Hi all,
I'm using Enterprise 11.5 and using a DigiCert cert.
I haven't had any SSL errors until now. I'm getting an error while running a scheduled model:
File "C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\ssl.py", line 588, in _load_windows_store_certs
    self.load_verify_locations(cadata=certs)
ssl.SSLError: [RSA: WRONG_SIGNATURE_LENGTH] wrong signature length (_ssl.c:4047)
So I thought I would do some digging with Esri Tech support. So we tried some cert stuff but I'm still wondering.
I read these docs: Server and Portal
One thing I noticed in the Portal documentation: I import the .pfx and I use Import Certificate Chain and then it says The alias for these certificates will match the alias entered above and be appended with either _roo... Then it says "After importing an existing CA-signed certificate, the root and intermediate certificates may have already been imported. These would be listed under Security > SSLCertificates."
I don't have any certs listed except the one .pfx. Does anyone use Import Certificate Chain and it actually lists the root and intermediate certs?
So now I'm thinking I need to export the root and intermediate certs from the .pfx using IIS - Site Bindings - Edit - View - Certification path - click on the root cert - Details - Copy to File and save as a .cer and import them separately into Portal and ArcGIS Server.
Let me know what you think. Thank you!
Andrea
No, I've never tried it. But I'm going to test tonight logged into the machine as the domain service account and configure the scheduled task to "Run only when user is logged on", then stay logged into the server and let the task run. I'll let you know. Thank you!
@JoshuaBixby and @TimoT I was able to successfully run the scheduled Model at 5pm when logged into the machine as the domain service account user and running the task as 'Run only when user is logged on'. The scheduled model at 1:10am still failed when run as the same domain service account user but not logged in and using 'Run whether user is logged on or not'.
Sounds like you're getting closer to figuring it out. This could be related to what I previously mentioned with regards to the difference between interactive vs batch logins.
Have you tried running the scheduled task as a different domain user or service account?
For completeness' sake, you can also try running the scheduled task under a local user account on the machine.
I'm still getting the error. I also read this solving-ssl-errors-in-python-requests and this python-in-arcgis-pro-3-6-faq but deleting the C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3 folder and running a repair installation on 3.6.1 didn't update the date of the C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\certifi\cacert.pem file, so I don't think that will help. I tried this in my Dev environment first.
When you logged in as the domain service account the other day and successfully ran the model, did you get any dialog pop-ups? Specifically, was there any dialog relating to accepting a certificate?
nope, nothing.
Here is the resolution! I worked with Esri tech support. Below from Esri Tech support quoted.
“Based on our analysis of the logs, the failure occurs because the background process cannot access the user’s personal certificate store or specific environment paths when the user is logged off. We have identified several PATH NOT FOUND and NAME NOT FOUND errors specifically related to SSL certificate validation and licensing lookups.
To resolve this, I recommend we start by modifying the script itself.
Modify the Python Script: We can explicitly tell the script where to find the necessary certificates, bypassing the Windows Certificate Store entirely.
import os
# Point to the specific certificate file
os.environ['REQUESTS_CA_BUNDLE'] = r"C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\certifi\cacert.pem"
This worked - but not at 12:30am. "The failure at 12:30 AM is likely due to the Windows environment unloading the user profile or certificates after a few hours of inactivity. "
So I set it to run at 8pm and it works like a charm! 😃
Thank you for helping me out! Hope this helps someone in the future.
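A diagnostic that can be run under the same account and logon mode as the scheduled task, added here as an example and not taken from the thread or from Esri: it loads each Windows store certificate on its own, so an entry that OpenSSL rejects is reported by thumbprint instead of aborting the whole load as in the traceback above. The function names are hypothetical, and the script assumes the CA and ROOT stores are the ones of interest.

```python
import hashlib
import ssl
import sys

# Assumption: the two system stores Python's ssl module reads for default trust.
STORES = ("CA", "ROOT")


def find_rejected(entries):
    """Return [(sha1_thumbprint, error_text)] for store entries OpenSSL refuses.

    entries: iterable of (der_bytes, encoding, trust), the shape returned by
    ssl.enum_certificates() on Windows.
    """
    rejected = []
    for der, encoding, _trust in entries:
        if encoding != "x509_asn":  # PKCS#7 entries are not CA certificates
            continue
        # Fresh context per certificate so one bad entry cannot hide another.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cadata=der)
        except (ssl.SSLError, ValueError) as exc:
            # SHA-1 of the DER bytes matches the thumbprint shown by certmgr.
            rejected.append((hashlib.sha1(der).hexdigest(), str(exc)))
    return rejected


def scan_windows_stores():
    """Map each store name to its rejected entries (Windows only)."""
    report = {}
    for store in STORES:
        try:
            report[store] = find_rejected(ssl.enum_certificates(store))
        except PermissionError as exc:
            # The account running the task cannot read this store at all.
            report[store] = [("<store unreadable>", str(exc))]
    return report


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("ssl.enum_certificates is only available on Windows")
    for store, bad in scan_windows_stores().items():
        print(store, "rejected:", bad if bad else "none")
```

Running it once interactively and once from the task with 'Run whether user is logged on or not' shows whether the two logon modes see the same store contents.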