
Unable to replace Data Store SSL Certificate

04-21-2018 09:46 AM
WilliamRice
Occasional Contributor II

I am attempting to replace the Data Store self-signed certificate with my commercial certificate using the Data Store "updatesslcertificate" utility. When I run the utility, I receive the following error: "Error encountered: Machine 'https://<server name>:2443/arcgis/datastoreadmin' returned an error. 'Unable to import certificate'". My certificate is in the .pfx format and was imported into and is being used successfully with Portal and Server, so I don't believe there is anything wrong with my commercial certificate. I am not finding anything to troubleshoot this particular issue.

0 Kudos
23 Replies
by Anonymous User
Not applicable

If those don't work, please email me at Andrew.Valenski@charlottenc.gov, as the other options to "deep troubleshoot" are probably best kept relatively under wraps, as they modify some of the "deep" files and exposing that information here will probably do more harm than good in the long run.

0 Kudos
WilliamRice
Occasional Contributor II

1. Yes, the file 'agsdatastore.ks' exists.  The file has the Date Modified date of when I originally installed the Data Store software.

2. Permissions.  I am currently using a local user account, arcgis, to run the ArcGIS Data Store service.  This 'arcgis' user account has Full Control on the C:\Program Files\ArcGIS\DataStore folder and Inheritance is enabled.

3. Error Message.  I am not finding the error message "Unable to import certificate" in any of the Data Store log files found under D:\arcgisdatastore\logs\<machine name> .  I am only seeing the error message as part of the error message output from running the updatesslcertificate utility from the Command Line.

0 Kudos
by Anonymous User
Not applicable

Then it's best if you email me at Andrew.Valenski@charlottenc.gov so we can get a bit more "in the weeds." I don't want to post on geonet instructions for, if done incorrectly, modifying some core server components. 

When I get your email, I'll pass along the next steps! 

0 Kudos
TheodoreDean
New Contributor III

Hi

Has this been resolved? I think we are facing the same problem with 10.6.

0 Kudos
WilliamRice
Occasional Contributor II

Theodore,

No, the issue has not been resolved yet.  Andrew Valenski above offered to provide some additional troubleshooting steps.  Due to the black box nature of the Data Store, Esri's tech support solution was for me to completely reinstall all of the components of ArcGIS Enterprise.  The parts of ArcGIS Enterprise 10.6 we are currently using are working just fine.  I had to put this issue aside for the moment because I had to move on to some other tasks.  Likely I will need to revisit this issue again in the very near future.

RDEKAdmin
New Contributor II

Hi,

We had this issue as well (ArcGIS Enterprise Builder 10.6) but Esri Support was able to provide the following info:

Here's the known bug: [BUG-000114816 : ArcGIS Data Store 10.6 will fail to update it's SSL certificate if the certificate's privacy key has special characters within it.] This problem occurs for Portal for ArcGIS as well, so I would imagine this also occurs in ArcGIS Data Store.

Re-creating our certificate .pfx file with a password that only contained alphanumeric characters solved the problem.

Note that the server we had issues with was running Windows Server 2016. The certificate (with old password containing alpha-numeric characters) updated without issue on a different server running 2012 R2.

JonathanQuinn
Esri Notable Contributor

I think there are a couple issues here, the first being that the certificate can't be imported, which may be a bug as RDEKAdmin has described.

The other is, as the OP initially mentioned, the logs/error message don't indicate the problem. If you ever get back to this, I'd suggest logging another bug that the error message should tell you why the operation failed, not just that it failed.

"Error encountered: Machine 'https://<server name>:2443/arcgis/datastoreadmin' returned an error. 'Unable to import certificate'" doesn't tell you much.

0 Kudos
FabianMeyer
New Contributor

I know this is an old issue, but it concerns us every three months because we regularly change the SSL certificates of our Enterprise site (Let's Encrypt certs). I found out that you can't update the certificate if you use the same alias. If you try, it will return the error message mentioned above. So I change the alias every time I update the SSL certificate by adding a counter to the alias, and everything is OK.

Just want to share this workaround.

WilliamRice
Occasional Contributor II

OK. Thanks for sharing what you found out and your workaround.

0 Kudos
NiekGoorman1
Occasional Contributor

Thanks Fabian - this was a very useful bit of knowledge as it's still affecting me at 10.7.1. Changed the password to exclude special characters and used a new alias. Bugs like this really should not be present at all, and certainly not after another major release of the software. How did this get past QA?

0 Kudos
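
The two workarounds reported in this thread (a .pfx password containing only alphanumeric characters, and a new alias with a counter on each update) can be checked before running the utility; the following is an added example, not code from any poster or from Esri. The alias base name, the list of used aliases and the sample passwords are constructed, and the case-insensitive alias comparison is an assumption.

```python
import math
import re
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols, ASCII only


def is_alnum_only(password: str) -> bool:
    """True if every character is an ASCII letter or digit (str.isalnum()
    would also accept non-ASCII letters, so compare against ALNUM)."""
    return bool(password) and all(ch in ALNUM for ch in password)


def min_length(bits: int = 128) -> int:
    """Characters needed for `bits` of entropy from a 62-symbol alphabet."""
    return math.ceil(bits / math.log2(len(ALNUM)))


def generate_password(bits: int = 128) -> str:
    """Random alphanumeric password; length makes up for the missing symbols."""
    return "".join(secrets.choice(ALNUM) for _ in range(min_length(bits)))


def next_alias(base: str, used: list[str]) -> str:
    """Return base + counter, one higher than any counter already used.
    Comparison is case-insensitive (assumption: the keystore treats
    aliases that differ only in case as the same entry)."""
    pattern = re.compile(re.escape(base) + r"(\d+)$", re.IGNORECASE)
    highest = 0
    for alias in used:
        m = pattern.match(alias)
        if m:
            highest = max(highest, int(m.group(1)))
    return f"{base}{highest + 1}"


if __name__ == "__main__":
    used = ["datastore1", "DataStore2", "portal7"]  # constructed sample
    for pw in ("Spr!ng#2018", "Spring2018abc"):      # constructed samples
        print(pw, "->", "ok" if is_alnum_only(pw) else "contains special characters")
    print("new password:", generate_password())
    print("next alias:", next_alias("datastore", used))
```

Dropping special characters shrinks the alphabet, so the generated password is lengthened to keep roughly 128 bits of entropy.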