Unable to replace Data Store SSL Certificate

04-21-2018 09:46 AM
WilliamRice
Occasional Contributor II

I am attempting to replace the Data Store self-signed certificate with my commercial certificate using the Data Store "updatesslcertificate" utility. When I run the utility, I receive the following error: "Error encountered:  Machine 'https://<server name>:2443/arcgis/datastoreadmin' returned an error.  'Unable to import certificate'". My certificate is in the .pfx format and was imported into and is being used successfully with Portal and Server, so I don't believe there is anything wrong with my commercial certificate. I am not finding anything to troubleshoot this particular issue.

0 Kudos
23 Replies
AndrewValenski__IT_
Occasional Contributor III

Could you provide some more information? Perhaps the error logs for the datastore?

0 Kudos
BillFox
MVP Frequent Contributor

Hi William/Andrew,

There's a BUG on that in 10.5 data store

What release are you using?

-Bill

0 Kudos
WilliamRice
Occasional Contributor II

I am using ArcGIS Enterprise version 10.6 with the latest patches also applied.

Will

0 Kudos
WilliamRice
Occasional Contributor II

Using ArcGIS Server Manager, I am not seeing any errors generated in the log files for the Data Store. I am just seeing the error message "Error encountered:  Machine 'https://<server name>:2443/arcgis/datastoreadmin' returned an error.  'Unable to import certificate'" when I run the Data Store "updatesslcertificate" utility.

The only other item I have noticed is that every time I run the "updatesslcertificate" utility, a file of the form "agsdatastore.ks.20180424011020477" gets generated under the Data Store C:\Program Files\ArcGIS\DataStore\etc\ssl directory and that the update date of the agsdatastore.ks file does not change.

--Will

0 Kudos
AndrewValenski__IT_
Occasional Contributor III

And are you running this from an admin account from the machine that ADS is installed on?

I'd also confirm that the certificate you are using is added to the machine's trusted root certificate store on the machine where ADS is installed.

0 Kudos
WilliamRice
Occasional Contributor II

Andrew,

I am running the updatesslcertificate using a Windows Domain Account that is a member of the Local Administrators Group on the local machine. I am running the command while logged into the machine via Remote Desktop. This Domain user account is the same account that was originally used to install Portal for ArcGIS, ArcGIS Server, and Data Store on the machine. The machine is running Windows 2016 server with IIS for the webserver software. When I go into the Microsoft Management Console (MMC) Certificate Manager, I see my commercial certificate issued for the machine listed under Certificates (Local Computers) > Personal > Certificates. Under Trusted Root Certification Authorities > Certificates, I see four Root certificates listed for the commercial certificate vendor.

0 Kudos
AndrewValenski__IT_
Occasional Contributor III

Wait, are you running a 10.6 Enterprise stack on a 2006 server?

0 Kudos
WilliamRice
Occasional Contributor II

Sorry, Windows 2016 Server. 

0 Kudos
AndrewValenski__IT_
Occasional Contributor III

Phew

Okay, if you navigate to the ADS logs (by default, this exists at this path: c:\arcgisdatastore\logs\<machinename>\), there will be two folders, 'datastore' and 'server.'

Can you run the utility again and then open up the most recent log file and search for the event? This should give a lot more detail than Server Manager.

Also, can you confirm that you have a file named 'agsdatastore.ks' in this directory: C:\Program Files\ArcGIS\DataStore\etc\ssl?

Also (sorry for the overload), can you confirm that the account running ADS has full permission to the C:\Program Files\ArcGIS\DataStore folder with the option to inherit permissions enabled?

0 Kudos
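
The three checks requested in the reply above (latest log entries, keystore files, folder permissions), collected into one PowerShell script. This is an added example, not part of any post in the thread and not Esri's code. Assumptions: the default paths quoted in the thread, a log folder named after the machine's short name, and a placeholder account name.

```powershell
# Added example. Paths are the defaults quoted in the thread; adjust for a custom install.
param(
    # Assumption: the <machinename> folder matches the short computer name.
    [string]$LogRoot    = "C:\arcgisdatastore\logs\$env:COMPUTERNAME",
    [string]$InstallDir = 'C:\Program Files\ArcGIS\DataStore',
    # Placeholder: replace with the account that runs ADS.
    [string]$Account    = 'DOMAIN\datastore-account'
)

# 1. Newest log file in the 'datastore' and 'server' folders, filtered on "certificate".
#    Run updatesslcertificate first so the failure is in the latest file.
foreach ($sub in 'datastore', 'server') {
    $dir = Join-Path $LogRoot $sub
    if (-not (Test-Path $dir)) { Write-Warning "Missing log folder: $dir"; continue }
    $latest = Get-ChildItem $dir -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { Write-Warning "No log files in $dir"; continue }
    "== $($latest.FullName) (written $($latest.LastWriteTime))"
    Select-String -Path $latest.FullName -Pattern 'certificate' -SimpleMatch |
        Select-Object -Last 20 | ForEach-Object { $_.Line }
}

# 2. Keystore plus the timestamped agsdatastore.ks.<timestamp> files the utility
#    leaves behind. An unchanged LastWriteTime on agsdatastore.ks after a run
#    means the keystore was not rewritten.
$sslDir = Join-Path $InstallDir 'etc\ssl'
$ks = Get-ChildItem $sslDir -Filter 'agsdatastore.ks*' -File -ErrorAction SilentlyContinue
if ($ks) {
    $ks | Sort-Object LastWriteTime |
        Format-Table Name, Length, LastWriteTime -AutoSize | Out-String
} else {
    Write-Warning "No agsdatastore.ks found in $sslDir"
}

# 3. Permissions on the install folder: inheritance flag and the entries that
#    name the account directly. Access granted through a group will not appear
#    here; review the full $acl.Access list in that case.
$acl = Get-Acl $InstallDir
"Inheritance enabled: $(-not $acl.AreAccessRulesProtected)"
$direct = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account }
if ($direct) {
    $direct | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize | Out-String
} else {
    Write-Warning "No ACL entry names $Account directly on $InstallDir"
}
```

Run it from an elevated PowerShell session on the machine where ADS is installed; reading the ACL and log folders may otherwise fail with access-denied errors.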