Certificate Mismatch When Publishing to ArcGIS Server

09-05-2019 08:16 AM
LloydBronn
Occasional Contributor II

When trying to publish a map service using Python with arcpy.mapping.CreateMapSDDraft, I'm getting the following pop-up:

gis.mymetcon.com works to access our ArcGIS Server Manager and Admin Site. In our ArcGIS Server Administrator Directory under our machine, there are 3 SSL Certificates (root, selfsignedcertificate, and www.gis.mymetcon.com). I think the mismatch is coming in when I try to publish the service to our domain site (Metconapp.metcon.domain), but it is erroring since the name on the certificate is www.gis.mymetcon.com?

Any ideas on what might be going on? We are using Windows 2012 IIS 8 Server Manager. All the certificates seem to be valid and not expired.

Any troubleshooting help is greatly appreciated. 

6 Replies
JonathanQuinn
Esri Frequent Contributor

If the URL you use to connect to the Server within the .ags file is metconapp.metcon.domain, but the certificate is set to gis.mymetcon.com, then you'll get that prompt. You can either update the URL to point to gis.mymetcon.com or add metconapp.metcon.domain as a SAN to the certificate. If this is an externally facing site, then anyone can take a look at the certificate information and see the internal machine name of Server, though.

LloydBronn
Occasional Contributor II

I don't think we are allowed to use local server names in the SAN to the certificate, is that correct?

LloydBronn
Occasional Contributor II

Also, when I try to connect using gis.mymetcon.com on our local computers, it does not respond, so I am unable to use that as the connection URL in the .ags file.

JonathanQuinn
Esri Frequent Contributor

I don't think there's a technical limitation to using local server names, but it may not be best practice depending on how your site is accessed.

Are you on your internal network when attempting to access gis.mymetcon.com? Are you able to reach that URL in a browser? If you can reach it in a browser, you should be able to use it within the arcpy functions. If not, you may have firewall rules that block requests to that endpoint. You may have direct access to the 6443 endpoint of Server, for example https://metconapp.metcon.domain:6443/arcgis. You can try to use that URL instead.

LloydBronn
Occasional Contributor II

I can reach the https://gis.mymetcon.com outside of the network, but not internally. I can access the https://metconapp.metcon.domain:6443/arcgis internally through a web browser, but when I try to connect to the server using that URL inside of ArcGIS Desktop it shows the certificate error that the names do not match and the certificate it directs to is for www.gis.mymetcon.com.

JonathanQuinn
Esri Frequent Contributor

It sounds like you imported a new certificate for Server's internal web server (6443):

Configure ArcGIS Server with an existing CA-signed certificate—ArcGIS Server Administration (Windows... 

This is fine to do, but you need to make sure the certificate CN or SAN is set for metconapp.metcon.domain. You can either get a new certificate from your certifying authority (could be an external or a domain certifying authority), or use the self-signed certificate.

Configure ArcGIS Server with a new CA-signed certificate—ArcGIS Server Administration (Windows) | Ar... 

Configure ArcGIS Server with an existing CA-signed certificate—ArcGIS Server Administration (Windows... 

If you want to use the self-signed certificate, you'll need to tell any machines that you're connecting from to trust the certificate:

Configure ArcGIS Server with the default self-signed certificate—ArcGIS Server Administration (Windo...

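Added example (not part of the thread and not Esri code): a Python check of whether the host name used in a connection URL is covered by a certificate's SAN or CN, which is the comparison behind the mismatch prompt discussed above. The helper names and the SAN list in `SAMPLE_CERT` are assumptions made for illustration; the dict has the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl


def cert_names(cert):
    """Return (dns_sans, common_names) from a dict shaped like getpeercert()."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return sans, cns


def name_matches(pattern, host):
    """Exact match, or a '*' wildcard standing for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def check_host(cert, host):
    """Report whether `host` (the name in the connection URL) is covered."""
    sans, cns = cert_names(cert)
    # Legacy fallback: CN counts only when the certificate has no DNS SAN.
    candidates = sans if sans else cns
    matched = [n for n in candidates if name_matches(n, host)]
    return {"host": host, "ok": bool(matched), "matched": matched,
            "presented": candidates}


def fetch_cert(host, port=6443, timeout=5):
    """Fetch the server certificate with the name check off, chain check on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # lets a mismatched certificate be inspected
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: the SAN list is assumed, not read from the real server.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.gis.mymetcon.com"),),),
    "subjectAltName": (("DNS", "www.gis.mymetcon.com"),
                       ("DNS", "gis.mymetcon.com")),
}

if __name__ == "__main__":
    print([check_host(SAMPLE_CERT, n)
           for n in ("metconapp.metcon.domain", "gis.mymetcon.com")])
```

`fetch_cert` still validates the chain, so it raises `ssl.SSLCertVerificationError` against a self-signed certificate the client machine does not trust.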