Can't figure SSL out (CA)

02-08-2017 02:23 PM
travisslack1
New Contributor III

So I have Portal and Server set up (10.4). My web adaptors were set up using web.domain.com (web being the in house server portal, server and iis are on). 

Do I need to buy two separate SSL certificates? One for IIS and one for Server? I followed the guide here Configuring HTTPS using a new CA-signed certificate—Documentation (10.4) | ArcGIS Enterprise 

Filled everything out, generated the CSR from the ArcGIS Server admin page, submitted to GoDaddy and got two files back, a p7b and a crt. I have to assume IIS can't import this at all because I have tried and every time I import the crt in IIS by completing the certificate request it disappears out of Server Certificates when I try to do the bindings.

I originally had Let's Encrypt properly securing https://web.domain.com working perfectly fine in IIS but neither I nor the ESRI tech could get it working with ArcGIS Server. As a result of not having SSL on my ArcGIS Server I can't create any applications or webmaps and I think there are other weird issues I am seeing too. When I hit create I get a grey bar

and this in the developer console. 

So how do I do this? I feel like I've wasted days trying to get this working properly and when I think I know what to do it's just piling up more issues and none of the guides I'm seeing cover this in depth.

Currently I have Let's Encrypt on IIS and it's secure when I go to https://web.vectorgeomatics.com which forwards me to web.vectorgeomatics.com/portal/home and it's 100% secure. I purchased the GoDaddy cert, submitted the CSR from server admin and have the files mentioned above..... what do now? I've got everything through IWA right now, mainly to be used internally, but office staff need the option of being able to access the site out of the office which prompts them for their domain user name and password and that is working correctly. I think the steps I've taken so far have been correct?

thanks

0 Kudos
11 Replies
travisslack1
New Contributor III

Hard to explain how ESRI helped me resolve this.

So it sounds like there is a way to use the same cert for IIS and Server using OpenSSL, attaching a private key to it, but as it stands I'm using Let's Encrypt for IIS and GoDaddy for Server and everything seems to be working fine. The p7b file they give you (GoDaddy) you upload as a root cert, and then you need to click on the self-signed cert you submitted for signing to import the certificate. I was importing the certificate outside of the self-signed cert when I had to click on the self-signed cert and then at the bottom hit import and then I could import the crt where it does not ask for a password. Thanks Abraam for clearing everything up.

0 Kudos
DuarteCarreira
Occasional Contributor II

travis.slack hi there. I'm trying to do the exact same thing. Just can't figure out your solution. Could you be a bit clearer? Maybe a list of steps?

Thanks.

0 Kudos
travisslack1
New Contributor III

Sure, so the way I got it working was

IIS - Uses Lets Encrypt

ArcGIS Server - Godaddy SSL cert. 

So two certs.

In the SSL admin page of Server Manager you will generate a CSR (your own one, I called mine tobeSignedCSR) and this is what I submitted to GoDaddy for signing. Upload a root cert (in my case, GoDaddy provided it, and I believe there are instructions for GoDaddy that specify to choose Other for the type). Once you've gotten the CSR signed, go back to your SSL page and click on the CSR (tobeSignedCSR) and you will see at the bottom the option to complete the signing where you can use the cert provided by GoDaddy or whoever you chose.

There IS a way to get this done using one cert that I have not tried, and this involves generating a private key using something like OpenSSL and attaching it that way. The ESRI tech didn't know offhand but it will be something like this https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-pr... Generate a Self-Signed Certificate from an Existing Private Key and CSR once you've generated a private key. *I think* I have not tested this.

0 Kudos
DuarteCarreira
Occasional Contributor II

Hi and thanks for detailing things. Appreciate it.

I now think I understand the process better... it seems we can use any existing CA-signed certificate, even not creating a request in manager.

My issue now is I cannot import a certificate (.pfx) file without a password... because manager does not allow that. Seems odd since I can create signed certificates without password...

The other issue is how to automate this process to renew the certificate. It seems there is no scripting or command line available in ArcGIS Server for this.

Probably will have to start new threads for this.

Thanks again.

0 Kudos
AlexanderBrown5
Occasional Contributor II

Duarte,

After you have imported your CA-signed certificate into IIS, export it using a password. Import this new file into ArcGIS Server admin and Portal admin.

In NO way do you need two different certifications.

Did you also update your Windows hosts file in system32 to point to web.vectorgeomatics.com?

~Alex

0 Kudos
DuarteCarreira
Occasional Contributor II

Alexandre, that's a very good idea...never occurred to me. I'll try it out. Should work.

About hosts file, I did not change it, as I do not understand what that was for...

About automating things, do you have any tips?

Thanks.

0 Kudos
travisslack1
New Contributor III

Good to know, I'll have to try that out. I thought it was dumb to be using two certs but it refused to use my Let's Encrypt cert from IIS because it had a password/private key, whereas the CSR generated and submitted for signing does not and this was the only cert Server Manager would accept.

0 Kudos
JonathanBailey
Occasional Contributor III

Hi Alex,

Does Esri have a concise set of instructions, or any guidance at all, that you can offer on how to perform this configuration? The only guidance that I've seen is here:

http://server.arcgis.com/en/server/latest/cloud/azure/install-ssl-certificate.htm

Which starts at step 1 Obtain an SSL certificate and export the certificate to a .pfx file.

What magical incantations must I invoke to do this? The Esri Book of Spells seems to be missing those pages.

DuarteCarreira
Occasional Contributor II

jbailey.spatialbridge that was funny! Welcome to our world!

Depending on what you get when you buy a certificate, you may get a pfx or not. If you don't then you can generate one by using the files you receive. This depends on your OS - Windows or Linux. On Windows you can follow Alex's instructions: double-click your certificate to install. Use certificate manager to export it to a pfx file.

0 Kudos
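
The Windows export step described in the replies above (a CA-signed certificate installed on the IIS machine, exported to a password-protected .pfx for import elsewhere), as an added PowerShell example that is not part of the original thread. The host name and output path are placeholders, and the certificate is assumed to be installed in the local machine's Personal store.

```powershell
# Added example (not from the thread): export an installed CA-signed certificate
# to a password-protected .pfx. Run in an elevated PowerShell session.
# $HostName and $PfxPath are placeholder values.
param(
    [string]$HostName = 'web.example.com',
    [string]$PfxPath  = 'C:\certs\web.example.com.pfx'
)

$now = Get-Date

# Certificates in the machine's Personal store that name this host and are
# currently valid. Exact-name match only; a wildcard certificate needs its own test.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.DnsNameList.Unicode -contains $HostName -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
}
if (-not $candidates) {
    throw "No currently valid certificate for $HostName in LocalMachine\My."
}

# A .pfx carries the private key. A certificate whose CSR was generated on a
# different system has no key on this machine and cannot be exported this way.
$cert = $candidates | Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "Certificate for $HostName is installed without its private key on this machine."
}

# Prompt for the password so it never lands in the script or shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# BuildChain includes the intermediate/root certificates in the .pfx.
# The export fails if the key was imported or created as non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath `
    -Password $password -ChainOption BuildChain | Out-Null

# The file now holds the private key: limit it to Administrators and SYSTEM.
icacls $PfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

# Record what was exported so the imported copy can be checked against it.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PfxPath    = $PfxPath
}
```

Delete the .pfx from disk once it has been imported where it is needed, since anyone holding the file and its password holds the site's private key.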