based on the info you provided, I would suspect the importing of another security certificate to be the culprit for the time being. It sounds like SSL was working just fine for you initially. A few things to try and/or consider first...

Did you import a CA-signed certificate to replace the default self-signed certificate in AGS? If so, did you use the importRootorImmediate option or the importExistingServerCertificate option? If it's a CA-signed certificate, take a look at the certification path properties for that certificate and verify that all of the certs in the path (i.e., the root cert, any intermediary certs, and the cert itself) exist in the Trusted Root Certification Authority on the AGS machine. You'll know if all of them are trusted when you view the certification path properties depending on whether or not a red X appears next to any of them.

Alternatively, if you need to "clear out" any changes you made regarding the security certificates to get things back to normal per se, you MIGHT be able to try the following:
1. On the server, go to C:\arcgisserver\config-store\machines and open the <servername>.json file (assumes AGS was installed at C:\arcgisserver) using Notepad or Notepad++. Make a backup of the file in the same directory, first.
2. In that file, find the section with "webServerCertificateAlias" and change the value after the colon to be exactly selfsignedcertificate surrounded by double quotes just as you see with the current value. If it's already set to this value, then more than likely you did not try to import a CA-signed certificate into AGS and this most likely isn't your issue.
3. Save the file and then re-start the ArcGIS for Server Windows service.
4. After about a minute following restart of the service in #3 above, try re-requesting the URLs you mentioned to see if the behavior is different. If so, then refer back to the second paragraph of my reply and make sure that, if using a CA-signed certificate, you follow the proper steps to ensure it is trusted on the AGS machine along with any of its intermediary and root certs. If not, then revert back to the backup file created in #1 above and restart the AGS service again since this probably isn't the correct issue and associated fix.

hey there,

i followed the steps but no luck. i have a CA-Signed certificate generated outside of AGS. there seem to be something fishy in this area but i can't put my fingers on it.

i'll have to re-install maintaining the current folders as they have all of our published services and hopefully it would work

thanks

WilliamCraft · ‎12-29-2013

Did you by chance apply SP1 to your 10.1 installation recently? Before performing the re-installation, please check the Windows Firewall on your server and client to see if it might be running along with any other anti-virus software that could be blocking the 6080 and 6443 ports. You may need to temporarily disable them to see if this does the trick; if so, you can create a focused rule for the ports you need. Also, what happens when you log directly into the server and attempt to request the same URLs from a browser locally?

EyadHammad · ‎12-29-2013

Did you by chance apply SP1 to your 10.1 installation recently? Before performing the re-installation, please check the Windows Firewall on your server and client to see if it might be running along with any other anti-virus software that could be blocking the 6080 and 6443 ports. You may need to temporarily disable them to see if this does the trick; if so, you can create a focused rule for the ports you need. Also, what happens when you log directly into the server and attempt to request the same URLs from a browser locally?

Thanks for your reply

we did that. In addition, we added the programs in inbound exceptions for Windows firewall for

B. ArcGISServer.exe    <Install>\ArcGIS\Server\framework\etc\service\bin\ArcGISServer.exe
C. ArcSOC.exe                <Install>\ArcGIS\Server\bin\ArcSOC.exe
D. javaw.exe              <Install>\ArcGIS\Server\framework\runtime\jre\bin\javaw.exe
E. rmid.exe                 <Install>\ArcGIS\Server\framework\runtime\jre\bin\rmid.exe

however, we were unable to get AGS back

our last resort is to cleanup all and do a new installation, and publish again all of our services.

regards,

StephanieSnider · ‎01-07-2014

I've had this happen before after importing a trusted certificate - that ArcGIS Server didn't like. crafty762 suggestion is close to what I did...but to a different file.

1. Navigate to the ArcGIS Server Tomcat directory on the server. Depending on where you install ArcGIS Server, it will be something like ....ArcGIS\Server\framework\runtime\tomcat\conf
2. Open the server.xml and scroll down to the bottom.
3. On the last line of code, you will see a keyAlias =�?�name of the certificate�?�. Since this one isn�??t working, change the alias back the original ESRI selfsigned certificate (SelfSignedCertificate). Save file.
4. Stop and start the ArcGIS Server service.

BrendanWalashek · ‎03-29-2014

I've had this happen before after importing a trusted certificate - that ArcGIS Server didn't like. crafty762 suggestion is close to what I did...but to a different file.

1. Navigate to the ArcGIS Server Tomcat directory on the server. Depending on where you install ArcGIS Server, it will be something like ....ArcGIS\Server\framework\runtime\tomcat\conf
2. Open the server.xml and scroll down to the bottom.
3. On the last line of code, you will see a keyAlias =�?�name of the certificate�?�. Since this one isn�??t working, change the alias back the original ESRI selfsigned certificate (SelfSignedCertificate). Save file.
4. Stop and start the ArcGIS Server service.

On step 3, what is the actual name I should put in there for the ESRI selfsigned certificate? Where would I find that name? My server is crippled until I can fix this....
Thank you so much!

As a horrible alternative, if I were to uninstall ArcGIS Server 10.2 and reinstall, will I lose all my services? Is there any way of saving them without having access to ArcGIS Server Manager?

StephanieSnider · ‎03-31-2014

brendwal,
Update the code to keyAlias =�?�SelfSignedCertificate�?� which is the default certificate that comes with ArcGIS Server. Remember to stop and start the ArcGIS Server service after saving changes to this file. You don't have to lose services if you reinstall ArcGIS Server. Before you uninstall, copy the ..\arcgisserver config-store and directories folders. You can import them back in during the install process or install without them and then copy them over manually.

SantiagoGonzalez_Arriola · ‎10-17-2016

Just wanted to confirm that Stephanie Snider's workaround works. I followed crafty762's advise (changing .../config-store/machine_name.json) and that didn't work. Changing the server.xml under Tomcat conf did the trick!

Steph you are a life saver, I can't thank you enough! Reinstalling and re-publishing services can be a huge nightmare for many. There's always hope!

This worked for me on AGS 10.4 running on Ubuntu Server on AWS.