I am trying to get Portal 10.3.1 installed and work with my instance of ArcServer 10.3.1
I am working on a domain on a strictly internal LAN created by our SA and named with a .local suffix. I am just now learning about how .local domains are problematic now. http://www.mirazon.com/so-you-have-a-local-domain-now-what/ My SA launched a local Certificate authority for me, created a certificate named server.dommainname.local, and I thought I got it working on the local IIS and bound it to port 443. However, client connections from browsers still report security problems. The cert is not recognized.
ESRI tech support ran through the set up with me with screen share, then elevated me to next tier tech support, and they finally blamed the cert my SA generated.
I talked to GoDaddy about buying a cert from them, but they told me their certs will not work on a .local domain. They said domains like this are not longer “fully functional domain names”, starting in Nov. 2015. But will this also not work if we generate a domain cert from our local authority? Is this because the local domain is named *.local?
Shooting from the hip here, since I did not create our self-signed cert, and we are working with ArcGIS Server, non-federated....however, we were having issues with our proxy and secured services on our strictly in-house machine. Came down to the self signed cert. My IT guy said something about it not liking the .domain.local part of the cert.
Out IIS is setup to be https://gisdev105 without needing the .domain.local when we can the web pages. The original cert I think included the .domain.local From what I understand, he creted a new self-signed cert to match the gisdev105 portion only. So our proxy now works with our secure/non-secure services (just not totally with our custom print service...but that is another thread).
As of November 1st 2015 you can't get a publicly trusted certificate issued from a major Certifying Authority (CA) like GoDaddy for an internal/intranet web address (i.e. localhost, something.local, etc.). It seems there are a number of alternatives but I would seek expert advice on them. However, my take on it is you can do the following (for Windows Systems..I'm not sure how it differs on other operating systems)
Regarding your issues:
Have the machines that these client browsers are on been programmed (through Group Policy or otherwise) to trust certificates issued by the internal Certifying Authority you are using? I.e. is your internal CA or the specific certificate you've created listed in the "Trusted Root Certification Authorities" for that machine and other machines in the Windows Domain?
You can usually easily access this info in Chrome Settings, Advanced, Privacy and Security, Manage Certificates and then look at Trusted Root Certification Authorities.
I suspect that the error will only occur if your certificate has not been trusted but it could also have been improperly configured.
EDIT - Some Resources for you:
I have read up on self-signed certs, and can't figure out what they are good for. ESRI docs on Portal https://enterprise.arcgis.com/en/web-adaptor/10.3/install/iis/enable-https-on-your-web-server-portal... say that with a self-signed cert I will not be able to get Portal federated with Server, or get GISPro to use my local Portal. At one of my two locations where I'm trying to install Portal, I don't even have a local domain. Without a local domain, I can't get a self generated domain cert, but Portal is working real well for my customers when I just give them the url with port 7443 added, and tell them to add an exception to their browsers. So that's why I'd like to concentrate on getting the domain cert from our local CA working.
I think those links will be helpful.
Because your internal CA is not a 'well known' CA, it's not in your certificate store on your client machines. Like Ryan mentions above, you need to import your cert into the store for it to be trusted.